Add example manual config for apache

[ci skip]

docs/installation-and-operations/installation/packaged/README.md

@@ -364,7 +364,11 @@ The installer will not set up an external web server for accessing. You will nee
 
 Only choose this option if you have a local Apache2 installed that the OpenProject package may not control, or need to use a different web server such as Nginx. Please note that not all functionality (especially regarding Repositories) are supported on Nginx. 
 
-When installing with an existing Apache2, you can use our [installation wizard templates](https://github.com/pkgr/addon-apache2/tree/master/conf) for guidance on how to set up the integration. [For a minimal nginx config, please see this gist](https://gist.github.com/seLain/375d16ccd4542e3727e97a7478187d3a) as as starting point.
+When installing with an existing Apache2, you can take a look at the source of our [installation  templates](https://github.com/pkgr/addon-apache2/tree/master/conf) for guidance on how to set up the integration. 
+
+[Here's an exemplary configuration](./openproject-apache-example.conf) that might work for you.
+
+[For a minimal nginx config, please see this gist](https://gist.github.com/seLain/375d16ccd4542e3727e97a7478187d3a) as as starting point.
 
 ## Step 3: SVN/Git integration server
 

docs/installation-and-operations/installation/packaged/openproject-apache-example.conf

@@ -0,0 +1,86 @@
+<VirtualHost *:80>
+    ServerName openproject.example.com
+    redirect permanent / https://openproject.example.com/
+</VirtualHost>
+
+<VirtualHost *:443>
+    #
+    # SSL Start
+    #
+
+    SSLEngine On
+#    SSLCertificateChainFile /etc/apache2/ssl/cdc_ca.cert.pem
+    SSLCertificateFile /etc/letsencrypt/live/openproject.example.com/cert.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/openproject.example.com/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/openproject.example.com/fullchain.pem
+
+    # Set Forwarded protocol header to proxy
+    # otherwise OpenProject doesn't know we're terminating SSL here.
+    RequestHeader set X_FORWARDED_PROTO 'https'
+
+    #
+    # SSL End
+    #
+
+    ServerName      openproject.example.com
+    ServerAdmin     admin@example.com
+    DocumentRoot    /opt/openproject/public
+
+    # Proxy requests to localhost:6000 / unicorn worker
+    ProxyRequests off
+    ProxyPass / http://127.0.0.1:6000/ retry=0
+    ProxyPassReverse / http://127.0.0.1:6000/
+
+
+    # Disallow internal API for external use
+    # (used for repository authenticiation, if any)
+    <LocationMatch "^/sys">
+      <IfModule mod_authz_core.c>
+	      Require local
+      </IfModule>
+
+      <IfModule !mod_authz_core.c>
+        Order Deny,Allow
+        Deny from all
+        Allow from 127.0.0.1
+      </IfModule>
+    </LocationMatch>
+
+  # Configure assets and uploads
+  Alias /assets /opt/openproject/public/assets
+  Alias /uploads /opt/openproject/public/uploads
+  <Directory "/opt/openproject/public">
+    Options -Indexes
+    <IfModule mod_authz_core.c>
+      # apache 2.4+
+      Require all granted
+    </IfModule>
+
+    <IfModule !mod_authz_core.c>
+      Order deny,allow
+      Allow from all
+    </IfModule>
+  </Directory>
+
+   # Don't pass assets through proxy but deliver them through apache
+   ProxyPass /assets/ !
+   <Location /assets/>
+     # Avoid using mtime or inode information for ETag
+     FileETag Size
+     ExpiresActive On ExpiresDefault "access plus 1 year"
+   </Location>
+
+    # Send expiry headers for assets, that carry an asset id. Assuming, an asset
+    # id is a unix timestamp, which is currently a 10 digit integer. This might
+    # change in the far future.
+    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
+      ExpiresActive On
+      ExpiresDefault "access plus 1 year"
+    </FilesMatch>
+
+    # Enabling compression for common text formats
+    AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript
+
+    ErrorLog    /var/log/apache2/openproject.example.com-error.log
+</VirtualHost>
+