Last active
August 29, 2015 13:58
# mod_headers: needed by every "Header ..." directive below
# (Strict-Transport-Security, Content-Security-Policy, Cache-Control).
<IfModule !headers_module>
    LoadModule headers_module modules/mod_headers.so
</IfModule>

# mod_authn_yubikey: provides the "yubikey" AuthBasicProvider that guards /admin.
<IfModule !authn_yubikey_module>
    LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so
</IfModule>

# Reverse-proxy modules: mod_proxy_http carries the application traffic and
# mod_proxy_wstunnel carries the engine.io WebSocket traffic (ws:// backend).
# NOTE(review): mod_rewrite and mod_ssl are used by the vhosts but not loaded
# here; presumably they are enabled elsewhere in the server config.
<IfModule !proxy_module>
    LoadModule proxy_module modules/mod_proxy.so
</IfModule>
<IfModule !proxy_http_module>
    LoadModule proxy_http_module modules/mod_proxy_http.so
</IfModule>
<IfModule !proxy_wstunnel_module>
    LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
</IfModule>
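# Plain-HTTP listener. It serves no content; every request is redirected to HTTPS.
# NOTE(review): as the first *:80 vhost in this file it presumably also receives
# requests whose Host header matches no ServerName - confirm against load order.
<VirtualHost *:80>
    ServerName floobits.com
    ServerAdmin root@floobits.com

    RewriteEngine On

    # no www
    # The redirect target is taken from the client-supplied Host header, so the
    # match is limited to floobits.com names. An unrestricted ^www\.(.+)$ would
    # echo any Host value into the Location header.
    RewriteCond %{HTTP_HOST} ^www\.((?:[a-z0-9-]+\.)*floobits\.com)$ [NC]
    RewriteRule ^(.*)$ https://%1$1 [R=301,L]

    # Redirect to https
    # %{SERVER_NAME} follows the Host header unless UseCanonicalName is On, so
    # the host is validated here as well and any port suffix is dropped.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} ^((?:[a-z0-9-]+\.)*floobits\.com)(?::[0-9]+)?$ [NC]
    RewriteRule ^/?(.*) https://%1/$1 [R,L]

    # Unknown or missing Host: fall back to the canonical name.
    # [R] without a status code is a 302.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://floobits.com/$1 [R,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>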
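# Main HTTPS site: terminates TLS, serves /static and /media from disk, guards
# /admin with YubiKey OTP auth, and proxies everything else to local backends.
<VirtualHost *:443>
    ServerName floobits.com
    ServerAdmin root@floobits.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
    SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediate
    # can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
    # NOTE(review): SSLCACertificateFile is the trust store for client
    # certificates; no SSLVerifyClient is set in this vhost - confirm it is needed.
    # StartCom-issued certificates were later distrusted by major browsers, so a
    # current deployment needs a chain from a different CA.
    SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem

    # Disable SSLv2/v3 and the deprecated TLS 1.0/1.1 (RFC 8996)
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Compression off avoids CRIME-style compression side channels
    SSLCompression Off
    SSLHonorCipherOrder On
    # Avoid insecure ciphers and support perfect forward secrecy
    # The trailing EECDH and EDH+aRSA entries still admit CBC-mode suites as a
    # fallback for clients without AES-GCM.
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

    # includeSubDomains commits every floobits.com subdomain to HTTPS for a year
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # 'unsafe-inline' and 'unsafe-eval' in default-src leave this policy with
    # little value against script injection; it mainly limits which remote
    # origins can be loaded. The staging origin is trusted by production here.
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://floobits.com wss://floobits.com https://*.floobits.com wss://*.floobits.com https://staging.floobits.com:8448 wss://staging.floobits.com:8448 https://ssl.google-analytics.com https://*.olark.com https://*.stripe.com; img-src *; media-src *;"

    RewriteEngine On

    # no www
    # The target host comes from the client-supplied Host header, so only
    # floobits.com names are accepted. Other www.* hosts are not redirected.
    RewriteCond %{HTTP_HOST} ^www\.((?:[a-z0-9-]+\.)*floobits\.com)$ [NC]
    RewriteRule ^(.*)$ https://%1$1 [R=301,L]

    # redirect old links
    RewriteRule ^/org/(.+)$ /$1 [R=302,L]
    RewriteRule ^/r/(.+)$ /$1 [R=302,L]
    RewriteRule ^/u/(.+)$ /$1 [R=302,L]

    DocumentRoot /data/web

    # Deny the filesystem by default; the sections below grant what is served.
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
    </Directory>

    # Indexes is dropped: it is inherited by floobits/static and floobits/media,
    # which bypass the proxy, and would expose auto-generated file listings.
    <Directory /data/web/>
        Options FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ErrorDocument 400 /static/400.html
    ErrorDocument 401 /static/401.html
    ErrorDocument 403 /static/403.html
    ErrorDocument 404 /static/404.html
    ErrorDocument 500 /static/500.html
    ErrorDocument 503 /static/503.html

    Alias /robots.txt /data/web/floobits/static/robots.txt
    Alias /favicon.ico /data/web/floobits/static/favicon.ico
    Alias /media/ /data/web/floobits/media/
    Alias /static/ /data/web/floobits/static/

    # NOTE(review): send-as-is lets a .asis file supply its own response headers,
    # and AddHandler matches that extension anywhere in a file name. If /media/
    # holds user uploads, scope this handler to a directory you control.
    AddHandler send-as-is asis

    # We use unique URLs for these things. Tell browsers to cache them forever.
    <Directory /data/web/floobits/media/>
        Require all granted
        Header set Cache-Control "max-age=29030400, public"
    </Directory>
    <Directory /data/web/floobits/static/>
        Require all granted
        Header set Cache-Control "max-age=29030400, public"
    </Directory>
    <Directory /data/web/floobits/static/js/ace-src-min-noconflict/>
        Require all granted
        Header set Cache-Control "max-age=29030400, public"
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Admin interface: HTTP Basic auth backed by mod_authn_yubikey. Apache checks
    # it before the request is proxied. A reviewer would also confirm that the
    # backend on 127.0.0.1:8000 cannot be reached without passing through here.
    <Location /admin>
        AuthType Basic
        AuthBasicProvider yubikey
        AuthName "Auth"
        AuthYubiKeyTimeout 3600
        AuthYubiKeyTmpFile /var/cache/apache2/yubikey_temp_db
        AuthYubiKeyUserFile /etc/apache2/yubikey_user_db
        AuthYubiKeyRequireSecure On
        AuthYubiKeyExternalErrorPage Off
        require valid-user
    </Location>

    # engine.io goes to the WebSocket backend. The "!" exclusions must stay above
    # the catch-all so that static files are served from disk, not proxied.
    ProxyPass /engine.io ws://localhost:8048/engine.io keepalive=On disablereuse=On status=I
    ProxyPassReverse /engine.io ws://localhost:8048/engine.io
    ProxyPass /favicon.ico !
    ProxyPass /media !
    ProxyPass /robots.txt !
    ProxyPass /static !
    ProxyPass / http://127.0.0.1:8000/ keepalive=On disablereuse=On status=I
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>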
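# email.floobits.com: terminates TLS with the wildcard certificate and redirects
# every request to mailgun.org. No content is served from here.
<VirtualHost *:443>
    ServerName email.floobits.com
    ServerAdmin root@floobits.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
    SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediate
    # can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
    SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem

    # Disable SSLv2/v3 and the deprecated TLS 1.0/1.1 (RFC 8996)
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression Off
    SSLHonorCipherOrder On
    # Avoid insecure ciphers and support perfect forward secrecy
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    RewriteEngine On

    # Redirect to mailgun
    # The Host is compared to a fixed string and the target host is a literal,
    # so only the request path is carried into the Location header.
    RewriteCond %{HTTP_HOST} =email.floobits.com
    RewriteRule ^/?(.*) https://mailgun.org/$1 [R,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>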
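# news.floobits.com: static site served from /data/news over TLS. It reuses the
# main site's /static and /media trees and its error pages.
<VirtualHost *:443>
    ServerName news.floobits.com
    ServerAdmin root@floobits.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/floobits.com-wildcard.crt
    SSLCertificateKeyFile /etc/ssl/private/floobits.com-wildcard.key
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; the intermediate
    # can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/startssl-sub.class2.server.ca.pem
    SSLCACertificateFile /etc/ssl/certs/startssl-ca.pem

    # Disable SSLv2/v3 and the deprecated TLS 1.0/1.1 (RFC 8996)
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression Off
    SSLHonorCipherOrder On
    # Avoid insecure ciphers and support perfect forward secrecy
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # 'unsafe-inline' and 'unsafe-eval' in default-src leave this policy with
    # little value against script injection; it mainly limits remote origins.
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://floobits.com https://*.floobits.com wss://*.floobits.com https://staging.floobits.com:8448 wss://staging.floobits.com:8448 https://ssl.google-analytics.com https://*.olark.com; img-src *; media-src *;"

    DocumentRoot /data/news

    # Deny the filesystem by default; the sections below grant what is served.
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
    </Directory>

    # NOTE(review): Indexes produces a file listing for any directory under
    # /data/news that has no index file - confirm that this is intended.
    <Directory /data/news/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    ErrorDocument 400 /static/400.html
    ErrorDocument 401 /static/401.html
    ErrorDocument 403 /static/403.html
    ErrorDocument 404 /static/404.html
    ErrorDocument 500 /static/500.html
    ErrorDocument 503 /static/503.html

    Alias /robots.txt /data/news/robots.txt
    Alias /favicon.ico /data/web/floobits/static/favicon.ico
    Alias /media/ /data/web/floobits/media/
    Alias /static/ /data/web/floobits/static/

    # Apache 2.4 access syntax, matching the main vhost. The 2.2-style
    # "Order deny,allow / Allow from all" depends on mod_access_compat.
    <Directory /data/web/floobits/media/>
        Require all granted
        Header set Cache-Control "max-age=29030400, public"
    </Directory>
    <Directory /data/web/floobits/static/>
        Require all granted
        Header set Cache-Control "max-age=29030400, public"
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>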