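# TimeClock v3 - HTTPS VirtualHost
# Save as: /etc/apache2/sites-available/stechuhr3.tsschulz.de-le-ssl.conf
#
# Terminates TLS for stechuhr3.tsschulz.de, serves the built Vue.js SPA from
# disk and reverse-proxies /api to a backend listening on localhost:3010.

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName stechuhr3.tsschulz.de
    ServerAdmin admin@tsschulz.de

    # =================================================================
    # Frontend (Vue.js SPA)
    # =================================================================
    DocumentRoot /var/www/timeclock/frontend/dist

    <Directory /var/www/timeclock/frontend/dist>
        Options -Indexes +FollowSymLinks
        # The SPA rewrite rules are defined right here in the vhost, so no
        # .htaccess is needed. "None" stops a stray or planted .htaccess in the
        # build output from overriding server configuration.
        # NOTE(review): if the deployment ships a .htaccess it depends on,
        # allow only the specific override classes it needs instead of "All".
        AllowOverride None
        Require all granted

        # SPA fallback - route all requests to index.html
        <IfModule mod_rewrite.c>
            RewriteEngine On
            RewriteBase /
            # index.html itself is served as-is.
            RewriteRule ^index\.html$ - [L]
            # Anything that is not an existing file or directory, and is not
            # under /api, is handed to the SPA entry point.
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} !^/api
            RewriteRule . /index.html [L]
        </IfModule>
    </Directory>

    # =================================================================
    # API reverse proxy to the backend
    # =================================================================
    <IfModule mod_proxy.c>
        ProxyPreserveHost On
        # Reverse proxy only; never act as a forward (open) proxy.
        ProxyRequests Off
        ProxyTimeout 60

        # API proxy. The hop to the backend is plain HTTP on loopback; TLS
        # ends at this vhost.
        ProxyPass /api http://localhost:3010/api retry=0
        ProxyPassReverse /api http://localhost:3010/api

        <Location /api>
            # Proxy headers. "set" replaces any value the client sent, so the
            # backend cannot be fed a forged X-Forwarded-Proto/-Port/X-Real-IP.
            # These RequestHeader lines need mod_headers; unlike the Header
            # directives below they are not wrapped in an IfModule for it.
            RequestHeader set X-Forwarded-Proto "https"
            RequestHeader set X-Forwarded-Port "443"
            RequestHeader set X-Real-IP %{REMOTE_ADDR}s
            # NOTE(review): mod_proxy_http appends the client address to any
            # X-Forwarded-For the client already sent. Confirm the backend
            # trusts only the last hop (or X-Real-IP) for rate limiting,
            # audit logging and access decisions.
        </Location>
    </IfModule>

    # =================================================================
    # Gzip compression
    # =================================================================
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
        AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
        AddOutputFilterByType DEFLATE application/xml application/xml+rss application/rss+xml
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE font/ttf font/woff font/woff2
    </IfModule>

    # =================================================================
    # Security headers
    # =================================================================
    # Because of the IfModule guard these headers are skipped without any
    # error when mod_headers is not enabled; verify them with a real request
    # after each deployment.
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        # The legacy browser XSS auditor is ignored by current Chromium and
        # Firefox and had flaws of its own where it existed; "0" switches it
        # off explicitly. XSS defence belongs in a Content-Security-Policy.
        # NOTE(review): no Content-Security-Policy is set in this vhost; check
        # whether the backend or the SPA's index.html supplies one.
        Header always set X-XSS-Protection "0"
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
        # One-year HSTS. includeSubDomains here covers subdomains of this host
        # name only. NOTE(review): "preload" has an effect only once the
        # registrable domain is submitted to the browser preload list, and
        # that is slow to undo - confirm it is intended.
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    </IfModule>

    # =================================================================
    # Cache-Control
    # =================================================================
    # Cache for static assets: one year, immutable.
    # NOTE(review): this assumes the build emits content-hashed file names;
    # files with stable names that match the pattern (e.g. favicon.ico) are
    # cached for a year as well.
    <FilesMatch "\.(js|css|png|jpg|jpeg|gif|ico|svg|webp|woff|woff2|ttf|eot)$">
        <IfModule mod_headers.c>
            Header set Cache-Control "public, max-age=31536000, immutable"
        </IfModule>
    </FilesMatch>

    # No caching for HTML, so a new index.html (and the asset names it
    # references) is picked up immediately.
    <FilesMatch "\.(html|htm)$">
        <IfModule mod_headers.c>
            Header set Cache-Control "no-cache, no-store, must-revalidate"
            Header set Pragma "no-cache"
            Header set Expires "0"
        </IfModule>
    </FilesMatch>

    # =================================================================
    # Security: hide sensitive files
    # =================================================================
    # Deny any directory whose path starts with a dot or contains a component
    # starting with a dot (for example a .git directory).
    # NOTE(review): this also matches a .well-known directory; confirm that
    # certificate renewal does not rely on a webroot HTTP-01 challenge served
    # through this vhost.
    <DirectoryMatch "^\.|\/\.">
        Require all denied
    </DirectoryMatch>

    # Deny files whose name starts with a dot.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>

    # Deny environment files. The pattern is unanchored, so it matches any
    # file name that contains ".env" (e.g. backup.env, config.env.bak), not
    # only ".env" itself.
    <FilesMatch "\.env">
        Require all denied
    </FilesMatch>

    # =================================================================
    # Limits
    # =================================================================
    # Request bodies are capped at 10485760 bytes (10 MiB).
    LimitRequestBody 10485760
    TimeOut 300

    # =================================================================
    # Logging
    # =================================================================
    ErrorLog ${APACHE_LOG_DIR}/stechuhr3-error.log
    CustomLog ${APACHE_LOG_DIR}/stechuhr3-access.log combined

    # =================================================================
    # SSL configuration (managed by Certbot)
    # =================================================================
    # Protocol and cipher settings come from the Certbot-maintained include.
    SSLCertificateFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stechuhr3.tsschulz.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>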