# This is an HTTP config purely for Zanata, which mirrors id.fp.o # They run on old Java, which means that they do not support TLSv1.2, so let's # give them TLSv1.0 as well. # On how this works, look at the proxies' iptables: they will have a rule that # forwards a limited set of IP addresses' 443/tcp to 44342/tcp. Listen 44342 https ServerName id.fedoraproject.org ServerAdmin webmaster@fedoraproject.org RequestHeader unset X-Forwarded-For Protocols h2 http/1.1 SSLEngine on SSLUseStapling on SSLCertificateFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.cert SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2020.fedoraproject.org.key SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2020.fedoraproject.org.intermediate.cert SSLHonorCipherOrder On SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK Header always add Strict-Transport-Security "max-age=31536000; preload" Include "conf.d/id.fedoraproject.org/*.conf"