| # |
| # Apache HTTP Server Configuration for Axis2/C HTTP/2 JSON Services |
| # Custom build at /usr/local/apache2 |
| # |
| # This configuration provides: |
| # - HTTP/2 with TLS 1.2+ (HTTPS-only) |
| # - Defense-in-depth request limits |
| # - Per-service payload limits |
| # - Integer overflow protection at Apache level |
| # - Security headers |
| # |
| |
| ServerRoot "/usr/local/apache2" |
| ServerName localhost:443 |
| ServerAdmin admin@localhost |
| |
| # Listen on HTTPS only (HTTP/2 requires TLS) |
| Listen 443 |
| |
| # ============================================================================= |
| # CORE MODULES |
| # ============================================================================= |
| LoadModule authn_file_module modules/mod_authn_file.so |
| LoadModule authn_core_module modules/mod_authn_core.so |
| LoadModule authz_host_module modules/mod_authz_host.so |
| LoadModule authz_groupfile_module modules/mod_authz_groupfile.so |
| LoadModule authz_user_module modules/mod_authz_user.so |
| LoadModule authz_core_module modules/mod_authz_core.so |
| LoadModule access_compat_module modules/mod_access_compat.so |
| LoadModule auth_basic_module modules/mod_auth_basic.so |
| LoadModule reqtimeout_module modules/mod_reqtimeout.so |
| LoadModule filter_module modules/mod_filter.so |
| LoadModule mime_module modules/mod_mime.so |
| LoadModule log_config_module modules/mod_log_config.so |
| LoadModule env_module modules/mod_env.so |
| LoadModule headers_module modules/mod_headers.so |
| LoadModule setenvif_module modules/mod_setenvif.so |
| LoadModule version_module modules/mod_version.so |
| LoadModule proxy_module modules/mod_proxy.so |
| LoadModule unixd_module modules/mod_unixd.so |
| LoadModule status_module modules/mod_status.so |
| LoadModule autoindex_module modules/mod_autoindex.so |
| LoadModule dir_module modules/mod_dir.so |
| LoadModule alias_module modules/mod_alias.so |
| LoadModule rewrite_module modules/mod_rewrite.so |
| |
| # SSL/TLS and HTTP/2 modules |
| LoadModule socache_shmcb_module modules/mod_socache_shmcb.so |
| LoadModule ssl_module modules/mod_ssl.so |
| LoadModule http2_module modules/mod_http2.so |
| |
| # Axis2/C module |
| LoadModule axis2_module /usr/local/axis2c/lib/libmod_axis2.so |
| |
| # ============================================================================= |
| # PROCESS/USER CONFIGURATION |
| # ============================================================================= |
| <IfModule unixd_module> |
| User www-data |
| Group www-data |
| </IfModule> |
| |
| # Use event MPM for HTTP/2 (required for multiplexing) |
| <IfModule mpm_event_module> |
| StartServers 2 |
| MinSpareThreads 25 |
| MaxSpareThreads 75 |
| ThreadLimit 64 |
| ThreadsPerChild 25 |
| MaxRequestWorkers 150 |
| MaxConnectionsPerChild 0 |
| </IfModule> |
| |
| # ============================================================================= |
| # AXIS2/C CONFIGURATION |
| # ============================================================================= |
| Axis2RepoPath /usr/local/axis2c |
| Axis2LogFile /var/log/axis2c/axis2.log |
| Axis2LogLevel info |
| |
| # ============================================================================= |
| # DEFENSE IN DEPTH: REQUEST LIMITS |
| # Apache enforces these limits BEFORE payloads reach Axis2/C code |
| # This protects against memory exhaustion, overflow attacks, and DoS |
| # ============================================================================= |
| |
| # Global default: 10MB max request body (matches Axis2/C max_buffer) |
| LimitRequestBody 10485760 |
| |
| # Limit request line (URL + method + protocol) - prevents long URL attacks |
| LimitRequestLine 8190 |
| |
| # Limit total header fields - prevents header flooding |
| LimitRequestFields 100 |
| |
| # Limit individual header size - prevents header overflow attacks |
| LimitRequestFieldSize 8190 |
| |
| # Request timeout protection (slowloris defense) |
| <IfModule reqtimeout_module> |
| RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 |
| </IfModule> |
| |
| # ============================================================================= |
| # HTTP/2 CONFIGURATION |
| # ============================================================================= |
| <IfModule http2_module> |
| # HTTP/2 performance settings for enterprise big data |
| H2WindowSize 65536 |
| H2MaxWorkers 256 |
| H2MaxSessionStreams 100 |
| H2StreamMaxMemSize 104857600 |
| H2StreamTimeout 300 |
| |
| # Security: HTTP/2 only over TLS 1.2+ |
| H2ModernTLSOnly on |
| H2Upgrade off |
| H2Direct on |
| </IfModule> |
| |
| # ============================================================================= |
| # SSL/TLS CONFIGURATION |
| # ============================================================================= |
| <IfModule ssl_module> |
| SSLRandomSeed startup builtin |
| SSLRandomSeed connect builtin |
| |
| # OCSP Stapling cache |
| SSLStaplingCache shmcb:/tmp/stapling_cache(128000) |
