Add logs.opendev.org vhost

This is a near-copy of the vhost template from puppet-openstackci.

Change-Id: I191e41b501629e2cdd82381d66daa3b850e0be81
This commit is contained in:
James E. Blair 2019-07-31 13:54:28 -07:00
parent 48cafd19f8
commit 96aec261da
2 changed files with 203 additions and 0 deletions

View File

@ -217,6 +217,16 @@ class openstack_project::static (
}
}
::httpd::vhost { "logs.opendev.org":
port => 443,
priority => '50',
ssl => true,
docroot => '/srv/static/logs',
require => File['/srv/static/logs'],
vhost_name => 'logs.opendev.org',
template => 'openstack_project/logs.vhost.erb',
}
vcsrepo { '/opt/devstack-gate':
ensure => latest,
provider => git,

View File

@ -0,0 +1,193 @@
# -*- apache -*-
# ************************************
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:80
NameVirtualHost <%= @vhost_name %>:443
<VirtualHost *:80>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer
DocumentRoot <%= @docroot %>
# Authorize cross request, e.g. fetch job-output from the zuul builds page
Header set Access-Control-Allow-Origin "*"
WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
WSGIProcessGroup logs2
WSGIApplicationGroup %{GLOBAL}
AddType text/plain .log
AddType text/plain .sh
AddType text/plain .yaml
AddType text/plain .yml
# use Apache to compress the results afterwards, to save on the wire
# it's approx 18x savings of wire traffic to compress. We need to
# compress by content types that htmlify can produce
AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml
<FilesMatch \.html\.gz$>
ForceType text/html
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.css\.gz$>
ForceType text/css
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.js\.gz$>
ForceType text/javascript
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.ttf\.gz$>
ForceType application/x-font-ttf
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.svg\.gz$>
ForceType image/svg+xml
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.json\.gz$>
ForceType application/json
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.css$>
# mod_mime_magic is sometimes passing css files as asm sources
# e.g css files generated by coverage reports
ForceType text/css
</FilesMatch>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
Satisfy Any
ExpiresActive On
# Data in the logs server is static once generated by a job
ExpiresDefault "access plus 2 weeks"
</Directory>
<Directory /usr/local/lib/python2.7/dist-packages/os_loganalyze>
Allow from all
Satisfy Any
</Directory>
<Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*>
ReadmeName /help/tempest-overview.html
</Directory>
<Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*>
ReadmeName /help/tempest-overview.html
</Directory>
<Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*/logs/>
ReadmeName /help/tempest-logs.html
</Directory>
<Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*/logs/>
ReadmeName /help/tempest-logs.html
</Directory>
<Directory /srv/static/logs/*/*/*/*/*tripleo-ci-*/*/logs/>
ReadmeName /help/tripleo-quickstart-logs.html
</Directory>
<Directory <%= @docroot %>/periodic*/*>
IndexOrderDefault Descending Date
</Directory>
RewriteEngine On
<Directory "/usr/local/bin">
<Files "ara-wsgi-sqlite">
Allow from all
Satisfy Any
</Files>
</Directory>
# ARA sqlite middleware configuration
# See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report
# Redirect .*/ara-report to the ARA sqlite wsgi middleware
# This middleware automatically loads the ARA web application with the
# database located at .*/ara-report/ansible.sqlite.
# If we get a request directly to the database file, don't load the middleware
# so that users can download the raw database if they wish.
WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite
# Everything beyond this point is rewritten to htmlify.
# Make sure we don't do that for dynamic ARA reports.
RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
RewriteRule .* - [L]
# If the specified file does not exist, look if there is a gzipped version
# If there is, serve that one instead
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
RewriteRule ^/(.*)$ %{REQUEST_URI}.gz
# rewrite (txt|log).gz & console.html[.gz] files to map to our
# internal htmlify wsgi app
# PT, Pass-through: to come back around and get picked up by the
# WSGIScriptAlias
# NS, No-subrequest: on coming back through, mod-autoindex may have added
# index.html which would match the !-f condition. We
# therefore ensure the rewrite doesn't trigger by
# disallowing subrequests.
RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]
# Check if the request exists as a file, directory or symbolic link
# If not, write the request to htmlify to see if we can fetch from swift
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !^/icon
RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]
WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py
ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
ServerSignature Off
</VirtualHost>