Add HTTPS support to tarballs.openstack.org

Add HTTPS support to tarballs.openstack.org taking advantage of the SUbjectAltName entry for it in the current static.openstack.org X.509 certificate. Use a generalized vhost template for sites like this which should support access via both HTTP and HTTPS rather than redirecting from one to the other. Change-Id: I04aa73750f8fcee1c6af6efb1667127fd284f359
2015-10-13 18:32:27 +00:00 · 2015-10-13 18:32:27 +00:00 · 9ddfa7e0ff
commit 9ddfa7e0ff
parent edb95c4d3a
2 changed files with 60 additions and 4 deletions
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@ -143,10 +143,17 @@ class openstack_project::static (
  # Tarballs

  ::httpd::vhost { 'tarballs.openstack.org':
-    port     => 80,
-    priority => '50',
-    docroot  => '/srv/static/tarballs',
-    require  => File['/srv/static/tarballs'],
+    port       => 443, # Is required despite not being used.
+    docroot    => '/srv/static/tarballs',
+    priority   => '50',
+    ssl        => true,
+    template   => 'openstack_project/static-http-and-https.vhost.erb',
+    vhost_name => 'tarballs.openstack.org',
+    require    => [
+      File['/srv/static/tarballs'],
+      File[$cert_file],
+      File[$key_file],
+    ],
  }

  file { '/srv/static/tarballs':
--- a/modules/openstack_project/templates/static-http-and-https.vhost.erb
+++ b/modules/openstack_project/templates/static-http-and-https.vhost.erb
@ -0,0 +1,49 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+  ServerName <%= @vhost_name %>
+  DocumentRoot <%= @docroot %>
+  <Directory <%= @docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Order allow,deny
+    allow from all
+    Satisfy Any
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+  DocumentRoot <%= @docroot %>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+  SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+  SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
+  <Directory <%= @docroot %>>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Order allow,deny
+    allow from all
+    Satisfy Any
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+</IfModule>