Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
99 lines (81 sloc) 4.96 KB
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Enable HTTP/2 and HTTP/1.1
Protocols h2 http/1.1
# SSL/TLS options.
SSLEngine On
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder On
SSLCompression Off
SSLOptions +StrictRequire
# SSL/TLS stapling.
SSLUseStapling On
SSLSessionTickets Off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
# Security headers.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options "DENY"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# Allow Disqus only on articles.
<If "%{REQUEST_URI} =~ /articles/">
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; connect-src 'self' https://links.services.disqus.com; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https://disqus.com; img-src 'self' https://c.disquscdn.com; manifest-src 'self'; media-src 'none'; object-src 'none'; sandbox allow-forms allow-popups allow-same-origin allow-scripts; script-src 'self' https://aaronhorler.disqus.com https://c.disquscdn.com https://disqus.com; style-src 'self' 'sha256-uk49LxwIkjcBX6GDo88be/xhZX0Cnowd7MsDmRZfFl8=' https://fonts.googleapis.com https://c.disquscdn.com; upgrade-insecure-requests; worker-src 'none'"
</If>
<Else>
Header always set Content-Security-Policy "default-src 'none'; base-uri 'none'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src 'self'; manifest-src 'self'; media-src 'none'; object-src 'none'; sandbox allow-forms allow-popups allow-same-origin allow-scripts; script-src 'self'; style-src 'self' 'sha256-9BcRMskIHVmLY6LVRAMcZ3/2l55BhLy8AVDLDNIlrxY=' https://fonts.googleapis.com; upgrade-insecure-requests; worker-src 'none'"
</Else>
Header always set Referrer-Policy "no-referrer"
Header always set Public-Key-Pins-Report-Only "max-age=1296000; pin-sha256=\"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=\"; pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; pin-sha256=\"C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=\"; report-uri=\"https://report.aaronhorler.com/\""
Header always set Expect-CT "max-age=1296000; report-uri=\"https://report.aaronhorler.com/\""
Header always set X-DNS-Prefetch-Control "off"
Header always set Tk "N"
Header always set X-Happiness "Is a warm gun"
# Ensure cookies have the Secure flag set.
Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# Cache documents for two days.
<filesMatch ".(html|txt|asc|xml|json)$">
Header set Cache-Control "max-age=172800, must-revalidate"
</filesMatch>
# Cache CSS and JavaScript for one week.
<filesMatch ".(css|js)$">
Header set Cache-Control "max-age=604800, public"
</filesMatch>
# Cache images for two weeks.
<filesMatch ".(png|svg|ico)$">
Header set Cache-Control "max-age=1209600, public"
</filesMatch>
# Cache fonts for two weeks.
<filesMatch ".(ttf|woff|woff2)$">
Header set Cache-Control "max-age=1209600, public"
</filesMatch>
ServerName aaronhorler.com
ServerAlias www.aaronhorler.com
ServerAdmin admin@aaronhorler.com
DocumentRoot /var/www/aaronhorler.com/html
# Logging.
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
SSLCertificateFile /etc/letsencrypt/ecdsa/aaronhorler.com/0001_chain.pem
SSLCertificateKeyFile /etc/letsencrypt/ecdsa/aaronhorler.com/privkey.pem
# Redirect www subdomain to domain.
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.aaronhorler.com
RewriteRule ^ https://aaronhorler.com%{REQUEST_URI} [END,QSA,R=permanent]
# Redirect old articles.
Redirect 301 /articles/openvpn-17.04-dns-leak.html https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html
Redirect 301 /articles/openvpn-16.10-dns-leak.html https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html
Redirect 301 /articles/openvpn-16.04-dns-leak.html https://aaronhorler.com/articles/openvpn-17.10-dns-leak.html
# Other redirections.
Redirect 301 /hackers.txt https://aaronhorler.com/security.txt
Redirect 301 /wp-admin https://www.youtube.com/watch?v=H0cJBEMiN1c
Redirect 301 /wp-admin.php https://www.youtube.com/watch?v=H0cJBEMiN1c
Redirect 301 /admin https://www.youtube.com/watch?v=H0cJBEMiN1c
Redirect 301 /wp-login https://www.youtube.com/watch?v=H0cJBEMiN1c
Redirect 301 /wp-login.php https://www.youtube.com/watch?v=H0cJBEMiN1c
Redirect 301 /administrator https://www.youtube.com/watch?v=H0cJBEMiN1c
</VirtualHost>
</IfModule>
You can’t perform that action at this time.