###
### Apache configuration file for Signal-Server
###
### VirtualHost for the main service:
### Terminates TLS for the Signal-Server API and reverse-proxies both plain
### HTTP and WebSocket traffic to the backend listening on 127.0.0.1:4242.

<VirtualHost *:443>
ServerName cable-service.cable.im
SSLEngine On

# For the actual Signal service we use the self-signed certificate instead.
# The Android app's keystore contains the root certificate of our own CA,
# which ensures the app treats as valid only certificates issued by our CA.
SSLCertificateFile /home/cable/certificati/whisper.crt
SSLCertificateKeyFile /home/cable/certificati/whisper.key
# Shared TLS protocol/cipher settings (presumably the certbot defaults).
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateChainFile /home/cable/certificati/whisper.crt

# Proxying WebSockets (ws://) needs this:
# https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
#
# I could not get http+websocket proxying to work with ProxyPass alone.
# I tried a bare "ProxyPass ws://127.0.0.1:4242/" and also one ProxyPass
# for http:// plus one for ws://; neither worked.
# In the end the solution was mod_rewrite, found by reading about people
# who had the same problem (with other software):
#
# https://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel
#
# Perhaps not optimal, but in production I would do this with nginx anyway...

RewriteEngine On
# Requests carrying "Upgrade: websocket" are handed to the backend over ws://,
# everything else over plain http://. The [P] flag makes mod_rewrite pass the
# request to mod_proxy instead of redirecting the client; [L] stops processing.
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:4242/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:4242/$1 [P,L]

# Rewrites Location/Content-Location headers in backend responses so that
# redirects point at this host rather than at 127.0.0.1:4242.
ProxyPassReverse / http://127.0.0.1:4242/

CustomLog "/var/log/httpd/cable.access.log" combined
ErrorLog "/var/log/httpd/cable.error.log"
LogLevel warn
</VirtualHost>
### VirtualHost for letting Twilio call back:
### Same backend (127.0.0.1:4242) as the main service, but presented under a
### publicly trusted certificate so that Twilio's servers can verify it.

<VirtualHost *:443>
ServerName cable-service-ca.cable.im
SSLEngine On

# cable-service-ca.cable.im needs a publicly valid certificate (Let's Encrypt).
# It is the hostname Twilio connects to in order to fetch the information
# needed to perform phone-number verification via voice call.
SSLCertificateFile /etc/letsencrypt/live/cable-service-ca.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cable-service-ca.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/cable-service-ca.cable.im/chain.pem

# Add a Via header on proxied requests so the backend can see the hop.
ProxyVia On
# Forward the client's original Host header (cable-service-ca.cable.im)
# to the backend instead of replacing it with 127.0.0.1:4242.
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:4242/
ProxyPassReverse / http://127.0.0.1:4242/
</VirtualHost>
### Giphy proxy:
### A forward proxy that accepts only "CONNECT <host>:443" for *.giphy.com.
### Because ProxyRequests is On, every restriction below matters: without
### them this vhost would be an open proxy reachable on port 80.

<VirtualHost *:80>
ServerName giphy.com
ServerAlias *.giphy.com
# Forward-proxy mode: clients send CONNECT requests to this host.
ProxyRequests On

# The AllowConnect directive specifies a list of ports
# to which the proxy CONNECT method may connect.
AllowConnect 443

# Only allow HTTP CONNECT requests, denying the others (GET, POST, ...).
<Location />
Require method CONNECT
</Location>

# This <Proxy *> block is the default-deny for every proxy destination.
# It IS needed: AllowConnect only limits the port, so without this block
# ProxyRequests On would accept CONNECT to any host on 443 (an open proxy).
# The narrower <Proxy "*.giphy.com:443"> block below re-opens only giphy.
<Proxy *>
# New syntax, see https://httpd.apache.org/docs/2.4/upgrading.html
# Can't be mixed with the old "Order" and "Allow" stuff, so we stay
# with the old syntax for now...
# NOTE(review): <Location /> above already uses "Require", so this file
# does mix both syntaxes (via mod_access_compat) — confirm the combined
# result is still deny-by-default after any Apache upgrade.
#Require all denied

Order deny,allow
Deny from all
</Proxy>

# Allow-list: CONNECT may only be tunnelled to *.giphy.com on port 443.
<Proxy "*.giphy.com:443">
#Require all granted

Order allow,deny
Allow from all
</Proxy>
</VirtualHost>
### Adminer (adminer.org):
### Static PHP database front-end served from /var/www/adminer/, protected
### by HTTP Basic auth over TLS.

<VirtualHost *:443>
ServerName db.cable.im
SSLEngine On

SSLCertificateFile /etc/letsencrypt/live/db.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/db.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/db.cable.im/chain.pem

DocumentRoot "/var/www/adminer/"

# Basic auth is only acceptable here because the vhost is TLS-only (*:443);
# credentials are sent base64-encoded, not encrypted, by the scheme itself.
<Directory /var/www/adminer/>
AuthType Basic
# NOTE(review): the password file lives inside DocumentRoot and relies on
# the <Files ".*"> rule below to stay unreadable over HTTP; moving it
# outside DocumentRoot would remove that dependency.
AuthUserFile "/var/www/adminer/.htpasswd"
AuthName "Adminer"
Require valid-user
</Directory>

# Deny direct download of dotfiles in the DocumentRoot (".*" is a shell
# wildcard here, not a regex), in particular the .htpasswd configured above.
<Files ".*">
#Require all denied
Order deny,allow
Deny from all
</Files>
</VirtualHost>
### Minio
### TLS front for the MinIO (S3-compatible) object store on 127.0.0.1:9000.

<VirtualHost *:443>
ServerName s3.cable.im
SSLEngine On

SSLCertificateFile /etc/letsencrypt/live/s3.cable.im/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/s3.cable.im/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/s3.cable.im/chain.pem

# Add a Via header on proxied requests.
ProxyVia On
# Keep the client's Host header (s3.cable.im) on the way to the backend;
# presumably needed so MinIO builds correct bucket/object URLs — verify.
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>