opendev/system-config
Code Issues Proposed changes
44f9246de7
system-config/playbooks/roles/etherpad/templates/etherpad.vhost.j2
Clark Boylan 1fd4deb76d Update Etherpad to v2.2.5 
After the 2.2.4 release we upgraded to a development commit between
2.2.4 and the future (at that time non existant) 2.2.5 release to fix
integration between meetpad and etherpad. Now there is a proper 2.2.5
and we should update to get off the dev commit.

This release fixes a number of bugs, updates dependencies, and adds
proper swagger documentation for the API. The "complete" changelog can
be seen here:
  https://github.com/ether/etherpad-lite/blob/v2.2.5/CHANGELOG.md

Note that I don't believe the API has changed they are merely
documenting it properly using swagger. Our testing should confirm.
To expose the new swagger documentation we do add /api-docs/ and
/api-docs.json to our proxy exclusion list.

We also update our settings.json files to sync with upstream. This pulls
in a new `updateServer` key value pair to set the location that should
be checked by etherpad to determine if there is a newer version
available. I believe this behavior has existing for years they are just
now making it a bit more configurable. Unfortunately the way this value
is used I think we will do a local file lookup if we set the value to
"". I've stuck with the default since this shouldn't be a regression and
we can try to disable it later.

Change-Id: I73a09a0c79db18887cb1703c84f9aebae6f072eb
2024-09-23 10:29:15 -07:00

110 lines
4.1 KiB
Django/Jinja
Raw Blame History

<VirtualHost *:80>
ServerName {{ etherpad_vhost_name }}
ServerAdmin webmaster@openstack.org
ErrorLog ${APACHE_LOG_DIR}/etherpad-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/etherpad-access.log combined
Redirect / https://{{ etherpad_vhost_name }}/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName {{ etherpad_vhost_name }}
ServerAdmin webmaster@openstack.org
AllowEncodedSlashes On
ErrorLog ${APACHE_LOG_DIR}/etherpad-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/etherpad-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/ca.cer
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<IfModule mod_proxy.c>
# The following redirects "nice" urls such as https://etherpad.example.org/padname
# to https://etherpad.example.org/p/padname. It was problematic directly
# supporting "nice" urls as etherpad hardcodes /p/ in many places.
# Adapted from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
RewriteEngine on
# Do not rewrite the /server-status URL (though by default, this
# is only accessible from localhost). Connect to it with:
# ssh -L 8443:localhost:443 $HOSTNAME
# https://localhost:8443/server-status
RewriteRule ^/server-status$ /server-status [L]
RewriteCond %{HTTP_HOST} !{{ etherpad_vhost_name }}
RewriteRule ^.*$ https://{{ etherpad_vhost_name }} [L,R=301]
# Serve robots.txt directly so that it does not affect
# etherpad-lite installation.
RewriteRule ^/robots.txt$ /var/etherpad/www/robots.txt [L]
# Refuse external connections to the API through the proxy
RewriteRule ^/api/ - [F,L]
RewriteCond %{REQUEST_URI} !^/p/
RewriteCond %{REQUEST_URI} !^/manifest.json
RewriteCond %{REQUEST_URI} !^/locales/
RewriteCond %{REQUEST_URI} !^/locales.json
RewriteCond %{REQUEST_URI} !^/admin
RewriteCond %{REQUEST_URI} !^/static/
RewriteCond %{REQUEST_URI} !^/pluginfw/
RewriteCond %{REQUEST_URI} !^/javascripts/
RewriteCond %{REQUEST_URI} !^/socket.io/
RewriteCond %{REQUEST_URI} !^/ep/
RewriteCond %{REQUEST_URI} !^/ep_etherpad-lite/
RewriteCond %{REQUEST_URI} !^/minified/
RewriteCond %{REQUEST_URI} !^/padbootstrap-.*\.min\.js$
RewriteCond %{REQUEST_URI} !^/timeSliderBootstrap-.*\.min\.js$
RewriteCond %{REQUEST_URI} !^/indexBootstrap-.*\.min\.js$
RewriteCond %{REQUEST_URI} !^/api/
RewriteCond %{REQUEST_URI} !^/api-docs/
RewriteCond %{REQUEST_URI} !^/api-docs.json
RewriteCond %{REQUEST_URI} !^/ro/
RewriteCond %{REQUEST_URI} !^/error/
RewriteCond %{REQUEST_URI} !^/jserror
RewriteCond %{REQUEST_URI} !/favicon.ico
RewriteCond %{REQUEST_URI} !/robots.txt
RewriteRule ^/+(.+)$ https://{{ etherpad_vhost_name }}/p/$1 [NC,L,R=301]
<IfModule mod_proxy_wstunnel.c>
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:9001/$1 [P,L]
ProxyPass /socket.io http://localhost:9001/socket.io retry=0
ProxyPassReverse /socket.io http://localhost:9001/socket.io
</IfModule>
ProxyPass / http://localhost:9001/ retry=0
ProxyPassReverse / http://localhost:9001/
</IfModule>
<Directory /var/etherpad/www/>
Require all granted
</Directory>
</VirtualHost>
</IfModule>
View Git Blame Copy Permalink