authorPaul Duncan <pabs@pablotron.org>2024-05-30 04:19:28 -0400
committerPaul Duncan <pabs@pablotron.org>2024-05-30 04:19:28 -0400
commit9c4f3a57e3616b42764e1c934ac76c0bb8157a29 (patch)
tree68d7fdb8521e63a76ec460eee2da517a8d245956 /static/files/articles/site-backend
parent3e4c425006c7fd5a97f285401c9431d901f36a25 (diff)
add content/articles/site-backend.md (draft)
Diffstat (limited to 'static/files/articles/site-backend')
-rw-r--r--static/files/articles/site-backend/pablotron.org.conf.txt76
1 files changed, 76 insertions, 0 deletions
diff --git a/static/files/articles/site-backend/pablotron.org.conf.txt b/static/files/articles/site-backend/pablotron.org.conf.txt
new file mode 100644
index 0000000..8934bad
--- /dev/null
+++ b/static/files/articles/site-backend/pablotron.org.conf.txt
@@ -0,0 +1,76 @@
+<VirtualHost *:80>
+ Use BASIC_SITE pablotron.org www-admin@pablotron.org
+ Use BASIC_LOGS pablotron.org
+ Use STRIP_WWW https://pablotron.org
+ Use MOD_DEFLATE
+
+ # unconditionally rewrite to https://pablotron.org
+ RewriteEngine On
+ RewriteRule ^/(.*)$ https://pablotron.org/$1 [R,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ Use BASIC_SITE pablotron.org www-admin@pablotron.org
+ Use BASIC_LOGS pablotron.org
+ Use STRIP_WWW https://pablotron.org
+ Use MOD_DEFLATE
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem
+
+ # redirect old rss feed to new one
+ RewriteCond %{QUERY_STRING} theme=rss
+ RewriteCond %{REQUEST_URI} ^/$
+ RewriteRule (.*) /index.xml [R=301,L]
+
+ # enable http2 (added 2022-01-29)
+ Protocols h2 http/1.1
+
+ # set security headers
+ # (added on 2021-10-17)
+ #
+ # refs:
+ # - https://web.dev/security-headers/#xfo
+ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+ # - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+ #
+ # permissions-policy docs (seems poorly thought out):
+ # * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+ # * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
+ # https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
+ #
+ Header append "Strict-Transport-Security" "max-age=31536000"
+ Header append "X-Frame-Options" "SAMEORIGIN"
+ Header append "X-Content-Type-Options" "nosniff"
+ Header append "Cross-Origin-Opener-Policy" "same-origin"
+ Header append "Cross-Origin-Resource-Policy" "same-origin"
+ Header append "Access-Control-Allow-Origin" "https://pablotron.org"
+ Header append "Referrer-Policy" "strict-origin-when-cross-origin"
+
+ # not sure about these yet
+ Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
+
+ # POST needed for /hooks
+ Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+
+ # 'unsafe-inline' is needed for goldmark table cell alignment
+ # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
+ # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
+ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
+
+ # cache images, stylesheets, and javascript for 1 year
+ # (added 2022-01-29, i may regret this...)
+ <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
+ Header set Cache-Control "max-age=31536000, public"
+ </FilesMatch>
+
+ <Location /hooks/>
+ ProxyPass "http://localhost:9000/"
+ ProxyPassReverse "http://localhost:9000/"
+ </Location>
+</VirtualHost>
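Review bot: The security headers in the `*:443` vhost (the `Header append` lines from Strict-Transport-Security through Content-Security-Policy) use mod_headers' default `onsuccess` condition, so locally generated non-2xx responses such as error pages and the `R=301` feed redirect go out without them. The `always` condition covers those responses, e.g. `Header always set "Strict-Transport-Security" "max-age=31536000"` and `Header always set "X-Content-Type-Options" "nosniff"`. For the proxied `/hooks/` location, confirm that the backend on port 9000 does not send the same headers itself, because the `always` and `onsuccess` tables are emitted independently and a duplicate CSP or Access-Control-Allow-Origin header could result. Separately, `SSLCertificateChainFile` is deprecated since Apache 2.4.8; the current form is `SSLCertificateFile /etc/letsencrypt/live/pablotron.org/fullchain.pem` with the chain line dropped.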