# -*-mode: apache;-*-
<VirtualHost *:443>
# Primary HTTPS vhost for the libravatar web front end.
# __WWWSERVERNAME__, __WWWSERVERALIAS__ and __WEBMASTEREMAIL__ are
# template placeholders filled in at install time (not literal values).
ServerName __WWWSERVERNAME__
__WWWSERVERALIAS__
ServerAdmin __WEBMASTEREMAIL__
# TLS setup: SSLv3 and TLSv1.0 are disabled; "all" leaves every newer
# protocol version the mod_ssl build supports enabled.
# NOTE(review): TLSv1.1 is still permitted by this line (it is deprecated by
# RFC 8996); adding -TLSv1.1 is worth considering once client compatibility
# has been confirmed.
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1
# The server's preference order wins, and the list below is ECDHE-only
# (forward secrecy), with the AEAD (GCM/CHACHA20) suites ahead of the CBC ones.
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# TLS-level compression stays off (it is the CRIME attack vector).
SSLCompression Off
# OCSP stapling: responder queries time out after 5 seconds, and responder
# error responses are not stapled to the handshake.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# Certificate material lives in /etc/libravatar; see the <Directory
# /etc/libravatar> block below, which only exposes django.wsgi over the web.
SSLCertificateFile /etc/libravatar/www.crt
SSLCertificateKeyFile /etc/libravatar/www.pem
SSLCertificateChainFile /etc/libravatar/www-chain.pem
# Legacy workaround for old MSIE TLS clients (no keepalive, unclean shutdown).
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Turn on HSTS: max-age 15768000 s is about six months; "always" also applies
# the header to non-2xx responses. Only this :443 vhost sends it, which is
# correct — browsers ignore HSTS received over plain HTTP.
# NOTE(review): "add" appends rather than replaces, so if another layer ever
# sets Strict-Transport-Security too, clients would see it twice; "set" would
# avoid that.
Header always add Strict-Transport-Security: "max-age=15768000; includeSubdomains"
# Prevent Clickjacking in logged-in pages. This is the only framing control
# here: the CSP below has no frame-ancestors directive, and frame-ancestors
# does not fall back to default-src.
Header set X-Frame-Options "deny"
# Content Security Policy
# http://www.w3.org/TR/CSP/
# Baseline policy for all dynamic pages: nothing is allowed unless listed;
# scripts and styles only from this origin, images also from data: URIs and
# the seccdn host. Anything not listed (objects, frames, fonts, connect, …)
# falls back to default-src 'none'.
Header set Content-Security-Policy: "default-src 'none' ; script-src 'self' ; style-src 'self' ; img-src 'self' data: https://seccdn.libravatar.org"
# The two locations below replace the baseline with a policy whose img-src
# is "*" — presumably because these pages display externally hosted images;
# confirm against the application views before tightening.
<Location /account/confirm_email>
Header set Content-Security-Policy: "default-src 'none' ; script-src 'self' ; style-src 'self' ; img-src *"
</Location>
<Location /tools/check>
Header set Content-Security-Policy: "default-src 'none' ; script-src 'self' ; style-src 'self' ; img-src *"
</Location>
# Static files don't need CSP headers
# NOTE(review): this match also drops the CSP on /user/, which is aliased to
# the user-supplied image directory below; that is harmless as long as only
# image types are served from there — verify nothing else can land in it.
<LocationMatch "^/(js|css|img|user)/">
Header unset Content-Security-Policy
</LocationMatch>
# Cache lifetimes: dynamic HTML/XML (and anything unlisted) expires after one
# second, i.e. effectively uncached; static asset types get one week.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType text/xml "access plus 1 seconds"
ExpiresByType text/plain "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
ExpiresByType text/javascript "access plus 1 week"
ExpiresByType text/css "access plus 1 week"
ExpiresByType image/jpeg "access plus 1 week"
ExpiresByType image/png "access plus 1 week"
</IfModule>
# Whitelist paths to be served (assuming server config denies the rest)
# Application source directory: listings off, and only the four named files
# are web-accessible; everything else in it stays under the global deny.
<Directory /usr/share/libravatar/libravatar>
Options -Indexes
<Files favicon.ico>
Require all granted
Header append Cache-Control "public"
