From 8b95a9a0b19e49836a85e36cbafd5c36c808e782 Mon Sep 17 00:00:00 2001
From: iamdoubz <iamdoubz@gmail.com>
Date: Fri, 30 Oct 2020 16:03:32 +0100
Subject: [PATCH 1/2] Add apache2 reverse proxy configuration file
---
support/apache/mobilizon.conf | 90 +++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 support/apache/mobilizon.conf
diff --git a/support/apache/mobilizon.conf b/support/apache/mobilizon.conf
new file mode 100644
index 000000000..e7bf6af6a
--- /dev/null
+++ b/support/apache/mobilizon.conf
@@ -0,0 +1,90 @@
+### This .conf file requires:
+ ## Apache >= 2.4.17 and these mods:
+ # headers, proxy, proxy_balancer, proxy_http, proxy_wstunnel, rewrite, lbmethod_byrequests
+###
+ DEFINE base_url dom.ain
+ DEFINE mob_url 127.0.0.1
+ DEFINE mob_port 4000
+ DEFINE root_path /home/mobilizon/live/
+ DEFINE public_url mobilizon.dom.ain
+ DEFINE email events@mo.dom.ain
+ ServerTokens Prod
+ SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
+ SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
+ SSLSessionCacheTimeout 300
+<VirtualHost *:80>
+ ServerName ${public_url}
+ #ServerAdmin ${email}
+ DocumentRoot ${root_path}
+ ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log
+ CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined
+ RewriteEngine on
+ RewriteCond %{SERVER_NAME} =mobilizon.dom.ain
+ RewriteCond %{HTTPS} off
+ RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+</VirtualHost>
+<VirtualHost *:443>
+ ServerName ${public_url}
+ #ServerAdmin ${email}
+ DocumentRoot ${root_path}
+ ErrorLog ${APACHE_LOG_DIR}/mobilizon.error.log
+ CustomLog ${APACHE_LOG_DIR}/mobilizon.access.log combined
+ SSLEngine On
+ SSLCertificateFile /etc/letsencrypt/live/dom.ain/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/dom.ain/privkey.pem
+ #Include /etc/letsencrypt/options-ssl-apache.conf
+ Protocols h2 http/1.1
+ Timeout 360
+ ProxyRequests Off
+ ProxyPreserveHost On
+ ProxyTimeout 600
+ ProxyReceiveBufferSize 4096
+ SSLProxyEngine On
+ RequestHeader set Front-End-Https "On"
+ ServerSignature Off
+ SSLCompression Off
+ SSLUseStapling On
+ SSLStaplingResponderTimeout 5
+ SSLStaplingReturnResponderErrors Off
+ SSLSessionTickets Off
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ Header always set Strict-Transport-Security "max-age=15552000; preload"
+ Header always set Referrer-Policy "strict-origin-when-cross-origin"
+ Header always set X-Robots-Tag none
+ #Header always set X-XSS-Protection "1; mode=block"
+ #Header always set X-Frame-Options "SAMEORIGIN"
+ #Header always set X-Content-Type-Options nosniff
+ ## Extremely untested Content-Security-Policy: NOTE this will change every new build of Mobilizon ##
+ Header always set Content-Security-Policy "default-src 'none'; base-uri 'self' ${base_url} ${public_url}; font-src 'self' data: ${base_url} ${public_url}; media-src 'self' ${base_url} ${public_url}; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${base_url} ${public_url}; style-src 'self' 'unsafe-inline' ${base_url} ${public_url}; img-src 'self' https: data: blob: *.${base_url} ${public_url}; worker-src *; frame-src 'self' https:; connect-src 'self' wss: https: ${base_url} ${public_url}; object-src 'self' ${base_url} ${public_url}; frame-ancestors 'self' ${base_url} ${public_url}; form-action 'self' ${base_url} ${public_url}; manifest-src 'self' ${base_url} ${public_url};"
+ Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; fullscreen 'self'; payment 'self';"
+ Header always set Permissions-Policy "geolocation=(self '${base_url}' '${public_url}'), midi=(self '${base_url}' '${public_url}'), sync-xhr=(self '${base_url}' '${public_url}'), microphone=(self '${base_url}' '${public_url}'), camera=(self '${base_url}' '${public_url}'), magnetometer=(self '${base_url}' '${public_url}'), gyroscope=(self '${base_url}' '${public_url}'), fullscreen=(self '${base_url}' '${public_url}'), payment=(self '${base_url}' '${public_url}')"
+### Use next two for very secure connections ###
+ SSLHonorCipherOrder Off
+ SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+ SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+### Actually start proxying traffic
+ #LimitRequestBody 4294967294
+ #Options -Includes -ExecCGI
+ #LimitRequestBody 512000
+ #FileETag None
+ #TraceEnable off
+ <Location />
+ ProxyPass http://${mob_url}:${mob_port}/
+ </Location>
+ <FilesMatch ^/(js|css)$>
+ Header append Cache-Control "public, max-age=31536000, immutable"
+ SetEnv dontlog
+ </FilesMatch>
+ AliasMatch ^/(js|css)$ ${root_path}priv/static/$1
+ <LocationMatch ^/(media|proxy)$>
+ Header append Cache-Control "public, max-age=31536000, immutable"
+ SetEnv dontlog
+ ProxyPass http://${mob_url}:${mob_port}/$1
+ </LocationMatch>
+# Please create a pull request for this section
+# error_page 500 501 502 503 504 @error;
+# location @error {
+# root /home/mobilizon/live/priv/errors;
+# try_files /error.html 502;
+# }
+</VirtualHost>
\ No newline at end of file
From 1d9bf70e5e3af516deeaf329019770b58963f124 Mon Sep 17 00:00:00 2001
From: Thomas Citharel <tcit@tcit.fr>
Date: Thu, 10 Dec 2020 10:21:54 +0100
Subject: [PATCH 2/2] Add websocket support to Apache vhost template
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
---
support/apache/mobilizon.conf | 3 +++
1 file changed, 3 insertions(+)
diff --git a/support/apache/mobilizon.conf b/support/apache/mobilizon.conf
index e7bf6af6a..b6a849dfe 100644
--- a/support/apache/mobilizon.conf
+++ b/support/apache/mobilizon.conf
@@ -69,7 +69,10 @@
#FileETag None
#TraceEnable off
<Location />
+ ProxyPass ws://${mob_url}:${mob_port}/
+ ProxyPassReverse ws://${mob_url}:${mob_port}/
ProxyPass http://${mob_url}:${mob_port}/
+ ProxyPassReverse http://${mob_url}:${mob_port}/
</Location>
<FilesMatch ^/(js|css)$>
Header append Cache-Control "public, max-age=31536000, immutable"