@Kagee
Created March 6, 2023 14:30
# For LDAP debugging, uncomment the following line:
# LDAPLibraryDebug 7
# Plain-HTTP listener for misp.local: redirects requests to the HTTPS virtual host.
<VirtualHost *:80>
    ServerName misp.local
    ServerAdmin serveradmin@misp.local

    # Keep version details out of server-generated pages and response headers.
    ServerSignature Off
    Header always unset "X-Powered-By"

    # Send any request that did not arrive over TLS to the same path on https://.
    # A bare R flag issues a temporary (302) redirect.
    # NOTE(review): %{SERVER_NAME} can follow the client-supplied Host header
    # unless UseCanonicalName is On; confirm, or redirect to the literal
    # ServerName so the target host is fixed.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
# TLS virtual host for MISP: serves /var/www/MISP/app/webroot and places HTTP
# Basic authentication, backed by LDAP, in front of /users/login.
<VirtualHost *:443>
ServerAdmin serveradmin@misp.local
ServerName misp.local
DocumentRoot /var/www/MISP/app/webroot
<Directory /var/www/MISP/app/webroot>
# Directory listings are disabled; .htaccess files under the webroot may
# override any directive class (AllowOverride all).
# NOTE(review): with AllowOverride all, a writable .htaccess under the webroot
# can change server behaviour; keep the tree read-only for the web user.
Options -Indexes
AllowOverride all
Require all granted
</Directory>
# Only this path is covered by the Basic/LDAP check below.
# NOTE(review): every other path relies on whatever the application enforces; confirm that is intended.
<Location "/users/login">
<If "-n %{HTTP:Authorization} && %{HTTP:Authorization} == 'Basic bG9nb3V0Og==' ">
# This is a hack to properly logout the user from Firefox.
# 'Basic bG9nb3V0Og==' equals 'Basic logout:'
# /dev/null is an empty user file, so a request carrying exactly this header
# can never satisfy "Require valid-user" in this branch.
AuthType Basic
AuthName "MISP"
AuthUserFile /dev/null
Require valid-user
</If>
<Else>
# Every other request to this path is authenticated against the directory.
AuthType Basic
AuthName "MISP"
AuthBasicProvider ldap
# Search base dc=example,dc=com, match on samaccountname, subtree scope;
# STARTTLS upgrades the ldap:// connection before the bind.
# NOTE(review): STARTTLS only protects the bind if the directory server's
# certificate is verified; confirm LDAPVerifyServerCert and the trusted CA
# (LDAPTrustedGlobalCert) in the server-level config, which is not shown here.
AuthLDAPUrl "ldap://ad.example.com/dc=example,dc=com?samaccountname?sub?(objectclass=*)" STARTTLS
AuthLDAPBindDN "CN=srv_misp,OU=Service Users,DC=example,DC=com"
# NOTE(review): the service-account password is stored in clear text in this
# file. Keep the file readable by root only and out of version control and
# public pastes; if this value was ever a real credential, rotate it.
# mod_authnz_ldap also accepts an "exec:" value that reads the password from a
# program's output instead of embedding it here.
AuthLDAPBindPassword "eew5Shiegheevua5iz9rohvi"
# Referrals returned by the directory are not followed.
LDAPReferrals off
# Both conditions must hold: a successful LDAP login and membership of the
# access group named in the filter.
<RequireAll>
Require valid-user
# The filter should not have " or ' around it etc, even if it has spaces in it. It will be used literally
# This filter works for AD, Samba and other LDAPs that support LDAP_MATCHING_RULE_IN_CHAIN
Require ldap-filter memberof:1.2.840.113556.1.4.1941:=CN=R_MISP Access,OU=MISP,OU=Access Groups,DC=example,DC=com
</RequireAll>
</Else>
</Location>
# No SSLProtocol or SSLCipherSuite is set in this vhost.
# NOTE(review): protocol and cipher policy presumably come from the
# server-level config; confirm it disables legacy protocol versions.
SSLEngine On
SSLCertificateFile /etc/ssl/private/misp_tls.crt
# The private key must be readable only by root.
SSLCertificateKeyFile /etc/ssl/private/misp_tls.key
# NOTE(review): debug level applies to every module in this vhost and is very
# verbose; keep it only while troubleshooting, restrict read access to the log
# files, and lower it (or scope it per module) afterwards.
LogLevel debug
ErrorLog /var/log/apache2/misp.local_error.log
CustomLog /var/log/apache2/misp.local_access.log combined
ServerSignature Off
# HSTS for one year, subdomains included; plus MIME-sniffing and framing restrictions.
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always unset "X-Powered-By"
</VirtualHost>