###
### Apache configuration file for Signal-Server
###

### VirtualHost for the main service:

ServerName cable-service.cable.im

SSLEngine On
# For the actual Signal service we use the self-signed certificate instead.
# The Android app's keystore contains the root certificate of our CA, which
# ensures that the app accepts as valid only certificates issued by our CA.
SSLCertificateFile /home/cable/certificati/whisper.crt
SSLCertificateKeyFile /home/cable/certificati/whisper.key
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateChainFile /home/cable/certificati/whisper.crt

# Proxying websocket (ws://) requires this:
# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
#
# With ProxyPass I could not get http+websocket proxying to work.
# I tried with just "ProxyPass ws://127.0.0.1:4242/" and also with
# one ProxyPass for http:// and one for ws://; it does not work.
# In the end I found the solution using mod_rewrite, after reading
# about people who had the same problem (with other software):
#
# https://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel
#
# Maybe not optimal, but in production I would do this with nginx anyway...
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:4242/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:4242/$1 [P,L]
ProxyPassReverse / http://127.0.0.1:4242/

CustomLog "/var/log/httpd/cable.access.log" combined
ErrorLog "/var/log/httpd/cable.error.log"
LogLevel warn

### VirtualHost for letting Twilio call back:

ServerName cable-service-ca.cable.im

SSLEngine On
# cable-service-ca.cable.im needs a valid certificate (letsencrypt).
# It is the hostname Twilio connects to in order to obtain the information
# needed to verify the number by voice call.
SSLCertificateFile /etc/letsencrypt/live/cable-service-ca.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cable-service-ca.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/cable-service-ca.cable.im/chain.pem

ProxyVia On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:4242/
ProxyPassReverse / http://127.0.0.1:4242/

### Giphy proxy:

ServerName giphy.com
ServerAlias *.giphy.com

ProxyRequests On
# The AllowConnect directive specifies a list of ports
# to which the proxy CONNECT method may connect.
AllowConnect 443

# Only allow HTTP CONNECT requests, denying the others (GET, POST, ...).
Require method CONNECT

# This block is not really needed, but let's leave it.
# New syntax, see https://httpd.apache.org/docs/2.4/upgrading.html
# Can't be mixed with the old "Order" and "Allow" stuff, so we stay
# with the old syntax for now...
#Require all denied
Order deny,allow
Deny from all

#Require all granted
Order allow,deny
Allow from all

### Adminer (adminer.org):

ServerName db.cable.im

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/db.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/db.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/db.cable.im/chain.pem

DocumentRoot "/var/www/adminer/"

AuthType Basic
AuthUserFile "/var/www/adminer/.htpasswd"
AuthName "Adminer"
Require valid-user

#Require all denied
Order deny,allow
Deny from all

### Minio

ServerName s3.cable.im

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/s3.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/s3.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/s3.cable.im/chain.pem

ProxyVia On
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/