static: add default site

If you currently hit https://static.opendev.org you get redirected to the default site, which is just the first site in alphabetical order, which happens to be governance.openstack.org. Add a 00-static.opendev.org.conf file so this is the default site. It will just serve up the top-level afs directory. Change-Id: Icdcee962b76545c12e84d4cadb0b60a68cabe38b
2020-02-20 16:45:21 +11:00 · 2020-02-20 16:45:21 +11:00 · b2eb6c7003
parent 2f1b2f3eae
commit b2eb6c7003
3 changed files with 67 additions and 1 deletions
--- a/playbooks/roles/static/files/00-static.opendev.org.conf
+++ b/playbooks/roles/static/files/00-static.opendev.org.conf
@ -0,0 +1,43 @@
+Define AFS_ROOT /afs/openstack.org/
+
+<VirtualHost *:80>
+  ServerName static.opendev.org
+  ServerAlias static.openstack.org
+  RewriteEngine On
+  RewriteRule ^/(.*) https://static.opendev.org/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/static.opendev.org_error.log
+  CustomLog /var/log/apache2/static.opendev.org_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+
+  ServerName static.opendev.org
+  ServerAlias static.openstack.org
+
+  DocumentRoot ${AFS_ROOT}
+
+  SSLCertificateFile      /etc/letsencrypt-certs/static.opendev.org/static.opendev.org.cer
+  SSLCertificateKeyFile   /etc/letsencrypt-certs/static.opendev.org/static.opendev.org.key
+  SSLCertificateChainFile /etc/letsencrypt-certs/static.opendev.org/ca.cer
+  SSLProtocol All -SSLv2 -SSLv3
+  # Note: this list should ensure ciphers that provide forward secrecy
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+
+  <Directory ${AFS_ROOT}>
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverrideList Redirect RedirectMatch
+    Satisfy Any
+    Require all granted
+  </Directory>
+
+  LogLevel warn
+  ErrorLog /var/log/apache2/static.opendev.org_error.log
+  CustomLog /var/log/apache2/static.opendev.org_access.log combined
+  ServerSignature Off
+
+</VirtualHost>
+</IfModule>
--- a/playbooks/roles/static/tasks/main.yaml
+++ b/playbooks/roles/static/tasks/main.yaml
@ -50,11 +50,28 @@
    state: present
    name: headers

- name: Make sure default site disabled
+
+# Default site
+- name: Make sure packaged default site disabled
  command: a2dissite 000-default.conf
  args:
    removes: /etc/apache2/sites-enabled/000-default.conf

+- name: Add custom default site
+  copy:
+    src: 00-static.opendev.org.conf
+    dest: /etc/apache2/sites-available/
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Enable static.opendev.org
+  command: a2ensite 00-static.opendev.org
+  args:
+    creates: /etc/apache2/sites-enabled/00-static.opendev.org
+  notify:
+    - Reload apache2
+
 # governance.openstack.org
 - name: Install governance.openstack.org
  copy:
--- a/testinfra/test_static.py
+++ b/testinfra/test_static.py
@ -20,6 +20,12 @@ def test_apache(host):
    apache = host.service('apache2')
    assert apache.is_running

+def test_static_opendev_org(host):
+    cmd = host.run('curl --insecure '
+                   '--resolve static.opendev.org:443:127.0.0.1 '
+                   'https://static.opendev.org/')
+    assert 'Index of /' in cmd.stdout
+
 def test_governance_openstack_org(host):
    cmd = host.run('curl --insecure '
                   '--resolve governance.openstack.org:443:127.0.0.1 '