From 9ddfa7e0ff980c013c9e524e00d6df85ce8d894d Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Tue, 13 Oct 2015 18:32:27 +0000
Subject: [PATCH] Add HTTPS support to tarballs.openstack.org
Add HTTPS support to tarballs.openstack.org taking advantage of the SUbjectAltName entry for it in the current static.openstack.org X.509 certificate. Use a generalized vhost template for sites like this which should support access via both HTTP and HTTPS rather than redirecting from one to the other.
Change-Id: I04aa73750f8fcee1c6af6efb1667127fd284f359
---
 modules/openstack_project/manifests/static.pp | 15 ++++-
 .../templates/static-http-and-https.vhost.erb | 49 +++++++++++++++++++
 2 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 modules/openstack_project/templates/static-http-and-https.vhost.erb
diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 041a76b9c7..21b31317e7 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@@ -143,10 +143,17 @@ class openstack_project::static (
 # Tarballs
 ::httpd::vhost { 'tarballs.openstack.org':
- port => 80,
- priority => '50',
- docroot => '/srv/static/tarballs',
- require => File['/srv/static/tarballs'],
+ port => 443, # Is required despite not being used.
+ docroot => '/srv/static/tarballs',
+ priority => '50',
+ ssl => true,
+ template => 'openstack_project/static-http-and-https.vhost.erb',
+ vhost_name => 'tarballs.openstack.org',
+ require => [
+ File['/srv/static/tarballs'],
+ File[$cert_file],
+ File[$key_file],
+ ],
 }
 file { '/srv/static/tarballs':
diff --git a/modules/openstack_project/templates/static-http-and-https.vhost.erb b/modules/openstack_project/templates/static-http-and-https.vhost.erb
new file mode 100644
index 0000000000..360c627d7e
--- /dev/null
+++ b/modules/openstack_project/templates/static-http-and-https.vhost.erb
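Review bot: The new `require` list on the `tarballs.openstack.org` vhost covers `File[$cert_file]` and `File[$key_file]` but not `$chain_file`, although the template it now selects emits `SSLCertificateChainFile` from `openstack_project::static::chain_file` whenever that value is non-empty; if the chain is managed as a `File` resource elsewhere in this class, a first run can reload Apache against a path that has not been written yet. Because an empty string is a legal `chain_file`, the dependency should be added conditionally (a selector on `$chain_file` that appends `File[$chain_file]` only when it is non-empty) rather than listed unconditionally. The comment `# Is required despite not being used.` would help the next reader more as `# ::httpd::vhost insists on a port; the template declares its own :80 and :443 listeners.`, assuming the tags stripped from the template in this rendering are the usual `VirtualHost *:80` / `VirtualHost *:443` pair. The enclosing class `openstack_project::static` begins and ends outside the hunk.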
@@ -0,0 +1,49 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Satisfy Any
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+ SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+ SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Satisfy Any
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
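Review bot: In the `SSLCipherSuite` line of the TLS block, the trailing `!AES256` permanently excludes every AES-256 suite, so the `ECDH+AES256:DH+AES256` entries earlier in the same string can never select anything; either those two entries or the `!AES256` exclusion should be dropped, depending on which policy is intended, and the comment above the line should say which. That comment also misspells `guarenteed` (`guaranteed`). The `VirtualHost` and `Directory` opening tags do not survive this rendering (only a bare `>` remains where each `Directory` line was), so I am reading the second block as the :443 listener from its `SSLEngine on` line rather than from a visible tag. Since the `Options Indexes FollowSymLinks MultiViews` / `AllowOverride None` / `Satisfy Any` stanza and the log directives are repeated verbatim in both blocks, moving the `Directory` access rules to a single block outside the two vhosts (or an included snippet) would keep the plain and TLS listeners from drifting apart later.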