system-config/modules/openstack_project/templates/static-http-and-https.vhost.erb

# ************************************
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName <%= @vhost_name %>
  DocumentRoot <%= @docroot %>
  <Directory <%= @docroot %>>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    Satisfy Any
  </Directory>
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName <%= @vhost_name %>
  DocumentRoot <%= @docroot %>
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Once the machine is using something to terminate TLS that supports ECDHE
  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
  # only is guarenteed.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
  SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
  SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
<% if scope['openstack_project::static::chain_file'] != '' %>
  SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
  <Directory <%= @docroot %>>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    Satisfy Any
  </Directory>
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>
</IfModule>