ServerName <%= domain %> ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] ServerName <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' <% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" <% end -%> Header always unset X-Powered-By Header always unset X-Runtime <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public RewriteEngine On # Check for maintenance file and redirect all requests RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f RewriteCond %{SCRIPT_FILENAME} !maintenance.html RewriteCond %{REQUEST_URI} !/images/maintenance.jpg RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt AllowEncodedSlashes on PassengerAllowEncodedSlashes on PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) Header unset ETag FileETag None ExpiresActive On ExpiresDefault "access plus 1 year" <% end -%> <% if (defined? @services) and (@services.include? 'monitor') -%> <% if (defined? @services) and (@services.include? 'webapp') -%> PassengerEnabled off <% end -%> AllowOverride all # Nagios won't work with setting this option to "DENY", # as set in conf.d/security (#4169). Therefor we allow # it here, only for nagios. Header set X-Frame-Options: "ALLOW" <% end -%>