system-config/modules/openstack_project/templates/security.vhost.erb
Jeremy Stanley 954ece8642 Use SNI/SAN on static.openstack.org
A new cert bundle and key have been obtained for
static.openstack.org with SubjectAltNames for most of its relevant
vhosts. Switch it into place and generalize the current HTTPS
configuration for security.openstack.org in preparation for adding
HTTPS support to the remaining vhosts in subsequent commits. Also
add sane snakeoil fallback behavior for undefined certificate/key
files.

Change-Id: I65b7dbc3b5ad8735c158a1ac0b41b848ad5d2077
2015-10-11 13:01:07 +00:00


# ************************************
# Managed by Puppet
# ************************************
# Plain-HTTP listener: every request path is redirected to the HTTPS vhost.
<VirtualHost *:80>
ServerName <%= @vhost_name %>
RewriteEngine On
# Permanent redirect to the same path over HTTPS. The target host is the
# template's vhost_name rather than the request's Host header, so the
# redirect destination is not taken from client input.
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
LogLevel warn
# Per-vhost error and access logs, named after vhost_name.
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
# Suppress the server-generated footer line on error pages and listings.
ServerSignature Off
</VirtualHost>
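# HTTPS listener; the whole vhost is skipped when mod_ssl is not loaded.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
DocumentRoot <%= @docroot %>
SSLEngine on
# Disables SSLv2 and SSLv3 only; every other protocol version the TLS library
# offers (including TLS 1.0 and 1.1) stays enabled.
# NOTE(review): confirm whether the legacy TLS versions are still required.
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guaranteed.
# NOTE(review): the !AES256 exclusion removes every AES-256 suite, so the
# ECDH+AES256 and DH+AES256 entries earlier in the list select nothing.
# Confirm that this is intended.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
# Use the server's cipher preference order rather than the client's.
SSLHonorCipherOrder on
# Certificate, key and chain paths are read from the
# openstack_project::static class scope, not from per-vhost parameters.
SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
# The chain directive is emitted only when a chain file is configured. An
# unset value (nil or :undef) is treated like the empty string, so a
# directive with a missing or literal "undef" argument is never rendered.
<% if ![nil, :undef, ''].include?(scope['openstack_project::static::chain_file']) %>
SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
# Content under the docroot is readable by any client without authentication.
# NOTE(review): Allow/Satisfy are Apache 2.2-style access directives; on
# Apache 2.4 they need mod_access_compat. Confirm the target version.
<Directory <%= @docroot %>>
Allow from all
Satisfy Any
</Directory>
# NOTE(review): no Strict-Transport-Security header is set in this vhost, so
# returning clients still depend on the port-80 redirect. Consider whether
# HSTS is appropriate for the hosts sharing this template.
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
# Suppress the server-generated footer line on error pages and listings.
ServerSignature Off
</VirtualHost>
</IfModule>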