4a58212a5e
In order to unify approach for managing Apache Web server, we migrate to usage of standalone `httpd` role instead of managing apache separately inside service roles. Change-Id: I5be9be18ec0b61a4c24f4ac670cf195db0a65dc8
75 lines
3.3 KiB
YAML
75 lines
3.3 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Clean-up old vhost files
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop: "{{ keystone_deprecated_apache_configs }}"
|
|
|
|
- name: Including HTTPD role
|
|
ansible.builtin.import_role:
|
|
name: httpd
|
|
vars:
|
|
httpd_pki_dir: "{{ keystone_pki_dir }}"
|
|
httpd_pki_setup_host: "{{ keystone_pki_setup_host }}"
|
|
httpd_ssl_protocol: "{{ keystone_ssl_protocol }}"
|
|
httpd_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite_tls12 }}"
|
|
httpd_ssl_cipher_suite_tls13: "{{ keystone_ssl_cipher_suite_tls13 }}"
|
|
httpd_pki_regen_cert: "{{ keystone_pki_regen_cert }}"
|
|
httpd_extra_packages: "{{ keystone_sp_apache_mod_packages | selectattr('state', 'eq', 'present') | map(attribute='name') }}"
|
|
httpd_extra_modules: "{{ keystone_apache_modules }}"
|
|
httpd_vhosts:
|
|
- name: openstack_keystone
|
|
address: "{{ keystone_web_server_bind_address }}"
|
|
port: "{{ keystone_service_port }}"
|
|
log_level: "{{ keystone_apache_log_level }}"
|
|
log_format: "{{ keystone_apache_custom_log_format }}"
|
|
server_name: "{{ ansible_facts['hostname'] }}"
|
|
headers:
|
|
- 'Header set X-Content-Type-Options "nosniff"'
|
|
- 'Header set X-XSS-Protection "1; mode=block"'
|
|
- >-
|
|
Header set Content-Security-Policy "default-src 'self' https: wss:;"
|
|
- >-
|
|
{% set scp_script_src = "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';" -%}
|
|
{{ (keystone_sp != {}) | ternary('Header set Content-Security-Policy "' ~ scp_script_src ~ '"', '') }}
|
|
- "Header set X-Frame-Options {{ keystone_x_frame_options | default('DENY') }}"
|
|
options: |-
|
|
{% set options = _keystone_httpd_base_options %}
|
|
{% if keystone_sp_apache_mod_auth_openidc %}
|
|
{% set _ = options.extend(_keystone_httpd_openidc_options) %}
|
|
{% endif %}
|
|
{% if keystone_sp_apache_mod_shib %}
|
|
{% set _ = options.extend(_keystone_httpd_shib_options) %}
|
|
{% endif %}
|
|
{% set _ = options.append('ProxyPass / uwsgi://127.0.0.1:' ~ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] ~ '/') %}
|
|
{{ options }}
|
|
locations: |-
|
|
{% set locations = [] %}
|
|
{% if keystone_sp_apache_mod_auth_openidc %}
|
|
{% set _ = locations.extend(_keystone_httpd_openidc_locations) %}
|
|
{% endif %}
|
|
{% if keystone_sp_apache_mod_shib %}
|
|
{% set _ = locations.extend(_keystone_httpd_shib_locations) %}
|
|
{% endif %}
|
|
{{ locations }}
|
|
directories: "{{ (keystone_sp != {}) | ternary(_keystone_httpd_sp_directories, []) }}"
|
|
ssl: "{{ keystone_backend_ssl | ternary(_keystone_httpd_vhost_ssl, false) }}"
|
|
tags:
|
|
- horizon-install
|
|
- horizon-config
|
|
- httpd
|