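# TimeClock v3 - HTTPS VirtualHost
# Save as: /etc/apache2/sites-available/stechuhr3.tsschulz.de-le-ssl.conf
#
# Modules used by the directives below: mod_ssl, mod_rewrite, mod_proxy,
# mod_proxy_http, mod_headers, mod_deflate.
#
# NOTE(review): every <...> container tag was lost from this page; only the
# directives inside them survived. The containers below are reconstructed:
#   - <VirtualHost *:443>: from the title and the 443 / https proxy headers;
#     the "*" listen address is an assumption.
#   - <Directory ...>: required, because AllowOverride and RewriteBase are only
#     valid in directory context; the path is taken from DocumentRoot.
#   - <FilesMatch ...>: container type and patterns are NOT recoverable. They
#     carry PLACEHOLDER_* patterns that must be replaced before deployment.
#     As written they match no real file, so they neither cache nor protect.

<VirtualHost *:443>
    ServerName stechuhr3.tsschulz.de
    ServerAdmin admin@tsschulz.de

    # =================================================================
    # Frontend (Vue.js SPA)
    # =================================================================
    DocumentRoot /var/www/timeclock/frontend/dist

    <Directory /var/www/timeclock/frontend/dist>
        Options -Indexes +FollowSymLinks
        # NOTE(review): AllowOverride All lets any .htaccess file under the
        # docroot change access control, rewrites and headers. The SPA rules
        # already live here, so AllowOverride None is the tighter setting if
        # the build output ships no .htaccess - confirm before changing.
        AllowOverride All
        Require all granted

        # SPA fallback - route every non-file, non-API request to index.html
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.html$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_URI} !^/api
        RewriteRule . /index.html [L]
    </Directory>

    # =================================================================
    # API reverse proxy to the backend
    # =================================================================
    ProxyPreserveHost On
    # Forward proxying stays off; only the /api mapping below is proxied.
    ProxyRequests Off
    ProxyTimeout 60

    # API proxy
    # NOTE(review): the backend is reached over plain HTTP on localhost and
    # trusts the headers set below, so it presumably should listen on loopback
    # only - verify its bind address.
    ProxyPass /api http://localhost:3010/api retry=0
    ProxyPassReverse /api http://localhost:3010/api

    # Proxy headers. "set" replaces any value the client sent, so these three
    # cannot be spoofed from outside. mod_proxy also appends the client address
    # to X-Forwarded-For, but keeps client-supplied entries in front of it;
    # the backend should read X-Real-IP (or only the last X-Forwarded-For
    # entry) for logging, rate limiting and audit records.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    # =================================================================
    # Gzip compression
    # =================================================================
    # NOTE(review): compressing application/json over TLS exposes responses
    # that mix a secret with request-controlled content to BREACH-style
    # length side channels. Check whether API responses do this; if so,
    # exclude /api from DEFLATE.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/xml+rss application/rss+xml
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE font/ttf font/woff font/woff2

    # =================================================================
    # Security headers
    # =================================================================
    # "always" also applies these to error responses and proxied replies.
    # NOTE(review): no Content-Security-Policy is set; for an SPA that is the
    # header that actually limits script injection.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # browsers; current guidance is "0" or omitting it, relying on a CSP.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # NOTE(review): includeSubDomains here covers only hosts below
    # stechuhr3.tsschulz.de. "preload" has no effect unless the registrable
    # domain itself is submitted to the preload list, and that step is slow to
    # undo - keep it only if it is intended.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # =================================================================
    # Cache-Control
    # =================================================================
    # These rules match files served from the docroot. Proxied /api responses
    # are not covered; the backend must send its own Cache-Control (no-store
    # for personal time-tracking data) - confirm.

    # Cache static assets (long-lived, immutable: assumes hashed file names)
    <FilesMatch "PLACEHOLDER_STATIC_ASSET_REGEX">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # No cache for HTML
    <FilesMatch "PLACEHOLDER_HTML_REGEX">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </FilesMatch>

    # =================================================================
    # Security: hide sensitive files
    # =================================================================
    # Three deny rules stood here; which files they matched is not shown on
    # the page. Replace each placeholder with the intended pattern (dotfiles,
    # backups, VCS metadata and similar are the usual candidates).
    <FilesMatch "PLACEHOLDER_SENSITIVE_REGEX_1">
        Require all denied
    </FilesMatch>

    <FilesMatch "PLACEHOLDER_SENSITIVE_REGEX_2">
        Require all denied
    </FilesMatch>

    <FilesMatch "PLACEHOLDER_SENSITIVE_REGEX_3">
        Require all denied
    </FilesMatch>

    # =================================================================
    # Limits
    # =================================================================
    # 10485760 bytes = 10 MiB maximum request body.
    LimitRequestBody 10485760
    # NOTE(review): 300 s is a generous I/O timeout for slow clients holding
    # connections open; mod_reqtimeout can bound header and body read time
    # separately.
    TimeOut 300

    # =================================================================
    # Logging
    # =================================================================
    ErrorLog ${APACHE_LOG_DIR}/stechuhr3-error.log
    CustomLog ${APACHE_LOG_DIR}/stechuhr3-access.log combined

    # =================================================================
    # SSL configuration (managed by Certbot)
    # =================================================================
    # Protocol and cipher policy come from the included Certbot file, not from
    # this vhost; review that file when auditing the TLS settings.
    SSLCertificateFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>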