And here is the apache2 config I forgot to append.

Nils Gillmann transcribed 1.4K bytes:
> Hi,
> 
> first off: sorry that the logs are down for such a long time.
> 
> Since someone in your community offered to fix the Apache config,
> and I got the okay to share it, you can find the config for the
> https://irclogs.gnunet.org appended to this email.
> 
> The application running is taking limnoria textfile logs and
> publishes them. The sourcecode is 
> https://git.kyriasis.com/kyrias/znc-log-viewer
> with some minor modifications (only a local config change).
> 
> The author told me:
> > Because that looks a lot like a TLS handshake, which you most certainly 
> > should not be sending to flask.
> > uwsgi://127.0.0.1:7000/
> > It's not running under uwsgi, so don't try to proxypass it using the uwsgi 
> > protocol.
> > So either change it to an actual http proxying, or run it under uwsgi.
> 
> We are currently busy fighting other fires, but we understand the logs are
> important for the hosted communities. If you want to have the current outcome
> of a longer discussion displayed, you can help and fix the apache2 config.
> The past logs are dumped, they still need to be converted (or the
> znc-log-viewer needs some code for SQL).
> 
> PS: Please don't use this email to throw discussions about whether your
> favorite language or viewer might be the better replacement in my
> inbox, there have been discussions and they happened offlist and I'm
> not happy with the outcome but it gets the job done.
> 
> Thanks, and happy hacking!
> 
ServerTokens Prod
<IfModule mod_ssl.c>
<VirtualHost irclogs.gnunet.org:443>
        ServerAdmin webmas...@gnunet.org
        ServerName "irclogs.gnunet.org" 
        ServerSignature Off
        KeepAlive On
        KeepAliveTimeout 30
        MaxKeepAliveRequests 1000
        ExpiresActive On
        ExpiresDefault "access plus 5 minutes"
        ExpiresByType image/gif "access plus 1 year"
        ExpiresByType image/jpeg "access plus 1 year"
        ExpiresByType image/png "access plus 1 year"
        ExpiresByType application/javascript "access plus 1 week"
        ExpiresByType text/css "access plus 1 week"
        ExpiresByType image/x-icon "access plus 1 year"
        ExpiresByType text/html "access plus 1 minute"
        Header unset Cache-Control
        Header unset ETag
        FileETag None
        ErrorLog /var/log/apache2/gnunet-irclogs-ssl_error.log
        LogLevel debug
        CustomLog /var/log/apache2/gnunet-irclogs-ssl_access.log combined
 
        ProxyPass / uwsgi://127.0.0.1:7000/
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLCompression off
        SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
        SSLHonorCipherOrder On
        Header add Strict-Transport-Security "max-age=15768000 ; includeSubDomains; preload"
        Header add X-XSS-Protection "1; mode=block"
        Header add X-Frame-Options "SAMEORIGIN"
        Header add X-Content-Type-Options "nosniff"
        Header add Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://irclogs.gnunet.org; frame-ancestors 'self'"
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL

        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#:!EDH
        SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

#       SSLCertificateKeyFile    /etc/ssl/private/gnunet.org.key
        SSLCertificateKeyFile /etc/letsencrypt/live/v10.gnunet.org/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/v10.gnunet.org/fullchain.pem
        SSLCertificateFile /etc/letsencrypt/live/v10.gnunet.org/cert.pem

#       SSLCertificateFile /etc/ssl/certs/gnunet.org.cert
#       SSLCertificateChainFile /etc/ssl/private/cachain.csr
        SSLOptions +StrictRequire

        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
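
Added example, not part of the original email or of znc-log-viewer: a Flask development server only parses plain HTTP, so a uwsgi packet (what `ProxyPass / uwsgi://...` sends) or a TLS ClientHello reaches it as binary it cannot read. The sketch below builds a uwsgi request and classifies the first bytes a backend listener receives; the sample inputs and function names are constructed for illustration.

```python
import struct

def uwsgi_packet(env):
    """Encode request variables as a uwsgi packet (modifier1 = 0)."""
    body = b""
    for key, val in env.items():
        for item in (key.encode(), val.encode()):
            body += struct.pack("<H", len(item)) + item  # u16 LE length prefix
    # Header: modifier1 (u8), body size (u16 little-endian), modifier2 (u8)
    return struct.pack("<BHB", 0, len(body), 0) + body

def parse_uwsgi(data):
    """Return the decoded variables if data is one well-formed uwsgi packet."""
    if len(data) < 4:
        return None
    _mod1, size, _mod2 = struct.unpack("<BHB", data[:4])
    body, fields, pos = data[4:], [], 0
    if len(body) != size:
        return None
    while pos < size:
        if pos + 2 > size:
            return None
        (n,) = struct.unpack_from("<H", body, pos)
        pos += 2
        if pos + n > size:
            return None
        fields.append(body[pos:pos + n])
        pos += n
    if not fields or len(fields) % 2:
        return None
    return dict(zip(fields[0::2], fields[1::2]))

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")
def classify(first_bytes):
    """Name the protocol a listener was handed, judged by the leading bytes."""
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    if first_bytes[:2] == b"\x16\x03":  # TLS record: handshake, version 3.x
        return "tls-handshake"
    return "uwsgi" if parse_uwsgi(first_bytes) is not None else "unknown"

# Constructed samples, not captured traffic.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: irclogs.gnunet.org\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("1603010200010001fc0303")
UWSGI_SAMPLE = uwsgi_packet({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                             "SERVER_NAME": "irclogs.gnunet.org"})

if __name__ == "__main__":
    for name, raw in (("http", HTTP_SAMPLE), ("tls", TLS_SAMPLE), ("uwsgi", UWSGI_SAMPLE)):
        print(name, classify(raw), raw[:12])
```

If the application stays on Flask's built-in server, the mod_proxy_http form of the directive is `ProxyPass / http://127.0.0.1:7000/`.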
