openproject/docs/installation-and-operations/installation/packaged/openproject-apache-example....

<VirtualHost *:80>
    ServerName openproject.example.com
    redirect permanent / https://openproject.example.com/
</VirtualHost>

<VirtualHost *:443>
    #
    # SSL Start
    #

    SSLEngine On
#    SSLCertificateChainFile /etc/apache2/ssl/cdc_ca.cert.pem
    SSLCertificateFile /etc/letsencrypt/live/openproject.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/openproject.example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/openproject.example.com/fullchain.pem

    # Set Forwarded protocol header to proxy
    # otherwise OpenProject doesn't know we're terminating SSL here.
    RequestHeader set X_FORWARDED_PROTO 'https'

    #
    # SSL End
    #

    ServerName      openproject.example.com
    ServerAdmin     admin@example.com
    DocumentRoot    /opt/openproject/public

    # Proxy requests to localhost:6000 / unicorn worker
    ProxyRequests off
    ProxyPass / http://127.0.0.1:6000/ retry=0
    ProxyPassReverse / http://127.0.0.1:6000/


    # Disallow internal API for external use
    # (used for repository authenticiation, if any)
    <LocationMatch "^/sys">
      <IfModule mod_authz_core.c>
	      Require local
      </IfModule>

      <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
      </IfModule>
    </LocationMatch>

  # Configure assets and uploads
  Alias /assets /opt/openproject/public/assets
  Alias /uploads /opt/openproject/public/uploads
  <Directory "/opt/openproject/public">
    Options -Indexes
    <IfModule mod_authz_core.c>
      # apache 2.4+
      Require all granted
    </IfModule>

    <IfModule !mod_authz_core.c>
      Order deny,allow
      Allow from all
    </IfModule>
  </Directory>

   # Don't pass assets through proxy but deliver them through apache
   ProxyPass /assets/ !
   <Location /assets/>
     # Avoid using mtime or inode information for ETag
     FileETag Size
     ExpiresActive On ExpiresDefault "access plus 1 year"
   </Location>

    # Send expiry headers for assets, that carry an asset id. Assuming, an asset
    # id is a unix timestamp, which is currently a 10 digit integer. This might
    # change in the far future.
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
      ExpiresActive On
      ExpiresDefault "access plus 1 year"
    </FilesMatch>

    # Enabling compression for common text formats
    AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript

    ErrorLog    /var/log/apache2/openproject.example.com-error.log
</VirtualHost>
Add example manual config for apache [ci skip] 4 years ago			`<VirtualHost *:80>`
			`ServerName openproject.example.com`
			`redirect permanent / https://openproject.example.com/`
			`</VirtualHost>`

			`<VirtualHost *:443>`
			`#`
			`# SSL Start`
			`#`

			`SSLEngine On`
			`# SSLCertificateChainFile /etc/apache2/ssl/cdc_ca.cert.pem`
			`SSLCertificateFile /etc/letsencrypt/live/openproject.example.com/cert.pem`
			`SSLCertificateKeyFile /etc/letsencrypt/live/openproject.example.com/privkey.pem`
			`SSLCertificateChainFile /etc/letsencrypt/live/openproject.example.com/fullchain.pem`

			`# Set Forwarded protocol header to proxy`
			`# otherwise OpenProject doesn't know we're terminating SSL here.`
			`RequestHeader set X_FORWARDED_PROTO 'https'`

			`#`
			`# SSL End`
			`#`

			`ServerName openproject.example.com`
			`ServerAdmin admin@example.com`
			`DocumentRoot /opt/openproject/public`

			`# Proxy requests to localhost:6000 / unicorn worker`
			`ProxyRequests off`
			`ProxyPass / http://127.0.0.1:6000/ retry=0`
			`ProxyPassReverse / http://127.0.0.1:6000/`


			`# Disallow internal API for external use`
			`# (used for repository authenticiation, if any)`
			`<LocationMatch "^/sys">`
			`<IfModule mod_authz_core.c>`
			`Require local`
			`</IfModule>`

			`<IfModule !mod_authz_core.c>`
			`Order Deny,Allow`
			`Deny from all`
			`Allow from 127.0.0.1`
			`</IfModule>`
			`</LocationMatch>`

			`# Configure assets and uploads`
			`Alias /assets /opt/openproject/public/assets`
			`Alias /uploads /opt/openproject/public/uploads`
			`<Directory "/opt/openproject/public">`
			`Options -Indexes`
			`<IfModule mod_authz_core.c>`
			`# apache 2.4+`
			`Require all granted`
			`</IfModule>`

			`<IfModule !mod_authz_core.c>`
			`Order deny,allow`
			`Allow from all`
			`</IfModule>`
			`</Directory>`

			`# Don't pass assets through proxy but deliver them through apache`
			`ProxyPass /assets/ !`
			`<Location /assets/>`
			`# Avoid using mtime or inode information for ETag`
			`FileETag Size`
			`ExpiresActive On ExpiresDefault "access plus 1 year"`
			`</Location>`

			`# Send expiry headers for assets, that carry an asset id. Assuming, an asset`
			`# id is a unix timestamp, which is currently a 10 digit integer. This might`
			`# change in the far future.`
			`<FilesMatch "\.(ico\|pdf\|flv\|jpg\|jpeg\|png\|gif\|js\|css\|swf)$">`
			`ExpiresActive On`
			`ExpiresDefault "access plus 1 year"`
			`</FilesMatch>`

			`# Enabling compression for common text formats`
			`AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript`

			`ErrorLog /var/log/apache2/openproject.example.com-error.log`
			`</VirtualHost>`