Skip to content
Permalink
master
Go to file
 
 
Cannot retrieve contributors at this time
114 lines (101 sloc) 4.53 KB
# This is a sample Apache SSL reverse proxy configuration for use with Sandstorm. Read more:
#
# https://docs.sandstorm.io/en/latest/administering/
# Any line containing example.com MUST be changed for this to work right. All other lines
# should work for an "out of the box" installation.
#
# Requires mod_ssl, mod_socache_shmcb, mod_rewrite, mod_headers, and mod_http2
<VirtualHost *:80>
# Use this VirtualHost for example.com and wildcards.
ServerName example.com
ServerAlias *.example.com
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias *.example.com
SSLEngine on
# The following paths will of course need to be replaced with the correct paths
# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key
# Apache >=2.4.8 supports full cert chain and obsoletes SSLCertificateChainFile
# Uncomment it if running older version
#SSLCertificateChainFile /etc/pki/tls/certs/providedChainFileForexample.com.crt
# Enable h2 (HTTP/2), if available
# h2 requires Apache >=2.4.17 and mod_http2
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always add Strict-Transport-Security "max-age=63072000; includeSubdomains"
# Enable mod_rewrite so we can dispatch to ws:// vs. http:// based on HTTP Header. To make this
# work, you might need to run:
#
# sudo a2enmod rewrite
RewriteEngine On
SSLProxyEngine On
# If this request wanted a websocket, then give it one. To make this work, you might need to run:
#
# sudo a2enmod proxy_wstunnel
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://127.0.0.1:6080/$1 [P,L]
# If this request did not want a websocket, then give it http:// access to Sandstorm. To make this
# work, you might need to run:
#
# sudo a2enmod proxy_http
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://127.0.0.1:6080/$1 [P,L]
# By default, send all requests to Sandstorm over http://
ProxyPass / http://127.0.0.1:6080/ KeepAlive=On
# Preserve the inbound "Host: ..." header from the HTTP request. This is important so that
# Sandstorm can detect which wildcard host is being requested.
ProxyPreserveHost On
</VirtualHost>
# Configure SSL with forward secrecy and other goodies.
# Ciphersuite taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# "Intermediate compatibility" as of 2019-09-17
# TLSv1.3 requires Apache >=2.4.36 & OpenSSL >=1.1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
# OCSP stapling, requires Intermediate cert
#SSLUseStapling On
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Uncomment the below section and remove the above section if SSL is not desired.
#
# # This is a sample Apache reverse proxy configuration for use with Sandstorm. Read more:
# #
# # https://docs.sandstorm.io/en/latest/administering/
#
# <VirtualHost *:80>
# # Use this VirtualHost for example.com and wildcards.
# ServerName example.com
# ServerAlias *.example.com
#
# # Enable mod_rewrite so we can dispatch to ws:// vs. http:// based on HTTP Header. To make this
# # work, you might need to run:
# #
# # sudo a2enmod rewrite
# RewriteEngine On
#
# # If this request wanted a websocket, then give it one. To make this work, you might need to run:
# #
# # sudo a2enmod proxy_wstunnel
# RewriteCond %{HTTP:Upgrade} =websocket
# RewriteRule /(.*) ws://localhost:6080/$1 [P,L]
#
# # If this request did not want a websocket, then give it http:// access to Sandstorm. To make this
# # work, you might need to run:
# #
# # sudo a2enmod proxy_http
# RewriteCond %{HTTP:Upgrade} !=websocket
# RewriteRule /(.*) http://localhost:6080/$1 [P,L]
#
# # By default, send all requests to Sandstorm over http://
# ProxyPass / http://localhost:6080/
#
# # Preserve the inbound "Host: ..." header from the HTTP request. This is important so that
# # Sandstorm can detect which wildcard host is being requested.
# ProxyPreserveHost On
# </VirtualHost>
You can’t perform that action at this time.