# Module guards. Each LoadModule is skipped when the server-wide config has
# already loaded the module, so this file can be dropped onto hosts whose
# base configuration differs.
# mod_headers: provides the Header directives (HSTS, CSP, caching) used in the
# vhosts below.
<IfModule !headers_module>
LoadModule headers_module modules/mod_headers.so
</IfModule>
# mod_authn_yubikey: the OTP auth provider behind <Location /admin>.
# Loaded by absolute path; the others use the ServerRoot-relative modules/
# directory - presumably both resolve to the same place on this host (Debian
# links modules/ to /usr/lib/apache2/modules), verify before reusing elsewhere.
<IfModule !authn_yubikey_module>
LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so
</IfModule>
# mod_proxy plus its HTTP and WebSocket back-ends, for the engine.io and
# application ProxyPass lines. Order matters: proxy_module must be loaded
# before proxy_http and proxy_wstunnel, which depend on it.
<IfModule !proxy_module>
LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !proxy_http_module>
LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !proxy_wstunnel_module>
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
</IfModule>
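<VirtualHost *:80>
ServerName floobits.com
ServerAdmin root@floobits.com
# Plain-HTTP listener. Its only job is to send every request to HTTPS; no
# content is served here. (Deliberately no Strict-Transport-Security header:
# RFC 6797 requires clients to ignore HSTS received over plain HTTP.)
RewriteEngine On
# Redirect targets are built from the client-supplied Host header, so they
# are restricted to hosts under floobits.com. The previous rules used
# %{SERVER_NAME} and an unanchored "www.(.+)" capture; with UseCanonicalName
# Off (the httpd default) both simply reflect whatever Host the client sent,
# which made this vhost an open redirect for any Host value. The captures
# below also drop a trailing :port so the target never becomes
# https://host:80/. The old "%{HTTPS} !=on" condition is gone: on a plain
# :80 listener it is always true. 301 instead of the default 302: the move
# to HTTPS is permanent and a cached permanent redirect saves a round trip.
# www.<host> -> <host> over HTTPS, in one hop
RewriteCond %{HTTP_HOST} ^www\.((?:[a-z0-9-]+\.)*floobits\.com)(:[0-9]+)?$ [NC]
RewriteRule ^/?(.*) https://%1/$1 [R=301,L]
# any other floobits.com host -> the same host over HTTPS
RewriteCond %{HTTP_HOST} ^((?:[a-z0-9-]+\.)*floobits\.com)(:[0-9]+)?$ [NC]
RewriteRule ^/?(.*) https://%1/$1 [R=301,L]
# anything else (bare IP, missing or foreign Host header) -> the apex
RewriteRule ^/?(.*) https://floobits.com/$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>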
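<VirtualHost *:443>
ServerName floobits.com
ServerAdmin root@floobits.com
SSLEngine on
# NOTE(review): StartCom/StartSSL has been distrusted by the major browser
# root programs since 2016-2017; anything still chained to these files must
# be reissued by a currently trusted CA. The wildcard key is shared by every
# vhost in this file, so compromise of any one host exposes all of
# *.floobits.com - consider per-host certificates.
SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem
# TLS 1.2 and newer only. "All -SSLv2 -SSLv3" still enabled TLS 1.0/1.1,
# which are deprecated (RFC 8996) and disallowed by PCI DSS since mid-2018;
# the AES-GCM / SHA-2 suites below need TLS 1.2 anyway. TLS 1.3 is covered
# by "All" wherever the OpenSSL build supports it.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# TLS-level compression leaks plaintext (CRIME).
SSLCompression Off
SSLHonorCipherOrder On
# Forward-secret (ECDHE/DHE) suites only, AEAD first. The bare EECDH and
# EDH+aRSA groups near the end still admit CBC/SHA-1 suites as a fallback
# for TLS 1.2 clients without GCM; drop them once such clients are gone.
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
# HSTS for one year, covering subdomains. Do not add "preload" until the
# domain has been submitted to hstspreload.org and every subdomain is known
# to serve HTTPS - removal from the preload list takes months.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# TODO(security): 'unsafe-inline' and 'unsafe-eval' in default-src (and so
# in script-src) mean this policy does not stop reflected or stored XSS; it
# only limits where injected code may load resources from. Nonces or hashes
# for the inline scripts are the real fix. Added here: object-src 'none'
# blocks plugin content that default-src 'self' would otherwise allow, and
# frame-ancestors 'self' (with X-Frame-Options below for pre-CSP2 browsers)
# stops clickjacking. NOTE(review): relax frame-ancestors if any third-party
# page legitimately frames floobits.com.
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://floobits.com wss://floobits.com https://*.floobits.com wss://*.floobits.com https://staging.floobits.com:8448 wss://staging.floobits.com:8448 https://ssl.google-analytics.com https://*.olark.com https://*.stripe.com; img-src *; media-src *; object-src 'none'; frame-ancestors 'self';"
Header always set X-Frame-Options "SAMEORIGIN"
# Stop MIME sniffing, so a file served from /media/ or /static/ with a
# non-script content type is never executed as script.
Header always set X-Content-Type-Options "nosniff"
RewriteEngine On
# no www. The host is taken from the client-supplied Host header, so it is
# constrained to *.floobits.com (with any :port dropped) instead of the old
# "www.(.+)" capture, which would redirect to any host a client named.
RewriteCond %{HTTP_HOST} ^www\.((?:[a-z0-9-]+\.)*floobits\.com)(:[0-9]+)?$ [NC]
RewriteRule ^/?(.*) https://%1/$1 [R=301,L]
# redirect old links
RewriteRule ^/org/(.+)$ /$1 [R=302,L]
RewriteRule ^/r/(.+)$ /$1 [R=302,L]
RewriteRule ^/u/(.+)$ /$1 [R=302,L]
DocumentRoot /data/web
<Directory />
Options FollowSymLinks
AllowOverride None
# Deny by default; every tree that is actually served is granted below.
# httpd 2.4's stock config does this too, but stating it here keeps the
# vhost safe if the global default ever changes.
Require all denied
</Directory>
<Directory /data/web/>
# No "Indexes": it was inherited by the aliased /static/ and /media/ trees,
# so a request for a directory without an index file (e.g. /static/js/)
# returned a listing of its contents. Nothing under /data/web is meant to be
# browsed - everything other than the aliased trees is proxied to the app.
Options FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
ErrorDocument 400 /static/400.html
ErrorDocument 401 /static/401.html
ErrorDocument 403 /static/403.html
ErrorDocument 404 /static/404.html
ErrorDocument 500 /static/500.html
ErrorDocument 503 /static/503.html
Alias /robots.txt /data/web/floobits/static/robots.txt
Alias /favicon.ico /data/web/floobits/static/favicon.ico
Alias /media/ /data/web/floobits/media/
Alias /static/ /data/web/floobits/static/
AddHandler send-as-is asis
# We use unique URLs for these things. Tell browsers to cache them forever.
<Directory /data/web/floobits/media/>
Require all granted
Header set Cache-Control "max-age=29030400, public"
</Directory>
<Directory /data/web/floobits/static/>
Require all granted
Header set Cache-Control "max-age=29030400, public"
</Directory>
<Directory /data/web/floobits/static/js/ace-src-min-noconflict/>
Require all granted
Header set Cache-Control "max-age=29030400, public"
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Location /admin>
# /admin and everything below it needs a YubiKey OTP presented as the HTTP
# Basic password, validated by mod_authn_yubikey; httpd enforces this before
# the request is proxied to the app below. The Authorization header is still
# forwarded to the backend - harmless for a single-use OTP, but the app must
# not treat that header as a credential of its own.
AuthType Basic
AuthBasicProvider yubikey
AuthName "Auth"
# Presumably seconds a validated OTP stays usable via the tmp db - confirm
# against the module docs.
AuthYubiKeyTimeout 3600
AuthYubiKeyTmpFile /var/cache/apache2/yubikey_temp_db
AuthYubiKeyUserFile /etc/apache2/yubikey_user_db
# Refuse OTPs over plain HTTP (belt and braces: this vhost is TLS-only)
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
require valid-user
</Location>
# Off is the default; stated explicitly so a later edit can never turn this
# reverse proxy into an open forward proxy.
ProxyRequests Off
ProxyPass /engine.io ws://localhost:8048/engine.io keepalive=On disablereuse=On status=I
ProxyPassReverse /engine.io ws://localhost:8048/engine.io
ProxyPass /favicon.ico !
ProxyPass /media !
ProxyPass /robots.txt !
ProxyPass /static !
ProxyPass / http://127.0.0.1:8000/ keepalive=On disablereuse=On status=I
ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>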
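<VirtualHost *:443>
ServerName email.floobits.com
ServerAdmin root@floobits.com
SSLEngine on
# NOTE(review): StartSSL-issued certificates have been distrusted by the
# major browsers since 2016-2017; reissue from a trusted CA. Same shared
# wildcard key as the other vhosts.
SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem
# TLS 1.2+ only; TLS 1.0/1.1 are deprecated (RFC 8996) and the GCM/SHA-2
# suites below need 1.2 anyway. TLS 1.3 is included by "All" where available.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression Off
SSLHonorCipherOrder On
# Forward-secret suites only, AEAD first (same list as the main vhost).
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
RewriteEngine On
# Redirect to mailgun. This vhost is only selected when the Host header
# names email.floobits.com (it is not the first *:443 vhost, so it is never
# the default), so the redirect is unconditional. The old exact-match
# condition "=email.floobits.com" failed whenever the Host carried a ":443"
# suffix; the request then fell through to the server-wide DocumentRoot,
# which this vhost should never serve.
RewriteRule ^/?(.*) https://mailgun.org/$1 [R,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>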
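<VirtualHost *:443>
ServerName news.floobits.com
ServerAdmin root@floobits.com
SSLEngine on
# NOTE(review): StartSSL-issued certificates have been distrusted by the
# major browsers since 2016-2017; reissue from a trusted CA. Same shared
# wildcard key as the other vhosts.
SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem
# TLS 1.2+ only; TLS 1.0/1.1 are deprecated (RFC 8996) and the GCM/SHA-2
# suites below need 1.2 anyway. TLS 1.3 is included by "All" where available.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression Off
SSLHonorCipherOrder On
# Forward-secret suites only, AEAD first (same list as the main vhost).
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# TODO(security): as on the main vhost, 'unsafe-inline'/'unsafe-eval' in
# default-src leave XSS unmitigated by this policy. object-src 'none' and
# frame-ancestors 'self' (plus X-Frame-Options for pre-CSP2 browsers) are
# added for plugin content and clickjacking. NOTE(review): relax
# frame-ancestors if the news site is legitimately embedded elsewhere.
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://floobits.com https://*.floobits.com wss://*.floobits.com https://staging.floobits.com:8448 wss://staging.floobits.com:8448 https://ssl.google-analytics.com https://*.olark.com; img-src *; media-src *; object-src 'none'; frame-ancestors 'self';"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
DocumentRoot /data/news
<Directory />
Options FollowSymLinks
AllowOverride None
# Deny by default; the trees served below are granted explicitly.
Require all denied
</Directory>
<Directory /data/news/>
# No "Indexes": a directory under the news root without an index file must
# not list its contents to visitors.
Options FollowSymLinks MultiViews
AllowOverride None
Require all granted
</Directory>
ErrorDocument 400 /static/400.html
ErrorDocument 401 /static/401.html
ErrorDocument 403 /static/403.html
ErrorDocument 404 /static/404.html
ErrorDocument 500 /static/500.html
ErrorDocument 503 /static/503.html
Alias /robots.txt /data/news/robots.txt
Alias /favicon.ico /data/web/floobits/static/favicon.ico
Alias /media/ /data/web/floobits/media/
Alias /static/ /data/web/floobits/static/
# httpd 2.4 access control, matching the other vhosts. The previous
# "Order deny,allow / Allow from all" is 2.2 syntax that only works with
# mod_access_compat loaded, and mixing it with Require across merged
# sections gives hard-to-predict results.
<Directory /data/web/floobits/media/>
Require all granted
Header set Cache-Control "max-age=29030400, public"
</Directory>
<Directory /data/web/floobits/static/>
Require all granted
Header set Cache-Control "max-age=29030400, public"
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
# Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>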