blob: 2e7bf2d3bc6e9a2e2beb7c1ee359afe57f7a6e9c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
# Note this config assumes unicorn is listening on port 9737.
# Module dependencies
# mod_rewrite
# mod_ssl
# mod_proxy
# mod_proxy_http
# mod_headers
# This section is only needed if you want to redirect http traffic to https.
# You can live without it but clients will have to type in https:// to reach discourse.
<VirtualHost *:80>
ServerName discourse.example.com
ServerSignature Off
# Include the trailing slash!
Redirect permanent / https://discourse.example.com/
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
# strong encryption ciphers only
# see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/httpd/ssl.crt/discourse.example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/discourse.example.com.key
SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName discourse.example.com
ServerSignature Off
ProxyPreserveHost On
# Ensure that encoded slashes are not decoded but left in their encoded state.
# http://doc.discourse.com/ce/api/projects.html#get-single-project
AllowEncodedSlashes NoDecode
<Location />
# New authorization commands for apache 2.4 and up
# http://httpd.apache.org/docs/2.4/upgrading.html#access
Require all granted
ProxyPassReverse http://127.0.0.1:9737
ProxyPassReverse http://discourse.example.com/
</Location>
<LocationMatch "^/assets/.*$">
# Set caching headers here, providing advice to downstream cache
Header set Cache-Control "public, max-age = 604800"
</LocationMatch>
# apache equivalent of nginx try files
# http://serverfault.com/questions/290784/what-is-apaches-equivalent-of-nginxs-try-files
# http://stackoverflow.com/questions/10954516/apache2-proxypass-for-rails-app-gitlab
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:9737%{REQUEST_URI} [P,QSA]
RequestHeader set X_FORWARDED_PROTO 'https'
# needed for downloading attachments
DocumentRoot /usr/share/webapps/discourse/public
# Set up apache error documents, if back end goes down an error page is thrown up.
ErrorDocument 403 /403.html
ErrorDocument 422 /422.html
ErrorDocument 500 /500.html
ErrorDocument 503 /503.html
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/httpd/logs/discourse.example.com_error.log
CustomLog /var/log/httpd/logs/discourse.example.com_forwarded.log common_forwarded
CustomLog /var/log/httpd/logs/discourse.example.com_access.log combined env=!dontlog
CustomLog /var/log/httpd/logs/discourse.example.com.log combined
</VirtualHost>
|