diff --git a/httpclient5-testing/docker/apache-httpd/Dockerfile b/httpclient5-testing/docker/apache-httpd/Dockerfile
index 166e507fb..6400aff4f 100644
--- a/httpclient5-testing/docker/apache-httpd/Dockerfile
+++ b/httpclient5-testing/docker/apache-httpd/Dockerfile
@@ -33,7 +33,7 @@ RUN mkdir ${httpd_home}/ssl
 COPY server-cert.pem ${httpd_home}/ssl/
 COPY server-key.pem ${httpd_home}/ssl/
 COPY httpd.conf ${httpd_home}/conf/
-COPY httpd-ssl.conf ${httpd_home}/conf/
+COPY httpd-ssl.conf ${httpd_home}/conf/extra/
 RUN mkdir -p ${private_dir}
 # user: testuser; pwd: nopassword
diff --git a/httpclient5-testing/docker/apache-httpd/httpd-ssl.conf b/httpclient5-testing/docker/apache-httpd/httpd-ssl.conf
index 0f04fbd39..53477407c 100644
--- a/httpclient5-testing/docker/apache-httpd/httpd-ssl.conf
+++ b/httpclient5-testing/docker/apache-httpd/httpd-ssl.conf
@@ -67,8 +67,8 @@ Listen 8443
 # ensure these follow appropriate best practices for this deployment.
 # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
 # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 # By the end of 2016, only TLSv1.2 ciphers should remain in use.
 # Older ciphers should be disallowed as soon as possible, while the
diff --git a/httpclient5-testing/docker/apache-httpd/httpd.conf b/httpclient5-testing/docker/apache-httpd/httpd.conf
index 8564ef117..93d05d426 100644
--- a/httpclient5-testing/docker/apache-httpd/httpd.conf
+++ b/httpclient5-testing/docker/apache-httpd/httpd.conf
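Review bot: In httpd-ssl.conf, `SSLCipherSuite` and `SSLProxyCipherSuite` still start from `HIGH:MEDIUM`, so the added `!3DES` removes one legacy family while the whole MEDIUM class stays negotiable; what that class contains depends on the OpenSSL build in the image, which is not visible here. If MEDIUM is kept on purpose so the test server can serve legacy clients, record that above the two lines, e.g. `#   3DES excluded (64-bit block cipher); MEDIUM kept for legacy-client tests`. Otherwise `SSLCipherSuite HIGH:!MD5:!RC4:!3DES` (and the same for the proxy line) would be the tighter setting. The context comment says only TLSv1.2 ciphers should remain in use, and the `SSLProtocol` line that would enforce this is outside the hunk, so check it alongside.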
@@ -77,6 +77,9 @@ Listen 8080
 # Example:
 # LoadModule foo_module modules/mod_foo.so
 #
+LoadModule mpm_event_module modules/mod_mpm_event.so
+#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+#LoadModule mpm_worker_module modules/mod_mpm_worker.so
 LoadModule authn_file_module modules/mod_authn_file.so
 #LoadModule authn_dbm_module modules/mod_authn_dbm.so
 #LoadModule authn_anon_module modules/mod_authn_anon.so
@@ -154,6 +157,8 @@ LoadModule version_module modules/mod_version.so
 #LoadModule proxy_http_module modules/mod_proxy_http.so
 #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
+#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
 #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
 #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
 #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
@@ -428,6 +433,15 @@ LogLevel warn
 Require all granted
+
+ #
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+ # backend servers which have lingering "httpoxy" defects.
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
+ #
+ RequestHeader unset Proxy early
+
+
 #
 # TypesConfig points to the file containing the list of mappings from
@@ -556,7 +570,7 @@ Include conf/extra/proxy-html.conf
 # Secure (SSL/TLS) connections
-Include conf/httpd-ssl.conf
+Include conf/extra/httpd-ssl.conf
 #
 # Note: The following must must be present to support
 # starting without SSL on platforms with no /dev/random equivalent
diff --git a/httpclient5-testing/docker/squid/squid.conf b/httpclient5-testing/docker/squid/squid.conf
index 8cc14ec4e..bf9c7a945 100644
--- a/httpclient5-testing/docker/squid/squid.conf
+++ b/httpclient5-testing/docker/squid/squid.conf
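Review bot: `RequestHeader unset Proxy early` in the httpd.conf hunk at `@@ -428,6 +433,15 @@` only takes effect when mod_headers is loaded, and the `LoadModule headers_module` line is not part of any hunk shown here. The container tags around the directive appear to have been lost in this rendering; if it sits inside an `<IfModule headers_module>` block as in the stock configuration, a commented-out LoadModule would skip the httpoxy mitigation silently instead of failing at startup. Confirm that `LoadModule headers_module modules/mod_headers.so` is active in this file, and consider a comment next to it such as `# required by the "RequestHeader unset Proxy early" httpoxy mitigation below`.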
@@ -14,7 +14,8 @@
 # limitations under the License.
 # ==========================================================================
-http_port 8888 8889
+http_port 8888
+http_port 8889
 coredump_dir /var/spool/squid3