app.conf

ServerTokens Prod
ServerSignature Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable Off
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

<VirtualHost *:80>
	AddDefaultCharset utf-8
	DocumentRoot "/var/www/orcidhub"
	ServerName orcidhub.org.nz
	#ServerAlias sentry.${ENV}.orcidhub.org.nz
	ServerAlias ${ENV}.orcidhub.org.nz
	RewriteRule /$ https://%{SERVER_NAME} [R,L]
    RewriteCond %{REQUEST_URI} !^/.well-known
	RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

#<VirtualHost *:443>
#	AddDefaultCharset utf-8
#	DocumentRoot "/var/www/sentry"
#	ServerName sentry.${ENV}.orcidhub.org.nz
#	LimitRequestBody 10000000
#        WSGIScriptReloading On

#	ProxyPass / http://sentry:9000/
#	ProxyPassReverse / http://sentry:9000/

	## SSL:
#	SSLEngine on
#	SSLProtocol ALL -SSLv2 -SSLv3
#	SSLHonorCipherOrder On
#	SSLCipherSuite ECDHE+AES:AES:!ECDHE+3DES:!RSA+3DES:!MD5:!EXPORT:!DES:!EDH:!RC4:!ADH:!aNULL
#	SSLCompression Off
#	SSLCertificateFile /etc/pki/tls/certs/server.crt
#	SSLCertificateKeyFile /etc/pki/tls/private/server.key
#	SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
#</VirtualHost>

<VirtualHost *:443>
	AddDefaultCharset utf-8
	DocumentRoot "/var/www/orcidhub"
	ServerName ${ENV}.orcidhub.org.nz
	# WSGIDaemonProcess NZORCIDHUB user=user1 group=group1 threads=5
	# TODO: processes and threads should be adjusted for production
	# WSGIDaemonProcess NZORCIDHUB processes=12 threads=5 maximum-requests=10000
	WSGIDaemonProcess NZORCIDHUB processes=2 threads=3 maximum-requests=1000
	WSGIProcessGroup NZORCIDHUB
	WSGIPassAuthorization On
	LimitRequestBody 10000000
	#WSGIApplicationGroup %{GLOBAL}
	#Order deny,allow
	#Allow from all
    WSGIScriptReloading On
	WSGIScriptAlias / /var/www/orcidhub/app.wsgi
	Alias /static /var/www/orcidhub/orcid_hub/static

	## Shibboleth:
	<Location /Tuakiri>
		AuthType shibboleth
		ShibRequireSession On
		require valid-user
		ShibUseHeaders On
	</Location>

	<Location /Shibboleth.sso>
		AuthType None
		Require all granted
		SetHandler shib
	</Location>

	<IfModule mod_alias.c>
	  <Location /shibboleth-sp>
	    AuthType None
	    Require all granted
	  </Location>
	  Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
	</IfModule>

    ## Logging:
    # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D" combined_with_response_time
    CustomLog logs/orcidhub_log combined_with_response_time

	## SSL:
	SSLEngine on
    SSLProtocol all -TLSv1 -TLSv1.1 -SSLv3
	SSLHonorCipherOrder On
    # SSLCipherSuite 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_256_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'
    # SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256
	SSLCompression Off
	SSLCertificateFile /etc/pki/tls/certs/server.crt
	SSLCertificateKeyFile /etc/pki/tls/private/server.key
	SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
</VirtualHost>