29 lines
1.6 KiB
Text
29 lines
1.6 KiB
Text
# This is an HTTP config purely for Zanata, which mirrors id.fp.o
|
|
# They run on old Java, which means that they do not support TLSv1.2, so let's
|
|
# give them TLSv1.0 as well.
|
|
# On how this works, look at the proxies' iptables: they will have a rule that
|
|
# forwards a limited set of IP addresses' 443/tcp to 44342/tcp.
|
|
Listen 44342 https
|
|
<VirtualHost *:44342>
|
|
ServerName id.fedoraproject.org
|
|
ServerAdmin webmaster@fedoraproject.org
|
|
|
|
RequestHeader unset X-Forwarded-For
|
|
|
|
Protocols h2 http/1.1
|
|
|
|
SSLEngine on
|
|
SSLUseStapling on
|
|
SSLCertificateFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert
|
|
SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key
|
|
SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert
|
|
|
|
SSLHonorCipherOrder On
|
|
|
|
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
|
|
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
|
|
|
|
Header always add Strict-Transport-Security "max-age=31536000; preload"
|
|
Include "conf.d/id.fedoraproject.org/*.conf"
|
|
</VirtualHost>
|
|
|