Add apache section, fix wrong URL to config page

Using-a-Reverse-Proxy-with-Paperless-ngx.md

@@ -1,7 +1,7 @@
-# Nginx
-
 If you want to expose paperless to the internet, you should hide it
-behind a reverse proxy with SSL enabled.
+behind a reverse proxy with SSL enabled. The officially supported method is Nginx.
+
+# Nginx
 
 In addition to the usual configuration for SSL, the following
 configuration is required for paperless to operate:
@@ -37,8 +37,96 @@ http {
 ```
 
 The `PAPERLESS_URL` configuration variable is also required when using a
-reverse proxy. Please refer to the [hosting and security](/configuration#hosting-and-security) docs.
+reverse proxy. Please refer to the [hosting and security](https://docs.paperless-ngx.com/configuration/#hosting-and-security) docs.
 
 Also read
 [this](https://channels.readthedocs.io/en/stable/deploying.html#nginx-supervisor-ubuntu),
 towards the end of the section.
+
+# Apache
+
+Below is an example of an apache2 conf file that you may customize to fit your environment and needs.
+
+```apache
+    DEFINE local_url 127.0.0.1
+    DEFINE local_port 8000
+    DEFINE url_prefix paperless
+    DEFINE public_url ${url_prefix}.my.domain
+    DEFINE email ${url_prefix}@my.domain
+    ServerTokens Prod
+    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
+    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
+    SSLSessionCacheTimeout 300
+### If you have Google's Mod PageSpeed, disable it ###
+#    ModPagespeed Off
+<VirtualHost *:80>
+    ServerName ${public_url}
+    DocumentRoot /var/www/html
+    ServerAdmin ${email}
+    ErrorLog ${APACHE_LOG_DIR}/${url_prefix}.error.log
+    CustomLog ${APACHE_LOG_DIR}/${url_prefix}.access.log combined
+    RewriteEngine On
+    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
+    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+</VirtualHost>
+<VirtualHost *:443>
+    ServerName ${public_url}
+    DocumentRoot /var/www/html
+    ServerAdmin ${email}
+    ErrorLog ${APACHE_LOG_DIR}/${url_prefix}.error.log
+    CustomLog ${APACHE_LOG_DIR}/${url_prefix}.access.log combined
+    SSLEngine On
+    SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
+    SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem
+### Forbid the http1.0 protocol ###
+    Protocols h2 http/1.1
+    Timeout 360
+    ProxyRequests Off
+    ProxyPreserveHost On
+    ProxyTimeout 600
+    ProxyReceiveBufferSize 4096
+    SSLProxyEngine On
+    RequestHeader set Front-End-Https "On"
+    ServerSignature Off
+    SSLCompression Off
+    SSLUseStapling On
+    SSLStaplingResponderTimeout 5
+    SSLStaplingReturnResponderErrors Off
+    SSLSessionTickets Off
+    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+    Header always set Strict-Transport-Security "max-age=15552000; preload"
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Robots-Tag none
+    Header always set X-XSS-Protection "1; mode=block"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+### Lax CSP and will not score the best on Mozilla Observatory or other platforms alike, but won't need to be updated with version changes ###
+    Header always set Content-Security-Policy "default-src 'none'; base-uri 'self'; font-src 'self' data: ${public_url}; media-src 'self' blob: data: https: ${public_url}; script-src 'self' 'unsafe-inline' ${public_url}; style-src 'self' 'unsafe-inline' ${public_url}; img-src 'self' data: blob: https: ${public_url}; worker-src * blob:; frame-src 'self' https://${public_url}; connect-src 'self' wss: https: ${public_url}; form-action 'self'; frame-ancestors 'self' https://${public_url} https://my.domain https://*.my.domain; manifest-src 'self'; object-src 'self' https://${public_url}"
+    Header always set Permissions-Policy 'geolocation=(self "https://${public_url}"), midi=(self "https://${public_url}"), sync-xhr=(self "https://${public_url}"), microphone=(self "https://${public_url}"), camera=(self "https://${public_url}"), magnetometer=(self "https://${public_url}"), gyroscope=(self "https://${public_url}"), fullscreen=(self "https://${public_url}"), payment=(self "https://${public_url}")'
+    SSLHonorCipherOrder Off
+### Use next two for very secure connections ###
+    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+### Use next two for secure connections and support more endpoints ###
+    #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+    #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+### Actually proxy the traffic and really the only important part ###
+    AllowEncodedSlashes On
+    RewriteEngine On
+    SetEnvIf Cookie "(^|;\ *)csrftoken=([^;\ ]+)" csrftoken=$2
+    RequestHeader set  X-CSRFToken "%{csrftoken}e"
+### Proxy Websockets Section 1 (works for me) ###
+    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
+    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
+    RewriteRule ^/?(.*) "ws://${local_url}:${local_port}/$1" [P,L]
+### Proxy Websockets Section 2 (untested) ###
+    #RewriteCond %{HTTP:UPGRADE} =websocket [NC]
+    #RewriteRule ^/ws/(.*) ws://${local_url}:${local_port}/ws/$1 [P,L]
+### Proxy everything else ###
+    ProxyPass / http://${local_url}:${local_port}/ connectiontimeout=6 timeout=60
+    ProxyPassReverse / http://${local_url}:${local_port}/
+### If Docker and/or Paperless-NGX server is down but webserver is up, show error page ###
+    ErrorDocument 503 '<!DOCTYPE html>\n<html xml:lang="en" lang="en" dir="ltr" prefix="og: http://ogp.me/ns#">\n<meta http-equiv="refresh" content="15" />\n<head id="head">\n<meta http-equiv="X-UA-Compatible" content="IE=edge"/>\n<title>Offline</title>\n<style>html{width:100%}body{background-color:#a6a6a6;text-align:center;font-family:Helvetica,Tahoma}</style>\n</head>\n<body>\n<h1>${public_url}</h1>\n<p>Appears to be offline... will try again every 15 seconds.<br><br>Nothing happening? Contact the <a href="mailto:${email}" target="_blank">admin</a>.</p>\n</body>\n</html>'
+</VirtualHost>
+```