Created
July 24, 2015 07:35
Apache2 vhost and vdir config file sample
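##ref: https://raw.githubusercontent.com/docker/docker-registry/master/contrib/apache.conf
# TLS-terminating reverse proxy in front of a docker-registry listening on
# 127.0.0.1:5000. Every path requires HTTP basic auth except the two ping
# endpoints, which stay open so health checks work without credentials.
# SSLProtocol / SSLCipherSuite are not set in this vhost and are therefore
# inherited from the server-wide mod_ssl configuration.
<VirtualHost *:443>
    ServerName registry.example.com
    ServerAlias www.registry.example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/registry.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/registry.example.com.key

    # The original sample used `Header set Host ...`, which only adds a Host
    # header to the *response* and never reaches the backend. The client's
    # Host header is forwarded by ProxyPreserveHost below, so nothing else is
    # needed for the registry to see the public hostname.
    RequestHeader set X-Forwarded-Proto "https"

    # Reverse proxy only; `ProxyRequests off` keeps this from being usable as
    # an open forward proxy.
    ProxyRequests off
    ProxyPreserveHost on
    # Some HTTPd came configured with /error for error messages
    # In this case, you should disable proxying to remote docker-registry
    # ProxyPass /error/ !
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    ErrorLog ${APACHE_LOG_DIR}/registry-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/registry-access.log combined

    # Basic auth for everything. Order/Allow/Satisfy are Apache 2.2 access
    # directives; on 2.4 they need mod_access_compat loaded (or a rewrite to
    # the `Require` syntax).
    <Location />
        Order deny,allow
        Allow from all
        AuthName "Registry Authentication"
        AuthType basic
        AuthUserFile "/etc/apache2/htpasswd/registry-htpasswd"
        Require valid-user
    </Location>

    # Allow ping and users to run unauthenticated.
    # `Satisfy any` means host access OR a valid user is enough; together with
    # `Allow from all` this switches auth off for exactly these two paths.
    <Location /v1/_ping>
        Satisfy any
        Allow from all
    </Location>
    <Location /_ping>
        Satisfy any
        Allow from all
    </Location>
</VirtualHost>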
##ref: https://raw.githubusercontent.com/t2d/wasuptls/master/apache-vhost.conf
# Plain-HTTP listener whose only job is to send every request to the HTTPS
# site with a permanent (301) redirect.
<VirtualHost *:80>
    # based on https://github.com/ioerror/duraconf/blob/master/configs/apache2/https-hsts.conf
    ServerName example.com
    ServerAdmin [email protected]
    DocumentRoot /var/www

    # `Redirect permanent` is the same directive as RedirectPermanent.
    Redirect permanent / https://example.com/

    ServerSignature Off
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
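# HTTPS site for example.com with HSTS. Certificate, key and CA chain paths
# are the ones from the original sample.
<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/root.crt
    SSLCertificateKeyFile /etc/apache2/ssl/root.pem
    SSLCACertificateFile /etc/apache2/ssl/ca.pem

    # The original enabled SSLv3 (POODLE) as well as TLS 1.0/1.1 (deprecated
    # by RFC 8996). Allow TLS 1.2 only; add +TLSv1.3 where the httpd/OpenSSL
    # build supports it.
    SSLProtocol -ALL +TLSv1.2

    # BEAST mitigation, but RC4
    # SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
    # from http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # Forward-secret AES suites first. The 3DES entries of the original list
    # were dropped (64-bit block size, Sweet32). RSA+AES stays as a non-PFS
    # fallback for old clients and can be removed once they are gone.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AES:!ADH:!AECDH:!MD5:!DSS:!aNULL
    SSLHonorCipherOrder on
    # TLS-level compression enables CRIME; keep it off.
    SSLCompression off
    # export cipher variables
    SSLOptions +StdEnvVars

    # Six-month HSTS for all users, protecting all subdomains. `always` sends
    # it on error responses too; `set` avoids emitting the header twice.
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    # Clickjacking defence: only same-origin pages may frame this site.
    Header always set X-Frame-Options "SAMEORIGIN"

    DocumentRoot /var/www/
    # Server Side Includes (without #exec) for the wasuptls pages
    <Directory "/var/www/wasuptls">
        Options +IncludesNOEXEC
        XBitHack On
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ServerSignature Off
</VirtualHost>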
##ref: https://gitlab.com/gitlab-org/gitlab-recipes/raw/master/web-server/apache/gitlab-apache2.4.conf
#This configuration has been tested on GitLab 6.0.0 and GitLab 6.0.1
#Note this config assumes unicorn is listening on default port 8080.
#Module dependencies
# mod_rewrite
# mod_proxy
# mod_proxy_http
# NOTE(review): this vhost listens on plain HTTP only (*:80); there is no TLS
# termination or HTTPS redirect in it, so GitLab credentials and session
# cookies travel in clear text unless TLS is handled elsewhere — confirm.
<VirtualHost *:80>
ServerName gitlab.example.com
ServerSignature Off
# Forward the client's Host header unchanged to the backend.
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.gitlab.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
# Rewrite redirect headers coming back from the backend for both the loopback
# and the public-name forms of the URL.
ProxyPassReverse http://127.0.0.1:8080
ProxyPassReverse http://gitlab.example.com/
</Location>
#apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
# Serve the request directly if it maps to an existing file; otherwise proxy
# it ([P]) to unicorn on 8080, keeping the query string ([QSA]).
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8080%{REQUEST_URI} [P,QSA]
# needed for downloading attachments
DocumentRoot /home/git/gitlab/public
#Set up apache error documents, if back end goes down (i.e. 503 error) then a maintenance/deploy page is thrown up.
ErrorDocument 404 /404.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /deploy.html
# Log format that records the X-Forwarded-For request header in place of the
# peer address — presumably for when this host itself sits behind a proxy.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/gitlab.example.com_error.log
CustomLog /var/log/httpd/logs/gitlab.example.com_forwarded.log common_forwarded
# NOTE(review): `dontlog` is never set anywhere in this vhost, so env=!dontlog
# currently logs every request, and the line after it logs each request again.
CustomLog /var/log/httpd/logs/gitlab.example.com_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/gitlab.example.com.log combined
</VirtualHost>