charm-keystone/templates/openstack_https_frontend.conf

{% if endpoints -%}
{% for ext_port in ext_ports -%}
Listen {{ ext_port }}
{% endfor -%}
{% for address, endpoint, ext, int in endpoints -%}
<VirtualHost {{ address }}:{{ ext }}>
    ServerName {{ endpoint }}
    SSLEngine on

    # This section is based on Mozilla's recommendation
    # as the "intermediate" profile as of July 7th, 2020.
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off

    SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
    # See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
    SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
    SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
    ProxyPass / http://localhost:{{ int }}/
    ProxyPassReverse / http://localhost:{{ int }}/
    ProxyPreserveHost on
    RequestHeader set X-Forwarded-Proto "https"
    KeepAliveTimeout 75
    MaxKeepAliveRequests 1000
    IncludeOptional /etc/apache2/mellon*/sp-location*.conf
</VirtualHost>
{% endfor -%}
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
<Location />
    Order allow,deny
    Allow from all
</Location>
{% endif -%}