- ###
- ### Apache configuration file for Signal-Server
- ###
- ### VirtualHost for the main service:
- # Terminates TLS for cable-service.cable.im and reverse-proxies both plain
- # HTTP requests and WebSocket upgrades to the backend on 127.0.0.1:4242.
- <VirtualHost *:443>
- ServerName cable-service.cable.im
- SSLEngine On
- # For the actual Signal service we instead use the self-signed certificate.
- # The Android app's keystore contains our CA's root certificate, which
- # ensures the app accepts as valid only certificates issued by our CA.
- # NOTE(review): the private key sits under a home directory; confirm it is
- # readable only by root / the account that starts httpd.
- SSLCertificateFile /home/cable/certificati/whisper.crt
- SSLCertificateKeyFile /home/cable/certificati/whisper.key
- # Certbot-maintained TLS options file, shared with the Let's Encrypt vhosts.
- Include /etc/letsencrypt/options-ssl-apache.conf
- #SSLCACertificateFile /home/cable/certificati/rootCA.crt
- # Doesn't make sense for self-signed certificates:
- # NOTE(review): with stapling off and a private CA, revoking this certificate
- # presumably means shipping a new app keystore; confirm a rotation plan exists.
- SSLUseStapling Off
- # Proxying WebSocket (ws://) requires this:
- # https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
- #
- # With ProxyPass I could not get http+websocket proxying to work.
- # I tried with only "ProxyPass ws://127.0.0.1:4242/" and also with
- # one ProxyPass for http:// and one for ws://; neither works.
- # In the end I found the solution using mod_rewrite, after reading
- # about people who had the same problem (with other software):
- #
- # https://stackoverflow.com/questions/27526281/websockets-and-apache-proxy-how-to-configure-mod-proxy-wstunnel
- #
- # Perhaps not optimal, but in production I would do this with nginx anyway...
- RewriteEngine On
- # Requests whose Upgrade header equals "websocket" (case-insensitive) go to
- # the ws:// backend; [P] proxies the request and [L] stops rule processing.
- # NOTE(review): the pattern /(.*) is unanchored; ^/(.*) would state the
- # intent (match from the leading slash) explicitly.
- RewriteCond %{HTTP:Upgrade} =websocket [NC]
- RewriteRule /(.*) ws://127.0.0.1:4242/$1 [P,L]
- # Everything else is proxied as plain HTTP to the same backend port.
- RewriteCond %{HTTP:Upgrade} !=websocket [NC]
- RewriteRule /(.*) http://127.0.0.1:4242/$1 [P,L]
- # Rewrites backend URLs in redirect headers back to this vhost.
- ProxyPassReverse / http://127.0.0.1:4242/
- # NOTE(review): assuming the stock "combined" LogFormat, the access log holds
- # client IPs, request lines and user agents of messaging clients; protect and
- # rotate it accordingly.
- CustomLog "/var/log/httpd/cable/cable-service.cable.im.access.log" combined
- ErrorLog "/var/log/httpd/cable/cable-service.cable.im.error.log"
- LogLevel warn
- # Production:
- # NOTE(review): sending ErrorLog to /dev/null as well would discard the only
- # local record of TLS and proxy failures; consider keeping the error log even
- # if the access log is dropped for privacy.
- #CustomLog "/dev/null"
- #ErrorLog "/dev/null"
- </VirtualHost>
- ### VirtualHost for letting Twilio call back:
- # Serves the same backend (127.0.0.1:4242) as the main service, but under a
- # publicly trusted Let's Encrypt certificate.
- <VirtualHost *:443>
- ServerName cable-service-ca.cable.im
- SSLEngine On
- # cable-service-ca.cable.im needs a valid certificate (letsencrypt).
- # It is the hostname Twilio connects to in order to fetch the information
- # needed to verify the number via a voice call.
- SSLCertificateFile /etc/letsencrypt/live/cable-service-ca.cable.im/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/cable-service-ca.cable.im/privkey.pem
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateChainFile /etc/letsencrypt/live/cable-service-ca.cable.im/chain.pem
- # Adds a Via header to proxied traffic and forwards the client's Host header
- # to the backend unchanged.
- ProxyVia On
- ProxyPreserveHost On
- # NOTE(review): "ProxyPass /" exposes every backend path on this hostname,
- # not only the Twilio callback. If Twilio needs only specific paths, narrowing
- # the ProxyPass prefix would reduce what is reachable here; confirm which
- # paths Twilio requests.
- ProxyPass / http://127.0.0.1:4242/
- ProxyPassReverse / http://127.0.0.1:4242/
- CustomLog "/var/log/httpd/cable/cable-service-ca.cable.im.access.log" combined
- ErrorLog "/var/log/httpd/cable/cable-service-ca.cable.im.error.log"
- LogLevel warn
- # Production:
- #CustomLog "/dev/null"
- #ErrorLog "/dev/null"
- </VirtualHost>
- ### Giphy proxy:
- # Forward proxy on port 80 that is meant to tunnel only CONNECT requests to
- # *.giphy.com:443. The access rules below are all that keep it from being an
- # open proxy, so treat every one of them as security-relevant.
