<IfModule mod_ssl.c> <VirtualHost *:80> Redirect perma

1. <IfModule mod_ssl.c>
2.         <VirtualHost *:80>
3.                 Redirect permanent / https://cloud.mydomain.tld
4.                 RewriteEngine on
5.                 RewriteCond %{SERVER_NAME} =mydomain.tld [OR]
6.                 RewriteCond %{SERVER_NAME} =cloud.mydomain.tld
7.                 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
8.         </VirtualHost>
9.         <VirtualHost *:443>
10.                 ServerAdmin email@mydomain.tld
11.                 ServerName cloud.mydomain.tld
12.                 <Directory /var/www/nextcloud/>
13.                         Options +FollowSymlinks
14.                         AllowOverride All
15.                         Satisfy Any
16.                         <IfModule mod_dav.c>
17.                                 Dav off
18.                         </IfModule>
19.  
20.                         SetEnv HOME /var/www/nextcloud
21.                         SetEnv HTTP_HOME /var/www/nextcloud
22.                 </Directory>
23.  
24.                 DocumentRoot /var/www/nextcloud
25.  
26.                 # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
27.                 # error, crit, alert, emerg.
28.                 # It is also possible to configure the loglevel for particular
29.                 # modules, e.g.
30.                 #LogLevel info ssl:warn
31.  
32.                 ErrorLog ${APACHE_LOG_DIR}/error.log
33.                 CustomLog ${APACHE_LOG_DIR}/access.log combined
34.  
35.                 # For most configuration files from conf-available/, which are
36.                 # enabled or disabled at a global level, it is possible to
37.                 # include a line for only one particular virtual host. For example the
38.                 # following line enables the CGI configuration for this host only
39.                 # after it has been globally disabled with "a2disconf".
40.                 #Include conf-available/serve-cgi-bin.conf
41.  
42.                 #   SSL Engine Switch:
43.                 #   Enable/Disable SSL for this virtual host.
44.                 SSLEngine on
45.  
46.                 #   A self-signed (snakeoil) certificate can be created by installing
47.                 #   the ssl-cert package. See
48.                 #   /usr/share/doc/apache2/README.Debian.gz for more info.
49.                 #   If both key and certificate are stored in the same file, only the
50.                 #   SSLCertificateFile directive is needed.
51.  
52.                 #   Server Certificate Chain:
53.                 #   Point SSLCertificateChainFile at a file containing the
54.                 #   concatenation of PEM encoded CA certificates which form the
55.                 #   certificate chain for the server certificate. Alternatively
56.                 #   the referenced file can be the same as SSLCertificateFile
57.                 #   when the CA certificates are directly appended to the server
58.                 #   certificate for convinience.
59.                 #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
60.  
61.                 #   Certificate Authority (CA):
62.                 #   Set the CA certificate verification path where to find CA
63.                 #   certificates for client authentication or alternatively one
64.                 #   huge file containing all of them (file must be PEM encoded)
65.                 #   Note: Inside SSLCACertificatePath you need hash symlinks
66.                 #                to point to the certificate files. Use the provided
67.                 #                Makefile to update the hash symlinks after changes.
68.                 #SSLCACertificatePath /etc/ssl/certs/
69.                 #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
70.  
71.                 #   Certificate Revocation Lists (CRL):
72.                 #   Set the CA revocation path where to find CA CRLs for client
73.                 #   authentication or alternatively one huge file containing all
74.                 #   of them (file must be PEM encoded)
75.                 #   Note: Inside SSLCARevocationPath you need hash symlinks
76.                 #                to point to the certificate files. Use the provided
77.                 #                Makefile to update the hash symlinks after changes.
78.                 #SSLCARevocationPath /etc/apache2/ssl.crl/
79.                 #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
80.  
81.                 #   Client Authentication (Type):
82.                 #   Client certificate verification type and depth.  Types are
83.                 #   none, optional, require and optional_no_ca.  Depth is a
84.                 #   number which specifies how deeply to verify the certificate
85.                 #   issuer chain before deciding the certificate is not valid.
86.                 #SSLVerifyClient require
87.                 #SSLVerifyDepth  10
88.  
89.                 #   SSL Engine Options:
90.                 #   Set various options for the SSL engine.
91.                 #   o FakeBasicAuth:
92.                 #        Translate the client X.509 into a Basic Authorisation.  This means that
93.                 #        the standard Auth/DBMAuth methods can be used for access control.  The
94.                 #        user name is the `one line' version of the client's X.509 certificate.
95.                 #        Note that no password is obtained from the user. Every entry in the user
96.                 #        file needs this password: `xxj31ZMTZzkVA'.
