Configure Shadowsocks + V2ray + TLS + Apache + CDN on Ubuntu

Shadowsocks

nano /etc/shadowsocks/config.json
{
    "server":"127.0.0.1",
    "server_port":10001,
    "password":"password",
    "mode":"tcp_only",
    "timeout":300,
    "method":"chacha20-ietf-poly1305",
    "plugin":"v2ray-plugin_linux_amd64",
    "plugin_opts":"server;path=/ss;loglevel=none", # loglevel=debug
    "nameserver":"1.1.1.1"
}

Apache

nano /etc/apache2/apache2.conf
<VirtualHost *:80>
    Servername example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URL} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    # change your domain
    ServerName example.com
    # you may have a different root
    DocumentRoot /var/www/

    # the SSL configuration enable https for your site and it’s also required by shadowsocks + v2ray
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/example.com/privkey.pem

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL

    <Location "/ss">
    ProxyPass ws://127.0.0.1:10001/ss
    ProxyAddHeaders Off
    ProxyPreserveHost On
    RequestHeader append X-Forwarded-For %{REMOTE_ADDR}s
    </Location>
</VirtualHost>

 

References
https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration
https://big533.cc/wordpress/index.php/2020/01/03/v2ray-setup-with-websocket-tls-using-apache/
https://github.com/KonaisPC/v2ray-apache-ws/blob/master/v2ray-apache.sh

.NET core app with SignalR with SSL with Apache Reverse Proxy Configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
  RewriteEngine On
  ProxyPreserveHost On
  ProxyRequests Off

  # allow for upgrading to websockets
  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           ws://localhost:5000/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)           http://localhost:5000/$1 [P,L]


  ProxyPass "/" "http://localhost:5000/"
  ProxyPassReverse "/" "http://localhost:5000/"

  ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
  ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"

  ServerName site.com
  
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

References
https://gist.github.com/technoknol/f21ae396f463e78e431bd89cc41b83ee
https://stackoverflow.com/questions/43552164/websocket-through-ssl-with-apache-reverse-proxy

Add Expires Headers to .htaccess File in WordPress

Making sure mod_expires is enabled

sudo a2enmod expires
systemctl restart apache2

Add Expires Headers to .htaccess

To add Expires Headers to your site, you need to edit the .htaccess file.

Simply download the .htaccess file from the root of your host (it may be hidden) and add the code below:

## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"
</IfModule>
## EXPIRES CACHING ##

References
https://electrictoolbox.com/apache-mod-expires-browser-caching/
https://betterstudio.com/blog/add-expires-headers-htaccess/

Disable Directory Browsing In WordPress

To disable directory browsing in WordPress all you need to do is add a single line of code in your WordPress site’s .htaccess file located in the root directory of your website.
Once connected to your website, you will find a .htaccess file in your site’s root directory. .htaccess is a hidden file, and if you can not find it on your server, you need to make sure that you have enabled your FTP client to show hidden files.
Now at the end of your WordPress generated code in the .htaccess file simply add this line at the bottom:

Options All -Indexes

References
https://bloggingwizard.com/disable-directory-browsing-wordpress/
https://www.wpbeginner.com/wp-tutorials/disable-directory-browsing-wordpress/

Host ASP.NET Core on Linux with Apache

dotnet add package Microsoft.AspNetCore.HttpOverrides

Configure a proxy server

Invoke the UseForwardedHeaders method at the top of Startup.Configure before calling other middleware. Configure the middleware to forward the X-Forwarded-For and X-Forwarded-Proto headers:

// using Microsoft.AspNetCore.HttpOverrides;

app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});

app.UseAuthentication();
// using System.Net;

services.Configure<ForwardedHeadersOptions>(options =>
{
    options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));
});

Forwarded Headers Middleware order

Forwarded Headers Middleware should run before other middleware. This ordering ensures that the middleware relying on forwarded headers information can consume the header values for processing. Forwarded Headers Middleware can run after diagnostics and error handling, but it must be run before calling UseHsts:

using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseForwardedHeaders();
    app.UseHsts();
}
else
{
    app.UseDeveloperExceptionPage();
    app.UseForwardedHeaders();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseAuthorization();

app.MapRazorPages();

app.Run();

Alternatively, call UseForwardedHeaders before diagnostics:

using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});

var app = builder.Build();

app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseAuthorization();

app.MapRazorPages();

app.Run();

Forwarded Headers Middleware options

using System.Net;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorPages();
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardLimit = 2;
    options.KnownProxies.Add(IPAddress.Parse("127.0.10.1"));
    options.ForwardedForHeaderName = "X-Forwarded-For-My-Custom-Header-Name";
});

var app = builder.Build();

app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseAuthorization();

app.MapRazorPages();

app.Run();

References
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-5.0
https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0

Apache reverse proxy configuration for socket.io

sudo a2enmod proxy_http
sudo a2enmod proxy_fcgi
sudo a2enmod proxy_wstunnel
# VirtualHost ms.example.net
<VirtualHost *:80>
  ServerName ms.example.net
  ProxyRequests Off
  ProxyPreserveHost On
  RemoteIPHeader X-Forwarded-For
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/socket.io          [NC]
  RewriteCond %{QUERY_STRING} transport=websocket [NC]
  RewriteRule /(.*) ws://localhost:14102/$1        [P,L]

  ProxyPass /socket.io http://localhost:14102/socket.io
  ProxyPassReverse /socket.io http://localhost:14102/socket.io
</VirtualHost>

<VirtualHost *:443>
  ServerName ms.example.net
  ProxyRequests Off
  ProxyPreserveHost On
  RemoteIPHeader X-Forwarded-For
  RewriteEngine on
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.net/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem
  
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/socket.io          [NC]
  RewriteCond %{QUERY_STRING} transport=websocket [NC]
  RewriteRule /(.*) ws://localhost:14102/$1        [P,L]
  ProxyPass /socket.io http://localhost:14102/socket.io
  ProxyPassReverse /socket.io http://localhost:14102/socket.io
  
</VirtualHost>

Use a secure URL for your initial connection, i.e. instead of “http://” use “https://”. If the WebSocket transport is chosen, then Socket.IO should automatically use “wss://” (SSL) for the WebSocket connection too.

var socket = io.connect('https://localhost', {secure: true});

References
http://xpo6.com/socket-io-via-apache-reverse-proxy/
https://stackoverflow.com/questions/36472920/apache-proxy-configuration-for-socket-io-project-not-in-root
https://gist.github.com/iacchus/954e0787d6893c5ab8e1
https://stackoverflow.com/questions/6599470/node-js-socket-io-with-ssl