diff --git a/manifests/site.pp b/manifests/site.pp
index cdc4f51ade..1b9973a37b 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -667,6 +667,7 @@ node 'design-summit-prep.openstack.org' {
# Serve static AFS content for docs and other sites.
# Node-OS: trusty
node 'files01.openstack.org' {
+ $group = "files"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80],
sysadmins => hiera('sysadmins', []),
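Review bot: `iptables_public_tcp_ports => [22, 80]` on the context line above still omits 443, so the HTTPS vhosts this change enables on files01 will be blocked by the host firewall unless 443 is opened somewhere not shown here; it should read `iptables_public_tcp_ports => [22, 80, 443],`. As a minor style point, `$group = "files"` contains no interpolation, so single quotes would match the surrounding manifest and puppet-lint's double_quoted_strings check.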
@@ -675,8 +676,14 @@ node 'files01.openstack.org' {
}
class { 'openstack_project::files':
- vhost_name => 'files.openstack.org',
- require => Class['Openstack_project::Server'],
+ vhost_name => 'files.openstack.org',
+ developer_cert_file_contents => hiera('developer_ssl_cert_file_contents'),
+ developer_key_file_contents => hiera('developer_ssl_key_file_contents'),
+ developer_chain_file_contents => hiera('developer_ssl_chain_file_contents'),
+ docs_cert_file_contents => hiera('docs_ssl_cert_file_contents'),
+ docs_key_file_contents => hiera('docs_ssl_key_file_contents'),
+ docs_chain_file_contents => hiera('docs_ssl_chain_file_contents'),
+ require => Class['Openstack_project::Server'],
}
}
diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt
index fcc8e1f063..166f4d550b 100644
--- a/modules/openstack_project/files/puppetmaster/groups.txt
+++ b/modules/openstack_project/files/puppetmaster/groups.txt
@@ -6,6 +6,7 @@ ci-backup ci-backup-*.openstack.org
disabled ci-backup-rs-ord.openstack.org:db368fcd-e61a-4294-a5cb-851c16650f7a:wiki.openstack.org
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
ethercalc ~ethercalc\d+\.openstack\.org
+files ~files\d+\.openstack\.org
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
git-server ~git\d+\.openstack\.org
logstash-worker ~logstash-worker\d+\.openstack\.org
diff --git a/modules/openstack_project/files/ssl_cert_check/ssldomains b/modules/openstack_project/files/ssl_cert_check/ssldomains
index 13482654ca..5b8134ca69 100644
--- a/modules/openstack_project/files/ssl_cert_check/ssldomains
+++ b/modules/openstack_project/files/ssl_cert_check/ssldomains
@@ -1,4 +1,6 @@
ask.openstack.org 443
+developer.openstack.org 443
+docs.openstack.org 443
ethercalc.openstack.org 443
etherpad.openstack.org 443
git.openstack.org 443
diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp
index 013f3a2360..06362eaf3f 100644
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
@@ -2,6 +2,12 @@
#
class openstack_project::files (
$vhost_name = $::fqdn,
+ $developer_cert_file_contents,
+ $developer_key_file_contents,
+ $developer_chain_file_contents,
+ $docs_cert_file_contents,
+ $docs_key_file_contents,
+ $docs_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
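Review bot: The six new parameters have no defaults but are declared after `$vhost_name = $::fqdn`, which has one; Puppet accepts this, but the usual convention (and puppet-lint's parameter_order check) is required parameters first, so `$vhost_name` should move to the end of the list. A short header comment naming what each triple holds would also help, e.g. `# PEM contents for the docs/developer vhost certificate, private key and intermediate chain; looked up from hiera in site.pp.` The class body continues past this hunk.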
@@ -24,6 +30,22 @@ class openstack_project::files (
require => File["${www_base}"],
}
+ #####################################################
+ # Set up directories needed by HTTPS certs/keys
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ }
+
#####################################################
# Build VHost
include ::httpd
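Review bot: Forcing `/etc/ssl/private` to `root:root` mode `0700` is stricter than the Debian/Ubuntu default for that directory (root-owned, group `ssl-cert`, 0710); that is fine for Apache, which reads the key as root at startup, but it removes group access for any other service on the host that relies on `ssl-cert` membership, so it is worth a one-line comment stating that nothing else on files01 is expected to read from this directory. `/etc/ssl/certs` is also distro-managed (ca-certificates symlinks live there); managing it without `purge` is harmless, but the comment above should say the directory resources exist only as ordering anchors for the cert files.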
@@ -59,19 +81,69 @@ class openstack_project::files (
# docs.openstack.org
::httpd::vhost { 'docs.openstack.org':
- port => 80,
+ port => 443, # Is required despite not being used.
docroot => "${afs_root}docs",
priority => '50',
template => 'openstack_project/docs.vhost.erb',
}
+ file { '/etc/ssl/certs/docs.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $docs_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/docs.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $docs_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $docs_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/docs.openstack.org.pem'],
+ }
###########################################################
# developer.openstack.org
::httpd::vhost { 'developer.openstack.org':
- port => 80,
+ port => 443, # Is required despite not being used.
docroot => "${afs_root}developer-docs",
priority => '50',
- template => 'openstack_project/docs.vhost.erb',
+ template => 'openstack_project/developer.vhost.erb',
+ }
+ file { '/etc/ssl/certs/developer.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $developer_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/developer.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $developer_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $developer_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
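Review bot: The two private-key `file` resources (`/etc/ssl/private/docs.openstack.org.key` and `/etc/ssl/private/developer.openstack.org.key`) do not set `show_diff => false`, so when the key content changes the agent will print the old and new PEM into its run output and report; add `show_diff => false,` to both key resources. None of the six cert/key/chain resources notify the Apache service either, so a rotated certificate is written to disk but the running httpd keeps serving the old one until something else restarts it; unless the `::httpd` module already subscribes to these paths (not visible here), each resource should carry a `notify` for the service `::httpd` declares. The `before => File[...cert...]` on the chain files is harmless but does nothing useful, since Apache reads all three at (re)start anyway.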
}
diff --git a/modules/openstack_project/templates/developer.vhost.erb b/modules/openstack_project/templates/developer.vhost.erb
new file mode 100644
index 0000000000..fd322c8be8
--- /dev/null
+++ b/modules/openstack_project/templates/developer.vhost.erb
@@ -0,0 +1,68 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @srvname %>
+ <% if @serveraliases.is_a? Array -%>
+ <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+ <% elsif @serveraliases != nil -%>
+ <%= " ServerAlias #{@serveraliases}" -%>
+ <% end -%>
+
+ RewriteEngine on
+
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ # Allow mod_rewrite rules
+ AllowOverride FileInfo
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @srvname %>
+ <% if @serveraliases.is_a? Array -%>
+ <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+ <% elsif @serveraliases != nil -%>
+ <%= " ServerAlias #{@serveraliases}" -%>
+ <% end -%>
+
+ RewriteEngine on
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key
+ SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem
+
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ # Allow mod_rewrite rules
+ AllowOverride FileInfo
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
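Review bot: In the `SSLCipherSuite` string, `!AES256` permanently removes every 256-bit suite from the list, which makes the earlier `ECDH+AES256:DH+AES256` entries dead and also strips the AES-256-GCM members of `ECDH+AESGCM`/`DH+AESGCM`, leaving only AES-128 in practice; if excluding AES-256 is deliberate, drop the dead entries and say why in the comment above, otherwise remove `!AES256`. This template is otherwise identical to docs.vhost.erb apart from the three certificate paths, which are derivable from the vhost title, so one template using `SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem` (and likewise for the key and `_intermediate.pem`) would avoid keeping two copies of the TLS policy in sync. Note also that the `:80` block keeps serving the full docroot with no redirect to HTTPS, so the TLS settings only protect clients that start on https://.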
diff --git a/modules/openstack_project/templates/docs.vhost.erb b/modules/openstack_project/templates/docs.vhost.erb
index 1dc78bb37b..7c40781347 100644
--- a/modules/openstack_project/templates/docs.vhost.erb
+++ b/modules/openstack_project/templates/docs.vhost.erb
@@ -2,8 +2,7 @@
# Managed by Puppet
# ************************************
-NameVirtualHost <%= @vhost_name %>:<%= @port %>
-:<%= @port %>>
+
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
@@ -28,3 +27,42 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
+
+
+
+ ServerName <%= @srvname %>
+ <% if @serveraliases.is_a? Array -%>
+ <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+ <% elsif @serveraliases != nil -%>
+ <%= " ServerAlias #{@serveraliases}" -%>
+ <% end -%>
+
+ RewriteEngine on
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key
+ SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem
+
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ Satisfy any
+ Require all granted
+ # Allow mod_rewrite rules
+ AllowOverride FileInfo
+ ErrorDocument 404 /errorpage.html
+
+
+ ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
+ LogLevel warn
+ CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
+ ServerSignature Off
+
+
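Review bot: The new `:443` block sends no `Strict-Transport-Security` header and the existing `:80` block above it still serves the same docroot without a redirect, so a client that starts on http://docs.openstack.org is never moved to TLS and a downgrading attacker has nothing to defeat; if HTTPS is meant to become canonical, add `Redirect permanent / https://<%= @srvname %>/` to the `:80` block and `Header always set Strict-Transport-Security "max-age=31536000"` (needs mod_headers) to the `:443` block. If plain HTTP is intended to remain available for now, a comment above the `:80` block saying so would stop the next reader from "fixing" it. `Satisfy any` alongside `Require all granted` mixes Apache 2.2 and 2.4 access syntax; on trusty's 2.4 only the `Require` line is needed.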