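# HTTPS virtual host for lemmy.makearmy.io. It terminates TLS, serves the
# lemmy-ui static files from /opt/lemmy/lemmy-ui/dist, and reverse-proxies the
# rest to two loopback listeners: 127.0.0.1:8536 (API / federation paths) and
# 127.0.0.1:1234 (frontend).
<VirtualHost *:443>
    ServerName lemmy.makearmy.io
    # The address below was obfuscated by the paste site; substitute the real
    # contact address before using this file.
    ServerAdmin [email protected]

    # --- Logging ---------------------------------------------------------
    ErrorLog "/usr/local/apache2/logs/ssl-error_log"
    # NOTE(review): the "common" format records no Referer or User-Agent; a
    # format that includes them (e.g. "combined", if defined in the main
    # config) gives more to work with during incident triage.
    CustomLog "/usr/local/apache2/logs/ssl-access_log" common
    # Per-request TLS protocol and cipher, useful for spotting legacy clients.
    CustomLog "/usr/local/apache2/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    LogLevel warn

    # --- TLS ---------------------------------------------------------------
    SSLEngine on
    # Legacy line kept for reference only; it would re-enable SSLv3/TLS 1.0/1.1.
    #SSLProtocol all -SSLv2
    # Offer TLS 1.2 and TLS 1.3 only.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # OpenSSL cipher string for TLS 1.2 and below: HIGH-strength suites only,
    # no anonymous/NULL suites, no SHA-1 MAC suites. TLS 1.3 suites are not
    # governed by this line (mod_ssl takes them via "SSLCipherSuite TLSv1.3 ...").
    SSLCipherSuite HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA
    # Legacy line kept for reference only; it admits RC4, MEDIUM and LOW suites.
    #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    # Since httpd 2.4.8 SSLCertificateFile loads the leaf certificate together
    # with its intermediates, which made SSLCertificateChainFile obsolete. The
    # full-chain file is therefore referenced directly and the separate chain
    # directive is dropped.
    SSLCertificateFile "/root/.acme.sh/lemmy.makearmy.io_ecc/fullchain.cer"
    SSLCertificateKeyFile "/root/.acme.sh/lemmy.makearmy.io_ecc/lemmy.makearmy.io.key"
    # NOTE(review): these paths point into acme.sh's own working directory
    # under /root. acme.sh documents --install-cert for copying the key and
    # chain to a stable location with a reload hook; confirm the private key
    # stays readable by its owner only wherever it ends up.
    SSLHonorCipherOrder on
    # TLS-level compression stays off (CRIME-class attacks).
    SSLCompression off
    # No session tickets, so no long-lived ticket key to rotate or leak.
    SSLSessionTickets off
    Protocols h2 http/1.1

    # --- Legacy script handling ------------------------------------------
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    # NOTE(review): AllowOverride All lets any .htaccess file in this tree
    # change every overridable setting. The DocumentRoot set further down is a
    # different path, so whether this directory is reachable through this
    # vhost cannot be told from here; tighten or remove if unused.
    <Directory /usr/local/apache2/secure/makearmy.io.lemmy>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    # NOTE(review): nothing else in this vhost refers to PHP. If no PHP
    # application is served here, dropping this handler removes an execution
    # path for any *.php file that lands under a served directory.
    <FilesMatch \.php$>
        # Apache 2.4.10+ can proxy to unix socket
        SetHandler "proxy:unix:///run/php83-fpm.sock|fcgi://localhost/"
    </FilesMatch>
    <Directory "/usr/local/apache2/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # Add compression for some text-based resources
    # AddOutputFilterByType DEFLATE text/css
    # AddOutputFilterByType DEFLATE application/javascript
    # AddOutputFilterByType DEFLATE image/svg+xml

    # --- Response headers ------------------------------------------------
    # HSTS for two years; includeSubDomains extends it to every subdomain of
    # this host name, so each of them must be HTTPS-only as well.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    # NOTE(review): current browsers no longer ship the XSS filter this header
    # controls, and OWASP's header guidance is to send "0" and rely on a
    # Content-Security-Policy instead. No Content-Security-Policy or
    # Referrer-Policy header is set in this vhost.
    Header always set X-XSS-Protection "1; mode=block"

    # --- Reverse proxy ---------------------------------------------------
    # Pass the client's Host header through and add the X-Forwarded-* headers.
    # The backends should accept those headers only from this proxy.
    ProxyPreserveHost On
    ProxyAddHeaders On

    # Don't proxy LetsEncrypt's ACME challenge
    ProxyPass /.well-known/acme-challenge/ !
    <Directory /opt/lemmy/lemmy-ui/dist/.well-known/acme-challenge>
        Require all granted
        AllowOverride none
        Options -Indexes +FollowSymLinks
    </Directory>

    # Don't proxy static files, serve them directly instead.
    # The dot in service-worker.js is escaped so it matches a literal "."
    # rather than any character. The pattern is still a prefix match: any
    # path that merely begins with one of these names is served from disk.
    ProxyPassMatch ^/(assets|js|styles|service-worker\.js) !
    DocumentRoot /opt/lemmy/lemmy-ui/dist
    <Directory /opt/lemmy/lemmy-ui/dist>
        Require all granted
    </Directory>

    # Proxy API calls
    # NOTE(review): the backend is addressed with the ws:// scheme even for
    # ordinary (non-Upgrade) HTTP requests. How such requests are handled
    # depends on the httpd version and the proxy modules loaded; confirm on
    # the deployed build, or use http:// for plain requests.
    ProxyPassMatch ^/(api|pictrs|feeds|nodeinfo|\.well-known)/(.*)$ ws://127.0.0.1:8536/$1/$2
    # ProxyPassReverse doesn't like regexps, so we have to manually specify every location
    ProxyPassReverse /api/ ws://127.0.0.1:8536/api/
    ProxyPassReverse /pictrs/ ws://127.0.0.1:8536/pictrs/
    ProxyPassReverse /feeds/ ws://127.0.0.1:8536/feeds/
    ProxyPassReverse /nodeinfo/ ws://127.0.0.1:8536/nodeinfo/
    ProxyPassReverse /.well-known/ ws://127.0.0.1:8536/.well-known/

    # Proxy the frontend
    ProxyPass / http://127.0.0.1:1234/
    ProxyPassReverse / http://127.0.0.1:1234/

    # Correctly proxy websocket traffic.
    # Host and port of the target are fixed; the client influences only the
    # path appended through %{REQUEST_URI}. Only the Upgrade header is tested.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule .* ws://127.0.0.1:8536%{REQUEST_URI} [P]

    # Proxy POST and JSON requests directly to the backend.
    # The three conditions are OR-ed: an exact ActivityPub Accept value, or
    # any request method that starts with "POST". This applies to every path,
    # including ones that the rules above would serve from disk.
    RewriteCond %{HTTP_ACCEPT} "=application/activity+json" [NC,OR]
    RewriteCond %{HTTP_ACCEPT} '=application/ld+json; profile="https://www.w3.org/ns/activitystreams"' [NC,OR]
    RewriteCond %{REQUEST_METHOD} ^POST [NC]
    RewriteRule .* ws://127.0.0.1:8536%{REQUEST_URI} [P]
</VirtualHost>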