====== Apache configuration ======
The default Apache configuration created by the node installation is located in **/etc/apache2/sites-available/blockchain.yourDomain.conf** and contains the following parameters:
<code apache>
ServerAdmin <mail for Let's Encrypt authority>
MDCertificateAgreement accepted
MDomain blockchain.yourDomain
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

# Node virtual host (HTTPS on 443, proxied to the node on 8080 and its admin on 8081)
<VirtualHost *:443>
    ServerName blockchain.yourDomain
    SSLOptions +StdEnvVars
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    DocumentRoot /var/www/html
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /admin http://localhost:8081
    ProxyPass / http://localhost:8080/
    ProxyPassReverse /admin http://localhost:8081
    ProxyPassReverse / http://localhost:8080/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder on
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>

# Gateway virtual host (port 3000 is assumed from the "Listen 3000" note below; proxied to 3001)
<VirtualHost *:3000>
    ServerName blockchain.yourDomain
    SSLOptions +StdEnvVars
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:3001/
    ProxyPassReverse / http://localhost:3001/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder on
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</code>
  * The **blockchain.yourDomain.conf** configuration file needs to be included among the enabled Apache configs:
    * ''sudo a2ensite blockchain.yourDomain''
  * In **/etc/apache2/ports.conf**, ''Listen 3000'' needs to be added inside the ''ssl_module'' block for the gateway functionality.
  * In **/etc/apache2/sites-available/000-default.conf** it is advisable to add an automatic redirect to HTTPS to the virtual host:
    * ''Redirect permanent / https://blockchain.yourDomain''
  * The following modules need to be enabled:
    * ''sudo a2enmod rewrite''
    * ''sudo a2enmod ssl''
    * ''sudo a2enmod md''
    * ''sudo a2enmod proxy''
    * ''sudo a2enmod proxy_http''
    * ''sudo a2enmod http2''
    * ''sudo a2enmod headers''
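The following script is an added example and is not part of the original page or the node installer. It lints a site config of the kind shown above for the hardening settings it relies on (legacy TLS versions disabled, compression off, ''ProxyRequests Off'', HSTS and nosniff headers present, every ''ProxyPass'' target on loopback, and the ''unsafe-eval'' CSP flagged), and compares the output of ''apache2ctl -M'' against the module list above. The two config files and the module listing it reads are constructed inside the script, so it runs offline; the module names assume the Debian convention that ''a2enmod foo'' shows up as ''foo_module''.

```sh
#!/bin/sh
# Added example, not from the original page: lint an Apache site config for the
# hardening directives used above and check `apache2ctl -M` output for the
# required modules. Sample inputs are constructed below so this runs offline.

# Modules the page enables with a2enmod; apache2ctl -M prints them as <name>_module.
REQUIRED_MODULES="rewrite ssl md proxy proxy_http http2 headers"

# missing_modules FILE   (FILE holds the output of `apache2ctl -M`)
# Prints each required module that is not loaded; returns 1 if any is missing.
missing_modules() {
    rc=0
    for m in $REQUIRED_MODULES; do
        grep -q "^[[:space:]]*${m}_module " "$1" || { echo "$m"; rc=1; }
    done
    return $rc
}

# has FILE REGEX: true if FILE contains a line matching REGEX (case-insensitive,
# since Apache reads directive names case-insensitively).
has() { grep -Eiq "$2" "$1"; }

# conf_issues FILE   (FILE is a site .conf)
# Prints one line per hardening check the config fails; returns 1 if any fail.
conf_issues() {
    f=$1; rc=0
    # Legacy protocol versions: accept either "all -X" (as on this page) or a "-all +..." list.
    proto=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | head -n 1 | sed 's/^[[:space:]]*//')
    for v in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" -$v "*) ;;
            *" -all "*) case " $proto " in *" +$v "*) echo "$v enabled"; rc=1 ;; esac ;;
            *) echo "$v not disabled"; rc=1 ;;
        esac
    done
    has "$f" '^[[:space:]]*SSLCompression off' || { echo "SSLCompression not off"; rc=1; }
    has "$f" '^[[:space:]]*ProxyRequests Off'  || { echo "ProxyRequests not Off (server usable as a forward proxy)"; rc=1; }
    has "$f" '^[[:space:]]*Header always set Strict-Transport-Security' || { echo "HSTS header missing"; rc=1; }
    has "$f" 'X-Content-Type-Options nosniff'  || { echo "X-Content-Type-Options nosniff missing"; rc=1; }
    # Backends on 8080/8081/3001 are only meant to be reached through this proxy,
    # so every ProxyPass target should be a loopback address.
    if grep -Ei '^[[:space:]]*ProxyPass ' "$f" | grep -Eiv 'https?://(localhost|127\.0\.0\.1)[:/]' | grep -q .; then
        echo "ProxyPass target is not localhost"; rc=1
    fi
    # The CSP shipped above allows eval() and scripts from any https: origin; flag it.
    if has "$f" "Content-Security-Policy.*'unsafe-eval'"; then
        echo "CSP permits 'unsafe-eval'"; rc=1
    fi
    return $rc
}

tmp=$(mktemp -d)

# Constructed `apache2ctl -M` output: rewrite and http2 are deliberately absent.
cat > "$tmp/modules.txt" <<'EOF'
Loaded Modules:
 core_module (static)
 ssl_module (shared)
 md_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 headers_module (shared)
EOF

# Constructed config following the hardened pattern on this page.
cat > "$tmp/good.conf" <<'EOF'
<VirtualHost *:443>
    ServerName blockchain.yourDomain
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Content-Type-Options nosniff
    Header set Content-Security-Policy "script-src 'self'; object-src 'none'"
</VirtualHost>
EOF

# Constructed config with several of those settings loosened.
cat > "$tmp/weak.conf" <<'EOF'
<VirtualHost *:443>
    ServerName blockchain.yourDomain
    ProxyRequests On
    ProxyPass / http://10.0.0.5:8080/
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCompression on
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:"
</VirtualHost>
EOF

echo "Modules missing from modules.txt:"; missing_modules "$tmp/modules.txt" || true
echo "Issues in weak.conf:";              conf_issues "$tmp/weak.conf" || true
echo "Issues in good.conf:";              conf_issues "$tmp/good.conf" && echo "none"
```

On a live node, point ''conf_issues'' at ''/etc/apache2/sites-available/blockchain.yourDomain.conf'' and feed ''missing_modules'' with ''apache2ctl -M > modules.txt''; the checks are line-based, so they only see directives written one per line, as in the configs above.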
SSL certificates are generated automatically by the mod_md module built into Apache. If you want to add another domain for which certificates should be generated (for example, your application running on the node under another domain), we recommend creating a new config, for example **application.yourDomain.conf**, in /etc/apache2/sites-available/ and enabling it with ''sudo a2ensite application.yourDomain''. Then restart Apache with ''sudo systemctl restart apache2'' and certificates should start being issued and renewed for this domain on a regular basis. The config for an application running on local port 8083 should look like this:
<code apache>
ServerAdmin <mail for Let's Encrypt authority>
MDCertificateAgreement accepted
MDomain application.yourDomain
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

# Application virtual host (HTTPS on 443, proxied to the application on 8083)
<VirtualHost *:443>
    ServerName application.yourDomain
    SSLOptions +StdEnvVars
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder on
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</code>
==== Your own SSL certificates ====
To use your own certificates, add the paths to the certificate and its private key in the config mentioned above, **/etc/apache2/sites-available/blockchain.yourDomain.conf**: rewrite the 4th line, ''MDomain **blockchain.yourDomain**'', to:
<code apache>
MDCertificateFile /etc/ssl/certs/ssl-cert.pem
MDCertificateKeyFile /etc/ssl/private/ssl-cert.key
</code>
Check the edited config with ''sudo apache2ctl configtest'' before restarting Apache with ''sudo systemctl restart apache2''.