97.                 #   o ExportCertData:
98.                 #        This exports two additional environment variables: SSL_CLIENT_CERT and
99.                 #        SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
100.                 #        server (always existing) and the client (only existing when client
101.                 #        authentication is used). This can be used to import the certificates
102.                 #        into CGI scripts.
103.                 #   o StdEnvVars:
104.                 #        This exports the standard SSL/TLS related `SSL_*' environment variables.
105.                 #        Per default this exportation is switched off for performance reasons,
106.                 #        because the extraction step is an expensive operation and is usually
107.                 #        useless for serving static content. So one usually enables the
108.                 #        exportation for CGI and SSI requests only.
109.                 #   o OptRenegotiate:
110.                 #        This enables optimized SSL connection renegotiation handling when SSL
111.                 #        directives are used in per-directory context.
112.                 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
113.                 <FilesMatch "\.(cgi|shtml|phtml|php)$">
114.                                 SSLOptions +StdEnvVars
115.                 </FilesMatch>
116.                 <Directory /usr/lib/cgi-bin>
117.                                 SSLOptions +StdEnvVars
118.                 </Directory>
119.  
120.                 #   SSL Protocol Adjustments:
121.                 #   The safe and default but still SSL/TLS standard compliant shutdown
122.                 #   approach is that mod_ssl sends the close notify alert but doesn't wait for
123.                 #   the close notify alert from client. When you need a different shutdown
124.                 #   approach you can use one of the following variables:
125.                 #   o ssl-unclean-shutdown:
126.                 #        This forces an unclean shutdown when the connection is closed, i.e. no
127.                 #        SSL close notify alert is send or allowed to received.  This violates
128.                 #        the SSL/TLS standard but is needed for some brain-dead browsers. Use
129.                 #        this when you receive I/O errors because of the standard approach where
130.                 #        mod_ssl sends the close notify alert.
131.                 #   o ssl-accurate-shutdown:
132.                 #        This forces an accurate shutdown when the connection is closed, i.e. a
133.                 #        SSL close notify alert is send and mod_ssl waits for the close notify
134.                 #        alert of the client. This is 100% SSL/TLS standard compliant, but in
135.                 #        practice often causes hanging connections with brain-dead browsers. Use
136.                 #        this only for browsers where you know that their SSL implementation
137.                 #        works correctly.
138.                 #   Notice: Most problems of broken clients are also related to the HTTP
139.                 #   keep-alive facility, so you usually additionally want to disable
140.                 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
141.                 #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
142.                 #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
143.                 #   "force-response-1.0" for this.
144.                 # BrowserMatch "MSIE [2-6]" \
145.                 #               nokeepalive ssl-unclean-shutdown \
146.                 #               downgrade-1.0 force-response-1.0
147.  
148.                 Include /etc/letsencrypt/options-ssl-apache.conf
149.                 Include /etc/letsencrypt/options-ssl-apache.conf
150.                 Include /etc/letsencrypt/options-ssl-apache.conf
151.                 SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
152.                 SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
153.                 Include /etc/letsencrypt/options-ssl-apache.conf
154.         </VirtualHost>
155.         <VirtualHost *:443>
156.                 ServerName office.mydomain.tld:443
157.  
158.                 # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
159.                 SSLEngine on
160.                 SSLCertificateFile /etc/letsencrypt/live/mydomain.tld/fullchain.pem
161.                 SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.tld/privkey.pem
162.                 SSLProtocol             all -SSLv2 -SSLv3
163.                 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
164.                 SSLHonorCipherOrder     on
165.  
166.                 # Encoded slashes need to be allowed
167.                 AllowEncodedSlashes NoDecode
168.  
169.                 # Container uses a unique non-signed certificate
170.                 SSLProxyEngine On
171.                 SSLProxyVerify None
172.                 SSLProxyCheckPeerCN Off
173.                 SSLProxyCheckPeerName Off
174.  
175.                 # keep the host
176.                 ProxyPreserveHost On
177.  
178.                 # static html, js, images, etc. served from loolwsd
179.                 # loleaflet is the client part of LibreOffice Online
180.                 ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
181.                 ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet
182.  
183.                 # WOPI discovery URL
184.                 ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
185.                 ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery
186.  
187.                 # Main websocket
188.                 ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
189.  
190.                 # Admin Console websocket
191.                 ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws
192.  
193.                 # Download as, Fullscreen presentation and Image upload operations
194.                 ProxyPass           /lool https://127.0.0.1:9980/lool
195.                 ProxyPassReverse    /lool https://127.0.0.1:9980/lool
196.         </VirtualHost>
197. </IfModule>