# ************************************
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
  RewriteEngine On
  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName <%= @vhost_name %>
  DocumentRoot <%= @docroot %>
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Once the machine is using something to terminate TLS that supports ECDHE
  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
  # only is guarenteed.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
  SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
  SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
<% if scope['openstack_project::static::chain_file'] != '' %>
  SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
  # Alias other folders
  <% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
    Alias "<%= a %>" "<%= d %>"
  <% end -%>
  # Set up redirects
  <% scope.lookupvar('openstack_project::static::governance_redirects').each do |a, d| -%>
    Redirect "<%= a %>" "<%= d %>"
  <% end -%>
  <% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
  <Directory <%= dirname %>>
    Options Indexes FollowSymLinks MultiViews
    AllowOverrideList Redirect RedirectMatch
    Satisfy Any
    Require all granted
  </Directory>
  <% end -%>
  <Directory /srv/static/governance/badges>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Satisfy Any
    Require all granted
    <IfModule mod_headers.c>
        Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
        Header set Pragma "no-cache"
    </IfModule>
    ErrorDocument 404 /badges/project-unofficial.svg
  </Directory>
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>
</IfModule>