opendev/system-config
Code Issues Proposed changes
1fd4deb76d
system-config/playbooks/roles/lodgeit/templates/paste.vhost.j2
Jeremy Stanley 1a227489e2 Use Apache to serve a local OpenDev logo on paste 
In order to avoid unnecessary browser requests to other sites,
install a copy of the OpenDev logo on the Lodgeit server and serve
it from there rather than pointing at one served from Gitea.

Change-Id: I4c3678a1de8ca4a41cd0c64aab71b2e0e25373af
2021-09-21 20:28:29 +00:00

95 lines
2.9 KiB
Django/Jinja
Raw Blame History

<VirtualHost *:80>
ServerName {{ inventory_hostname }}
ServerAdmin webmaster@openstack.org
AllowEncodedSlashes On
ErrorLog ${APACHE_LOG_DIR}/paste-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/paste-access.log combined
RewriteEngine On
# NOTE(fungi) 2021-08-13 : The pastebinit command-line tool
# hard-codes an allowed list of pastebin URLs, one of which is
# "http://paste.openstack.org" so redirecting to HTTPS and to other
# hostnames seems to break it. We allow it to access the http site
# for compatability, but redirect anything that doesn't look like it
# over to the https site.
RewriteCond %{HTTP_USER_AGENT} !"Pastebinit" [NC]
RewriteRule ^(.*)$ https://paste.opendev.org$1 [R=301,L]
# NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent
# This a) gives Python 3 unicode errors we haven't looked into and b)
# is only used by bots as a vector for scraping things. Just
# disable it.
RewriteCond %{QUERY_STRING} "method=pastes.getRecent"
RewriteRule .* - [F,L]
ProxyPass / http://localhost:9000/ retry=0
ProxyPassReverse / http://localhost:9000/
<Location "/assets/">
ProxyPass !
</Location>
<Location "/robots.txt">
ProxyPass !
</Location>
<Directory "/var/lib/lodgeit/www">
Require all granted
</Directory>
Alias /assets /var/lib/lodgeit/www/assets
Alias /robots.txt /var/lib/lodgeit/www/robots.txt
</VirtualHost>
<VirtualHost *:443>
ServerName {{ inventory_hostname }}
ServerAdmin webmaster@openstack.org
AllowEncodedSlashes On
ErrorLog ${APACHE_LOG_DIR}/paste-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/paste-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
ProxyPass / http://localhost:9000/ retry=0
ProxyPassReverse / http://localhost:9000/
# NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent
# This a) gives Python 3 unicode errors we haven't looked into and b)
# is only used by bots as a vector for scraping things. Just
# disable it.
RewriteEngine On
RewriteCond %{QUERY_STRING} "method=pastes.getRecent"
RewriteRule .* - [F,L]
<Location "/assets/">
ProxyPass !
</Location>
<Location "/robots.txt">
ProxyPass !
</Location>
<Directory "/var/lib/lodgeit/www">
Require all granted
</Directory>
Alias /assets /var/lib/lodgeit/www/assets
Alias /robots.txt /var/lib/lodgeit/www/robots.txt
</VirtualHost>
View Git Blame Copy Permalink