From 9c4f3a57e3616b42764e1c934ac76c0bb8157a29 Mon Sep 17 00:00:00 2001
From: Paul Duncan
Date: Thu, 30 May 2024 04:19:28 -0400
Subject: add content/articles/site-backend.md (draft)
---
 .../articles/site-backend/pablotron.org.conf.txt | 76 ++++++++++++++++++++++
 1 file changed, 76 insertions(+)
 create mode 100644 static/files/articles/site-backend/pablotron.org.conf.txt
(limited to 'static/files')
diff --git a/static/files/articles/site-backend/pablotron.org.conf.txt b/static/files/articles/site-backend/pablotron.org.conf.txt
new file mode 100644
index 0000000..8934bad
--- /dev/null
+++ b/static/files/articles/site-backend/pablotron.org.conf.txt
@@ -0,0 +1,76 @@
+
+ Use BASIC_SITE pablotron.org www-admin@pablotron.org
+ Use BASIC_LOGS pablotron.org
+ Use STRIP_WWW https://pablotron.org
+ Use MOD_DEFLATE
+
+ # unconditionally rewrite to https://pablotron.org
+ RewriteEngine On
+ RewriteRule ^/(.*)$ https://pablotron.org/$1 [R,L]
+
+
+
+ Use BASIC_SITE pablotron.org www-admin@pablotron.org
+ Use BASIC_LOGS pablotron.org
+ Use STRIP_WWW https://pablotron.org
+ Use MOD_DEFLATE
+
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem
+
+ # redirect old rss feed to new one
+ RewriteCond %{QUERY_STRING} theme=rss
+ RewriteCond %{REQUEST_URI} ^/$
+ RewriteRule (.*) /index.xml [R=301,L]
+
+ # enable http2 (added 2022-01-29)
+ Protocols h2 http/1.1
+
+ # set security headers
+ # (added on 2021-10-17)
+ #
+ # refs:
+ - https://web.dev/security-headers/#xfo
+ - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
+ - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+ #
+ # permissions-policy docs (seems poorly thought out):
+ * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+ * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
+ https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
+ #
+ Header append "Strict-Transport-Security" "max-age=31536000"
+ Header append "X-Frame-Options" "SAMEORIGIN"
+ Header append "X-Content-Type-Options" "nosniff"
+ Header append "Cross-Origin-Opener-Policy" "same-origin"
+ Header append "Cross-Origin-Resource-Policy" "same-origin"
+ Header append "Access-Control-Allow-Origin" "https://pablotron.org"
+ Header append "Referrer-Policy" "strict-origin-when-cross-origin"
+
+ # not sure about these yet
+ Header append "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"
+
+ # POST needed for /hooks
+ Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+
+ # 'unsafe-inline' is needed for goldmark table cell alignment
+ # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
+ # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
+ Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org"
+
+ # cache images, stylesheets, and javascript for 1 year
+ # (added 2022-01-29, i may regret this...)
+
+ Header set Cache-Control "max-age=31536000, public"
+
+
+
+ ProxyPass "http://localhost:9000/"
+ ProxyPassReverse "http://localhost:9000/"
+
+
-- cgit v1.2.3
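Review bot: The security headers in the 443 vhost, from `Header append "Strict-Transport-Security"` down to the live `Content-Security-Policy` line, use `Header append` without the `always` condition, which in mod_headers operates only on the on-success header table; the 301 produced by the `theme=rss` RewriteRule and any 4xx/5xx response are then likely sent without HSTS, CSP or X-Frame-Options. `append` additionally merges with any value another config layer sets, and a merged `X-Frame-Options: SAMEORIGIN, SAMEORIGIN` may be rejected by browsers, so `Header always set "Strict-Transport-Security" "max-age=31536000"` (and the same form for the other single-valued headers) is the safer spelling. Separately, `SSLCertificateChainFile` has been deprecated since Apache 2.4.8 and `fullchain.pem` already contains the leaf certificate, so if the server is at least that version, `SSLCertificateFile /etc/letsencrypt/live/pablotron.org/fullchain.pem` with the chain directive dropped is the current idiom. The container tags appear to have been stripped from this rendering, so the vhost and location boundaries are inferred from the directive groups.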