diff --git a/support/apache/mobilizon.conf b/support/apache/mobilizon.conf new file mode 100644 index 000000000..b6a849dfe --- /dev/null +++ b/support/apache/mobilizon.conf @@ -0,0 +1,93 @@ +### This .conf file requires: + ## Apache >= 2.4.17 and these mods: + # headers, proxy, proxy_balancer, proxy_http, proxy_wstunnel, rewrite, lbmethod_byrequests +### + DEFINE base_url dom.ain + DEFINE mob_url 127.0.0.1 + DEFINE mob_port 4000 + DEFINE root_path /home/mobilizon/live/ + DEFINE public_url mobilizon.dom.ain + DEFINE email events@mo.dom.ain + ServerTokens Prod + SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)" + SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)" + SSLSessionCacheTimeout 300 + + ServerName ${public_url} + #ServerAdmin ${email} + DocumentRoot ${root_path} + ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log + CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined + RewriteEngine on + RewriteCond %{SERVER_NAME} =mobilizon.dom.ain + RewriteCond %{HTTPS} off + RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] + + + ServerName ${public_url} + #ServerAdmin ${email} + DocumentRoot ${root_path} + ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log + CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined + SSLEngine On + SSLCertificateFile /etc/letsencrypt/live/dom.ain/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/dom.ain/privkey.pem + #Include /etc/letsencrypt/options-ssl-apache.conf + Protocols h2 http/1.1 + Timeout 360 + ProxyRequests Off + ProxyPreserveHost On + ProxyTimeout 600 + ProxyReceiveBufferSize 4096 + SSLProxyEngine On + RequestHeader set Front-End-Https "On" + ServerSignature Off + SSLCompression Off + SSLUseStapling On + SSLStaplingResponderTimeout 5 + SSLStaplingReturnResponderErrors Off + SSLSessionTickets Off + RequestHeader set X-Forwarded-Proto 'https' env=HTTPS + Header always set Strict-Transport-Security "max-age=15552000; preload" + Header always set Referrer-Policy "strict-origin-when-cross-origin" + Header always set X-Robots-Tag none + #Header always set X-XSS-Protection "1; mode=block" + #Header always set X-Frame-Options "SAMEORIGIN" + #Header always set X-Content-Type-Options nosniff + ## Extremely untested Content-Security-Policy: NOTE this will change every new build of Mobilizon ## + Header always set Content-Security-Policy "default-src 'none'; base-uri 'self' ${base_url} ${public_url}; font-src 'self' data: ${base_url} ${public_url}; media-src 'self' ${base_url} ${public_url}; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${base_url} ${public_url}; style-src 'self' 'unsafe-inline' ${base_url} ${public_url}; img-src 'self' https: data: blob: *.${base_url} ${public_url}; worker-src *; frame-src 'self' https:; connect-src 'self' wss: https: ${base_url} ${public_url}; object-src 'self' ${base_url} ${public_url}; frame-ancestors 'self' ${base_url} ${public_url}; form-action 'self' ${base_url} ${public_url}; manifest-src 'self' ${base_url} ${public_url};" + Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; fullscreen 'self'; payment 'self';" + Header always set Permissions-Policy "geolocation=(self '${base_url}' '${public_url}'), midi=(self '${base_url}' '${public_url}'), sync-xhr=(self '${base_url}' '${public_url}'), microphone=(self '${base_url}' '${public_url}'), camera=(self '${base_url}' '${public_url}'), magnetometer=(self '${base_url}' '${public_url}'), gyroscope=(self '${base_url}' '${public_url}'), fullscreen=(self '${base_url}' '${public_url}'), payment=(self '${base_url}' '${public_url}')" +### Use next two for very secure connections ### + SSLHonorCipherOrder Off + SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 + SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +### Actually start proxying traffic + #LimitRequestBody 4294967294 + #Options -Includes -ExecCGI + #LimitRequestBody 512000 + #FileETag None + #TraceEnable off + + ProxyPass ws://${mob_url}:${mob_port}/ + ProxyPassReverse ws://${mob_url}:${mob_port}/ + ProxyPass http://${mob_url}:${mob_port}/ + ProxyPassReverse http://${mob_url}:${mob_port}/ + + + Header append Cache-Control "public, max-age=31536000, immutable" + SetEnv dontlog + + AliasMatch ^/(js|css)$ ${root_path}priv/static/$1 + + Header append Cache-Control "public, max-age=31536000, immutable" + SetEnv dontlog + ProxyPass http://${mob_url}:${mob_port}/$1 + +# Please create a pull request for this section +# error_page 500 501 502 503 504 @error; +# location @error { +# root /home/mobilizon/live/priv/errors; +# try_files /error.html 502; +# } + \ No newline at end of file