From 405d67cbab59ac3e8bea11c7cbe71448a6b30cb8 Mon Sep 17 00:00:00 2001
From: forksand
Date: Mon, 12 Apr 2021 20:19:00 -0600
Subject: [PATCH] web3 proxy
---
source/resources/apps/web3/README.md | 42 +++++++++++++++++++
.../apps/web3/apache/000-default.conf | 11 +++++
.../resources/apps/web3/apache/apache2.conf | 32 ++++++++++++++
.../web3/apache/conf-available/security.conf | 10 +++++
.../resources/apps/web3/apache/dot-htaccess | 4 ++
.../sites-available/000-default-le-ssl.conf | 42 +++++++++++++++++++
6 files changed, 141 insertions(+)
create mode 100644 source/resources/apps/web3/README.md
create mode 100644 source/resources/apps/web3/apache/000-default.conf
create mode 100644 source/resources/apps/web3/apache/apache2.conf
create mode 100644 source/resources/apps/web3/apache/conf-available/security.conf
create mode 100644 source/resources/apps/web3/apache/dot-htaccess
create mode 100644 source/resources/apps/web3/apache/sites-available/000-default-le-ssl.conf
diff --git a/source/resources/apps/web3/README.md b/source/resources/apps/web3/README.md
new file mode 100644
index 0000000..fc2ba70
--- /dev/null
+++ b/source/resources/apps/web3/README.md
@@ -0,0 +1,42 @@
+# web3
+
+* web3py
+
+# Proxy
+Apache proxy
+
+```
+apt-get -y install apache2 python3-certbot-apache
+apt clean
+a2enmod ssl rewrite proxy proxy_http headers
+a2ensite default-ssl.conf
+echo vweb3.forksand.com > /var/www/html/index.html
+vim iptables.test.rules
+# Web
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+systemctl restart apache2
+/root/iptables-reload
+```
+
+## Cerbot
+Not public, use DNS.
+
+
+```
+sudo su -
+pip3 install certbot-dns-njalla
+
+touch /etc/njalla.ini
+chmod 600 /etc/njalla.ini
+# Create API key at Njalla
+echo 'certbot_dns_njalla:dns_njalla_token=0000000000000000000000000000000000000000' > /etc/njalla.ini
+certbot certonly -a certbot-dns-njalla:dns-njalla --certbot-dns-njalla:dns-njalla-credentials njalla.ini -d vweb3.forksand.com
+# Disable API key at Njalla
+
+# Plugin legacy name certbot-dns-njalla:dns-njalla may be removed in a future version. Please use dns-njalla instead.
+#certbot run -n -d vweb3.forksand.com,eth.forksand.com --apache --agree-tos -m "certbot@forksand.com"
+
+systemctl restart apache2
+```
diff --git a/source/resources/apps/web3/apache/000-default.conf b/source/resources/apps/web3/apache/000-default.conf
new file mode 100644
index 0000000..1ef9c71
--- /dev/null
+++ b/source/resources/apps/web3/apache/000-default.conf
@@ -0,0 +1,11 @@
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =vweb3.forksand.com
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/source/resources/apps/web3/apache/apache2.conf b/source/resources/apps/web3/apache/apache2.conf
new file mode 100644
index 0000000..72de24a
--- /dev/null
+++ b/source/resources/apps/web3/apache/apache2.conf
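Review bot: In 000-default.conf the `RewriteCond %{SERVER_NAME} =vweb3.forksand.com` guard means only that one host name is redirected to HTTPS; a request on port 80 under any other name (for example the .org and .net aliases that the SSL site config handles) is answered in plain HTTP from `DocumentRoot`. If nothing is meant to be served unencrypted, drop the condition and redirect unconditionally to the canonical name, e.g. `RewriteRule ^ https://vweb3.forksand.com%{REQUEST_URI} [END,NE,R=permanent]`. The enclosing section header is not visible in this hunk, so this assumes the rules sit in the port-80 virtual host.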
@@ -0,0 +1,32 @@
+DefaultRuntimeDir ${APACHE_RUN_DIR}
+PidFile ${APACHE_PID_FILE}
+Timeout 300
+KeepAlive On
+MaxKeepAliveRequests 100
+KeepAliveTimeout 5
+User ${APACHE_RUN_USER}
+Group ${APACHE_RUN_GROUP}
+HostnameLookups Off
+ErrorLog ${APACHE_LOG_DIR}/error.log
+LogLevel warn
+IncludeOptional mods-enabled/*.load
+IncludeOptional mods-enabled/*.conf
+Include ports.conf
+
+ Options FollowSymLinks
+ AllowOverride None
+ Require all denied
+
+AccessFileName .htaccess
+
+ Require all denied
+
+LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
+LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %O" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+IncludeOptional conf-enabled/*.conf
+IncludeOptional sites-enabled/*.conf
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/source/resources/apps/web3/apache/conf-available/security.conf b/source/resources/apps/web3/apache/conf-available/security.conf
new file mode 100644
index 0000000..45f6ac2
--- /dev/null
+++ b/source/resources/apps/web3/apache/conf-available/security.conf
@@ -0,0 +1,10 @@
+
+ AllowOverride None
+ Require all denied
+
+ServerTokens Minimal
+ServerSignature Off
+TraceEnable Off
+Header set X-Frame-Options: "sameorigin"
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/source/resources/apps/web3/apache/dot-htaccess b/source/resources/apps/web3/apache/dot-htaccess
new file mode 100644
index 0000000..4ab80e2
--- /dev/null
+++ b/source/resources/apps/web3/apache/dot-htaccess
@@ -0,0 +1,4 @@
+AuthType Basic
+AuthName "Restricted Content"
+AuthUserFile /etc/apache2/.htpasswd
+Require valid-user
diff --git a/source/resources/apps/web3/apache/sites-available/000-default-le-ssl.conf b/source/resources/apps/web3/apache/sites-available/000-default-le-ssl.conf
new file mode 100644
index 0000000..20775d1
--- /dev/null
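Review bot: `ServerTokens Minimal` in conf-available/security.conf still publishes the Apache version number in the `Server` header; `ServerTokens Prod` reduces it to the product name only. Separately, `Header set X-Frame-Options: "sameorigin"` uses the default success-only condition, so 401 and other locally generated error responses from the password-protected site would likely go out without the header; `Header always set X-Frame-Options "sameorigin"` covers both cases.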
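Review bot: The Basic-auth directives in dot-htaccess only take effect where the target directory permits `AllowOverride AuthConfig`, and the two `AllowOverride` lines visible in this patch (apache2.conf and conf-available/security.conf) are both `None`. Their section headers are not visible here, so the scope is inferred, but if no other config enables overrides this file is silently ignored once deployed as `.htaccess`. Placing these four lines in the virtual host, as the SSL site config already does for its proxy block, removes the dependency on per-directory overrides. At minimum a first line such as `# requires AllowOverride AuthConfig on the directory this is copied into` would document the requirement.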
+++ b/source/resources/apps/web3/apache/sites-available/000-default-le-ssl.conf
@@ -0,0 +1,42 @@
+
+
+ProxyRequests On
+ProxyVia On
+
+ Order deny,allow
+ Allow from all
+ AuthType Basic
+ AuthName "Password Required"
+ AuthUserFile /etc/apache2/.htpasswd
+ Require valid-user
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ ServerName vweb3.forksand.com
+ SSLCertificateFile /etc/letsencrypt/live/vweb3.forksand.com/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/vweb3.forksand.com/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+
+ SSLProtocol -All TLSv1.3 TLSv1.2 -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite AES256+EECDH
+ SSLHonorCipherOrder on
+ SSLCompression off
+ SSLVerifyClient None
+# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ SSLSessionTickets Off
+ SSLOptions +StrictRequire
+
+ RewriteEngine on
+ RewriteCond %{SERVER_NAME} =vweb3.forksand.org [OR]
+ RewriteCond %{SERVER_NAME} =vweb3.forksand.net
+ RewriteRule ^ https://vweb3.forksand.com%{REQUEST_URI} [END,NE,R=permanent]
+ ProxyPreserveHost On
+ ProxyRequests off
+ AllowEncodedSlashes NoDecode
+ ProxyPass / http://localhost:8502/ nocanon
+ ProxyPassReverse / http://localhost:8502/
+
+
+
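Review bot: 000-default-le-ssl.conf sets `ProxyRequests On` near the top and `ProxyRequests off` near the bottom, so whether forward proxying is enabled depends on which line is read last; a reverse proxy to `localhost:8502` needs only the `ProxyPass`/`ProxyPassReverse` pair. Delete `ProxyRequests On` and `ProxyVia On`, otherwise a later edit that drops the second line leaves a forward proxy guarded by nothing but Basic auth and `Allow from all`. The `Order deny,allow` / `Allow from all` pair is 2.2-style access control mixed with `Require valid-user`; keeping only the `Require` line avoids relying on mod_access_compat. Also check `SSLProtocol -All TLSv1.3 TLSv1.2 …`: as far as I know an unprefixed protocol name replaces the list rather than adding to it, so `SSLProtocol -all +TLSv1.2 +TLSv1.3` is the unambiguous form.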