standardebooks/web
1
0
Fork 0
mirror of https://github.com/standardebooks/web.git synced 2025-07-08 15:50:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
web/config/apache/standardebooks.test.conf

232 lines
11 KiB
Text
Raw Blame History

# Global configuration; see https://securityheaders.com
Header set X-UA-Compatible "IE=edge"
Header set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options "nosniff"
Header set X-Xss-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer-when-downgrade"
ServerTokens prod
ServerSignature off
AddDefaultCharset utf-8
UseCanonicalName on
LogLevel warn
AddOutputFilterByType deflate image/svg+xml
AddType application/font-woff2 .woff2
TraceEnable off
Protocols h2 h2c http/1.1
# Set up caching directives for infrequently changed files
ExpiresActive On
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/vnd.microsoft.icon "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
# These lines are a workaround for an Apache bug that prevents mod_deflate, etags, and ExpiresByType working at the same time.
# This is probably still broken in 18.04. See https://stackoverflow.com/questions/896974/apache-is-not-sending-304-response-if-mod-deflate-and-addoutputfilterbytype-is
FileETag All
RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
# SSL hardening; see https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# SSL Stapling should be off for testing to prevent errors in log files, and on for live
SSLUseStapling off
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Define domain standardebooks.test
<VirtualHost *:80>
ServerName ${domain}
ServerAlias www.${domain}
RedirectPermanent / https://${domain}/
</VirtualHost>
<VirtualHost *:443>
ServerName ${domain}
ServerAlias www.${domain}
DocumentRoot /standardebooks.org/web/www
ErrorDocument 404 /404
ErrorLog /var/log/local/www-error.log
RewriteEngine on
SSLEngine on
SSLCertificateFile /standardebooks.org/web/config/ssl/${domain}.crt
SSLCertificateKeyFile /standardebooks.org/web/config/ssl/${domain}.key
Header always set Strict-Transport-Security "max-age=15768000"
Header set Content-Security-Policy "default-src 'self';"
# Log downloads
SetEnvIf Request_URI "\.epub$" logdownload
SetEnvIf Request_URI "\.kepub.epub$" logdownload
SetEnvIf Request_URI "\.azw3$" logdownload
CustomLog /var/log/local/downloads.log "%h [%{%Y-%m-%d %H:%M:%S %Z}t] \"%r\" %>s %b" env=logdownload
DirectorySlash Off
<Directory /standardebooks.org/web/www/>
# Disable .htaccess files
AllowOverride none
# Disable unneeded options
Options none
# Allow access to www/
Require all granted
# Pass HTTP Authorization headers to PHP-FPM
CGIPassAuth on
</Directory>
AddType application/epub+zip .epub
AddType application/x-mobi8-ebook .azw3
<Location ~ ^/ebooks/.+?/downloads/.+$>
# Serve distributables using the "download" dialog instead of opening in-browser
# Note: the trailing e in the Header directive is required
SetEnvIf Request_URI ^/ebooks/.+?/downloads/(.+)$ FILENAME=$1
Header set "Content-Disposition" "attachment; filename=%{FILENAME}e"
</Location>
<Location ~ ^/opds.+?$>
DirectoryIndex index.xml
</location>
# We explicitly set the content-type for items in the /vocab/ directory, because Apache doesn't set it for us,
# and we need a content-type header when using the "nosniff" header. See https://bugzilla.mozilla.org/show_bug.cgi?id=1547076
<Location ~ ^/vocab/.+$>
Header set Content-Type "text/plain"
</location>
# Enable HTTP CORS so that browser-based readers like Readium can access opds and ebooks
# See https://github.com/standardebooks/tools/issues/2
<Location ~ /(ebooks|drafts|opds)/>
Header set Access-Control-Allow-Origin "*"
</Location>
# We use a different CSP policy for single-page files because our default one doesn't allow inline images or CSS
<Location ~ /text/single-page$>
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline';"
