|
@@ -1,228 +1,233 @@
|
|
|
-ServerRoot "/usr/local/apache2"
|
|
|
-
|
|
|
-Listen 80
|
|
|
-
|
|
|
-LoadModule mpm_event_module modules/mod_mpm_event.so
|
|
|
-LoadModule authn_core_module modules/mod_authn_core.so
|
|
|
-LoadModule authz_core_module modules/mod_authz_core.so
|
|
|
-LoadModule access_compat_module modules/mod_access_compat.so
|
|
|
-LoadModule mime_module modules/mod_mime.so
|
|
|
-LoadModule log_config_module modules/mod_log_config.so
|
|
|
-LoadModule env_module modules/mod_env.so
|
|
|
-#LoadModule expires_module modules/mod_expires.so
|
|
|
-LoadModule headers_module modules/mod_headers.so
|
|
|
-#LoadModule setenvif_module modules/mod_setenvif.so
|
|
|
-#LoadModule remoteip_module modules/mod_remoteip.so
|
|
|
-LoadModule proxy_module modules/mod_proxy.so
|
|
|
-LoadModule proxy_http_module modules/mod_proxy_http.so
|
|
|
-LoadModule unixd_module modules/mod_unixd.so
|
|
|
-#LoadModule status_module modules/mod_status.so
|
|
|
-#LoadModule autoindex_module modules/mod_autoindex.so
|
|
|
-LoadModule dir_module modules/mod_dir.so
|
|
|
-LoadModule alias_module modules/mod_alias.so
|
|
|
-
|
|
|
-LoadModule session_module modules/mod_session.so
|
|
|
-LoadModule session_crypto_module modules/mod_session_crypto.so
|
|
|
-LoadModule session_cookie_module modules/mod_session_cookie.so
|
|
|
-LoadModule request_module modules/mod_request.so
|
|
|
-LoadModule authz_user_module modules/mod_authz_user.so
|
|
|
-LoadModule auth_form_module modules/mod_auth_form.so
|
|
|
-LoadModule authn_dbd_module modules/mod_authn_dbd.so
|
|
|
-LoadModule dbd_module modules/mod_dbd.so
|
|
|
-
|
|
|
-LoadModule macro_module modules/mod_macro.so
|
|
|
-LoadModule rewrite_module modules/mod_rewrite.so
|
|
|
-
|
|
|
-<IfModule unixd_module>
|
|
|
-#
|
|
|
-# If you wish httpd to run as a different user or group, you must run
|
|
|
-# httpd as root initially and it will switch.
|
|
|
-#
|
|
|
-# User/Group: The name (or #number) of the user/group to run httpd as.
|
|
|
-# It is usually good practice to create a dedicated user and group for
|
|
|
-# running httpd, as with most system services.
|
|
|
-#
|
|
|
-User daemon
|
|
|
-Group daemon
|
|
|
-</IfModule>
|
|
|
-
|
|
|
-ServerAdmin you@example.com
|
|
|
-
|
|
|
-ServerName feedati-fe:80
|
|
|
-
|
|
|
-DBDriver pgsql
|
|
|
-DBDParams "host=db dbname=feeds user=apache password=apachepass"
|
|
|
-
|
|
|
-<Macro Auth>
|
|
|
- AuthFormLoginRequiredLocation "/login/"
|
|
|
-# authn
|
|
|
- AuthFormProvider dbd
|
|
|
- AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"
|
|
|
-# form
|
|
|
- AuthType form
|
|
|
- AuthName "authenticationform"
|
|
|
-# mod_session
|
|
|
- Session On
|
|
|
- SessionCookieName session path=/;httponly
|
|
|
- SessionCryptoPassphrase changeme!really!
|
|
|
-</Macro>
|
|
|
-
|
|
|
-<Location "/login/do">
|
|
|
-SetHandler form-login-handler
|
|
|
-Use Auth
|
|
|
-AuthFormLoginSuccessLocation "/panel/"
|
|
|
-</Location>
|
|
|
-<Location "/logout">
|
|
|
- SetHandler form-logout-handler
|
|
|
- AuthFormLogoutLocation "/login/logout.html"
|
|
|
- Session on
|
|
|
-</Location>
|
|
|
-
|
|
|
-<Directory />
|
|
|
- AllowOverride none
|
|
|
- Require all denied
|
|
|
-</Directory>
|
|
|
-
|
|
|
-DocumentRoot "/var/www"
|
|
|
-<Directory "/var/www">
|
|
|
- Options None
|
|
|
- AllowOverride None
|
|
|
- Use Auth
|
|
|
- Require all granted
|
|
|
-</Directory>
|
|
|
-
|
|
|
-<Files ".ht*">
|
|
|
- Require all denied
|
|
|
-</Files>
|
|
|
-
|
|
|
-# ErrorLog: The location of the error log file.
|
|
|
-# If you do not specify an ErrorLog directive within a <VirtualHost>
|
|
|
-# container, error messages relating to that virtual host will be
|
|
|
-# logged here. If you *do* define an error logfile for a <VirtualHost>
|
|
|
-# container, that host's errors will be logged there and not here.
|
|
|
-#
|
|
|
-ErrorLog /proc/self/fd/2
|
|
|
-
|
|
|
-# LogLevel: Control the number of messages logged to the error_log.
|
|
|
-# Possible values include: debug, info, notice, warn, error, crit,
|
|
|
-# alert, emerg.
|
|
|
-LogLevel warn
|
|
|
-
|
|
|
-<IfModule log_config_module>
|
|
|
- #
|
|
|
- # The following directives define some format nicknames for use with
|
|
|
- # a CustomLog directive (see below).
|
|
|
- #
|
|
|
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
|
- LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
|
|
-
|
|
|
- <IfModule logio_module>
|
|
|
- # You need to enable mod_logio.c to use %I and %O
|
|
|
- LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
|
|
- </IfModule>
|
|
|
-
|
|
|
- #
|
|
|
- # The location and format of the access logfile (Common Logfile Format).
|
|
|
- # If you do not define any access logfiles within a <VirtualHost>
|
|
|
- # container, they will be logged here. Contrariwise, if you *do*
|
|
|
- # define per-<VirtualHost> access logfiles, transactions will be
|
|
|
- # logged therein and *not* in this file.
|
|
|
- #
|
|
|
- CustomLog /proc/self/fd/1 common
|
|
|
-
|
|
|
- #
|
|
|
- # If you prefer a logfile with access, agent, and referer information
|
|
|
- # (Combined Logfile Format) you can use the following directive.
|
|
|
- #
|
|
|
- #CustomLog "logs/access_log" combined
|
|
|
-</IfModule>
|
|
|
-
|
|
|
-<IfModule headers_module>
|
|
|
- #
|
|
|
- # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
|
|
|
- # backend servers which have lingering "httpoxy" defects.
|
|
|
- # 'Proxy' request header is undefined by the IETF, not listed by IANA
|
|
|
- #
|
|
|
- RequestHeader unset Proxy early
|
|
|
-</IfModule>
|
|
|
-
|
|
|
-<IfModule mime_module>
|
|
|
- #
|
|
|
- # TypesConfig points to the file containing the list of mappings from
|
|
|
- # filename extension to MIME-type.
|
|
|
- #
|
|
|
- TypesConfig conf/mime.types
|
|
|
-
|
|
|
- #
|
|
|
- # AddType allows you to add to or override the MIME configuration
|
|
|
- # file specified in TypesConfig for specific file types.
|
|
|
- #
|
|
|
- #AddType application/x-gzip .tgz
|
|
|
- #
|
|
|
- # AddEncoding allows you to have certain browsers uncompress
|
|
|
- # information on the fly. Note: Not all browsers support this.
|
|
|
- #
|
|
|
- #AddEncoding x-compress .Z
|
|
|
- #AddEncoding x-gzip .gz .tgz
|
|
|
- #
|
|
|
- # If the AddEncoding directives above are commented-out, then you
|
|
|
- # probably should define those extensions to indicate media types:
|
|
|
- #
|
|
|
- AddType application/x-compress .Z
|
|
|
- AddType application/x-gzip .gz .tgz
|
|
|
-
|
|
|
- #
|
|
|
- # AddHandler allows you to map certain file extensions to "handlers":
|
|
|
- # actions unrelated to filetype. These can be either built into the server
|
|
|
- # or added with the Action directive (see below)
|
|
|
- #
|
|
|
- # To use CGI scripts outside of ScriptAliased directories:
|
|
|
- # (You will also need to add "ExecCGI" to the "Options" directive.)
|
|
|
- #
|
|
|
- #AddHandler cgi-script .cgi
|
|
|
-
|
|
|
- # For type maps (negotiated resources):
|
|
|
- #AddHandler type-map var
|
|
|
-
|
|
|
- #
|
|
|
- # Filters allow you to process content before it is sent to the client.
|
|
|
- #
|
|
|
- # To parse .shtml files for server-side includes (SSI):
|
|
|
- # (You will also need to add "Includes" to the "Options" directive.)
|
|
|
- #
|
|
|
- #AddType text/html .shtml
|
|
|
- #AddOutputFilter INCLUDES .shtml
|
|
|
-</IfModule>
|
|
|
-
|
|
|
-Redirect permanent "/tt-rss" "/tt-rss/"
|
|
|
-
|
|
|
-ProxyPreserveHost On
|
|
|
-<Location /tt-rss/>
|
|
|
-ProxyPass http://tt-rss/tt-rss/
|
|
|
-ProxyPassReverse http://tt-rss/tt-rss/
|
|
|
-Use Auth
|
|
|
-Require valid-user
|
|
|
-RewriteEngine on
|
|
|
-RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
|
|
|
-RequestHeader set X-Forwarded-User %{RU}e
|
|
|
-</Location>
|
|
|
-
|
|
|
-Redirect permanent "/rss-bridge" "/rss-bridge/"
|
|
|
-
|
|
|
-<Location /rss-bridge/>
|
|
|
-ProxyPass http://rss-bridge/
|
|
|
-ProxyPassReverse http://rss-bridge/
|
|
|
-Require all granted
|
|
|
-</Location>
|
|
|
-
|
|
|
-<Location /panel/>
|
|
|
-ProxyPass http://panel:8000/panel/
|
|
|
-ProxyPassReverse http://panel:8000/panel/
|
|
|
-Use Auth
|
|
|
-Require valid-user
|
|
|
-RewriteEngine on
|
|
|
-RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
|
|
|
-RequestHeader set X-Forwarded-User %{RU}e
|
|
|
-</Location>
|
|
|
-
|
|
|
-# vim: set ft=apache bkc=yes:
|
|
|
+ServerRoot "/usr/local/apache2"
|
|
|
+
|
|
|
+Listen 80
|
|
|
+
|
|
|
+LoadModule mpm_event_module modules/mod_mpm_event.so
|
|
|
+LoadModule authn_core_module modules/mod_authn_core.so
|
|
|
+LoadModule authz_core_module modules/mod_authz_core.so
|
|
|
+LoadModule access_compat_module modules/mod_access_compat.so
|
|
|
+LoadModule mime_module modules/mod_mime.so
|
|
|
+LoadModule log_config_module modules/mod_log_config.so
|
|
|
+LoadModule env_module modules/mod_env.so
|
|
|
+#LoadModule expires_module modules/mod_expires.so
|
|
|
+LoadModule headers_module modules/mod_headers.so
|
|
|
+#LoadModule setenvif_module modules/mod_setenvif.so
|
|
|
+#LoadModule remoteip_module modules/mod_remoteip.so
|
|
|
+LoadModule proxy_module modules/mod_proxy.so
|
|
|
+LoadModule proxy_http_module modules/mod_proxy_http.so
|
|
|
+LoadModule unixd_module modules/mod_unixd.so
|
|
|
+#LoadModule status_module modules/mod_status.so
|
|
|
+#LoadModule autoindex_module modules/mod_autoindex.so
|
|
|
+LoadModule dir_module modules/mod_dir.so
|
|
|
+LoadModule alias_module modules/mod_alias.so
|
|
|
+
|
|
|
+LoadModule session_module modules/mod_session.so
|
|
|
+LoadModule session_crypto_module modules/mod_session_crypto.so
|
|
|
+LoadModule session_cookie_module modules/mod_session_cookie.so
|
|
|
+LoadModule request_module modules/mod_request.so
|
|
|
+LoadModule authz_user_module modules/mod_authz_user.so
|
|
|
+LoadModule auth_form_module modules/mod_auth_form.so
|
|
|
+LoadModule authn_dbd_module modules/mod_authn_dbd.so
|
|
|
+LoadModule dbd_module modules/mod_dbd.so
|
|
|
+
|
|
|
+LoadModule macro_module modules/mod_macro.so
|
|
|
+LoadModule rewrite_module modules/mod_rewrite.so
|
|
|
+
|
|
|
+<IfModule unixd_module>
|
|
|
+#
|
|
|
+# If you wish httpd to run as a different user or group, you must run
|
|
|
+# httpd as root initially and it will switch.
|
|
|
+#
|
|
|
+# User/Group: The name (or #number) of the user/group to run httpd as.
|
|
|
+# It is usually good practice to create a dedicated user and group for
|
|
|
+# running httpd, as with most system services.
|
|
|
+#
|
|
|
+User daemon
|
|
|
+Group daemon
|
|
|
+</IfModule>
|
|
|
+
|
|
|
+ServerAdmin you@example.com
|
|
|
+
|
|
|
+ServerName feedati-fe:80
|
|
|
+
|
|
|
+DBDriver pgsql
|
|
|
+DBDParams "host=db dbname=feeds user=apache password=apachepass"
|
|
|
+
|
|
|
+<Macro Auth>
|
|
|
+ AuthFormLoginRequiredLocation "/login/"
|
|
|
+# authn
|
|
|
+ AuthFormProvider dbd
|
|
|
+ AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"
|
|
|
+# form
|
|
|
+ AuthType form
|
|
|
+ AuthName "authenticationform"
|
|
|
+# mod_session
|
|
|
+ Session On
|
|
|
+ SessionCookieName session path=/;httponly
|
|
|
+ SessionCryptoPassphrase changeme!really!
|
|
|
+</Macro>
|
|
|
+
|
|
|
+<Location "/login/do">
|
|
|
+SetHandler form-login-handler
|
|
|
+Use Auth
|
|
|
+AuthFormLoginSuccessLocation "/panel/"
|
|
|
+</Location>
|
|
|
+<Location "/logout">
|
|
|
+ SetHandler form-logout-handler
|
|
|
+ AuthFormLogoutLocation "/login/logout.html"
|
|
|
+ Session on
|
|
|
+</Location>
|
|
|
+
|
|
|
+<Directory />
|
|
|
+ AllowOverride none
|
|
|
+ Require all denied
|
|
|
+</Directory>
|
|
|
+
|
|
|
+DocumentRoot "/var/www"
|
|
|
+<Directory "/var/www">
|
|
|
+ Options None
|
|
|
+ AllowOverride None
|
|
|
+ Use Auth
|
|
|
+ Require all granted
|
|
|
+</Directory>
|
|
|
+
|
|
|
+<Files ".ht*">
|
|
|
+ Require all denied
|
|
|
+</Files>
|
|
|
+
|
|
|
+# ErrorLog: The location of the error log file.
|
|
|
+# If you do not specify an ErrorLog directive within a <VirtualHost>
|
|
|
+# container, error messages relating to that virtual host will be
|
|
|
+# logged here. If you *do* define an error logfile for a <VirtualHost>
|
|
|
+# container, that host's errors will be logged there and not here.
|
|
|
+#
|
|
|
+ErrorLog /proc/self/fd/2
|
|
|
+
|
|
|
+# LogLevel: Control the number of messages logged to the error_log.
|
|
|
+# Possible values include: debug, info, notice, warn, error, crit,
|
|
|
+# alert, emerg.
|
|
|
+LogLevel warn
|
|
|
+
|
|
|
+<IfModule log_config_module>
|
|
|
+ #
|
|
|
+ # The following directives define some format nicknames for use with
|
|
|
+ # a CustomLog directive (see below).
|
|
|
+ #
|
|
|
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
|
|
|
+ LogFormat "%h %l %u %t \"%r\" %>s %b" common
|
|
|
+
|
|
|
+ <IfModule logio_module>
|
|
|
+ # You need to enable mod_logio.c to use %I and %O
|
|
|
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
|
|
|
+ </IfModule>
|
|
|
+
|
|
|
+ #
|
|
|
+ # The location and format of the access logfile (Common Logfile Format).
|
|
|
+ # If you do not define any access logfiles within a <VirtualHost>
|
|
|
+ # container, they will be logged here. Contrariwise, if you *do*
|
|
|
+ # define per-<VirtualHost> access logfiles, transactions will be
|
|
|
+ # logged therein and *not* in this file.
|
|
|
+ #
|
|
|
+ CustomLog /proc/self/fd/1 common
|
|
|
+
|
|
|
+ #
|
|
|
+ # If you prefer a logfile with access, agent, and referer information
|
|
|
+ # (Combined Logfile Format) you can use the following directive.
|
|
|
+ #
|
|
|
+ #CustomLog "logs/access_log" combined
|
|
|
+</IfModule>
|
|
|
+
|
|
|
+<IfModule headers_module>
|
|
|
+ #
|
|
|
+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
|
|
|
+ # backend servers which have lingering "httpoxy" defects.
|
|
|
+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
|
|
|
+ #
|
|
|
+ RequestHeader unset Proxy early
|
|
|
+</IfModule>
|
|
|
+
|
|
|
+<IfModule mime_module>
|
|
|
+ #
|
|
|
+ # TypesConfig points to the file containing the list of mappings from
|
|
|
+ # filename extension to MIME-type.
|
|
|
+ #
|
|
|
+ TypesConfig conf/mime.types
|
|
|
+
|
|
|
+ #
|
|
|
+ # AddType allows you to add to or override the MIME configuration
|
|
|
+ # file specified in TypesConfig for specific file types.
|
|
|
+ #
|
|
|
+ #AddType application/x-gzip .tgz
|
|
|
+ #
|
|
|
+ # AddEncoding allows you to have certain browsers uncompress
|
|
|
+ # information on the fly. Note: Not all browsers support this.
|
|
|
+ #
|
|
|
+ #AddEncoding x-compress .Z
|
|
|
+ #AddEncoding x-gzip .gz .tgz
|
|
|
+ #
|
|
|
+ # If the AddEncoding directives above are commented-out, then you
|
|
|
+ # probably should define those extensions to indicate media types:
|
|
|
+ #
|
|
|
+ AddType application/x-compress .Z
|
|
|
+ AddType application/x-gzip .gz .tgz
|
|
|
+
|
|
|
+ #
|
|
|
+ # AddHandler allows you to map certain file extensions to "handlers":
|
|
|
+ # actions unrelated to filetype. These can be either built into the server
|
|
|
+ # or added with the Action directive (see below)
|
|
|
+ #
|
|
|
+ # To use CGI scripts outside of ScriptAliased directories:
|
|
|
+ # (You will also need to add "ExecCGI" to the "Options" directive.)
|
|
|
+ #
|
|
|
+ #AddHandler cgi-script .cgi
|
|
|
+
|
|
|
+ # For type maps (negotiated resources):
|
|
|
+ #AddHandler type-map var
|
|
|
+
|
|
|
+ #
|
|
|
+ # Filters allow you to process content before it is sent to the client.
|
|
|
+ #
|
|
|
+ # To parse .shtml files for server-side includesC (SSI):
|
|
|
+ # (You will also need to add "Includes" to the "Options" directive.)
|
|
|
+ #
|
|
|
+ #AddType text/html .shtml
|
|
|
+ #AddOutputFilter INCLUDES .shtml
|
|
|
+</IfModule>
|
|
|
+
|
|
|
+Redirect permanent "/tt-rss" "/tt-rss/"
|
|
|
+
|
|
|
+Header always set Referrer-Policy "same-origin"
|
|
|
+Header always setifempty Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
|
|
|
+Header always setifempty X-XSS-Protection "1; mode=block"
|
|
|
+Header always setifempty X-Frame-Options "deny"
|
|
|
+
|
|
|
+ProxyPreserveHost On
|
|
|
+<Location /tt-rss/>
|
|
|
+ProxyPass http://tt-rss/tt-rss/
|
|
|
+ProxyPassReverse http://tt-rss/tt-rss/
|
|
|
+Use Auth
|
|
|
+Require valid-user
|
|
|
+RewriteEngine on
|
|
|
+RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
|
|
|
+RequestHeader set X-Forwarded-User %{RU}e
|
|
|
+</Location>
|
|
|
+
|
|
|
+Redirect permanent "/rss-bridge" "/rss-bridge/"
|
|
|
+
|
|
|
+<Location /rss-bridge/>
|
|
|
+ProxyPass http://rss-bridge/
|
|
|
+ProxyPassReverse http://rss-bridge/
|
|
|
+Require all granted
|
|
|
+</Location>
|
|
|
+
|
|
|
+<Location /panel/>
|
|
|
+ProxyPass http://panel:8000/panel/
|
|
|
+ProxyPassReverse http://panel:8000/panel/
|
|
|
+Use Auth
|
|
|
+Require valid-user
|
|
|
+RewriteEngine on
|
|
|
+RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
|
|
|
+RequestHeader set X-Forwarded-User %{RU}e
|
|
|
+</Location>
|
|
|
+
|
|
|
+# vim: set ft=apache bkc=yes:
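Review bot: The added `Content-Security-Policy` keeps `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, so it does little to stop injected script. If the proxied apps cannot run without them yet, record that in a comment above the header and tighten what you can, for example by appending `frame-ancestors 'none'; object-src 'none'; base-uri 'self'`. `Header always setifempty` consults only the `always` header table, while headers from a `mod_proxy_http` backend normally sit in the `onsuccess` table, so a backend that sends its own policy would probably end up with two policies on the response; this is worth checking against tt-rss and the panel. `X-XSS-Protection "1; mode=block"` is ignored or deprecated in current browsers and is usually set to `0` or dropped. The hunk rewrites the whole file, and the new side still carries `SessionCryptoPassphrase changeme!really!` and `password=apachepass` inline (plus a new comment typo, `includesC`); the passphrase protects the login session cookie, so load it from outside the repository, e.g. via `SessionCryptoPassphraseFile`, and add `secure` and `SameSite` attributes to `SessionCookieName` once the site is served over TLS.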
|