-
-
Notifications
You must be signed in to change notification settings - Fork 710
/
Copy pathapache-virtualhost.conf
114 lines (101 loc) · 4.53 KB
/
apache-virtualhost.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# This is a sample Apache SSL reverse proxy configuration for use with Sandstorm. Read more:
#
# https://docs.sandstorm.io/en/latest/administering/
# Any line containing example.com MUST be changed for this to work right. All other lines
# should work for an "out of the box" installation.
#
# Requires mod_ssl, mod_socache_shmcb, mod_rewrite, mod_headers, and mod_http2
<VirtualHost *:80>
# Use this VirtualHost for example.com and wildcards.
ServerName example.com
ServerAlias *.example.com
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias *.example.com
SSLEngine on
# The following paths will of course need to be replaced with the correct paths
# curl https://ssl-config.mozilla.org/ffdhe2048.txt >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key
# Apache >=2.4.8 supports full cert chain and obsoletes SSLCertificateChainFile
# Uncomment it if running older version
#SSLCertificateChainFile /etc/pki/tls/certs/providedChainFileForexample.com.crt
# Enable h2 (HTTP/2), if available
# h2 requires Apache >=2.4.17 and mod_http2
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
Header always add Strict-Transport-Security "max-age=63072000; includeSubdomains"
# Enable mod_rewrite so we can dispatch to ws:// vs. http:// based on HTTP Header. To make this
# work, you might need to run:
#
# sudo a2enmod rewrite
RewriteEngine On
SSLProxyEngine On
# If this request wanted a websocket, then give it one. To make this work, you might need to run:
#
# sudo a2enmod proxy_wstunnel
RewriteCond %{HTTP:Upgrade} =websocket
RewriteRule /(.*) ws://127.0.0.1:6080/$1 [P,L]
# If this request did not want a websocket, then give it http:// access to Sandstorm. To make this
# work, you might need to run:
#
# sudo a2enmod proxy_http
RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://127.0.0.1:6080/$1 [P,L]
# By default, send all requests to Sandstorm over http://
ProxyPass / http://127.0.0.1:6080/ KeepAlive=On
# Preserve the inbound "Host: ..." header from the HTTP request. This is important so that
# Sandstorm can detect which wildcard host is being requested.
ProxyPreserveHost On
</VirtualHost>
# Configure SSL with forward secrecy and other goodies.
# Ciphersuite taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# "Intermediate compatibility" as of 2019-09-17
# TLSv1.3 requires Apache >=2.4.36 & OpenSSL >=1.1.1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
# OCSP stapling, requires Intermediate cert
#SSLUseStapling On
#SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Uncomment the below section and remove the above section if SSL is not desired.
#
# # This is a sample Apache reverse proxy configuration for use with Sandstorm. Read more:
# #
# # https://docs.sandstorm.io/en/latest/administering/
#
# <VirtualHost *:80>
# # Use this VirtualHost for example.com and wildcards.
# ServerName example.com
# ServerAlias *.example.com
#
# # Enable mod_rewrite so we can dispatch to ws:// vs. http:// based on HTTP Header. To make this
# # work, you might need to run:
# #
# # sudo a2enmod rewrite
# RewriteEngine On
#
# # If this request wanted a websocket, then give it one. To make this work, you might need to run:
# #
# # sudo a2enmod proxy_wstunnel
# RewriteCond %{HTTP:Upgrade} =websocket
# RewriteRule /(.*) ws://localhost:6080/$1 [P,L]
#
# # If this request did not want a websocket, then give it http:// access to Sandstorm. To make this
# # work, you might need to run:
# #
# # sudo a2enmod proxy_http
# RewriteCond %{HTTP:Upgrade} !=websocket
# RewriteRule /(.*) http://localhost:6080/$1 [P,L]
#
# # By default, send all requests to Sandstorm over http://
# ProxyPass / http://localhost:6080/
#
# # Preserve the inbound "Host: ..." header from the HTTP request. This is important so that
# # Sandstorm can detect which wildcard host is being requested.
# ProxyPreserveHost On
# </VirtualHost>