</Location>
# Remove www from requests
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
# PHP-FPM configuration
# See https://serverfault.com/questions/450628/apache-2-4-php-fpm-proxypassmatch/510784
# Forward all PHP requests to the php-fpm pool for this domain.
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php/${domain}.sock|fcgi://${domain}"
Header set Cache-Control "no-store"
</FilesMatch>
# Set some proxy properties.
<Proxy fcgi://${domain}>
ProxySet connectiontimeout=5 timeout=240
</Proxy>
# In case of 404, serve the 404 page specified by ErrorDocument, not the default FPM error page.
# Note that we can't use `ProxyErrorOverride on` because that catches ALL 4xx and 5xx HTTP headers
# and serves the default Apache page for them.
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
RewriteRule (.*) - [H=text/html]
# Received: /filename.php and /filename.php exists in filesystem; Result: 301 redirect to /filename and restart request
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} -f
RewriteRule ^/(.+)\.php$ /$1 [R=301,L]
# Received: /filename and /filename.php exists in filesystem; Result: change /filename to /filename.php and continue processing
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
RewriteRule ^(.+)$ $1.php [QSA]
# End PHP-FPM configuration
# Received: /filename and /filename.xml exists in filesystem; Result: rewrite to /filename.xml
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f
RewriteRule (.*) $1.xml
# Remove trailing slashes
RewriteRule ^/(.+?)/$ /$1 [R=301,L]
# Redirect ToC of XHTML representation of books
RewriteRule ^/ebooks/(.+?)/text$ /ebooks/$1/toc.xhtml [L]
# Received: /filename and /filename.xhtml exists in filesystem; Result: rewrite to /filename.xhtml
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xhtml -f
RewriteRule (.*) $1.xhtml
# Redirect index pages
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} -d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}/index.php -f
RewriteRule (.*) /$1/index.php
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} -d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}/index.xml -f
RewriteRule (.*) /$1/index.xml
# Remove newline characters inserted by accident in some email clients
RewriteRule ^(.*)\r\n[\ ]?(.*)$ $1$2 [R=301,N]
RewriteRule ^(.*)/r/n[\ ]?(.*)$ $1$2 [R=301,N]
RewriteRule ^(.*)/[rn]$ $1 [R=301,N]
# Favicon rewrites
RewriteRule ^/(apple-touch|android-chrome|favicon|mstile|safari-pinned|browserconfig|manifest)([^/]+)$ /images/favicons/$1$2 [L]
# Redirect tools
RewriteRule ^/tools$ https://github.com/standardebooks/tools [R=302,L]
# Redirect latest version of the manual
RewriteRule ^/manual/latest(.*) /manual/index.php?url=$1 [L]
# List of specific URL rewrites
RewriteRule ^/ebooks/aristotle/the-nicomachean-ethics(.+)$ /ebooks/aristotle/nicomachean-ethics$1 [R=301,L]
RewriteRule ^/ebooks/sir-arthur-conan-doyle(.+)$ /ebooks/arthur-conan-doyle$1 [R=301,L]
RewriteRule ^/alices-adventures-in-wonderland.+$ /ebooks/lewis-carroll/alices-adventures-in-wonderland/$1 [R=301,L]
