Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
112 lines (97 sloc) 4.4 KB
<VirtualHost *:80>
# Upgrade insecure connections to HTTPS.
ServerAdmin webmaster@localhost
ServerName dissem.in
Redirect permanent / https://dissem.in/
</VirtualHost>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName dissem.in
# SSL configuration
# =================
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dissem.in/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dissem.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/dissem.in/fullchain.pem
# Use HSTS
# TODO: Include subdomains? Preload?
Header always set Strict-Transport-Security "max-age=15768000"
# Ciphers configuration from Mozilla
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# Security headers
# ================
# TODO: Content Security Policy?
# XSS filter enabled and prevented rendering the page if attack detected
Header set X-XSS-Protection "1; mode=block"
# Prevent browsers from guessing MIME type
Header set X-Content-Type-Options nosniff
# CORS for the API
# ================
<Location /api>
Header set Access-Control-Allow-Origin "*"
</Location>
# Static assets configuration
# ===========================
# Note that Apache2 requires a Location block for every Alias directive.
Alias /robots.txt /home/dissemin/prod/www/robots.txt
Alias /favicon.ico /home/dissemin/prod/www/favicon/favicon.ico
Alias /favicon/ /home/dissemin/prod/www/favicon/
Alias /static/ /home/dissemin/prod/www/
Alias /media/thumbnails/ /dissemin/media/thumbnails/
Alias /media/repository_logos/ /dissemin/media/repository_logos/
# Enable GZIP compression of static files
<Location /robots.txt>
Require all granted
</Location>
<Location /favicon.ico>
SetOutputFilter DEFLATE
Require all granted
</Location>
<Location /favicon>
SetOutputFilter DEFLATE
Require all granted
</Location>
<Location /media>
SetOutputFilter DEFLATE
Require all granted
</Location>
<Location /static>
SetOutputFilter DEFLATE
Require all granted
</Location>
# TODO: Add Cache-Control headers
# Set up WSGI for the main app
# ============================
# With setting ProcessGroup and ApplicationGroup we can use WSGIImportScript to make reload the wsgi script directly without a request
WSGIProcessGroup prod.dissem.in
WSGIApplicationGroup production
WSGIScriptAlias / /home/dissemin/prod/dissemin/wsgi.py
WSGIDaemonProcess prod.dissem.in python-home=/home/dissemin/prod/.venv python-path=/home/dissemin/prod user=dissemin group=dissemin processes=4 threads=6
WSGIImportScript /home/dissemin/prod/dissemin/wsgi.py process-group=prod.dissem.in application-group=production
<Directory /home/dissemin/prod/dissemin/>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
# Handle maintenance page
# =======================
RewriteEngine On
RewriteCond /home/dissemin/prod/www/maintenance.html -f
RewriteCond %{REQUEST_FILENAME} !/maintenance.html
RewriteRule ^.*$ /home/dissemin/prod/www/maintenance.html [L]
# Logging
# =======
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/django-dissemin-prod.log
CustomLog ${APACHE_LOG_DIR}/access-dissemin-prod.log combined
</VirtualHost>
You can’t perform that action at this time.