path: root/static/files/articles/site-backend/pablotron.org.conf.txt
blob: 8934bad65cf47483c18d5b1eb2442eaf76212884 (plain)
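<VirtualHost *:80>
  # plain-http vhost: its only job is to bounce everything to the https
  # vhost below.  the BASIC_SITE/BASIC_LOGS/STRIP_WWW/MOD_DEFLATE macros
  # (mod_macro) are defined elsewhere and are not visible in this file.
  Use BASIC_SITE pablotron.org www-admin@pablotron.org
  Use BASIC_LOGS pablotron.org
  Use STRIP_WWW https://pablotron.org
  Use MOD_DEFLATE

  # unconditionally rewrite to https://pablotron.org
  #
  # R=301 (permanent) instead of the bare R flag (302, temporary): the
  # http->https move is permanent, so clients may cache it, and it matches
  # the R=301 already used by the rss redirect in the :443 vhost.  the query
  # string is passed through unchanged by mod_rewrite because the
  # substitution contains no '?', so no QSA flag is needed.
  #
  # no Strict-Transport-Security here on purpose: browsers ignore HSTS
  # received over plain http; the :443 vhost sends it.
  RewriteEngine On
  RewriteRule ^/(.*)$ https://pablotron.org/$1 [R=301,L]
</VirtualHost>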

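<VirtualHost *:443>
  Use BASIC_SITE pablotron.org www-admin@pablotron.org
  Use BASIC_LOGS pablotron.org
  Use STRIP_WWW https://pablotron.org
  Use MOD_DEFLATE

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/pablotron.org/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/pablotron.org/privkey.pem
  # NOTE: SSLCertificateChainFile has been deprecated since httpd 2.4.8 (and
  # "Protocols h2" below already requires 2.4.17+); the current form is to
  # point SSLCertificateFile at fullchain.pem and drop this line.  left as-is
  # so that swap can be done and tested as its own change.
  SSLCertificateChainFile /etc/letsencrypt/live/pablotron.org/fullchain.pem
  # NOTE(review): no SSLProtocol/SSLCipherSuite in this vhost; presumably set
  # globally or inside the BASIC_SITE macro -- confirm.

  # redirect old rss feed to new one
  # (only "/?theme=rss" exactly; other paths with theme=rss are untouched)
  RewriteCond %{QUERY_STRING} theme=rss
  RewriteCond %{REQUEST_URI} ^/$
  RewriteRule (.*) /index.xml [R=301,L]

  # enable http2 (added 2022-01-29)
  Protocols h2 http/1.1

  # set security headers
  # (added on 2021-10-17)
  #
  # refs:
  # - https://web.dev/security-headers/#xfo
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  # - https://scotthelme.co.uk/a-new-security-header-referrer-policy/
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
  #
  # permissions-policy docs (seems poorly thought out):
  # * https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
  # * feature list (for old feature-policy header, but a good reference): https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/platform/feature_policy/feature_policy.cc;drc=ab90b51c5b60de15054a32b0bd18e4839536a1c9;l=138
  # https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md 
  #
  # "Header always set" instead of "Header append":
  # - without "always", mod_headers works on its default (onsuccess) table,
  #   which is not used for httpd's own locally generated error responses,
  #   so e.g. the built-in 404 page went out without HSTS/CSP/etc.  "always"
  #   applies to every response.
  # - "append" joins onto an existing value with ", ", and every header in
  #   this group is single-valued: a duplicated Access-Control-Allow-Origin
  #   is rejected by browsers, and "max-age=..., max-age=..." is not a valid
  #   HSTS value.  "set" replaces whatever is there.
  #
  # HSTS: one year, no includeSubDomains/preload.  only add those if every
  # subdomain of pablotron.org is served over https -- TODO confirm.
  Header always set "Strict-Transport-Security" "max-age=31536000"
  # legacy framing control; CSP frame-ancestors below is the modern form,
  # kept for clients that only understand this header
  Header always set "X-Frame-Options" "SAMEORIGIN"
  Header always set "X-Content-Type-Options" "nosniff"
  Header always set "Cross-Origin-Opener-Policy" "same-origin"
  Header always set "Cross-Origin-Resource-Policy" "same-origin"
  # fixed single origin (not computed from the request Origin), so no
  # "Vary: Origin" is needed
  Header always set "Access-Control-Allow-Origin" "https://pablotron.org"
  Header always set "Referrer-Policy" "strict-origin-when-cross-origin"

  # not sure about these yet
  Header always set "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()"

  # POST needed for /hooks
  Header always set "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"

  # 'unsafe-inline' is needed for goldmark table cell alignment
  # Header append "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; style-src 'self' 'unsafe-inline'"
  # removed all tables w/ alignment, so i nuked unsafe-inline (2021-10-21)
  #
  # frame-ancestors does not fall back to default-src, so it is spelled out;
  # 'self' mirrors X-Frame-Options SAMEORIGIN above.  base-uri and
  # form-action do not fall back either and are not set here (TODO consider).
  Header always set "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org; frame-ancestors 'self'"

  # cache images, stylesheets, and javascript for 1 year
  # (added 2022-01-29, i may regret this...)
  <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
    Header set Cache-Control "max-age=31536000, public"
  </FilesMatch>

  # webhook receiver, reverse-proxied to a local listener on port 9000.
  # NOTE(review): no access control at this layer; request authentication
  # is presumably done by the hook service itself -- confirm.
  <Location /hooks/>
    ProxyPass "http://localhost:9000/"
    ProxyPassReverse "http://localhost:9000/"
  </Location>
</VirtualHost>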