Add SSL support for apps.openstack.org.

This commit enables SSL support for the
App Catalog.

Partial-Bug: 1496611
Change-Id: I87180f34d583b7319e4964d8e97c53279554f3f3
Christopher Aedo 2015-09-23 13:38:11 -07:00
parent 962f316fb4
commit c2814473c9
2 changed files with 107 additions and 9 deletions


@ -1,12 +1,18 @@
# == Class: apps_site
#
class apps_site (
$vhost_name = $::fqdn,
$root_dir = '/opt/apps_site',
$serveradmin = "webmaster@${::domain}",
$commit = 'master',
$vhost_name = $::fqdn,
$root_dir = '/opt/apps_site',
$serveradmin = "webmaster@${::domain}",
$commit = 'master',
$ssl_cert_file_contents = undef,
$ssl_key_file_contents = undef,
$ssl_chain_file_contents = undef,
$ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
$ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
$ssl_chain_file = '/etc/ssl/certs/ca-certificates.crt',
) {
include ::httpd::ssl
if !defined(Package['git']) {
package { 'git':
@ -24,14 +30,13 @@ class apps_site (
]
}
include ::httpd
::httpd::vhost { $vhost_name:
port => 80,
port => 443,
docroot => "${root_dir}/openstack_catalog/web",
priority => '50',
template => 'apps_site/vhost.erb',
vhost_name => $vhost_name,
ssl => true,
}
httpd_mod { 'headers':
@ -49,6 +54,36 @@ class apps_site (
notify => Service['httpd']
}
if $ssl_cert_file_contents != undef {
file { $ssl_cert_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_cert_file_contents,
before => Httpd::Vhost[$vhost_name],
}
}
if $ssl_key_file_contents != undef {
file { $ssl_key_file:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
content => $ssl_key_file_contents,
before => Httpd::Vhost[$vhost_name],
}
}
if $ssl_chain_file_contents != undef {
file { $ssl_chain_file:
owner => 'root',
group => 'root',
mode => '0640',
content => $ssl_chain_file_contents,
before => Httpd::Vhost[$vhost_name],
}
}
if ! defined(Package['python-yaml']) {
package { 'python-yaml':
ensure => present,
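Review bot: The `file { $ssl_chain_file: ... }` resource in the last hunk writes to whatever path `$ssl_chain_file` holds, and the class default for that parameter is `/etc/ssl/certs/ca-certificates.crt`, so passing `$ssl_chain_file_contents` without also overriding the path would replace the system CA bundle with the chain contents. The same pattern applies to the snakeoil defaults for `$ssl_cert_file` and `$ssl_key_file`, and when no contents are passed the vhost comes up on the self-signed snakeoil pair without any warning. A dedicated default path for the managed files, or a `fail()` when contents are supplied while the path is still the default, would avoid both. The key resource could also set `show_diff => false` so the private key is not printed in run output if diff display is enabled on the agent. The class body starts and continues outside the lines shown here.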


@ -42,5 +42,68 @@
CustomLog /var/log/apache2/app_site-access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost *:443>
ServerAdmin <%= @serveradmin %>
ServerName <%= @vhost_name %>
ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile <%= @ssl_cert_file %>
SSLCertificateKeyFile <%= @ssl_key_file %>
<% if @ssl_chain_file != nil %>
SSLCertificateChainFile <%= @ssl_chain_file %>
<% end %>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
DocumentRoot <%= @docroot %>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory <%= @docroot %>>
Allow from all
Satisfy Any
</Directory>
<Location "/api/v1/assets">
Header set Access-Control-Allow-Origin "*"
Header set Content-type "application/json"
Header set Access-Control-Allow-Headers "Origin, Accept-Encoding, Content-Type, X-App-Catalog-Versions"
Header set Access-Control-Max-Age 3600
Header set Cache-Control max-age=3600
Header set Access-Control-Allow-Methods "GET, OPTIONS"
SetOutputFilter DEFLATE
</Location>
RewriteEngine On
RewriteRule "^/api/v1/assets\.gz$" "-" [T=application/json,E=no-gzip:1]
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(/api/v1/assets)$ /static/blank.json [QSA,L]
RewriteCond "%{HTTP:Accept-Encoding}" "gzip"
RewriteCond "%{REQUEST_FILENAME}\.gz" -s
RewriteRule "^(/api/v1/assets)" "$1\.gz" [QSA]
RedirectMatch ^/api/v1/murano_repo/liberty/(.*)$ http://storage.apps.openstack.org/$1
ErrorLog /var/log/apache2/app_site-error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/app_site-access.log combined
ServerSignature Off
</VirtualHost>
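Review bot: The new `<VirtualHost *:443>` block still redirects `/api/v1/murano_repo/liberty/` to `http://storage.apps.openstack.org/$1`, so a client that arrived over TLS is sent to cleartext for the actual download; if the storage host serves HTTPS, the target should be `https://storage.apps.openstack.org/$1`. `SSLProtocol All -SSLv2 -SSLv3` leaves TLS 1.0 enabled and the block sets no `SSLCipherSuite` or `SSLHonorCipherOrder`, so the negotiated suite is whatever the platform default allows; where the deployed Apache/OpenSSL supports it, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` plus an explicit cipher list would pin that down. The second `ErrorLog /var/log/apache2/app_site-error.log` near the end of the block overrides the `-ssl-error.log` directive at the top, and the second `CustomLog` duplicates every request into the file that appears to be shared with the port-80 vhost; one pair should be dropped. Nothing in the visible lines redirects port 80 to 443 or sets `Strict-Transport-Security`, though the port-80 block lies mostly outside this hunk.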