File: /var/www/indoadvisory_new/web/webapp/apache.conf
# Apache Virtual Host Configuration for Indo Advisory
# Alternative to Nginx (if using Apache instead of Nginx reverse proxy)
# Location: /etc/apache2/sites-available/indo-advisory.conf
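<VirtualHost *:80>
    ServerName indoadvisory.com
    ServerAlias www.indoadvisory.com
    DocumentRoot /var/www/indo-advisory/public

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/indo-advisory-error.log
    CustomLog ${APACHE_LOG_DIR}/indo-advisory-access.log combined

    # Security headers (mod_headers). "always" applies them to error responses too.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor has been removed from current browsers and the legacy filter
    # could be abused for cross-site leaks; "0" is the value OWASP recommends today.
    Header always set X-XSS-Protection "0"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    # No Strict-Transport-Security here: browsers ignore HSTS received over plain
    # HTTP (RFC 6797 section 8.1), so it belongs on the :443 virtual host only.
    # NOTE(review): no Content-Security-Policy is set at this layer - confirm the
    # Node.js app sends one; otherwise add it here once the app's sources are known.

    # Hide Apache version. ServerTokens is only valid in the main server config
    # (e.g. /etc/apache2/conf-enabled/security.conf); inside a <VirtualHost> it
    # makes httpd refuse to start, so set "ServerTokens Prod" there instead.
    ServerSignature Off

    # Reverse-proxy settings (mod_proxy / mod_proxy_http)
    ProxyPreserveHost On
    ProxyRequests Off
    # Tell the backend which scheme the client used. "set" overwrites any value a
    # client sends, so the header cannot be spoofed from outside.
    RequestHeader set X-Forwarded-Proto "http"

    # Static files. NOTE: the catch-all "ProxyPass /" below forwards *every*
    # request to Node.js, so nothing under DocumentRoot is served by Apache unless
    # its prefix is excluded from the proxy first, e.g. `ProxyPass /assets/ !`
    # placed above the catch-all. This block only takes effect for such paths.
    <Directory "/var/www/indo-advisory/public">
        Options -Indexes
        AllowOverride None
        Require all granted

        # Cache static assets (mod_expires). "immutable" is only appropriate for
        # content-hashed filenames; a plain "app.css" would stay stale for 30 days.
        <IfModule mod_expires.c>
            <FilesMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$">
                ExpiresActive On
                ExpiresDefault "access plus 30 days"
                Header set Cache-Control "public, immutable"
            </FilesMatch>
        </IfModule>
    </Directory>

    # Upload directory. Requests for /uploads/ are proxied to Node.js (below), which
    # enforces authentication. mod_proxy's ProxyPass translation runs before
    # mod_alias, so the former "Alias /uploads ..." was never reached - and had it
    # been, its per-extension allow-list would have served uploads with no
    # authentication at all. The directory is therefore not aliased; the deny below
    # is a belt-and-braces guard in case a future Alias or DocumentRoot exposes it.
    <Directory "/var/www/indo-advisory/uploads">
        Options -Indexes
        AllowOverride None
        Require all denied
    </Directory>

    # Block well-known scanner targets before they reach the backend. Access checks
    # in <LocationMatch> run for proxied requests too, whereas a RedirectMatch
    # (mod_alias) is shadowed by ProxyPass and never fired.
    # /admin is deliberately NOT listed: it is a real application route.
    <LocationMatch "^/(wp-admin|wp-content|wp-includes|phpmyadmin)(/|$)">
        Require all denied
    </LocationMatch>

    # Proxy everything to the Node.js application. The app's routes (/api/, /admin,
    # /auth/, /uploads/) all live on the same backend with identical path mapping,
    # so one catch-all covers them. Add `ProxyPass /<prefix>/ !` lines ABOVE this
    # one for any path Apache should serve itself (rules match in config order).
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # Block sensitive files. These rules only protect files Apache serves from disk
    # (paths excluded from the proxy); for proxied paths this is the app's job.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>

    <FilesMatch "\.(env|config|sql|log)$">
        Require all denied
    </FilesMatch>

    # Compression
    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE

        # Don't compress images
        SetEnvIfNoCase Request_URI \
            \.(?:gif|jpe?g|png|ico)$ no-gzip dont-vary

        # Don't compress archives
        SetEnvIfNoCase Request_URI \
            \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary

        # Everything else (HTML, JS, CSS, JSON, XML, ...) is compressed by the filter
        # above. mod_deflate only honours the no-gzip / dont-vary variables, so the
        # former "gzip vary" rule was a no-op and has been dropped.
        # NOTE(review): once TLS is enabled, compressing responses that echo
        # attacker-controlled input next to a secret (CSRF/session tokens) is
        # exposed to BREACH; consider `SetEnvIf Request_URI ^/(api|auth)/ no-gzip`
        # if the app's responses fit that pattern.
    </IfModule>

    # Rate limiting (mod_evasive). Its directives are server/vhost scoped and are
    # not allowed inside <Location>/<LocationMatch>, so the stricter per-path limits
    # that used to follow would have been rejected at startup; enforce per-route
    # limits in the Node.js app instead. Counting is per client IP: behind a CDN or
    # load balancer all clients share one address, and the 1-second thresholds
    # below can trip on a single browser fetching a page's assets.
    <IfModule mod_evasive24.c>
        DOSHashTableSize    512
        DOSPageCount        3
        DOSSiteCount        50
        DOSPageInterval     1
        DOSSiteInterval     1
        DOSBlockingPeriod   600
    </IfModule>

    # ModSecurity. The engine blocks nothing by itself - a rule set (e.g. the OWASP
    # Core Rule Set) must be Included for any inspection to happen, and request
    # bodies are only inspected with SecRequestBodyAccess on. 403 is the
    # conventional status for a WAF block; 406 misleads clients and log reviewers.
    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecDefaultAction "phase:2,deny,log,status:403"
    </IfModule>

</VirtualHost>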
# SSL/TLS configuration - a sketch, not a drop-in. Uncomment after obtaining a
# certificate, and keep the directives shared with the :80 virtual host in one
# Included snippet so the two hosts do not drift apart.
# <VirtualHost *:443>
#     ServerName indoadvisory.com
#     ServerAlias www.indoadvisory.com
#     DocumentRoot /var/www/indo-advisory/public
#     
#     # SSL Configuration
#     SSLEngine on
#     SSLCertificateFile /etc/ssl/certs/indoadvisory.com.crt
#     SSLCertificateKeyFile /etc/ssl/private/indoadvisory.com.key
#     SSLCertificateChainFile /etc/ssl/certs/indoadvisory.com.chain.crt
#     
#     # SSL Security. The two suites below form a minimal TLS 1.2 list; on current
#     # httpd/OpenSSL builds the TLS 1.3 suites are negotiated independently of this
#     # directive, so verify the final handshake with `openssl s_client` once enabled.
#     SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
#     SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
#     SSLHonorCipherOrder on
#     
#     # Include all configurations from the HTTP virtual host above (proxy, directory
#     # and header directives) - best done with an `Include` of a shared snippet - and
#     # set `RequestHeader set X-Forwarded-Proto "https"` so the Node.js app can tell
#     # TLS requests apart from plain HTTP ones.
# 
#     # Additional HTTPS-specific headers. "preload" is a lasting commitment (removal
#     # from the browser preload list takes months) and "includeSubDomains" forces
#     # HTTPS on every subdomain, so add them only once all subdomains serve TLS.
#     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# </VirtualHost>
# Redirect HTTP to HTTPS (enable after SSL setup). This block REPLACES the *:80
# virtual host above - with two port-80 hosts carrying the same ServerName only the
# first is used - so move the proxy and security directives to the :443 host (or a
# shared Include) before switching.
# <VirtualHost *:80>
#     ServerName indoadvisory.com
#     ServerAlias www.indoadvisory.com
#     Redirect permanent / https://indoadvisory.com/
# </VirtualHost>