From e326eacee55d5bff5fd18aefece07cd7f7daacee Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Tue, 28 Apr 2020 13:11:01 +0300
Subject: Add Apache2-based HTTP(S) caching proxy configuration

---
 etc/proxy-apache2.conf | 144 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 144 insertions(+)
 create mode 100644 etc/proxy-apache2.conf

(limited to 'etc/proxy-apache2.conf')

diff --git a/etc/proxy-apache2.conf b/etc/proxy-apache2.conf
new file mode 100644
index 0000000..fc7cfea
--- /dev/null
+++ b/etc/proxy-apache2.conf
@@ -0,0 +1,144 @@
+# Paste the following fragment into the <VirtualHost> section intended for
+# proxying HTTP(S) requests and caching the responses. See INSTALL-PROXY for
+# details.
+#
+# List of modules used:
+#
+#   rewrite
+#   headers
+#   ssl
+#   proxy
+#   proxy_http
+#   cache
+#   cache_disk
+#
+
+        # Enable the rewrite rules functionality.
+        #
+        <IfModule !rewrite_module>
+          Error "rewrite_module is not enabled"
+        </IfModule>
+
+        RewriteEngine  on
+        RewriteOptions AllowAnyURI
+
+        # Make sure that the HTTP header management functionality is enabled.
+        #
+        <IfModule !headers_module>
+          Error "headers_module is not enabled"
+        </IfModule>
+
+        # Enable the HTTP proxy.
+        #
+        <IfModule !proxy_module>
+          Error "proxy_module is not enabled"
+        </IfModule>
+
+        <IfModule !proxy_http_module>
+          Error "proxy_http_module is not enabled"
+        </IfModule>
+
+        ProxyRequests On
+
+        # Enable SSL/TLS API usage for querying HTTPS URLs.
+        #
+        <IfModule !ssl_module>
+          Error "ssl_module is not enabled"
+        </IfModule>
+
+        SSLProxyEngine on
+
+        # Optional: prevent non-authorized proxy usage, for example:
+        #
+        # <Proxy *>
+        #   Require ip 10.5
+        # </Proxy>
+
+        # Accept only the HTTP GET method and respond with the 403 HTTP status
+        # code (Forbidden) for other methods.
+        #
+        RewriteCond %{REQUEST_METHOD} !GET
+        RewriteRule .* - [F]
+
+        # Optional: restrict the URL set allowed for proxying, for example:
+        #
+        # RewriteCond %{HTTP_HOST} !(.+\.)?example.org
+        # RewriteRule .* - [F]
+
+        # Convert the http scheme to https for URLs being proxied.
+        #
+        # To prevent the conversion we can exclude certain hosts. For example:
+        #
+        # RewriteCond %{HTTP_HOST} !(.+\.)?example.org [OR]
+        # RewriteCond %{HTTP_HOST} !(.+\.)?example.net
+        #
+        # Or check for a custom header value. Note that this header should not
+        # be forwarded to the origin server. For example:
+        #
+        # RewriteCond %{HTTP:X-Preserve-HTTP} !(1|on|true) [NC]
+        # RequestHeader unset X-Preserve-HTTP
+        #
+        RewriteRule ^proxy:http://(.*)$ "https://$1" [P]
+
+        # Enable the disk storage-based cache.
+        #
+        <IfModule !cache_module>
+          Error "cache_module is not enabled"
+        </IfModule>
+
+        <IfModule !cache_disk_module>
+          Error "cache_disk_module is not enabled"
+        </IfModule>
+
+        CacheEnable disk "http://"
+
+        # Specify the cache root directory and make sure it is writable by the
+        # user under which Apache2 is running.
+        #
+        # Note that if there are no other proxies enabled for the WEB server,
+        # you can probably specify (you still have to specify it) the default
+        # cache directory (/var/cache/apache2/mod_cache_disk for Debian/Ubuntu
+        # and /var/cache/httpd/proxy for Fedora/RHEL).
+        #
+        CacheRoot
+
+        # Cache entry maximum size (in bytes).
+        #
+        CacheMaxFileSize 100000000
+
+        # Prevent duplicate caching of responses for the same simultaneously
+        # proxied URL. Specify an appropriate per-URL lock timeout (in
+        # seconds) to avoid stalled downloads from keeping the entries
+        # uncached.
+        #
+        CacheLock       on
+        CacheLockMaxAge 600
+
+        # Always validate an existing cache entry by querying the origin
+        # server.
+        #
+        # We do this by injecting the request header which always declares the
+        # existing cache entry as potentially stale (ignoring Expire response
+        # header and Cache-Control header's max-age field) which should also
+        # be propagated through all the upstream proxies forcing them to
+        # validate the resource freshness.
+        #
+        # Note that this relies on both the proxy and origin servers correctly
+        # supporting conditional requests based on entity tags (ETag HTTP
+        # response and If-None-Match HTTP request headers) or less accurate
+        # entity modification times (Last-Modified HTTP response and
+        # If-Modified-Since HTTP request headers), which is normally the case
+        # if both are running Apache. A proxy normally caches the ETag and/or
+        # Last-Modified response header values alongside the cached entity and
+        # adds If-None-Match and/or If-Modified-Since headers respectively to
+        # the entity validation request. An origin server normally checks if
+        # any of the ETag or Last-Modified headers changed for the entity and
+        # responds with its full content, if that's the case, or with the 304
+        # HTTP status code (Not Modified) otherwise (see the Apache Caching
+        # Guide for details).
+        #
+        # Also note that to observe the injected header the cache handler
+        # should not be configured as a quick handler.
+        #
+        RequestHeader     set Cache-Control max-age=0
+        CacheQuickHandler off
-- 
cgit v1.1