From c954c42cdc2239a962996ca01fd7a0398e1113e3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?=
Date: Sun, 13 Sep 2015 21:46:05 +0200
Subject: [PATCH] Improve security in configurations.
---
 doc/pocci-ssl.conf | 15 +++++++++------
 doc/pocci.conf | 6 +++---
 public/.keep | 0
 3 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100644 public/.keep
diff --git a/doc/pocci-ssl.conf b/doc/pocci-ssl.conf
index 62e870d..38d0d20 100644
--- a/doc/pocci-ssl.conf
+++ b/doc/pocci-ssl.conf
@@ -3,7 +3,11 @@ SSLEngine on
 # for security reasons you may restrict the SSL protocol, but some clients may fail if SSLv2 is not supported
- SSLProtocol all
+ SSLProtocol all -SSLv2 -SSLv3
+
+ # pedantic security
+ SSLCipherSuite kEECDH:HIGH:MEDIUM:!aNULL:!MD5:!RC4:!eNULL
+ SSLHonorCipherOrder On
 # this should point to your server host certificate
 SSLCertificateFile /etc/grid-security/hostcert.pem
@@ -14,8 +18,7 @@
 # directory containing the Root CA certificates and their hashes
 SSLCACertificatePath /etc/grid-security/certificates
- # set to optional, this tells Apache to attempt to verify SSL certificates i
-f provided
+ # set to optional, this tells Apache to attempt to verify SSL certificates if provided
 # for X.509 access with GridSite/VOMS, however, set to 'require'
 SSLVerifyClient optional
 #SSLVerifyClient require
@@ -24,15 +27,15 @@ f provided
 SSLVerifyDepth 10
 ServerName localhost
- DocumentRoot /var/www/html/pOCCI-flask
-
+ DocumentRoot /var/www/html/pOCCI-flask/public
+
 Options -MultiViews
 #Allow from all
 # Uncomment this if you're on Apache >= 2.4:
 Require all granted
- Alias /pocci /var/www/html/pOCCI-flask
+ Alias /pocci /var/www/html/pOCCI-flask/public
 PassengerBaseURI /pocci
 PassengerAppRoot /var/www/html/pOCCI-flask
diff --git a/doc/pocci.conf b/doc/pocci.conf
index 892e4ae..ffcbcfc 100644
--- a/doc/pocci.conf
+++ b/doc/pocci.conf
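Review bot: The new `SSLCipherSuite kEECDH:HIGH:MEDIUM:!aNULL:!MD5:!RC4:!eNULL` still admits 3DES (DES-CBC3-SHA sits in OpenSSL 1.0.x's HIGH group) and, behind the kEECDH entries, the non-forward-secret RSA key-exchange suites that HIGH pulls in, so "pedantic security" overstates what the line enforces; once RC4 is excluded, MEDIUM contributes only SEED/IDEA on that OpenSSL series, so `SSLCipherSuite kEECDH:HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES` tightens it without shedding modern clients. The comment kept above `SSLProtocol all -SSLv2 -SSLv3` is now contradictory — it warns that clients may fail if SSLv2 is *not* supported while the directive disables SSLv2 unconditionally — and should read something like `# SSLv2/SSLv3 disabled (POODLE); TLSv1.0/1.1 stay enabled for older clients, add -TLSv1 -TLSv1.1 if they are not needed`. If the mod_ssl build supports it (2.2.24+/2.4.3+), `SSLCompression off` next to `SSLHonorCipherOrder On` also closes the CRIME vector; whether that build is in use is not visible here.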
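Review bot: The re-wrapped comment on `SSLVerifyClient optional` says Apache will "attempt to verify" a certificate but not what that means downstream: with `optional`, a client that presents no certificate is still admitted, so anything behind this vhost that relies on the subject DN must check that `SSL_CLIENT_VERIFY` is `SUCCESS` before trusting `SSL_CLIENT_S_DN`. I would extend the comment with `# NOTE: 'optional' admits clients without a certificate; consumers must check SSL_CLIENT_VERIFY == SUCCESS before trusting SSL_CLIENT_S_DN`. Whether the Passenger-hosted application performs that check is not visible in this patch, and the `SSLVerifyDepth 10` that completes this verification block is in the following hunk.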
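Review bot: `Options -MultiViews` on the relocated `/var/www/html/pOCCI-flask/public` directory turns off content negotiation only; Apache's default `Options` is `All`, so `Indexes` and `FollowSymLinks` remain in effect for the new web root, and `Require all granted` by itself does not limit `.htaccess` processing (Apache 2.2 defaults `AllowOverride` to `All`). I would make the block `Options -MultiViews -Indexes` and add `AllowOverride None` beside `Require all granted`, so a path under `public/` that Passenger does not route cannot be listed and a dropped-in `.htaccess` cannot widen access. The `<Directory>` open and close lines appear to have been stripped from this rendering (the bare `-` and `+` lines after the `DocumentRoot` pair), so the extent of that block is inferred rather than visible.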
@@ -1,14 +1,14 @@
 ServerName localhost
- DocumentRoot /var/www/html/pOCCI-flask
-
+ DocumentRoot /var/www/html/pOCCI-flask/public
+
 Options -MultiViews
 #Allow from all
 # Uncomment this if you're on Apache >= 2.4:
 Require all granted
- Alias /pocci /var/www/html/pOCCI-flask
+ Alias /pocci /var/www/html/pOCCI-flask/public
 PassengerBaseURI /pocci
 PassengerAppRoot /var/www/html/pOCCI-flask
diff --git a/public/.keep b/public/.keep
new file mode 100644
index 0000000..e69de29
-- 
1.8.2.3
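Review bot: In this plain-HTTP vhost the directory block for the new `/var/www/html/pOCCI-flask/public` root keeps `Options -MultiViews` as its only option change, which leaves Apache's default `Indexes` active; since `public/` is otherwise empty in this commit (only `.keep` is added), any request there that Passenger does not handle can be answered with a directory listing. `Options -MultiViews -Indexes` together with `AllowOverride None` next to `Require all granted` gives the web root a closed default (2.4 already defaults `AllowOverride` to None, 2.2 does not). The `<Directory>` open/close lines seem to have been lost in this rendering (the bare `-` and `+` lines), so the placement is inferred.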