puppet-openstackid/templates/vhost.erb

<VirtualHost *:80>
  ServerName <%= scope.lookupvar("openstackid::vhost_name") %>
  ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>

  ErrorLog ${APACHE_LOG_DIR}/openstackid-error.log
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/openstackid-access.log combined

  Redirect / https://<%= scope.lookupvar("openstackid::vhost_name") %>/

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName <%= scope.lookupvar("openstackid::vhost_name") %>
  ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>

  ErrorLog ${APACHE_LOG_DIR}/openstackid-ssl-error.log
  LogLevel warn
  CustomLog ${APACHE_LOG_DIR}/openstackid-ssl-access.log combined

  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Once the machine is using something to terminate TLS that supports ECDHE
  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
  # only is guarenteed.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
  SSLCertificateFile      <%= scope.lookupvar("openstackid::ssl_cert_file") %>
  SSLCertificateKeyFile   <%= scope.lookupvar("openstackid::ssl_key_file") %>
<% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>
  SSLCertificateChainFile <%= scope.lookupvar("openstackid::ssl_chain_file") %>
<% end %>

  RewriteEngine on
  RewriteCond %{HTTP_HOST} !<%= scope.lookupvar("openstackid::vhost_name") %>
  RewriteRule ^.*$ <%= scope.lookupvar("openstackid::canonicalweburl") %>

  DocumentRoot <%= @docroot %>
  <Directory <%= @docroot %>/>
    Order allow,deny
    Allow from all
  </Directory>

  <FilesMatch \.php$>
    SetHandler "proxy:fcgi://127.0.0.1:9000"
  </FilesMatch>

</VirtualHost>
</IfModule>