Commit Graph

21 Commits

Author SHA1 Message Date
Clark Boylan 9998655fa9 Retire this project
OpenDev is no longer running an openstackid instance and the puppet
module isn't used by the folks running the current instance. We can go
ahead and clean this repo up.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/818170
Change-Id: Ifab5aa7a839d8353aee9acacd5fd2eec525cc924
2021-11-16 14:41:11 -08:00
Jeremy Stanley 5fd8ea4c50 Add SSL options in www subdomain redirect vhost
The *:443 vhost for www needs ssl options set even though it only
hosts a redirect.

Change-Id: Ib9be4d3901a6abd4f55589e41bab363f066d747b
2020-03-27 21:56:21 +00:00
smarcet 24890661b8 added www. cname on vhost file
Change-Id: I0c81a5a4efd40c8fe53b843dae4543b6c31813a0
Signed-off-by: smarcet <smarcet@gmail.com>
2020-03-26 15:49:11 -03:00
smarcet 954b03a75f Fixing results from ZAP Scanning Report
added header Strict-Transport-Security Header Not Set

Change-Id: I22b14e30738254ebd3e847003f16a4ad3863ed8a
Signed-off-by: smarcet <smarcet@gmail.com>
2020-03-24 17:39:57 -03:00
smarcet f1f6e58ef8 Fixed broken deployment
Refactored to support Doctrine ORM
and Laravel Queues

Change-Id: Iea078ee1e7d2541872b3b6966825eb6988fd266e
2020-01-27 23:15:31 -03:00
smarcet 83c937e34a Fix on redirect urls regex
Change-Id: I705223d3b7c80cf482149b5eafa02a682cc8f5a6
2019-04-29 22:14:35 -03:00
smarcet d5b360bc02 Added rewriting rules
added rules to redirect registration/password lost
and resend verification to www site

Change-Id: I487a973826fb40675e5e9999be89d69481a7312e
Depends-On: https://review.opendev.org/#/c/656396/
2019-04-29 19:02:17 -03:00
Sebastian Marcet 5ad10537b4 Updated script to support PHP7
Added php 7.x support and xenial support using external
ppa from andrej

Depends-On: https://review.openstack.org/611936

Change-Id: Ic30cc62216be3035c363fa0203a757df662acf47
2019-01-15 15:01:21 -03:00
Sebastian Marcet 49e222aa4a Apache/PHP configuration tweaks
In order to improve IDP responsiveness
the following actions were taken:

* updated apache connection settings
* removed access log settings from apache2
* updated php pool settings
* added php.ini settings
** added zend opcode cache
** set php max memory limit to 32MB
* added php-fpm.conf settings
** set emergency_restart settings

Change-Id: I52aafd41267aa46d4f481b7c91a24732c615632b
2017-04-05 12:24:49 -03:00
Sebastian Marcet 274521cca5 Updated PHP settings to avoid 503 by timeouts
In order to avoid 503 by timeouts from the
php-fpm service, timeout values were increased,
as well as the max request number
per php child process.

Change-Id: I06d94b88716895987ea97cf86365b39caeafa385
2016-11-01 23:50:44 -03:00
Sebastian Marcet b70762da8b PHP 503 errors
Checking the apache2 log I saw a lot of timeout errors like
[proxy_fcgi:error] (70007)The timeout specified has expired: AH01075
so timeout setting of the proxy was increased to solve it.

Change-Id: I805fcd0e21259905e4db51283a708c9a54a0557b
2016-10-27 11:15:20 +00:00
Sebastian Marcet 6f938175e0 PHP www pool tuning (http 503)
In order to avoid http 503 errors, and after taking a look
at the php fpm logs, the
start_servers, min_spare_servers and max_spare_servers
values have been increased to avoid errors like WARNING: [pool www] seems busy
(you may need to increase pm.start_servers, or
pm.min/max_spare_servers).

