Add production build optimizations to Vite configuration; set target, output directory, and minification options for improved performance

2025-10-18 21:19:07 +02:00
parent bda61c0ed4
commit 06a65e9130
16 changed files with 4210 additions and 1 deletions
--- a/apache2.conf
+++ b/apache2.conf
@@ -0,0 +1,275 @@
+# Apache 2 VirtualHost-Konfiguration für TimeClock v3
+# Datei speichern unter: /etc/apache2/sites-available/stechuhr3.tsschulz.de.conf
+#
+# Installation:
+# sudo cp apache2.conf /etc/apache2/sites-available/stechuhr3.tsschulz.de.conf
+# sudo a2enmod proxy proxy_http ssl rewrite headers deflate expires
+# sudo a2ensite stechuhr3.tsschulz.de
+# sudo apache2ctl configtest
+# sudo systemctl reload apache2
+
+# HTTP VirtualHost - Redirect zu HTTPS
+<VirtualHost *:80>
+    ServerName stechuhr3.tsschulz.de
+    ServerAdmin admin@tsschulz.de
+
+    # Let's Encrypt ACME Challenge
+    DocumentRoot /var/www/certbot
+    <Directory /var/www/certbot>
+        Require all granted
+    </Directory>
+
+    # Alle anderen Requests zu HTTPS umleiten
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
+    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+    ErrorLog ${APACHE_LOG_DIR}/stechuhr3-error.log
+    CustomLog ${APACHE_LOG_DIR}/stechuhr3-access.log combined
+</VirtualHost>
+
+# HTTPS VirtualHost - Hauptkonfiguration
+<VirtualHost *:443>
+    ServerName stechuhr3.tsschulz.de
+    ServerAdmin admin@tsschulz.de
+
+    # =================================================================
+    # SSL-Konfiguration (wird von Certbot automatisch verwaltet)
+    # =================================================================
+    SSLEngine on
+    SSLCertificateFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/privkey.pem
+    
+    # SSL-Protokolle und Cipher Suites
+    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLHonorCipherOrder off
+    SSLSessionTickets off
+    
+    # OCSP Stapling
+    SSLUseStapling on
+    SSLStaplingResponderTimeout 5
+    SSLStaplingReturnResponderErrors off
+
+    # =================================================================
+    # Frontend (Vue.js SPA)
+    # =================================================================
+    DocumentRoot /var/www/timeclock/frontend/dist
+    
+    <Directory /var/www/timeclock/frontend/dist>
+        Options -Indexes +FollowSymLinks
+        AllowOverride All
+        Require all granted
+        
+        # SPA Fallback - alle Requests zu index.html
+        <IfModule mod_rewrite.c>
+            RewriteEngine On
+            RewriteBase /
+            RewriteRule ^index\.html$ - [L]
+            RewriteCond %{REQUEST_FILENAME} !-f
+            RewriteCond %{REQUEST_FILENAME} !-d
+            RewriteCond %{REQUEST_URI} !^/api
+            RewriteRule . /index.html [L]
+        </IfModule>
+    </Directory>
+
+    # =================================================================
+    # Gzip Compression
+    # =================================================================
+    <IfModule mod_deflate.c>
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
+        AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
+        AddOutputFilterByType DEFLATE application/xml application/xml+rss application/rss+xml
+        AddOutputFilterByType DEFLATE application/atom+xml
+        AddOutputFilterByType DEFLATE image/svg+xml
+        AddOutputFilterByType DEFLATE font/ttf font/woff font/woff2
+    </IfModule>
+
+    # =================================================================
+    # Security Headers
+    # =================================================================
+    <IfModule mod_headers.c>
+        # X-Frame-Options: Schutz vor Clickjacking
+        Header always set X-Frame-Options "SAMEORIGIN"
+        
+        # X-Content-Type-Options: Verhindert MIME-Type Sniffing
+        Header always set X-Content-Type-Options "nosniff"
+        
+        # X-XSS-Protection: XSS-Schutz für ältere Browser
+        Header always set X-XSS-Protection "1; mode=block"
+        
+        # Referrer-Policy: Kontrolliert Referrer-Informationen
+        Header always set Referrer-Policy "strict-origin-when-cross-origin"
+        
+        # Permissions-Policy: Kontrolliert Browser-Features
+        Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
+        
+        # Content-Security-Policy (angepasst für Vue.js)
+        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://stechuhr3.tsschulz.de;"
+        
+        # Strict-Transport-Security (HSTS)
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+    </IfModule>
+
+    # =================================================================
+    # API Reverse Proxy zum Backend
+    # =================================================================
+    <IfModule mod_proxy.c>
+        ProxyPreserveHost On
+        ProxyRequests Off
+        
+        # Timeouts
+        ProxyTimeout 60
+        
+        # API Proxy
+        ProxyPass /api http://localhost:3010/api retry=0
+        ProxyPassReverse /api http://localhost:3010/api
+        
+        <Location /api>
+            # Proxy Headers
+            RequestHeader set X-Forwarded-Proto "https"
+            RequestHeader set X-Forwarded-Port "443"
+            RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+            
+            # CORS Headers (falls benötigt, aber Backend sollte das handhaben)
