-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathapp.conf
97 lines (87 loc) · 3.59 KB
/
app.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
ServerTokens Prod
ServerSignature Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable Off
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
<VirtualHost *:80>
AddDefaultCharset utf-8
DocumentRoot "/var/www/orcidhub"
ServerName orcidhub.org.nz
#ServerAlias sentry.${ENV}.orcidhub.org.nz
ServerAlias ${ENV}.orcidhub.org.nz
RewriteRule /$ https://%{SERVER_NAME} [R,L]
RewriteCond %{REQUEST_URI} !^/.well-known
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
#<VirtualHost *:443>
# AddDefaultCharset utf-8
# DocumentRoot "/var/www/sentry"
# ServerName sentry.${ENV}.orcidhub.org.nz
# LimitRequestBody 10000000
# WSGIScriptReloading On
# ProxyPass / http://sentry:9000/
# ProxyPassReverse / http://sentry:9000/
## SSL:
# SSLEngine on
# SSLProtocol ALL -SSLv2 -SSLv3
# SSLHonorCipherOrder On
# SSLCipherSuite ECDHE+AES:AES:!ECDHE+3DES:!RSA+3DES:!MD5:!EXPORT:!DES:!EDH:!RC4:!ADH:!aNULL
# SSLCompression Off
# SSLCertificateFile /etc/pki/tls/certs/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/server.key
# SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
#</VirtualHost>
<VirtualHost *:443>
AddDefaultCharset utf-8
DocumentRoot "/var/www/orcidhub"
ServerName ${ENV}.orcidhub.org.nz
# WSGIDaemonProcess NZORCIDHUB user=user1 group=group1 threads=5
# TODO: processes and threads should be adjusted for production
# WSGIDaemonProcess NZORCIDHUB processes=12 threads=5 maximum-requests=10000
WSGIDaemonProcess NZORCIDHUB processes=2 threads=3 maximum-requests=1000
WSGIProcessGroup NZORCIDHUB
WSGIPassAuthorization On
LimitRequestBody 10000000
#WSGIApplicationGroup %{GLOBAL}
#Order deny,allow
#Allow from all
WSGIScriptReloading On
WSGIScriptAlias / /var/www/orcidhub/app.wsgi
Alias /static /var/www/orcidhub/orcid_hub/static
## Shibboleth:
<Location /Tuakiri>
AuthType shibboleth
ShibRequireSession On
require valid-user
ShibUseHeaders On
</Location>
<Location /Shibboleth.sso>
AuthType None
Require all granted
SetHandler shib
</Location>
<IfModule mod_alias.c>
<Location /shibboleth-sp>
AuthType None
Require all granted
</Location>
Alias /shibboleth-sp/main.css /usr/share/shibboleth/main.css
</IfModule>
## Logging:
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D" combined_with_response_time
CustomLog logs/orcidhub_log combined_with_response_time
## SSL:
SSLEngine on
SSLProtocol all -TLSv1 -TLSv1.1 -SSLv3
SSLHonorCipherOrder On
# SSLCipherSuite 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA:TLS_DHE_RSA_WITH_AES_256_CBC_SHA:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'
# SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
</VirtualHost>