- <VirtualHost *:80>
- # NOTE(review): ServerName/ServerAlias only select this vhost by Host header.
- # If it is the first *:80 vhost it is also the default for unmatched hosts;
- # confirm against the rest of the configuration.
- ServerName giphy.com
- ServerAlias *.giphy.com
- # Enables forward-proxy behaviour for this vhost.
- ProxyRequests On
- # The AllowConnect directive specifies a list of ports
- # to which the proxy CONNECT method may connect.
- AllowConnect 443
- # Only allow HTTP CONNECT requests, denying the others (GET, POST, ...).
- # NOTE(review): this Require (mod_authz_core) sits alongside the Order/Deny/
- # Allow rules (mod_access_compat) in the <Proxy> blocks below. Apache
- # discourages mixing the two styles, so check the combined result by testing
- # rather than by reading the file.
- <Location />
- Require method CONNECT
- </Location>
- # This <Proxy *> block is not really needed, but let's leave it.
- # NOTE(review): from this file it looks like the only rule that denies CONNECT
- # to hosts other than *.giphy.com; verify before treating it as optional.
- <Proxy *>
- # New syntax, see https://httpd.apache.org/docs/2.4/upgrading.html
- # Can't be mixed with the old "Order" and "Allow" stuff, so we stay
- # with the old syntax for now...
- #Require all denied
- Order deny,allow
- Deny from all
- </Proxy>
- # Re-opens access for proxy targets matching *.giphy.com on port 443.
- # NOTE(review): after any change, confirm from an outside host that a CONNECT
- # to a non-giphy host:443 is still refused.
- <Proxy "*.giphy.com:443">
- #Require all granted
- Order allow,deny
- Allow from all
- </Proxy>
- # NOTE(review): these logs are where open-proxy abuse would show up; keeping
- # at least the error log in production helps detect it.
- CustomLog "/var/log/httpd/cable/giphy-proxy.cable.im.access.log" combined
- ErrorLog "/var/log/httpd/cable/giphy-proxy.cable.im.error.log"
- LogLevel warn
- # Production:
- #CustomLog "/dev/null"
- #ErrorLog "/dev/null"
- </VirtualHost>
- ### Adminer (adminer.org):
- # Serves the Adminer database front end from /var/www/adminer/ over TLS,
- # behind HTTP Basic authentication.
- # NOTE(review): this is a database administration tool on a public hostname.
- # Consider also restricting it by source address or reaching it only through
- # a VPN/SSH tunnel.
- <VirtualHost *:443>
- ServerName db.cable.im
- SSLEngine On
- SSLCertificateFile /etc/letsencrypt/live/db.cable.im/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/db.cable.im/privkey.pem
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateChainFile /etc/letsencrypt/live/db.cable.im/chain.pem
- DocumentRoot "/var/www/adminer/"
- # Basic auth sends the password with every request, so it relies on this
- # vhost being TLS-only.
- # NOTE(review): confirm no plain-HTTP vhost serves the same directory.
- <Directory /var/www/adminer/>
- AuthType Basic
- # NOTE(review): the password file lives inside DocumentRoot; only the
- # <Files ".*"> block below keeps it from being served. Storing it outside the
- # document root would remove that dependency.
- AuthUserFile "/var/www/adminer/.htpasswd"
- AuthName "Adminer"
- Require valid-user
- </Directory>
- # Denies access to any file whose name starts with a dot (wildcard match),
- # which covers the .htpasswd file above.
- <Files ".*">
- #Require all denied
- Order deny,allow
- Deny from all
- </Files>
- # Unlike the other vhosts there is no "/dev/null" production variant here:
- # access to the database front end stays logged.
- CustomLog "/var/log/httpd/cable/db.cable.im.access.log" combined
- ErrorLog "/var/log/httpd/cable/db.cable.im.error.log"
- LogLevel warn
- </VirtualHost>
- ### Minio
- # Terminates TLS for s3.cable.im and reverse-proxies every path to the
- # backend listening on 127.0.0.1:9000.
- <VirtualHost *:443>
- ServerName s3.cable.im
- SSLEngine On
- SSLCertificateFile /etc/letsencrypt/live/s3.cable.im/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/s3.cable.im/privkey.pem
- Include /etc/letsencrypt/options-ssl-apache.conf
- SSLCertificateChainFile /etc/letsencrypt/live/s3.cable.im/chain.pem
- ProxyVia On
- # Forwards the client's Host header to the backend unchanged.
- # NOTE(review): presumably needed so the backend sees the hostname that
- # clients signed their requests against; confirm before changing.
- ProxyPreserveHost On
- # NOTE(review): everything the backend serves on port 9000 becomes reachable
- # from the internet through this vhost; confirm any administrative endpoints
- # are meant to be public or are protected by the backend's own authentication.
- ProxyPass / http://127.0.0.1:9000/
- ProxyPassReverse / http://127.0.0.1:9000/
- CustomLog "/var/log/httpd/cable/s3.cable.im.access.log" combined
- ErrorLog "/var/log/httpd/cable/s3.cable.im.error.log"
- LogLevel warn
- # Production:
- #CustomLog "/dev/null"
- #ErrorLog "/dev/null"
- </VirtualHost>