
The Ceph RADOS Gateway uses some unusual URIs for multisite replication; ensure that mod_proxy passes the 'raw' URI down to the radosgw HTTP endpoint so that client-side and server-side signatures continue to match. This seems quite Ceph-specific, so the template is specialised into the charm rather than updated in charm-helpers. Change-Id: Iede49ba8904500076d53388345e154a3ed18e761 Closes-Bug: 1966669
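{# Apache TLS-terminating reverse proxy in front of the Ceph RADOS Gateway.
   Template inputs used below: ext_ports (ports to Listen on), endpoints
   (iterated as address, endpoint, ext, int) and namespace (certificate
   directory under /etc/apache2/ssl). -#}
{% if endpoints -%}
{% for ext_port in ext_ports -%}
Listen {{ ext_port }}
{% endfor -%}
{% for address, endpoint, ext, int in endpoints -%}
<VirtualHost {{ address }}:{{ ext }}>
    ServerName {{ endpoint }}
    SSLEngine on

    # This section is based on Mozilla's recommendation
    # as the "intermediate" profile as of July 7th, 2020.
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # Review against the current recommendation when this template is touched;
    # the profile is dated and cipher guidance changes over time.
    # "all" minus SSLv3/TLSv1/TLSv1.1 leaves TLS 1.2 and newer enabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # Every suite above is forward-secret AEAD, so the client's preference
    # order is accepted rather than enforced server-side.
    SSLHonorCipherOrder off

    SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
    # See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
    # (SSLCertificateChainFile is deprecated from 2.4.8, where the chain can
    # be carried in SSLCertificateFile; both point at the same file here.)
    SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
    # The private key should be readable by root only.
    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}

    # Reverse proxy only. Off is the Apache default, but it is pinned here
    # because the <Proxy *> block below allows all clients: if forward
    # proxying were ever enabled elsewhere, that combination would expose an
    # open proxy.
    ProxyRequests Off

    # nocanon passes the raw, un-canonicalised request path to radosgw so that
    # request signatures computed by the client still verify on the server.
    # It also removes the limited protection mod_proxy's URL canonicalisation
    # gives against URL-based attacks, so the backend must itself handle
    # encoded or non-canonical paths safely.
    # NOTE(review): the hop to localhost is plain HTTP; presumably the
    # internal port is not reachable from outside the host - confirm, since
    # direct access would bypass TLS and the header set below.
    ProxyPass / http://localhost:{{ int }}/ nocanon
    ProxyPassReverse / http://localhost:{{ int }}/
    ProxyPreserveHost on
    # "set" replaces any X-Forwarded-Proto value supplied by the client, so
    # the backend only ever sees the proxy's own assertion.
    RequestHeader set X-Forwarded-Proto "https"
    KeepAliveTimeout 75
    MaxKeepAliveRequests 1000
</VirtualHost>
{% endfor -%}
# Access control below uses 2.2-style Order/Allow directives; on Apache 2.4
# these are provided by mod_access_compat.
# Allow-all on <Proxy *> is appropriate for a reverse proxy only (see
# ProxyRequests Off in each VirtualHost).
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
# No access restriction is applied at the proxy for any path; request
# authentication is left to the backend.
<Location />
    Order allow,deny
    Allow from all
</Location>
{% endif -%}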