system-config/modules/gerrit/templates/gerrit.vhost.erb
Timothy Chavez 47db7ea292 Use the SSLProtocol blacklist approach
It turns out that specifying the ciphers we want to use leads to
breakage.  So instead we'll explicitly tell Apache which ciphers
we don't want to use.

Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
2014-10-16 11:41:04 -05:00

89 lines
2.8 KiB
Plaintext

<VirtualHost <%= scope.lookupvar("gerrit::vhost_name") %>:80>
ServerAdmin <%= scope.lookupvar("gerrit::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
Redirect / https://<%= scope.lookupvar("gerrit::vhost_name") %>/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost <%= scope.lookupvar("gerrit::vhost_name") %>:443>
ServerName <%= scope.lookupvar("gerrit::vhost_name") %>
ServerAdmin <%= scope.lookupvar("gerrit::serveradmin") %>
AllowEncodedSlashes NoDecode
ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile <%= scope.lookupvar("gerrit::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("gerrit::ssl_key_file") %>
<% if scope.lookupvar("gerrit::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("gerrit::ssl_chain_file") %>
<% end %>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
RewriteEngine on
RewriteCond %{HTTP_HOST} !<%= scope.lookupvar("gerrit::vhost_name") %>
RewriteRule ^.*$ <%= scope.lookupvar("gerrit::canonicalweburl") %>
<% if scope.lookupvar("gerrit::replicate_local") -%>
RewriteCond %{REQUEST_URI} !^/p/
<% end -%>
<% if scope.lookupvar("gerrit::contactstore") == true -%>
RewriteCond %{REQUEST_URI} !^/fakestore$
<% end -%>
<% if scope.lookupvar("gerrit::robots_txt_source") != "" -%>
RewriteCond %{REQUEST_URI} !^/robots.txt$
<% end -%>
RewriteRule ^/(.*)$ http://localhost:8081/$1 [NE,P]
ProxyPassReverse / http://localhost:8081/
<% if scope.lookupvar("gerrit::robots_txt_source") != "" -%>
Alias /robots.txt /home/gerrit2/review_site/static/robots.txt
<% end -%>
<% if scope.lookupvar("gerrit::replicate_local") -%>
SetEnv GIT_PROJECT_ROOT <%= scope.lookupvar("gerrit::replicate_path") %>
SetEnv GIT_HTTP_EXPORT_ALL
AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ <%= scope.lookupvar("gerrit::replicate_path") %>/$1
AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ <%= scope.lookupvar("gerrit::replicate_path") %>/$1
ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
<% end -%>
<% if scope.lookupvar("gerrit::contactstore") == true -%>
ScriptAlias /fakestore /home/gerrit2/review_site/lib/fakestore.cgi
<% end -%>
<Directory /home/gerrit2/review_site/git/>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
</IfModule>