summaryrefslogtreecommitdiffstats
path: root/apache2-VH.conf
blob: da8b963f98c1bacb43a641851537d1822e0fa760 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<VirtualHost *:80>
    ServerName safecomms.virebent.art
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName localhost.localdomain
    DocumentRoot /var/www/nofuture

    # Enable SSL and specify the paths for Let's Encrypt certificates
    SSLEngine on
    SSLProtocol -all +TLSv1.3
    SSLCertificateFile /etc/letsencrypt/live/localhost.localdomain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/localhost.localdomain/privkey.pem
    
    # Enable HTTP/2
    Protocols h2 http/1.1
    # Example: if your backend handles exactly these 4 routes:
    ProxyPreserveHost On
    ProxyPass /api/ http://127.0.0.1:3000/api/ disablereuse=On
    ProxyPassReverse /api/ http://127.0.0.1:3000/api/

    # CORS Headers for API requests
    <Location /api/>
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "POST, OPTIONS"
        Header always set Access-Control-Allow-Headers "Content-Type"
        Header always set Content-Type "application/json"
        # Handle OPTIONS requests
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=204,L]
    </Location>

    # for debugging
    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/nofuture_error.log

    # for this to work: a2enmod remoteip and uncomment LogFormat
    # LogFormat "\"%{X-Forwarded-For}i\" %l %u %t \"%r\" %>s %b" anonymized_log
    CustomLog ${APACHE_LOG_DIR}/nofuture_access.log anonymized_log
 
 # a2enmod expires   
<Directory /var/www/nofuture/>
        Options FollowSymLinks
        ExpiresActive On
        ExpiresByType text/css "access plus 1 year"
        ExpiresByType application/javascript "access plus 1 year"
        Header set Cache-Control "public, immutable"
        DirectoryIndex index.html
        AllowOverride none
        Require all granted
        
        # protection for our files in DocumentRoot
        <FilesMatch "\.(env|go|mod|sum|gitignore|md)$">
            Require all denied
        </FilesMatch>
        </Directory>
     
    # Headers
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Referrer-Policy "no-referrer"
    
    # Rate limiting per prevenire abusi
    <Location "/buddy_encrypt">
        SetEnv ratelimit-ips 100
        SetEnv ratelimit-window 60
    </Location>
</VirtualHost></pre>