95 lines
2.9 KiB
Django/Jinja
95 lines
2.9 KiB
Django/Jinja
<VirtualHost *:80>
|
|
ServerName {{ inventory_hostname }}
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
AllowEncodedSlashes On
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/paste-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/paste-access.log combined
|
|
|
|
RewriteEngine On
|
|
|
|
# NOTE(fungi) 2021-08-13 : The pastebinit command-line tool
|
|
# hard-codes an allowed list of pastebin URLs, one of which is
|
|
# "http://paste.openstack.org" so redirecting to HTTPS and to other
|
|
# hostnames seems to break it. We allow it to access the http site
|
|
# for compatability, but redirect anything that doesn't look like it
|
|
# over to the https site.
|
|
RewriteCond %{HTTP_USER_AGENT} !"Pastebinit" [NC]
|
|
RewriteRule ^(.*)$ https://paste.opendev.org$1 [R=301,L]
|
|
|
|
# NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent
|
|
# This a) gives Python 3 unicode errors we haven't looked into and b)
|
|
# is only used by bots as a vector for scraping things. Just
|
|
# disable it.
|
|
RewriteCond %{QUERY_STRING} "method=pastes.getRecent"
|
|
RewriteRule .* - [F,L]
|
|
|
|
ProxyPass / http://localhost:9000/ retry=0
|
|
ProxyPassReverse / http://localhost:9000/
|
|
|
|
<Location "/assets/">
|
|
ProxyPass !
|
|
</Location>
|
|
<Location "/robots.txt">
|
|
ProxyPass !
|
|
</Location>
|
|
<Directory "/var/lib/lodgeit/www">
|
|
Require all granted
|
|
</Directory>
|
|
Alias /assets /var/lib/lodgeit/www/assets
|
|
Alias /robots.txt /var/lib/lodgeit/www/robots.txt
|
|
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:443>
|
|
ServerName {{ inventory_hostname }}
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
AllowEncodedSlashes On
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/paste-ssl-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/paste-ssl-access.log combined
|
|
|
|
SSLEngine on
|
|
SSLProtocol All -SSLv2 -SSLv3
|
|
# Note: this list should ensure ciphers that provide forward secrecy
|
|
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
|
SSLHonorCipherOrder on
|
|
|
|
SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
|
|
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
|
|
SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
|
|
|
|
ProxyPass / http://localhost:9000/ retry=0
|
|
ProxyPassReverse / http://localhost:9000/
|
|
|
|
# NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent
|
|
# This a) gives Python 3 unicode errors we haven't looked into and b)
|
|
# is only used by bots as a vector for scraping things. Just
|
|
# disable it.
|
|
RewriteEngine On
|
|
RewriteCond %{QUERY_STRING} "method=pastes.getRecent"
|
|
RewriteRule .* - [F,L]
|
|
|
|
<Location "/assets/">
|
|
ProxyPass !
|
|
</Location>
|
|
<Location "/robots.txt">
|
|
ProxyPass !
|
|
</Location>
|
|
<Directory "/var/lib/lodgeit/www">
|
|
Require all granted
|
|
</Directory>
|
|
Alias /assets /var/lib/lodgeit/www/assets
|
|
Alias /robots.txt /var/lib/lodgeit/www/robots.txt
|
|
|
|
</VirtualHost>
|
|
|