File di configurazione Apache

2017-01-24 17:17:19 +01:00 · 2017-01-24 17:17:19 +01:00 · d86fa16cf2
commit d86fa16cf2
parent ada4c418f6
1 changed files with 74 additions and 0 deletions
--- a/cable.conf
+++ b/cable.conf
@ -0,0 +1,74 @@
+<VirtualHost *:443>
+	ServerName cable-service-ca.cable.im
+	SSLEngine On
+
+	# Su cable-service-ca.cable.im serve un certificato valido (letsencrypt).
+	# È l'hostname a cui si connette Twilio per ottenere le informazioni
+	# necessarie a fare la verifica del numero tramite chiamata vocale.
+
+	SSLCertificateFile /etc/letsencrypt/live/cable-service-ca.cable.im/cert.pem
+	SSLCertificateKeyFile /etc/letsencrypt/live/cable-service-ca.cable.im/privkey.pem
+	Include /etc/letsencrypt/options-ssl-apache.conf
+	SSLCertificateChainFile /etc/letsencrypt/live/cable-service-ca.cable.im/chain.pem
+
+	ProxyVia On
+	ProxyPreserveHost On
+	ProxyPass / http://127.0.0.1:4242/
+	ProxyPassReverse / http://127.0.0.1:4242/
+</VirtualHost>
+
+<VirtualHost *:443>
+	ServerName cable-service.cable.im
+	SSLEngine On
+
+	# Per il servizio Signal vero e proprio usiamo invece il certificato self-signed.
+	# Nel keystore del'app Android è il root certificate della nostra CA, assicurando
+	# così che l'app riconosca come validi solo i certificati emessi dalla nostra CA.
+
+	SSLCertificateFile /home/cable/certificati/whisper.crt
+	SSLCertificateKeyFile /home/cable/certificati/whisper.key
+	Include /etc/letsencrypt/options-ssl-apache.conf
+	#SSLCertificateChainFile /home/cable/certificati/whisper.crt
+
+	# Per proxare websocket (ws://) serve questa roba:
+	#
+	# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
+
+	ProxyVia On
+	ProxyPreserveHost On
+	ProxyPass / ws://127.0.0.1:4242/
+	ProxyPassReverse / ws://127.0.0.1:4242/
+</VirtualHost>
+
+<VirtualHost *:80>
+	ServerName giphy.com
+	ServerAlias *.giphy.com
+	ProxyRequests On
+	ProxyVia Block
+	ProxyPreserveHost On
+
+	## The AllowConnect directive specifies a list of ports
+	## to which the proxy CONNECT method may connect.
+	AllowConnect 443
+
+	## Only ever allow incoming HTTP CONNECT requests.
+	## Explicitly deny other request types like GET, POST, etc.
+	## This tells Apache to return a 403 Forbidden if this virtual
+	## host receives anything other than an HTTP CONNECT.
+	<Location />
+		<LimitExcept CONNECT>
+			Order allow,deny
+			Deny from all
+		</LimitExcept>
+	</Location>
+
+	<Proxy *>
+		Order allow,deny
+		Deny from all
+	</Proxy>
+
+	<Proxy "*.giphy.com:443">
+		Allow from all
+	</Proxy>
+</VirtualHost>
+