RewriteRule ^/ebooks/philip-k-dick/short-stories(.+)$ /ebooks/philip-k-dick/short-fiction$1 [R=301,L]
RewriteRule ^/ebooks/benjamin-disraeli/sibyl(.+)$ /ebooks/benjamin-disraeli/sybil$1 [R=301,L]
RewriteRule ^/ebooks/lewis-carroll/alices-adventures-in-wonderland/downloads/(.+)$ /ebooks/lewis-carroll/alices-adventures-in-wonderland/john-tenniel/downloads/$1 [R=301,L]
RewriteRule ^/ebooks/lewis-carroll/through-the-looking-glass/downloads/(.+)$ /ebooks/lewis-carroll/through-the-looking-glass/john-tenniel/downloads/$1 [R=301,L]
RewriteRule ^/ebooks/nikolai-gogol/short-fiction/claud-field_isabel-f-hapgood_vizetelly-and-company$ /ebooks/nikolai-gogol/short-fiction/claud-field_isabel-f-hapgood_vizetelly-and-company_george-tolstoy [R=301,L]
RewriteRule ^/ebooks/nikolai-gogol/short-fiction/claud-field_isabel-f-hapgood_vizetelly-and-company/(.+?)$ /ebooks/nikolai-gogol/short-fiction/claud-field_isabel-f-hapgood_vizetelly-and-company_george-tolstoy/$1 [R=301,L]
RewriteRule ^/ebooks/h-g-wells/tales-of-space-and-time(.+)$ /ebooks/h-g-wells/short-fiction$1 [R=301,L]
RewriteRule ^/ebooks/omar-khayyam/the-rubaiyat-of-omar-khayyam/edward-fitzgerald/edmund-dulac(.*?)$ /ebooks/omar-khayyam/the-rubaiyat-of-omar-khayyam/edward-fitzgerald$1 [R=301,L]
RewriteRule ^/ebooks/alfred-lord-tennyson/idylls-of-the-king/gustave-dore(.*?)$ /ebooks/alfred-lord-tennyson/idylls-of-the-king$1 [R=301,L]
RewriteRule ^/ebooks/w-w-jacobs/the-lady-of-the-barge/maurice-greiffenhagen(.*?)$ /ebooks/w-w-jacobs/the-lady-of-the-barge$1 [R=301,L]
RewriteRule ^/ebooks/robert-louis-stevenson/treasure-island/milo-winter(.*?)$ /ebooks/robert-louis-stevenson/treasure-island$1 [R=301,L]
RewriteRule ^/ebooks/edgar-rice-burroughs/a-princess-of-mars/frank-e-schoonover(.*?)$ /ebooks/edgar-rice-burroughs/a-princess-of-mars$1 [R=301,L]
RewriteRule ^/ebooks/abraham-merritt/the-moon-pool(.*?)$ /ebooks/a-merritt/the-moon-pool$1 [R=301,L]
RewriteRule ^/ebooks/leo-tolstoy/a-confession/aylmer-maude_louise-maude(.*?)$ /ebooks/leo-tolstoy/a-confession/aylmer-maude$1 [R=301,L]
RewriteRule ^/ebooks/f-marion-crawford/khaled-a-tale-of-arabia(.*?)$ /ebooks/f-marion-crawford/khaled$1 [R=301,L]
# Redirect cover images with caching sha's to the root image
# We do this because some sites like Google cache the cover image path, so changing it results in lots of 404s
RewriteRule ^/images/covers/(.+?)\-[a-z0-9]{8}\-(cover|hero)(@2x)?\.(jpg|avif)$ /images/covers/$1-$2$3.$4
RewriteRule ^/ebooks/([^\./]+?)$ /ebooks/author.php?url-path=$1 [QSA]
RewriteRule ^/tags/([^\./]+?)$ /ebooks/index.php?tags[]=$1 [QSA]
RewriteRule ^/collections/([^\./]+?)$ /ebooks/index.php?collection=$1 [QSA]
# Prevent this rule from firing if we're getting a distribution file
RewriteCond %{REQUEST_FILENAME} !^/ebooks/.+?/downloads/.+$
RewriteCond %{REQUEST_FILENAME} !^/ebooks/.+?/text.*$
RewriteRule ^/ebooks/([^\.]+?)$ /ebooks/ebook.php?url-path=$1
# If we ask for /opds/all?query=xyz, rewrite that to the search page.
RewriteCond %{QUERY_STRING} ^query=
RewriteRule ^/opds/all.xml$ /opds/search.php [QSA]
</VirtualHost>
Reference in a new issue View git blame Copy permalink