Add SSL support for apps.openstack.org.
This commit enables SSL support for the App Catalog. Partial-Bug: 1496611 Change-Id: I87180f34d583b7319e4964d8e97c53279554f3f3
parent
962f316fb4
commit
c2814473c9
|
@ -1,12 +1,18 @@
|
|||
# == Class: apps_site
|
||||
#
|
||||
class apps_site (
|
||||
$vhost_name = $::fqdn,
|
||||
$root_dir = '/opt/apps_site',
|
||||
$serveradmin = "webmaster@${::domain}",
|
||||
|
||||
$commit = 'master',
|
||||
$vhost_name = $::fqdn,
|
||||
$root_dir = '/opt/apps_site',
|
||||
$serveradmin = "webmaster@${::domain}",
|
||||
$commit = 'master',
|
||||
$ssl_cert_file_contents = undef,
|
||||
$ssl_key_file_contents = undef,
|
||||
$ssl_chain_file_contents = undef,
|
||||
$ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
$ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
$ssl_chain_file = '/etc/ssl/certs/ca-certificates.crt',
|
||||
) {
|
||||
include ::httpd::ssl
|
||||
|
||||
if !defined(Package['git']) {
|
||||
package { 'git':
|
||||
|
@ -24,14 +30,13 @@ class apps_site (
|
|||
]
|
||||
}
|
||||
|
||||
include ::httpd
|
||||
|
||||
::httpd::vhost { $vhost_name:
|
||||
port => 80,
|
||||
port => 443,
|
||||
docroot => "${root_dir}/openstack_catalog/web",
|
||||
priority => '50',
|
||||
template => 'apps_site/vhost.erb',
|
||||
vhost_name => $vhost_name,
|
||||
ssl => true,
|
||||
}
|
||||
|
||||
httpd_mod { 'headers':
|
||||
|
@ -49,6 +54,36 @@ class apps_site (
|
|||
notify => Service['httpd']
|
||||
}
|
||||
|
||||
if $ssl_cert_file_contents != undef {
|
||||
file { $ssl_cert_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_cert_file_contents,
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_key_file_contents != undef {
|
||||
file { $ssl_key_file:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
content => $ssl_key_file_contents,
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_chain_file_contents != undef {
|
||||
file { $ssl_chain_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_chain_file_contents,
|
||||
before => Httpd::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if ! defined(Package['python-yaml']) {
|
||||
package { 'python-yaml':
|
||||
ensure => present,
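Review bot: The three `file` resources in the last hunk write to whatever `$ssl_cert_file`, `$ssl_key_file` and `$ssl_chain_file` point at, and the defaults declared in the first hunk are shared system files. Setting `ssl_chain_file_contents` without overriding `ssl_chain_file` would replace `/etc/ssl/certs/ca-certificates.crt` with a `0640` root:root file, leaving the system trust bundle unreadable to non-root processes, and the cert/key defaults would overwrite the snakeoil pair in the same way. Site-specific default paths, or a `fail()` when contents are supplied together with a default path, would avoid this. The key resource also passes the private key through `content`, so a change to it can show up in agent diffs and reports; adding `show_diff => false,` to `file { $ssl_key_file:` keeps it out. The class body continues outside the hunks shown.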
|
||||
|
|
|
@ -42,5 +42,68 @@
|
|||
|
||||
CustomLog /var/log/apache2/app_site-access.log combined
|
||||
ServerSignature Off
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerAdmin <%= @serveradmin %>
|
||||
ServerName <%= @vhost_name %>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-ssl-error.log
|
||||
CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-ssl-access.log combined
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
|
||||
SSLCertificateFile <%= @ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @ssl_key_file %>
|
||||
<% if @ssl_chain_file != nil %>
|
||||
SSLCertificateChainFile <%= @ssl_chain_file %>
|
||||
<% end %>
|
||||
|
||||
BrowserMatch "MSIE [2-6]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
# MSIE 7 and newer should be able to use keepalive
|
||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||
|
||||
DocumentRoot <%= @docroot %>
|
||||
<Directory />
|
||||
Options FollowSymLinks
|
||||
AllowOverride None
|
||||
</Directory>
|
||||
<Directory <%= @docroot %>>
|
||||
Allow from all
|
||||
Satisfy Any
|
||||
</Directory>
|
||||
<Location "/api/v1/assets">
|
||||
Header set Access-Control-Allow-Origin "*"
|
||||
Header set Content-type "application/json"
|
||||
Header set Access-Control-Allow-Headers "Origin, Accept-Encoding, Content-Type, X-App-Catalog-Versions"
|
||||
Header set Access-Control-Max-Age 3600
|
||||
Header set Cache-Control max-age=3600
|
||||
Header set Access-Control-Allow-Methods "GET, OPTIONS"
|
||||
SetOutputFilter DEFLATE
|
||||
</Location>
|
||||
|
||||
RewriteEngine On
|
||||
|
||||
RewriteRule "^/api/v1/assets\.gz$" "-" [T=application/json,E=no-gzip:1]
|
||||
|
||||
RewriteCond %{REQUEST_METHOD} OPTIONS
|
||||
RewriteRule ^(/api/v1/assets)$ /static/blank.json [QSA,L]
|
||||
|
||||
RewriteCond "%{HTTP:Accept-Encoding}" "gzip"
|
||||
RewriteCond "%{REQUEST_FILENAME}\.gz" -s
|
||||
RewriteRule "^(/api/v1/assets)" "$1\.gz" [QSA]
|
||||
|
||||
RedirectMatch ^/api/v1/murano_repo/liberty/(.*)$ http://storage.apps.openstack.org/$1
|
||||
|
||||
ErrorLog /var/log/apache2/app_site-error.log
|
||||
|
||||
# Possible values include: debug, info, notice, warn, error, crit,
|
||||
# alert, emerg.
|
||||
LogLevel warn
|
||||
|
||||
CustomLog /var/log/apache2/app_site-access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
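Review bot: The new `<VirtualHost *:443>` block still hands clients to cleartext, because `RedirectMatch ^/api/v1/murano_repo/liberty/(.*)$ http://storage.apps.openstack.org/$1` redirects a request that arrived over TLS to an `http://` URL. If the storage host serves HTTPS (not visible here), the target should be `https://storage.apps.openstack.org/$1`. `SSLProtocol All -SSLv2 -SSLv3` leaves every TLS version the build supports enabled, and no `SSLCipherSuite` or `SSLHonorCipherOrder` is set, so protocol and cipher policy fall to the server defaults; an explicit policy in this block would make that auditable. The block also declares `ErrorLog` twice, and the later `/var/log/apache2/app_site-error.log` presumably wins, which would leave the `-ssl-error.log` line without effect.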
|
||||
|
|