</Files>
<Files humans.txt>
Require all granted
</Files>
<Files robots.txt>
Require all granted
</Files>
<Files rules.abe>
Require all granted
</Files>
</Directory>
# Directory listing is deliberately enabled here, and only here.
<Directory /usr/share/libravatar/libravatar/schemas>
Require all granted
Options +Indexes
</Directory>
<Directory /usr/share/libravatar/static>
Require all granted
Options -Indexes
</Directory>
# Config directory: only the WSGI entry point is granted. The certificate,
# chain and private key referenced by the SSLCertificate* lines above sit in
# this same directory and are not granted, and nothing in this vhost aliases
# the directory, so they remain unreachable through the web server.
<Directory /etc/libravatar>
Options -Indexes
<Files django.wsgi>
Require all granted
</Files>
</Directory>
# Runtime data directories (uploaded/cropped images, per-user images,
# exports): readable, never listed.
<Directory /var/lib/libravatar/uploaded>
Require all granted
Options -Indexes
</Directory>
<Directory /var/lib/libravatar/user>
Require all granted
Options -Indexes
</Directory>
<Directory /var/lib/libravatar/export>
Require all granted
Options -Indexes
</Directory>
# Take advantage of precompressed files when they exist
# Multiviews lets content negotiation pick a .gz sibling of the requested
# file; AddEncoding marks it as gzip-encoded and ForceType pins the MIME type
# so the .gz suffix does not turn it into application/gzip.
<Directory /usr/share/libravatar/static/css>
AddEncoding gzip gz
ForceType text/css
Options +Multiviews
</Directory>
<Directory /usr/share/libravatar/static/js>
AddEncoding gzip gz
ForceType text/javascript
Options +Multiviews
</Directory>
# Explicitly make static content cachable
<Directory /usr/share/libravatar/static>
Header append Cache-Control "public"
</Directory>
# URL-path to filesystem mappings for everything served outside the WSGI app.
# Each target directory is granted in one of the <Directory> blocks above.
Alias /avatar /usr/share/libravatar/static/avatar
Alias /css /usr/share/libravatar/static/css
Alias /js /usr/share/libravatar/static/js
Alias /img /usr/share/libravatar/static/img
Alias /favicon.ico /usr/share/libravatar/libravatar/favicon.ico
Alias /humans.txt /usr/share/libravatar/libravatar/humans.txt
Alias /robots.txt /usr/share/libravatar/libravatar/robots.txt
Alias /rules.abe /usr/share/libravatar/libravatar/rules.abe
Alias /uploaded /var/lib/libravatar/uploaded
Alias /user /var/lib/libravatar/user
Alias /export /var/lib/libravatar/export
Alias /schemas /usr/share/libravatar/libravatar/schemas
# A missing avatar returns an (almost) empty 404 body instead of the default
# error page.
<Location /avatar>
ErrorDocument 404 " "
</Location>
<Location /uploaded>
# Uploaded/cropped images never change
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
</Location>
# A missing user image is answered with the placeholder image from /img.
<Location /user>
ErrorDocument 404 /img/missing.png
# Uploaded/cropped images never change
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
</Location>
<Location /export>
# Force browsers to download this instead of serving it
# (octet-stream plus Content-Disposition: attachment means the export is
# never rendered inline in the site's origin).
ForceType application/octet-stream
Header set Content-Disposition attachment
</Location>
RewriteEngine on
# These pages have moved to the wiki
# Permanent (301) redirects; the trailing slash is optional on the source path.
RewriteRule ^/api/?$ https://wiki.libravatar.org/api/ [redirect=301]
RewriteRule ^/libraries/?$ https://wiki.libravatar.org/libraries/ [redirect=301]
RewriteRule ^/run_your_own/?$ https://wiki.libravatar.org/running_your_own/ [redirect=301]
RewriteRule ^/security/?$ https://wiki.libravatar.org/security/ [redirect=301]
# Everything not matched by an Alias above is handled by the Django app.
WSGIScriptAlias / /etc/libravatar/django.wsgi
ErrorLog /var/log/libravatar/error-www.log
LogLevel notice
CustomLog /var/log/libravatar/access-www.log combined
</VirtualHost>
<VirtualHost *:80>
# Plain-HTTP vhost: serves nothing itself, every request is sent with a
# 301 to the HTTPS vhost above. (RedirectPermanent is the mod_alias
# shorthand for "Redirect permanent".)
ServerAdmin __WEBMASTEREMAIL__
ServerName __WWWSERVERNAME__
RedirectPermanent / https://__WWWSERVERNAME__/
</VirtualHost>