This site runs on an Apache server.
Sites
- /etc/apache2/sites-available/lain.chimrod.com.conf
# In the default configuration, redirect to https instead
<VirtualHost *:80>
    ServerName lain.chimrod.com
    Redirect / https://lain.chimrod.com/
</VirtualHost>

<VirtualHost *:443>
    Use dehydrated_ssl lain.chimrod.com
    ServerName lain.chimrod.com
    ServerAdmin webmaster@localhost

    DocumentRoot /home/www/lain/
    <Directory /home/www/lain/>
        AllowOverride All
        Require all granted
    </Directory>

    ProxyPass "/torrent" http://localhost:8080
    ProxyPassReverse "/torrent" http://localhost:8080

    # Configuration for Cockpit
    # (httpd only accepts comments on their own line, not after a directive)
    # required modules
    SSLProxyEngine On
    RewriteEngine On
    # required
    ProxyPreserveHost On
    # RECOMMENDED, disables forwarding, see https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests
    ProxyRequests Off
    # if possible, present cockpit's error pages instead of apache's
    ProxyErrorOverride Off
    # cockpit has a self-signed cert by default, therefore no CA
    SSLProxyVerify optional_no_ca
    # SSL error without these two
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    # recommended since potential SSL error without this
    SSLProxyCheckPeerExpire Off
    # required by cockpit.conf
    RequestHeader set "X-Forwarded-Proto" "https"

    # following is adapted from https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
    # when websocket in upgrade AND within UrlRoot, rewrite proxy with wss://
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule "^/cockpit/(.*)" "wss://127.0.0.1:9090/cockpit/$1" [P,L]
    # when no websocket upgrade AND within UrlRoot, rewrite proxy with https://
    # (server variables are written %{...}; ${...} would be a RewriteMap lookup)
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule "^/cockpit/(.*)" "https://127.0.0.1:9090/cockpit/$1" [P,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
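As an added example (not part of this page's configuration), a small Python audit that parses a vhost excerpt and reports the mistakes a block like the Cockpit one invites: a comment placed on the same line as a directive (httpd reads it as extra arguments and refuses to start), the RewriteMap-style `${HTTP:Upgrade}` where `%{HTTP:Upgrade}` is meant, ProxyRequests switched On, and backend certificate checks disabled for a backend that is not on the loopback interface (tolerable only when the backend never leaves the host). The configuration inside it is a constructed excerpt with those mistakes included deliberately.

```python
import re
import shlex
# Constructed excerpt of the lain.chimrod.com vhost above (not the full file),
# kept with trailing comments and the "${HTTP:Upgrade}" typo on purpose.
SAMPLE_CONF = """\
<VirtualHost *:443>
    Use dehydrated_ssl lain.chimrod.com
    ProxyPass "/torrent" http://localhost:8080
    ProxyRequests Off # RECOMMENDED, disables forwarding
    SSLProxyVerify optional_no_ca # cockpit has a self-signed cert by default
    SSLProxyCheckPeerName Off # SSL error without this
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule "^/cockpit/(.*)" "wss://127.0.0.1:9090/cockpit/$1" [P,L]
    RewriteCond ${HTTP:Upgrade} !=websocket [NC]
    RewriteRule "^/cockpit/(.*)" "https://127.0.0.1:9090/cockpit/$1" [P,L]
</VirtualHost>
"""
LOOPBACK = re.compile(r"^(?:wss?|https?)://(?:127\.0\.0\.1|localhost|\[::1\])(?:[:/]|$)")

def directives(conf):
    """Yield (lower-cased name, shlex-split args); tags and comment lines are skipped."""
    for line in map(str.strip, conf.splitlines()):
        if line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            yield name.lower(), shlex.split(args)

def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, backends, relaxed, forwarding = [], [], False, False
    for name, toks in directives(conf):
        comment = [i for i, t in enumerate(toks) if t.startswith("#")]
        if comment:  # httpd treats the comment as extra arguments: startup error
            findings.append(f"{name}: comment on the same line as the directive")
            toks = toks[:comment[0]]
        if name == "rewritecond" and toks[0].startswith("${"):
            findings.append("rewritecond: ${...} is RewriteMap syntax, use %{HTTP:Upgrade}")
        elif name in ("sslproxyverify", "sslproxycheckpeername", "sslproxycheckpeercn"):
            relaxed |= toks[0].lower() in ("optional_no_ca", "none", "off")
        elif name == "proxyrequests":  # default Off; On turns httpd into a forward proxy
            forwarding = toks[0].lower() == "on"
        elif name == "proxypass":
            backends.append(toks[1])
        elif name == "rewriterule" and "P" in toks[-1].strip("[]").split(","):
            backends.append(toks[1])
    if forwarding:
        findings.append("proxyrequests On: httpd would act as an open forward proxy")
    findings += [f"unverified TLS to non-loopback backend {u}"
                 for u in backends if relaxed and not LOOPBACK.match(u)]
    return findings
```

Running `audit(SAMPLE_CONF)` reports the three same-line comments and the `${HTTP:Upgrade}` typo; once those are corrected the excerpt is clean because every proxy target stays on the loopback interface.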
- /etc/apache2/sites-available/downloads.conf
<VirtualHost *:443>
    Use dehydrated_ssl chimrod.com
    ServerAdmin webmaster@localhost

    Alias "/downloads" "/home/www/downloads"
    <Directory /home/www/downloads>
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Macro
The dehydrated_ssl macro loads the certificate that dehydrated issued for the requested domain and applies it to the current virtual host. Because every TLS directive sits inside the IfFile block, a domain whose certificate dehydrated has not yet written gets a virtual host without SSLEngine, HSTS or the protocol restrictions, so the certificate has to exist before the vhost is expected to serve TLS.
- /etc/apache2/conf-available/dehydrated_ssl.conf
<Macro dehydrated_ssl $domain>
    ServerName $domain
    <IfFile /var/lib/dehydrated/certs/$domain/fullchain.pem>
        SSLEngine on
        # enable HTTP/2, if available
        Protocols h2 http/1.1
        # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
        Header always set Strict-Transport-Security "max-age=63072000"
        # intermediate configuration
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder on
        SSLSessionTickets off
        #SSLUseStapling On
        #SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
        SSLCertificateFile /var/lib/dehydrated/certs/$domain/fullchain.pem
        SSLCertificateKeyFile /var/lib/dehydrated/certs/$domain/privkey.pem
    </IfFile>
</Macro>