blob: 98ecdd427c29004d1bdd63570dc13c9937cf3961 [file]
#
# Apache HTTP Server Configuration for Axis2/C HTTP/2 JSON Services
# Custom build at /usr/local/apache2
#
# This configuration provides:
# - HTTP/2 with TLS 1.2+ (HTTPS-only)
# - Defense-in-depth request limits
# - Per-service payload limits
# - Integer overflow protection at Apache level
# - Security headers
#
ServerRoot "/usr/local/apache2"
ServerName localhost:443
ServerAdmin admin@localhost
# Listen on HTTPS only (HTTP/2 requires TLS)
Listen 443
# =============================================================================
# CORE MODULES
# =============================================================================
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# SSL/TLS and HTTP/2 modules
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
# Axis2/C module
LoadModule axis2_module /usr/local/axis2c/lib/libmod_axis2.so
# =============================================================================
# PROCESS/USER CONFIGURATION
# =============================================================================
<IfModule unixd_module>
User www-data
Group www-data
</IfModule>
# Use event MPM for HTTP/2 (required for multiplexing)
<IfModule mpm_event_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 0
</IfModule>
# =============================================================================
# AXIS2/C CONFIGURATION
# =============================================================================
Axis2RepoPath /usr/local/axis2c
Axis2LogFile /var/log/axis2c/axis2.log
Axis2LogLevel info
# =============================================================================
# DEFENSE IN DEPTH: REQUEST LIMITS
# Apache enforces these limits BEFORE payloads reach Axis2/C code
# This protects against memory exhaustion, overflow attacks, and DoS
# =============================================================================
# Global default: 10MB max request body (matches Axis2/C max_buffer)
LimitRequestBody 10485760
# Limit request line (URL + method + protocol) - prevents long URL attacks
LimitRequestLine 8190
# Limit total header fields - prevents header flooding
LimitRequestFields 100
# Limit individual header size - prevents header overflow attacks
LimitRequestFieldSize 8190
# Request timeout protection (slowloris defense)
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
# =============================================================================
# HTTP/2 CONFIGURATION
# =============================================================================
<IfModule http2_module>
# HTTP/2 performance settings for enterprise big data
H2WindowSize 65536
H2MaxWorkers 256
H2MaxSessionStreams 100
H2StreamMaxMemSize 104857600
H2StreamTimeout 300
# Security: HTTP/2 only over TLS 1.2+
H2ModernTLSOnly on
H2Upgrade off
H2Direct on
</IfModule>
# =============================================================================
# SSL/TLS CONFIGURATION
# =============================================================================
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
# OCSP Stapling cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</IfModule>
# =============================================================================
# DIRECTORY AND LOGGING CONFIGURATION
# =============================================================================
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access_log" combined
</IfModule>
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/json .json
</IfModule>
# =============================================================================
# HTTPS VIRTUAL HOST WITH HTTP/2
# =============================================================================
<VirtualHost *:443>
ServerName localhost:443
DocumentRoot /usr/local/apache2/htdocs
# HTTP/2 first, HTTP/1.1 fallback
Protocols h2 http/1.1
# SSL/TLS Configuration
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/ssl/apache-selfsigned.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl/apache-selfsigned.key
# TLS 1.2+ required for HTTP/2
SSLProtocol -all +TLSv1.2 +TLSv1.3
# Modern cipher suites for HTTP/2
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!DSS
SSLHonorCipherOrder off
# OCSP Stapling
SSLUseStapling on
# =========================================================================
# SECURITY HEADERS
# =========================================================================
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
# =========================================================================
# AXIS2/C SERVICES HANDLER
# =========================================================================
<Location /services>
SetHandler axis2_module
SSLRequireSSL
# CORS headers for API access
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization, Accept"
</Location>
# =========================================================================
# PER-SERVICE REQUEST LIMITS (Defense in Depth)
# These limits are enforced by Apache BEFORE Axis2/C code executes
# =========================================================================
# Camera Control Service - IoT payloads are small
<Location /services/CameraControlService>
# IoT endpoints: 64KB max (camera commands are ~24 bytes)
LimitRequestBody 65536
Header always set Cache-Control "no-cache, no-store, must-revalidate"
</Location>
# Financial Benchmark Service - Enterprise payloads up to 10MB
<Location /services/FinancialBenchmarkService>
# Enterprise payloads: 10MB max (500-asset portfolios ~5MB)
LimitRequestBody 10485760
Header always set Cache-Control "no-cache, no-store, must-revalidate"
</Location>
# Big Data H2 Service - Large payloads up to 50MB
<Location /services/BigDataH2Service>
# Big data payloads: 50MB max
LimitRequestBody 52428800
Header always set Cache-Control "no-cache, no-store, must-revalidate"
</Location>
# Login Service - Authentication payloads are small
<Location /services/LoginService>
# Auth payloads: 64KB max (credentials are small)
LimitRequestBody 65536
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'"
</Location>
# Test WS Service - XSS demonstration with small payloads
<Location /services/TestwsService>
# Test payloads: 1MB max
LimitRequestBody 1048576
Header always set X-XSS-Protection "1; mode=block"
Header always set Content-Security-Policy "default-src 'self'; script-src 'none'"
</Location>
# =========================================================================
# HTTP/2 ENFORCEMENT (Optional - uncomment to require HTTP/2)
# =========================================================================
# RewriteEngine On
# RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.1$
# RewriteRule ^/services/.* - [R=426,L]
# ErrorDocument 426 "HTTP/2 Required: Use --http2 flag"
</VirtualHost>