ServerName {{ inventory_hostname }} ServerAdmin webmaster@openstack.org AllowEncodedSlashes On ErrorLog ${APACHE_LOG_DIR}/paste-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/paste-access.log combined RewriteEngine On # NOTE(fungi) 2021-08-13 : The pastebinit command-line tool # hard-codes an allowed list of pastebin URLs, one of which is # "http://paste.openstack.org" so redirecting to HTTPS and to other # hostnames seems to break it. We allow it to access the http site # for compatability, but redirect anything that doesn't look like it # over to the https site. RewriteCond %{HTTP_USER_AGENT} !"Pastebinit" [NC] RewriteRule ^(.*)$ https://paste.opendev.org$1 [R=301,L] # NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent # This a) gives Python 3 unicode errors we haven't looked into and b) # is only used by bots as a vector for scraping things. Just # disable it. RewriteCond %{QUERY_STRING} "method=pastes.getRecent" RewriteRule .* - [F,L] ProxyPass / http://localhost:9000/ retry=0 ProxyPassReverse / http://localhost:9000/ ProxyPass ! ProxyPass ! Require all granted Alias /assets /var/lib/lodgeit/www/assets Alias /robots.txt /var/lib/lodgeit/www/robots.txt ServerName {{ inventory_hostname }} ServerAdmin webmaster@openstack.org AllowEncodedSlashes On ErrorLog ${APACHE_LOG_DIR}/paste-ssl-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/paste-ssl-access.log combined SSLEngine on SSLProtocol All -SSLv2 -SSLv3 # Note: this list should ensure ciphers that provide forward secrecy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer ProxyPass / http://localhost:9000/ retry=0 ProxyPassReverse / http://localhost:9000/ # NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent # This a) gives Python 3 unicode errors we haven't looked into and b) # is only used by bots as a vector for scraping things. Just # disable it. RewriteEngine On RewriteCond %{QUERY_STRING} "method=pastes.getRecent" RewriteRule .* - [F,L] ProxyPass ! ProxyPass ! Require all granted Alias /assets /var/lib/lodgeit/www/assets Alias /robots.txt /var/lib/lodgeit/www/robots.txt