From 96aec261dacea0d5c29a5909e4c2c32dec2121fa Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 31 Jul 2019 13:54:28 -0700
Subject: [PATCH] Add logs.opendev.org vhost

This is a near-copy of the vhost template from puppet-openstackci.

Change-Id: I191e41b501629e2cdd82381d66daa3b850e0be81
---
modules/openstack_project/manifests/static.pp | 10 +
.../templates/logs.vhost.erb | 193 ++++++++++++++++++
2 files changed, 203 insertions(+)
create mode 100644 modules/openstack_project/templates/logs.vhost.erb

diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 4a71481261..16a955f411 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@@ -217,6 +217,16 @@ class openstack_project::static (
 }
 }
 
+ ::httpd::vhost { "logs.opendev.org":
+ port => 443,
+ priority => '50',
+ ssl => true,
+ docroot => '/srv/static/logs',
+ require => File['/srv/static/logs'],
+ vhost_name => 'logs.opendev.org',
+ template => 'openstack_project/logs.vhost.erb',
+ }
+
 vcsrepo { '/opt/devstack-gate':
 ensure => latest,
 provider => git,
diff --git a/modules/openstack_project/templates/logs.vhost.erb b/modules/openstack_project/templates/logs.vhost.erb
new file mode 100644
index 0000000000..7328d4b056
--- /dev/null
+++ b/modules/openstack_project/templates/logs.vhost.erb
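Review bot: In static.pp the new `::httpd::vhost` resource only requires `File['/srv/static/logs']`, yet the template it renders points `SSLCertificateFile` at `/etc/letsencrypt-certs/logs.opendev.org/`; if whatever provisions that certificate is not ordered before this vhost, Apache may refuse to start with the new config, which would also affect any other vhosts served by the same httpd. Nothing in the hunk shows how the certificate is provisioned, so this is inferred; if it is managed in Puppet, adding that resource to `require` would make the ordering explicit. The resource title is also double-quoted (`"logs.opendev.org"`) where every other string in the resource uses single quotes. The class body continues outside the hunk.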
@@ -0,0 +1,193 @@
+# -*- apache -*-
+# ************************************
+# Managed by Puppet
+# ************************************
+
+NameVirtualHost <%= @vhost_name %>:80
+NameVirtualHost <%= @vhost_name %>:443
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif ! ['', nil].include?(@serveraliases) -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+ RewriteEngine On
+ RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+ ServerName <%= @vhost_name %>
+<% if @serveraliases.is_a? Array -%>
+<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
+<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
+<%= " ServerAlias #{@serveraliases}" %>
+<% end -%>
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer
+
+ DocumentRoot <%= @docroot %>
+
+ # Authorize cross request, e.g. fetch job-output from the zuul builds page
+ Header set Access-Control-Allow-Origin "*"
+
+ WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
+ WSGIProcessGroup logs2
+ WSGIApplicationGroup %{GLOBAL}
+
+ AddType text/plain .log
+ AddType text/plain .sh
+ AddType text/plain .yaml
+ AddType text/plain .yml
+
+ # use Apache to compress the results afterwards, to save on the wire
+ # it's approx 18x savings of wire traffic to compress. We need to
+ # compress by content types that htmlify can produce
+ AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml
+
+
+ ForceType text/html
+ AddDefaultCharset UTF-8
+ AddEncoding x-gzip gz
+
+
+ ForceType text/css
+ AddDefaultCharset UTF-8
+ AddEncoding x-gzip gz
+
+
+ ForceType text/javascript
+ AddDefaultCharset UTF-8
+ AddEncoding x-gzip gz
+
+
+ ForceType application/x-font-ttf
+ AddEncoding x-gzip gz
+
+
+ ForceType image/svg+xml
+ AddEncoding x-gzip gz
+
+
+ ForceType application/json
+ AddEncoding x-gzip gz
+
+
+ # mod_mime_magic is sometimes passing css files as asm sources
+ # e.g css files generated by coverage reports
+ ForceType text/css
+
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Satisfy Any
+ ExpiresActive On
+ # Data in the logs server is static once generated by a job
+ ExpiresDefault "access plus 2 weeks"
+
+
+ Allow from all
+ Satisfy Any
+
+
+
+ ReadmeName /help/tempest-overview.html
+
+
+ ReadmeName /help/tempest-overview.html
+
+
+ ReadmeName /help/tempest-logs.html
+
+
+ ReadmeName /help/tempest-logs.html
+
+
+ ReadmeName /help/tripleo-quickstart-logs.html
+
+
+ /periodic*/*>
+ IndexOrderDefault Descending Date
+
+
+ RewriteEngine On
+
+
+ Allow from all
+ Satisfy Any
+
+
+ # ARA sqlite middleware configuration
+ # See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
+ SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
+ SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
+ SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report
+
+ # Redirect .*/ara-report to the ARA sqlite wsgi middleware
+ # This middleware automatically loads the ARA web application with the
+ # database located at .*/ara-report/ansible.sqlite.
+ # If we get a request directly to the database file, don't load the middleware
+ # so that users can download the raw database if they wish.
+ WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite
+
+ # Everything beyond this point is rewritten to htmlify.
+ # Make sure we don't do that for dynamic ARA reports.
+ RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
+ RewriteRule .* - [L]
+
+ # If the specified file does not exist, look if there is a gzipped version
+ # If there is, serve that one instead
+ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
+ RewriteRule ^/(.*)$ %{REQUEST_URI}.gz
+
+ # rewrite (txt|log).gz & console.html[.gz] files to map to our
+ # internal htmlify wsgi app
+ # PT, Pass-through: to come back around and get picked up by the
+ # WSGIScriptAlias
+ # NS, No-subrequest: on coming back through, mod-autoindex may have added
+ # index.html which would match the !-f condition. We
+ # therefore ensure the rewrite doesn't trigger by
+ # disallowing subrequests.
+ RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
+ RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]
+
+ # Check if the request exists as a file, directory or symbolic link
+ # If not, write the request to htmlify to see if we can fetch from swift
+ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
+ RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
+ RewriteCond %{REQUEST_FILENAME} !^/icon
+ RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]
+
+ WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py
+
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
+ LogLevel warn
+ CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
+ ServerSignature Off
+
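Review bot: `SSLProtocol All -SSLv2 -SSLv3` in the 443 block still negotiates TLS 1.0 and 1.1, and the cipher string keeps the RSA key-exchange suites that the comment above it already wants removed; on Apache 2.4 `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` would restrict the vhost to TLS 1.2 and later. The certificate paths are hard-coded to logs.opendev.org while ServerName and the log file names come from `@vhost_name`, so a comment such as `# certificate paths are fixed to logs.opendev.org; do not reuse this template with another vhost_name` would spare the next reader a name mismatch. `Options Indexes FollowSymLinks` on the docroot deserves a second look if CI jobs can place symlinks under it; `SymLinksIfOwnerMatch` is the narrower option. The `<VirtualHost>` and `<Directory>` container lines are not visible in this rendering of the hunk, so the scope of each directive is inferred.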