Add a httpd SSL template

If passed the new ssl file parameters, configure and install a SSL
version of the apache config.

For graphite.opendev.org it is intended to use the letsencrypt
certificates provisioned by the base ansible run for this.

Change-Id: Ic133e3abc09343541210c061af544f7b37480f27
This commit is contained in:
Ian Wienand 2019-04-11 13:04:30 +10:00
parent 8bd634047e
commit d6368cf248
2 changed files with 86 additions and 1 deletions

View File

@ -25,6 +25,10 @@ class graphite(
# Have statsd listen on '::' which, thanks to dual-stack,
# gets ipv4 and ipv6 connections.
$statsd_ipv6_listen = true,
$ssl_cert_file = '',
$ssl_chain_file = '',
$ssl_key_file = '',
) {
$packages = [ 'python-django',
'python-django-tagging',
@ -222,11 +226,17 @@ class graphite(
File['/etc/graphite/admin.ini']],
}
if $ssl_cert_file != '' {
$http_template = 'graphite/graphite.ssl.vhost.erb'
} else {
$http_template = 'graphite/graphite.vhost.erb'
}
::httpd::vhost { $vhost_name:
port => 80,
priority => '50',
docroot => '/var/lib/graphite/webapp',
template => 'graphite/graphite.vhost.erb',
template => $http_template,
}
if !defined(Httpd::Mod['headers']) {

View File

@ -0,0 +1,75 @@
<VirtualHost *:80>
ErrorLog /var/log/apache2/graphite-error.log
CustomLog /var/log/apache2/graphite-access.log common
LogLevel warn
ServerSignature Off
Redirect / https://<%= scope.lookupvar("graphite::vhost_name") %>/
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile <%= @ssl_cert_file %>
SSLCertificateKeyFile <%= @ssl_key_file %>
<%# The original default was '' -%>
<%# scope.lookupvar returns nil for an undefined variable in puppet 4 -%>
<%# scope.lookupvar returns :undef for an undefined variable in puppet 3 -%>
<% unless ['', nil, :undef].include?@ssl_chain_file %>
SSLCertificateChainFile <%= @ssl_chain_file %>
<% end %>
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
DocumentRoot "/var/lib/graphite/webapp"
ErrorLog /var/log/apache2/graphite-error.log
CustomLog /var/log/apache2/graphite-access.log common
# Add CORS authorization to the header so third-party services can pull
# metrics data via API calls for things like vizualiation dashboards.
Header set Access-Control-Allow-Origin "*"
# I've found that an equal number of processes & threads tends
# to show the best performance for Graphite (ymmv).
WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
WSGIProcessGroup graphite
WSGIApplicationGroup %{GLOBAL}
SetEnv GRAPHITE_STORAGE_DIR /var/lib/graphite/storage
WSGIImportScript /etc/graphite/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
# XXX You will need to create this file! There is a graphite.wsgi.example
# file in this directory that you can safely use, just copy it to graphite.wgsi
WSGIScriptAlias / /etc/graphite/graphite.wsgi
Alias /content/ /var/lib/graphite/webapp/content/
<Location "/content/">
SetHandler None
</Location>
# XXX In order for the django admin site media to work you
# must change @DJANGO_ROOT@ to be the path to your django
# installation, which is probably something like:
# /usr/lib/python2.6/site-packages/django
Alias /media/ "/usr/lib/python2.7/dist-packages/django/contrib/admin/media/"
<Location "/media/">
SetHandler None
</Location>
# The graphite.wsgi file has to be accessible by apache. It won't
# be visible to clients because of the DocumentRoot though.
<Directory /etc/graphite/>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory>
<IfVersion >= 2.4>
<Directory /var/lib/graphite/webapp/content/>
Require all granted
</Directory>
</IfVersion>
</VirtualHost>