bb7bd1c58e
The current implementation of airship-libvirt-gate is using sushy-emulator binary to emulate redfish. Sushy-emulator works only for http and also can’t authenticate users out-of-box if ran by itself. In order to check https and authentication the reverse-proxy was introduced. This approach had several drawbacks: 1) http still doesn’t check auth 2) to use apache for https only is too heavy solution for https This change converts reverse proxy to apache running sushy-emulator as wsgi backend, that gives an ability to check authentication for both http and https. We’re also getting rid of ad-hoc sushy-emulator service and using out-of-box apache service implementation. The code also introduces gathering of apache resulting configs and logs for quicker debug if needed. Right now authentication is disabled, since manifests are written in a way so they don’t use them. If it’s necessary to enable it, just set username here[1] PS There is ability to use apache for http-server [2], but it’s better to do as a separate PR [1] roles/airship-libvirt-gate/defaults/main.yaml [2] roles/http-fileserver Change-Id: I43b5bca41519c88b01535c156b2db0e9edaa81bb
17 lines
687 B
Django/Jinja
17 lines
687 B
Django/Jinja
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
|
|
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
|
|
|
|
SSLHonorCipherOrder On
|
|
# Disable preloading HSTS for now. You can use the commented out header line that includes
|
|
# the "preload" directive if you understand the implications.
|
|
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
|
|
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
|
|
Header always set X-Frame-Options DENY
|
|
Header always set X-Content-Type-Options nosniff
|
|
# Requires Apache >= 2.4
|
|
SSLCompression off
|
|
SSLSessionTickets Off
|
|
SSLUseStapling on
|
|
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
|
|
|