https_vhost.conf.template
## HTTPS front-end vhost template. ${...} values are filled in when the template
## is rendered; application/proxy rules shared with other vhosts are pulled in
## from conf/goobi-common.conf at the end of the block.
<VirtualHost *:${HTTPS_PORT}>
ServerName ${SERVERNAME}:${HTTPS_PORT}
ServerAdmin ${SERVERADMIN}
DocumentRoot /var/www
## strip any client-supplied Expect header in the early request phase, before
## other handlers (and the proxy) see it. NOTE(review): the reason is not stated
## here - presumably to avoid Expect: 100-continue problems with the backend.
RequestHeader unset Expect early
## make sure rewrite is enabled
RewriteEngine On
## SSL directives
SSLEngine on
## default cache path / size. this may need to be adjusted if "logs" becomes a volume mount
## NOTE(review): SSLSessionCache and SSLStaplingCache are server-config scope in
## mod_ssl, so they cannot simply be uncommented inside this <VirtualHost>; they
## belong in the main server config. SSLStaplingCache is also a prerequisite for
## "SSLUseStapling on", which nothing in this file sets, so OCSP stapling is off.
#SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
#SSLSessionCacheTimeout 300
#SSLStaplingCache "shmcb:/usr/local/apache2/logs/ocsp(32768)"
## certificate chain and private key come from the Let's Encrypt live directory
## for this ServerName (httpd reads them at start/reload, not per request)
SSLCertificateFile "/etc/letsencrypt/live/${SERVERNAME}/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/${SERVERNAME}/privkey.pem"
## CA store used for client-certificate verification only; nothing in this file
## sets SSLVerifyClient, so this has no effect unless goobi-common.conf does
SSLCACertificatePath "/etc/ssl/certs"
## TLS 1.2 and newer only; SSLv3/TLS 1.0/TLS 1.1 are refused
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
## the server's preference order below wins over the client's
SSLHonorCipherOrder On
## forward-secret (ECDHE/DHE) AEAD suites only, for TLS <= 1.2. On httpd 2.4.36+
## with OpenSSL 1.1.1+ the TLS 1.3 suites are configured separately and are not
## restricted by this list.
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
# TODO FIXME reenable after test driving this image for a bit
## HSTS is intentionally off until the deployment has been exercised: once a
## browser has seen it, plain HTTP (and any cert error) is refused for max-age
## seconds, so a misconfiguration would lock users out for that long.
#Header always set Strict-Transport-Security "max-age=31536000"
# https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers
# mod_proxy_http already adds these headers by default:
# X-Forwarded-For: The IP address of the client.
# X-Forwarded-Host: The original host requested by the client in the Host HTTP request header.
# X-Forwarded-Server: The hostname of the proxy server.
# there is also another option:
# https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost
# ProxyPreserveHost: When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.
# if the backend supports it, X-Forwarded-Host is the cleaner solution
# we almost always want to inform the backend of the protocol though, which isn't sent by default
## "set" replaces any X-Forwarded-Proto the client sent, so the backend only ever
## sees the value this vhost asserts, never a client-controlled one
RequestHeader set X-Forwarded-Proto "https"
## shared proxy/application configuration; may add directives to this vhost
Include conf/goobi-common.conf
</VirtualHost>