<VirtualHost *:80>
    ServerAdmin serveradmin@misp.local
    ServerName misp.local

    # In theory not needed, left for debug purposes
    # LogLevel warn
    # ErrorLog /var/log/apache2/misp.local_p80_error.log
    # CustomLog /var/log/apache2/misp.local_p80_access.log combined

    Header always unset "X-Powered-By"

    RewriteEngine On
    RewriteCond %{HTTPS}  !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

    ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin serveradmin@misp.local
    ServerName misp.local
    DocumentRoot /var/www/MISP/app/webroot
    <Directory /var/www/MISP/app/webroot>
        Options -Indexes
        AllowOverride all
        Require all granted
    </Directory>

    SSLEngine On
    
# StrongCiphers4All! \o/
# This proposal adds strong cipher suites based on the Mozilla recommendations. 
# mozilla config generator: https://ssl-config.mozilla.org/#server=apache&version=2.4.29&config=intermediate&openssl=1.1.1&guideline=5.6
# intermediate configuration
SSLProtocol 		    All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

# enable HTTP/2, if available
Protocols h2 http/1.1

    SSLCertificateFile /etc/ssl/private/misp.local.crt
    SSLCertificateKeyFile /etc/ssl/private/misp.local.key
#    SSLCertificateChainFile /etc/ssl/private/misp-chain.crt

    LogLevel warn
    ErrorLog /var/log/apache2/misp.local_error.log
    CustomLog /var/log/apache2/misp.local_access.log combined

    ServerSignature Off

    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN 
    Header always unset "X-Powered-By"

    # TODO: Think about X-XSS-Protection, Content-Security-Policy, Referrer-Policy & Feature-Policy
    ## Example:
    # Header always set X-XSS-Protection "1; mode=block"
    # Header always set Content-Security-Policy "default-src 'none'; style-src 'self' ... script-src/font-src/img-src/connect-src
    # Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Header always set Feature-Policy "geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self'; microphone 'none'; camera 'self'; magnometer 'self'; gyroscope 'self'; speake 'none'; vibrate 'self'; fullscreen 'none'"
</VirtualHost>

# strongciphers4All! \o/
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"