Merge "Add HTTPS to developer and docs.openstack.org"
This commit is contained in:
commit
3ab33db222
@ -667,6 +667,7 @@ node 'design-summit-prep.openstack.org' {
|
||||
# Serve static AFS content for docs and other sites.
|
||||
# Node-OS: trusty
|
||||
node 'files01.openstack.org' {
|
||||
$group = "files"
|
||||
class { 'openstack_project::server':
|
||||
iptables_public_tcp_ports => [22, 80],
|
||||
sysadmins => hiera('sysadmins', []),
|
||||
@ -675,8 +676,14 @@ node 'files01.openstack.org' {
|
||||
}
|
||||
|
||||
class { 'openstack_project::files':
|
||||
vhost_name => 'files.openstack.org',
|
||||
require => Class['Openstack_project::Server'],
|
||||
vhost_name => 'files.openstack.org',
|
||||
developer_cert_file_contents => hiera('developer_ssl_cert_file_contents'),
|
||||
developer_key_file_contents => hiera('developer_ssl_key_file_contents'),
|
||||
developer_chain_file_contents => hiera('developer_ssl_chain_file_contents'),
|
||||
docs_cert_file_contents => hiera('docs_ssl_cert_file_contents'),
|
||||
docs_key_file_contents => hiera('docs_ssl_key_file_contents'),
|
||||
docs_chain_file_contents => hiera('docs_ssl_chain_file_contents'),
|
||||
require => Class['Openstack_project::Server'],
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -6,6 +6,7 @@ ci-backup ci-backup-*.openstack.org
|
||||
disabled ci-backup-rs-ord.openstack.org:db368fcd-e61a-4294-a5cb-851c16650f7a:wiki.openstack.org
|
||||
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
|
||||
ethercalc ~ethercalc\d+\.openstack\.org
|
||||
files ~files\d+\.openstack\.org
|
||||
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
|
||||
git-server ~git\d+\.openstack\.org
|
||||
logstash-worker ~logstash-worker\d+\.openstack\.org
|
||||
|
@ -1,4 +1,6 @@
|
||||
ask.openstack.org 443
|
||||
developer.openstack.org 443
|
||||
docs.openstack.org 443
|
||||
ethercalc.openstack.org 443
|
||||
etherpad.openstack.org 443
|
||||
git.openstack.org 443
|
||||
|
@ -2,6 +2,12 @@
|
||||
#
|
||||
class openstack_project::files (
|
||||
$vhost_name = $::fqdn,
|
||||
$developer_cert_file_contents,
|
||||
$developer_key_file_contents,
|
||||
$developer_chain_file_contents,
|
||||
$docs_cert_file_contents,
|
||||
$docs_key_file_contents,
|
||||
$docs_chain_file_contents,
|
||||
) {
|
||||
|
||||
$afs_root = '/afs/openstack.org/'
|
||||
@ -24,6 +30,22 @@ class openstack_project::files (
|
||||
require => File["${www_base}"],
|
||||
}
|
||||
|
||||
#####################################################
|
||||
# Set up directories needed by HTTPS certs/keys
|
||||
file { '/etc/ssl/certs':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
file { '/etc/ssl/private':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
}
|
||||
|
||||
#####################################################
|
||||
# Build VHost
|
||||
include ::httpd
|
||||
@ -59,19 +81,69 @@ class openstack_project::files (
|
||||
# docs.openstack.org
|
||||
|
||||
::httpd::vhost { 'docs.openstack.org':
|
||||
port => 80,
|
||||
port => 443, # Is required despite not being used.
|
||||
docroot => "${afs_root}docs",
|
||||
priority => '50',
|
||||
template => 'openstack_project/docs.vhost.erb',
|
||||
}
|
||||
file { '/etc/ssl/certs/docs.openstack.org.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $docs_cert_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
}
|
||||
file { '/etc/ssl/private/docs.openstack.org.key':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => $docs_key_file_contents,
|
||||
require => File['/etc/ssl/private'],
|
||||
}
|
||||
file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $docs_chain_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
before => File['/etc/ssl/certs/docs.openstack.org.pem'],
|
||||
}
|
||||
|
||||
###########################################################
|
||||
# developer.openstack.org
|
||||
|
||||
::httpd::vhost { 'developer.openstack.org':
|
||||
port => 80,
|
||||
port => 443, # Is required despite not being used.
