# Apache2 reverse proxy for the TestnetPool dashboard + JSON API.
#
# sudo cp contrib/apache/testnetpool.conf /etc/apache2/sites-available/
# sudo a2enmod proxy proxy_http ssl headers rewrite deflate
# sudo a2ensite testnetpool
# sudo certbot --apache -d testnetpool.com -d www.testnetpool.com # TLS cert
# sudo systemctl reload apache2
#
# IMPORTANT:
# * Set [stats] host = "127.0.0.1" in your config so the dashboard is reachable
# ONLY through Apache, not directly. Match the port below to your [stats] port.
# * The STRATUM ports (3333 / 3334 / ...) are raw TCP - miners connect to them
# DIRECTLY. Do NOT proxy them through Apache; just open them in the firewall.
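# * ProxyPreserveHost On is required: the "Connect a miner" page builds the miner-
#   facing stratum host from the Host header, so without it miners would be told to
#   connect to 127.0.0.1. The Host header is client-supplied, so only requests for
#   your own hostnames should reach the app: do not let this vhost act as the
#   catch-all default for unknown names.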
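<VirtualHost *:80>
    ServerName testnetpool.com
    ServerAlias www.testnetpool.com

    # Plain HTTP only redirects to HTTPS.
    #
    # The redirect target reuses the request's Host header only when it is one of
    # the names this site serves. If this vhost happens to be the default for *:80,
    # requests carrying any other Host value also land here; echoing that value into
    # the Location header would let this server issue redirects to arbitrary hosts.
    # Anything unrecognised (including a Host with an explicit port) is sent to the
    # canonical name instead. Keep the pattern in sync with ServerName/ServerAlias.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^(www\.)?testnetpool\.com$ [NC]
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    RewriteRule ^ https://testnetpool.com%{REQUEST_URI} [L,R=301]
</VirtualHost>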
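<VirtualHost *:443>
    ServerName testnetpool.com
    ServerAlias www.testnetpool.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/testnetpool.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testnetpool.com/privkey.pem
    # certbot --apache writes/overwrites the two SSLCertificate* lines above.
    # NOTE(review): Apache will not load this vhost until both files exist, so on a
    # fresh host the certificate has to be issued before the site is enabled.

    # Only serve the names this site owns. ProxyPreserveHost forwards the client's
    # Host header to the app, and the app uses it to build the miner-facing stratum
    # host, so a request with a foreign Host must never reach the backend. This
    # matters when this vhost is the default for *:443 and therefore receives
    # requests for unknown names. RewriteRule directives are evaluated before
    # ProxyPass, so the refusal happens before anything is proxied.
    # Keep the pattern in sync with ServerName/ServerAlias.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^(www\.)?testnetpool\.com(:443)?$ [NC]
    RewriteRule ^ - [F]

    # Pass the real Host through (required - see note above) and tell the app it's
    # behind TLS. mod_proxy_http appends the real client to X-Forwarded-For automatically;
    # the app reads its LAST hop to key the per-IP HTTP rate limiter (it trusts XFF only
    # because the socket peer is this loopback proxy). Don't strip or rewrite XFF here, or
    # every client collapses into one rate-limit bucket.
    # Earlier XFF entries come from the client and are not trustworthy; only the
    # last one is written by this proxy.
    ProxyPreserveHost On
    ProxyRequests Off
    # "set" replaces any X-Forwarded-Proto value the client sent.
    RequestHeader set X-Forwarded-Proto "https"

    # --- optional: a static OG/share banner -------------------------------
    # The pool does NOT serve an image (the share card is text-only by default).
    # To add a picture card, drop a 1200x630 PNG here, uncomment, and set
    # og_image = "https://testnetpool.com/og.png" in [stats].
    # Alias /og.png /var/www/testnetpool/og.png
    # ProxyPass /og.png !
    # <Location "/og.png">
    # Require all granted
    # Header set Cache-Control "public, max-age=86400"
    # </Location>

    # --- reverse proxy to the dashboard (match your [stats] port) ----------
    # The backend is addressed on loopback only; it must not also listen on a
    # public interface, or clients could bypass this proxy and supply their own
    # X-Forwarded-For / Host values directly.
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Compress the server-rendered HTML / JSON.
    # NOTE(review): compressing TLS responses is only safe while these pages carry
    # no per-user secrets next to request-controlled text (BREACH-style length side
    # channel). Revisit if authenticated or tokenised pages are added.
    AddOutputFilterByType DEFLATE text/html application/json text/css application/javascript

    # Reasonable hardening (drop HSTS while testing if you switch domains often).
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Optional: forbid framing of the dashboard (clickjacking defence). Enable if
    # nothing legitimately embeds these pages in a frame.
    # Header always set X-Frame-Options "DENY"

    ErrorLog ${APACHE_LOG_DIR}/testnetpool_error.log
    CustomLog ${APACHE_LOG_DIR}/testnetpool_access.log combined
</VirtualHost>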