mirror of
https://framagit.org/framasoft/mobilizon.git
synced 2024-12-30 20:06:07 +00:00
1d9bf70e5e
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
93 lines
No EOL
4.8 KiB
Text
93 lines
No EOL
4.8 KiB
Text
### This .conf file requires:
|
|
## Apache >= 2.4.17 and these mods:
|
|
# headers, proxy, proxy_balancer, proxy_http, proxy_wstunnel, rewrite, lbmethod_byrequests
|
|
###
|
|
DEFINE base_url dom.ain
|
|
DEFINE mob_url 127.0.0.1
|
|
DEFINE mob_port 4000
|
|
DEFINE root_path /home/mobilizon/live/
|
|
DEFINE public_url mobilizon.dom.ain
|
|
DEFINE email events@mo.dom.ain
|
|
ServerTokens Prod
|
|
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
|
|
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
|
|
SSLSessionCacheTimeout 300
|
|
<VirtualHost *:80>
|
|
ServerName ${public_url}
|
|
#ServerAdmin ${email}
|
|
DocumentRoot ${root_path}
|
|
ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log
|
|
CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined
|
|
RewriteEngine on
|
|
RewriteCond %{SERVER_NAME} =mobilizon.dom.ain
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
|
|
</VirtualHost>
|
|
<VirtualHost *:443>
|
|
ServerName ${public_url}
|
|
#ServerAdmin ${email}
|
|
DocumentRoot ${root_path}
|
|
ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log
|
|
CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined
|
|
SSLEngine On
|
|
SSLCertificateFile /etc/letsencrypt/live/dom.ain/fullchain.pem
|
|
SSLCertificateKeyFile /etc/letsencrypt/live/dom.ain/privkey.pem
|
|
#Include /etc/letsencrypt/options-ssl-apache.conf
|
|
Protocols h2 http/1.1
|
|
Timeout 360
|
|
ProxyRequests Off
|
|
ProxyPreserveHost On
|
|
ProxyTimeout 600
|
|
ProxyReceiveBufferSize 4096
|
|
SSLProxyEngine On
|
|
RequestHeader set Front-End-Https "On"
|
|
ServerSignature Off
|
|
SSLCompression Off
|
|
SSLUseStapling On
|
|
SSLStaplingResponderTimeout 5
|
|
SSLStaplingReturnResponderErrors Off
|
|
SSLSessionTickets Off
|
|
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
|
|
Header always set Strict-Transport-Security "max-age=15552000; preload"
|
|
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
|
Header always set X-Robots-Tag none
|
|
#Header always set X-XSS-Protection "1; mode=block"
|
|
#Header always set X-Frame-Options "SAMEORIGIN"
|
|
#Header always set X-Content-Type-Options nosniff
|
|
## Extremely untested Content-Security-Policy: NOTE this will change every new build of Mobilizon ##
|
|
Header always set Content-Security-Policy "default-src 'none'; base-uri 'self' ${base_url} ${public_url}; font-src 'self' data: ${base_url} ${public_url}; media-src 'self' ${base_url} ${public_url}; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${base_url} ${public_url}; style-src 'self' 'unsafe-inline' ${base_url} ${public_url}; img-src 'self' https: data: blob: *.${base_url} ${public_url}; worker-src *; frame-src 'self' https:; connect-src 'self' wss: https: ${base_url} ${public_url}; object-src 'self' ${base_url} ${public_url}; frame-ancestors 'self' ${base_url} ${public_url}; form-action 'self' ${base_url} ${public_url}; manifest-src 'self' ${base_url} ${public_url};"
|
|
Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; fullscreen 'self'; payment 'self';"
|
|
Header always set Permissions-Policy "geolocation=(self '${base_url}' '${public_url}'), midi=(self '${base_url}' '${public_url}'), sync-xhr=(self '${base_url}' '${public_url}'), microphone=(self '${base_url}' '${public_url}'), camera=(self '${base_url}' '${public_url}'), magnetometer=(self '${base_url}' '${public_url}'), gyroscope=(self '${base_url}' '${public_url}'), fullscreen=(self '${base_url}' '${public_url}'), payment=(self '${base_url}' '${public_url}')"
|
|
### Use next two for very secure connections ###
|
|
SSLHonorCipherOrder Off
|
|
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
|
|
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
|
### Actually start proxying traffic
|
|
#LimitRequestBody 4294967294
|
|
#Options -Includes -ExecCGI
|
|
#LimitRequestBody 512000
|
|
#FileETag None
|
|
#TraceEnable off
|
|
<Location />
|
|
ProxyPass ws://${mob_url}:${mob_port}/
|
|
ProxyPassReverse ws://${mob_url}:${mob_port}/
|
|
ProxyPass http://${mob_url}:${mob_port}/
|
|
ProxyPassReverse http://${mob_url}:${mob_port}/
|
|
</Location>
|
|
<FilesMatch ^/(js|css)$>
|
|
Header append Cache-Control "public, max-age=31536000, immutable"
|
|
SetEnv dontlog
|
|
</FilesMatch>
|
|
AliasMatch ^/(js|css)$ ${root_path}priv/static/$1
|
|
<LocationMatch ^/(media|proxy)$>
|
|
Header append Cache-Control "public, max-age=31536000, immutable"
|
|
SetEnv dontlog
|
|
ProxyPass http://${mob_url}:${mob_port}/$1
|
|
</LocationMatch>
|
|
# Please create a pull request for this section
|
|
# error_page 500 501 502 503 504 @error;
|
|
# location @error {
|
|
# root /home/mobilizon/live/priv/errors;
|
|
# try_files /error.html 502;
|
|
# }
|
|
</VirtualHost> |