+            # Header set Access-Control-Allow-Origin "https://stechuhr3.tsschulz.de"
+            # Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+            # Header set Access-Control-Allow-Headers "Content-Type, Authorization"
+            # Header set Access-Control-Allow-Credentials "true"
+        </Location>
+    </IfModule>
+
+    # =================================================================
+    # Statische Assets mit langem Cache
+    # =================================================================
+    <IfModule mod_expires.c>
+        ExpiresActive On
+        
+        # JavaScript und CSS
+        ExpiresByType text/css "access plus 1 year"
+        ExpiresByType text/javascript "access plus 1 year"
+        ExpiresByType application/javascript "access plus 1 year"
+        ExpiresByType application/x-javascript "access plus 1 year"
+        
+        # Bilder
+        ExpiresByType image/jpeg "access plus 1 year"
+        ExpiresByType image/jpg "access plus 1 year"
+        ExpiresByType image/png "access plus 1 year"
+        ExpiresByType image/gif "access plus 1 year"
+        ExpiresByType image/webp "access plus 1 year"
+        ExpiresByType image/svg+xml "access plus 1 year"
+        ExpiresByType image/x-icon "access plus 1 year"
+        
+        # Fonts
+        ExpiresByType font/ttf "access plus 1 year"
+        ExpiresByType font/woff "access plus 1 year"
+        ExpiresByType font/woff2 "access plus 1 year"
+        ExpiresByType application/font-woff "access plus 1 year"
+        ExpiresByType application/font-woff2 "access plus 1 year"
+        
+        # HTML (kein Cache)
+        ExpiresByType text/html "access plus 0 seconds"
+    </IfModule>
+    
+    # Cache-Control Headers für Assets
+    <FilesMatch "\.(js|css|png|jpg|jpeg|gif|ico|svg|webp|woff|woff2|ttf|eot)$">
+        <IfModule mod_headers.c>
+            Header set Cache-Control "public, max-age=31536000, immutable"
+        </IfModule>
+    </FilesMatch>
+    
+    # Kein Cache für HTML
+    <FilesMatch "\.(html|htm)$">
+        <IfModule mod_headers.c>
+            Header set Cache-Control "no-cache, no-store, must-revalidate"
+            Header set Pragma "no-cache"
+            Header set Expires "0"
+        </IfModule>
+    </FilesMatch>
+
+    # =================================================================
+    # Spezielle Dateien
+    # =================================================================
+    # robots.txt und sitemap.xml
+    <FilesMatch "(robots\.txt|sitemap\.xml)$">
+        <IfModule mod_headers.c>
+            Header set Cache-Control "public, max-age=86400"
+        </IfModule>
+    </FilesMatch>
+
+    # =================================================================
+    # Sicherheit: Verstecke sensible Dateien
+    # =================================================================
+    # Blockiere Zugriff auf versteckte Dateien (.git, .env, etc.)
+    <DirectoryMatch "^\.|\/\.">
+        Require all denied
+    </DirectoryMatch>
+    
+    <FilesMatch "^\.">
+        Require all denied
+    </FilesMatch>
+    
+    # Blockiere Zugriff auf Backup-Dateien
+    <FilesMatch "~$">
+        Require all denied
+    </FilesMatch>
+    
+    # Blockiere .env Dateien
+    <FilesMatch "\.env">
+        Require all denied
+    </FilesMatch>
+
+    # =================================================================
+    # Limits
+    # =================================================================
+    # Client Body Size Limit (z.B. für File-Uploads)
+    LimitRequestBody 10485760
+    
+    # Timeouts
+    TimeOut 300
+
+    # =================================================================
+    # Logging
+    # =================================================================
+    ErrorLog ${APACHE_LOG_DIR}/stechuhr3-error.log
+    CustomLog ${APACHE_LOG_DIR}/stechuhr3-access.log combined
+    
+    # Optional: Log-Level für detailliertere Logs
+    # LogLevel info ssl:warn proxy:debug
+</VirtualHost>
+
+# =================================================================
+# Globale SSL-Konfiguration (optional, in /etc/apache2/mods-available/ssl.conf)
+# =================================================================
+# <IfModule mod_ssl.c>
+#     # OCSP Stapling Cache
+#     SSLStaplingCache shmcb:/var/run/ocsp(128000)
+#     
+#     # SSL Session Cache
+#     SSLSessionCache shmcb:/var/run/ssl_scache(512000)
+#     SSLSessionCacheTimeout 300
+# </IfModule>
+
+# =================================================================
+# OPTIONAL: Rate Limiting mit mod_evasive
+# =================================================================
+# Installieren mit: sudo apt install libapache2-mod-evasive
+# Dann konfigurieren in: /etc/apache2/mods-available/evasive.conf
+#
+# <IfModule mod_evasive20.c>
+#     DOSHashTableSize 3097
+#     DOSPageCount 5
+#     DOSSiteCount 100
+#     DOSPageInterval 1
+#     DOSSiteInterval 1
+#     DOSBlockingPeriod 10
+#     DOSEmailNotify admin@tsschulz.de
+#     DOSLogDir /var/log/apache2/mod_evasive
+# </IfModule>
+
+# =================================================================
+# OPTIONAL: Zusätzliche Security mit mod_security
+# =================================================================
+# Installieren mit: sudo apt install libapache2-mod-security2
+# Konfiguration in: /etc/modsecurity/modsecurity.conf
+