ServerName openproject.example.com redirect permanent / https://openproject.example.com/ # # SSL Start # SSLEngine On # SSLCertificateChainFile /etc/apache2/ssl/cdc_ca.cert.pem SSLCertificateFile /etc/letsencrypt/live/openproject.example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/openproject.example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/openproject.example.com/fullchain.pem # Set Forwarded protocol header to proxy # otherwise OpenProject doesn't know we're terminating SSL here. RequestHeader set X_FORWARDED_PROTO 'https' # # SSL End # ServerName openproject.example.com ServerAdmin admin@example.com DocumentRoot /opt/openproject/public # Proxy requests to localhost:6000 (puma) ProxyRequests off # Forward the original host name to the proxy ProxyPreserveHost On ProxyPass / http://127.0.0.1:6000/ retry=0 ProxyPassReverse / http://127.0.0.1:6000/ # Disallow internal API for external use # (used for repository authenticiation, if any) Require local Order Deny,Allow Deny from all Allow from 127.0.0.1 # Configure assets and uploads Alias /assets /opt/openproject/public/assets Alias /uploads /opt/openproject/public/uploads Options -Indexes # apache 2.4+ Require all granted Order deny,allow Allow from all # Don't pass assets through proxy but deliver them through apache ProxyPass /assets/ ! # Avoid using mtime or inode information for ETag FileETag Size ExpiresActive On ExpiresDefault "access plus 1 year" # Send expiry headers for assets, that carry an asset id. Assuming, an asset # id is a unix timestamp, which is currently a 10 digit integer. This might # change in the far future. ExpiresActive On ExpiresDefault "access plus 1 year" # Enabling compression for common text formats AddOutputFilterByType DEFLATE text/html text/css application/x-javascript application/javascript ErrorLog /var/log/apache2/openproject.example.com-error.log