Files
configpolicy/roles/gitea/templates/gitea.httpd.conf.j2
Dustin C. Hatch 8aa1e986d4 r/gitea: Enable PROXY protocol
Using the PROXY protocol allows the publicly-facing reverse proxy to
pass through the original source address of the client, without doing
TLS termination.  Clients on the internal network will not go through
the proxy, though, so we have to disable the PROXY protocol for those
addresses.  Unfortunately, the syntax for this is kind of cumbersome,
because Apache only has a deny list, not an allow list, so we have to
enumerate all of the possible internal addresses _except_ the proxy.
2025-11-19 07:43:29 -06:00

{#- vim: set ft=apache.jinja : -#}
# vim: set sw=4 ts=4 sts=4 et :
{% macro proxypass() -%}
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/
AllowEncodedSlashes NoDecode
{%- endmacro -%}
<VirtualHost _default_:80>
    ServerName {{ gitea_http_domain }}
    RewriteEngine on
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_FILENAME} !\.ks$
    RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
    {{ proxypass() | indent(4) }}
</VirtualHost>
<VirtualHost _default_:443>
    ServerName {{ gitea_http_domain }}
    RemoteIPProxyProtocol On
    RemoteIPProxyProtocolExceptions \
        172.30.0.1/32 \
        172.30.0.2/32 \
        172.30.0.3/32 \
        172.30.0.4/32 \
        172.30.0.5/32 \
        172.30.0.7/32 \
        172.30.0.8/29 \
        172.30.0.16/28 \
        172.30.0.32/27 \
        172.30.0.160/27 \
        172.30.0.192/29 \
        172.30.0.200/29 \
        172.31.1.0/24
    SSLCertificateFile {{ gitea_ssl_certificate }}
    SSLCertificateKeyFile {{ gitea_ssl_certificate_key }}
    SSLCertificateChainFile {{ gitea_ssl_certificate }}
    Header always set \
        Strict-Transport-Security "max-age=63072000; includeSubDomains"
    {{ proxypass() | indent(4) }}
</VirtualHost>
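An added audit script for the exception list above (example code, not part of this Ansible role). Because Apache only offers a deny list, every address that is not exempted is trusted to assert an arbitrary client address via the PROXY header, so the script folds the backslash continuations, parses the directive, and reports which hosts of an internal network remain trusted; the internal network 172.30.0.0/24 and the proxy address 172.30.0.6 are assumptions, since the page does not state either.

```python
import ipaddress
import re

# Constructed sample: the directive as rendered by the template above (continuations kept).
CONFIG = """\
RemoteIPProxyProtocolExceptions \\
    172.30.0.1/32 \\
    172.30.0.2/32 \\
    172.30.0.3/32 \\
    172.30.0.4/32 \\
    172.30.0.5/32 \\
    172.30.0.7/32 \\
    172.30.0.8/29 \\
    172.30.0.16/28 \\
    172.30.0.32/27 \\
    172.30.0.160/27 \\
    172.30.0.192/29 \\
    172.30.0.200/29 \\
    172.31.1.0/24
"""

def parse_exceptions(config):
    """Fold Apache backslash continuations and return the exempt networks (strict: host bits must be 0)."""
    folded = re.sub(r"\\\n\s*", " ", config)
    for line in folded.splitlines():
        parts = line.split()
        if parts and parts[0] == "RemoteIPProxyProtocolExceptions":
            return [ipaddress.ip_network(p, strict=True) for p in parts[1:]]
    return []

def proxy_header_honoured(addr, exceptions):
    """True when Apache would act on a PROXY header from addr, i.e. addr is not exempt."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in exc for exc in exceptions)

def trusted_senders(internal, exceptions):
    """Ranges inside `internal` that are NOT exempt: any host there can spoof the
    client address, so ideally this reduces to the proxy alone (172.30.0.6 assumed)."""
    nets = [ipaddress.ip_network(internal)]
    for exc in exceptions:
        remaining = []
        for cur in nets:
            if exc.subnet_of(cur):
                remaining.extend(cur.address_exclude(exc))  # carve the exception out
            elif not cur.subnet_of(exc):  # disjoint: keep; fully exempt: drop
                remaining.append(cur)
        nets = remaining
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Run against the list on this page, the non-exempt ranges are more than just one proxy address, which is the kind of gap a deny-list approach leaves and that is worth checking after every edit to the list.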