Change-Id: I5d47625ac4702c1b6704c66967d76fac2a895907
2016-10-25 13:43:43 +00:00
Sebastian Marcet 5efa3a5928 Fix on vhost config
added rewrite rule to pass the HTTP auth header to web app

Change-Id: I62f367f55aecf35eccbf2e10f7626f06843efc69
2016-04-05 14:23:36 -03:00
Sebastian Marcet 13c1777dc0 Fix Vhost (Apache2.4)
* fixed fastcgi configuration(changed to be compatible with < 2.4.10)
* fixed directory permissions

Change-Id: I789d67947b33d05409460c4b26e8c6a595d58694
2016-03-31 00:51:15 -03:00
Sebastian Marcet 6cb41de782 Update Configuration for Precise
added conditional logic to support fastcgi apache 2.2 mod on Precise

Change-Id: Ice7a2f9d802fe4fa65589456eb376bafe85ba448
2016-03-30 16:16:50 -03:00
Sebastian Marcet a1c7cc4ed7 Apache MPM events + php5 fpm
* Updated site config to change MPM from fork to event model
  and to start using php5-fpm (fast cgi) to get a better site
  performance and a better use of server resources.
* Updated mysql php driver to newer one (php5-mysqlnd).
* Added missing dependencies : php5-json (json functions) and
  php5-gmp (big number functions used by jose4php).
* Replaced puppet-httpd with puppetlabs-apache.
* added www.conf to tweak php5-fpm connection settings
* update vhost template to support proxy_fcgi.
* updated apache connections settings to improve performance on
  mpm events.
* updated dependency to puppetlabs/apache (1.8.1)
Change-Id: I66c6ad413a6b0c31a19cc663058a53edc3bec5cc
2016-03-30 11:18:59 -03:00
Donald Stufft 489b7ba022 Specify ciphers that optimize for security and performance
* Prefer the ECDHE + AESGCM cipher suites first, these represent the
  best performance and the best security.
* Then, prefer the DH + AESGCM, these are equivalent to the first in
  terms of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by
  strength, then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally
  any other non PFS cipher.
* We then exclude any AES256 ciphers, we exclude them here instead of
  just not mentioning them so that they can be re-enabled simply by
  removing the !AES256. We exclude them because they are not
  meaningfully more secure than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
  specifying every cipher by name, and we're not specifying any
  authentication. This will ensure that no matter what we'll always
  have *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our
  included ciphers have encryption specified. It exists primarily for
  symmetry with !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
  specify a digest anywhere, so we want to make sure we don't support
  MD5.
* Finally we exclude DSS, PSK, and SRP. These are just to make
  debugging the list easier. It's basically impossible to get a DSS
  certificate issued instead of a RSA certificate and nobody really
  uses PSK or SRP.

This will drop support for IE8 on Windows XP, essentially dropping
support for all versions of IE on Windows XP. Windows XP users
would need to use Firefox or Chrome to use the service.

Change-Id: I4744a6f42b8f7ab4a4b41ad856ecaa424d8ce3fc
2015-03-13 13:35:24 -04:00
Dmitry Teselkin 8ed5baedad Fix vhost configuration sections
According to https://wiki.apache.org/httpd/CommonMisconfigurations
it is wrong to specify server name in opening tag. ServerName
should be used instead.

Indentations also fixed in some files.

Change-Id: Id9d20a672103221efa01be61a174b62706036e57
2014-12-18 19:33:01 +03:00
Timothy Chavez 70b9326528 Use the SSLProtocol blacklist approach
It turns out that specifying the ciphers we want to use leads to
breakage.  So instead we'll explicitly tell Apache which ciphers
we don't want to use.

Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
2014-10-16 11:41:04 -05:00
Clark Boylan 7e63b0ed57 Use only TLSv1 and greater to depoodle
The poodle SSLv3 vulnerability is a good reason to stop using SSLv3.
Switch to TLS everywhere in our apache vhost configs.

Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
2014-10-14 17:07:06 -07:00
Jeremy Stanley e7e07ad1f5 Set up openstackid module
Refactor the openstack_project::openstackid_dev module out into a
top-level openstackid module in preparation for multiple servers,
set up Apache to serve content out of /srv/openstackid, add an
/etc/openstackid/database.php file with connection details injected
from hiera and keep an updated clone of openstack-infra/openstackid
in /opt/openstackid.

Change-Id: Icdde594384e3af27c8dd185a51b9e5a71619fb7b
2013-12-27 22:56:55 +00:00