|
||||
docroot => "${afs_root}developer-docs",
|
||||
priority => '50',
|
||||
template => 'openstack_project/docs.vhost.erb',
|
||||
template => 'openstack_project/developer.vhost.erb',
|
||||
}
|
||||
file { '/etc/ssl/certs/developer.openstack.org.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $developer_cert_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
}
|
||||
file { '/etc/ssl/private/developer.openstack.org.key':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => $developer_key_file_contents,
|
||||
require => File['/etc/ssl/private'],
|
||||
}
|
||||
file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $developer_chain_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
|
||||
}
|
||||
}
|
||||
|
68
modules/openstack_project/templates/developer.vhost.erb
Normal file
68
modules/openstack_project/templates/developer.vhost.erb
Normal file
@ -0,0 +1,68 @@
|
||||
# ************************************
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName <%= @srvname %>
|
||||
<% if @serveraliases.is_a? Array -%>
|
||||
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
|
||||
<% elsif @serveraliases != nil -%>
|
||||
<%= " ServerAlias #{@serveraliases}" -%>
|
||||
<% end -%>
|
||||
|
||||
RewriteEngine on
|
||||
|
||||
DocumentRoot <%= @docroot %>
|
||||
<Directory <%= @docroot %>>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
Satisfy any
|
||||
Require all granted
|
||||
# Allow mod_rewrite rules
|
||||
AllowOverride FileInfo
|
||||
ErrorDocument 404 /errorpage.html
|
||||
</Directory>
|
||||
|
||||
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
|
||||
LogLevel warn
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost *:443>
|
||||
ServerName <%= @srvname %>
|
||||
<% if @serveraliases.is_a? Array -%>
|
||||
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
|
||||
<% elsif @serveraliases != nil -%>
|
||||
<%= " ServerAlias #{@serveraliases}" -%>
|
||||
<% end -%>
|
||||
|
||||
RewriteEngine on
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
# Once the machine is using something to terminate TLS that supports ECDHE
|
||||
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
|
||||
# only is guarenteed.
|
||||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key
|
||||
SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem
|
||||
|
||||
DocumentRoot <%= @docroot %>
|
||||
<Directory <%= @docroot %>>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
Satisfy any
|
||||
Require all granted
|
||||
# Allow mod_rewrite rules
|
||||
AllowOverride FileInfo
|
||||
ErrorDocument 404 /errorpage.html
|
||||
</Directory>
|
||||
|
||||
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
|
||||
LogLevel warn
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
</IfModule>
|
@ -2,8 +2,7 @@
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
NameVirtualHost <%= @vhost_name %>:<%= @port %>
|
||||
<VirtualHost <%= @vhost_name %>:<%= @port %>>
|
||||
<VirtualHost *:80>
|
||||
ServerName <%= @srvname %>
|
||||
<% if @serveraliases.is_a? Array -%>
|
||||
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
|
||||
@ -28,3 +27,42 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost *:443>
|
||||
ServerName <%= @srvname %>
|
||||
<% if @serveraliases.is_a? Array -%>
|
||||
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
|
||||
<% elsif @serveraliases != nil -%>
|
||||
<%= " ServerAlias #{@serveraliases}" -%>
|
||||
<% end -%>
|
||||
|
||||
RewriteEngine on
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
# Once the machine is using something to terminate TLS that supports ECDHE
|
||||
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
|
||||
# only is guarenteed.
|
||||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key
|
||||
SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem
|
||||
|
||||
DocumentRoot <%= @docroot %>
|
||||
<Directory <%= @docroot %>>
|
||||
Options Indexes FollowSymLinks MultiViews
|
||||
Satisfy any
|
||||
Require all granted
|
||||
# Allow mod_rewrite rules
|
||||
AllowOverride FileInfo
|
||||
ErrorDocument 404 /errorpage.html
|
||||
</Directory>
|
||||
|
||||
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
|
||||
LogLevel warn
|
||||
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
</IfModule>
|
||||
|
Loading…
Reference in New Issue
Block a user