| </IfModule> |
| |
| # ============================================================================= |
| # DIRECTORY AND LOGGING CONFIGURATION |
| # ============================================================================= |
| <Directory /> |
| AllowOverride none |
| Require all denied |
| </Directory> |
| |
| DocumentRoot "/usr/local/apache2/htdocs" |
| <Directory "/usr/local/apache2/htdocs"> |
| Options Indexes FollowSymLinks |
| AllowOverride None |
| Require all granted |
| </Directory> |
| |
| <IfModule dir_module> |
| DirectoryIndex index.html |
| </IfModule> |
| |
| <Files ".ht*"> |
| Require all denied |
| </Files> |
| |
| ErrorLog "logs/error_log" |
| LogLevel warn |
| |
| <IfModule log_config_module> |
| LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined |
| LogFormat "%h %l %u %t \"%r\" %>s %b" common |
| CustomLog "logs/access_log" combined |
| </IfModule> |
| |
| <IfModule mime_module> |
| TypesConfig conf/mime.types |
| AddType application/x-compress .Z |
| AddType application/x-gzip .gz .tgz |
| AddType application/json .json |
| </IfModule> |
| |
| # ============================================================================= |
| # HTTPS VIRTUAL HOST WITH HTTP/2 |
| # ============================================================================= |
| <VirtualHost *:443> |
| ServerName localhost:443 |
| DocumentRoot /usr/local/apache2/htdocs |
| |
| # HTTP/2 first, HTTP/1.1 fallback |
| Protocols h2 http/1.1 |
| |
| # SSL/TLS Configuration |
| SSLEngine on |
| SSLCertificateFile /usr/local/apache2/conf/ssl/apache-selfsigned.crt |
| SSLCertificateKeyFile /usr/local/apache2/conf/ssl/apache-selfsigned.key |
| |
| # TLS 1.2+ required for HTTP/2 |
| SSLProtocol -all +TLSv1.2 +TLSv1.3 |
| |
| # Modern cipher suites for HTTP/2 |
| SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS |
| SSLHonorCipherOrder off |
| |
| # OCSP Stapling |
| SSLUseStapling on |
| |
| # ========================================================================= |
| # SECURITY HEADERS |
| # ========================================================================= |
| Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" |
| Header always set X-Content-Type-Options nosniff |
| Header always set X-Frame-Options DENY |
| |
| # ========================================================================= |
| # AXIS2/C SERVICES HANDLER |
| # ========================================================================= |
| <Location /services> |
| SetHandler axis2_module |
| SSLRequireSSL |
| |
| # CORS headers for API access |
| Header always set Access-Control-Allow-Origin "*" |
| Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" |
| Header always set Access-Control-Allow-Headers "Content-Type, Authorization, Accept" |
| </Location> |
| |
| # ========================================================================= |
| # PER-SERVICE REQUEST LIMITS (Defense in Depth) |
| # These limits are enforced by Apache BEFORE Axis2/C code executes |
| # ========================================================================= |
| |
| # Camera Control Service - IoT payloads are small |
| <Location /services/CameraControlService> |
| # IoT endpoints: 64KB max (camera commands are ~24 bytes) |
| LimitRequestBody 65536 |
| Header always set Cache-Control "no-cache, no-store, must-revalidate" |
| </Location> |
| |
| # Financial Benchmark Service - Enterprise payloads up to 10MB |
| <Location /services/FinancialBenchmarkService> |
| # Enterprise payloads: 10MB max (500-asset portfolios ~5MB) |
| LimitRequestBody 10485760 |
| Header always set Cache-Control "no-cache, no-store, must-revalidate" |
| </Location> |
| |
| # Big Data H2 Service - Large payloads up to 50MB |
| <Location /services/BigDataH2Service> |
| # Big data payloads: 50MB max |
| LimitRequestBody 52428800 |
| Header always set Cache-Control "no-cache, no-store, must-revalidate" |
| </Location> |
| |
| # Login Service - Authentication payloads are small |
| <Location /services/LoginService> |
| # Auth payloads: 64KB max (credentials are small) |
| LimitRequestBody 65536 |
| Header always set X-XSS-Protection "1; mode=block" |
| Header always set Content-Security-Policy "default-src 'self'" |
| </Location> |
| |
| # Test WS Service - XSS demonstration with small payloads |
| <Location /services/TestwsService> |
| # Test payloads: 1MB max |
| LimitRequestBody 1048576 |
| Header always set X-XSS-Protection "1; mode=block" |
| Header always set Content-Security-Policy "default-src 'self'; script-src 'none'" |
| </Location> |
| |
| # ========================================================================= |
| # HTTP/2 ENFORCEMENT (Optional - uncomment to require HTTP/2) |
| # ========================================================================= |
| # RewriteEngine On |
| # RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.1$ |
| # RewriteRule ^/services/.* - [R=426,L] |
| # ErrorDocument 426 "HTTP/2 Required: Use --http2 flag" |
| |
| </VirtualHost> |