puppet-mediawiki/templates/apache/mediawiki.erb


# ************************************
# Managed by Puppet
# ************************************
# Unconditionally redirect all HTTP traffic for this vhost to HTTPS
# This port-80 vhost serves no content itself: every request path is answered
# with a permanent redirect to the same path on the HTTPS vhost.
<VirtualHost *:80>
ServerName <%= @vhost_name %>
ServerAdmin <%= scope['mediawiki::serveradmin'] %>
RewriteEngine On
# The redirect target host is the Puppet-supplied vhost name, not the
# client-supplied Host header, so the redirect cannot be steered to another host.
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
# Suppress the server footer line on server-generated pages.
ServerSignature Off
</VirtualHost>
# HTTPS vhost: terminates TLS and serves MediaWiki under /w and /wiki.
# NOTE(review): no Strict-Transport-Security header is set in this vhost, so a
# client's first request may still go over cleartext HTTP before the port-80
# redirect applies. Consider adding one via mod_headers.
<VirtualHost *:443>
ServerName <%= @vhost_name %>
ServerAdmin <%= scope['mediawiki::serveradmin'] %>
SSLEngine on
# NOTE(review): "All -SSLv2 -SSLv3" only removes SSLv2/SSLv3. TLSv1.0 and
# TLSv1.1 remain enabled wherever the linked TLS library still offers them.
# Both are formally deprecated (RFC 8996); confirm client requirements and
# restrict to TLSv1.2 or newer where possible.
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that only
# forward-secret (PFS) key exchanges can be negotiated.
# NOTE(review): the trailing "!AES256" excludes AES-256 suites from the final
# list, so the ECDH+AES256 and DH+AES256 entries appear to have no effect.
# Confirm whether excluding AES-256 is intended.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
# Use the server's cipher preference order above rather than the client's.
SSLHonorCipherOrder on
# Certificate and private-key paths come from the mediawiki class parameters.
# File ownership and permissions of the key are not managed in this template.
# Verify elsewhere that the key is readable only by the account that needs it.
SSLCertificateFile <%= scope['mediawiki::cert_file'] %>
SSLCertificateKeyFile <%= scope['mediawiki::key_file'] %>
# The chain-file directive is emitted only when mediawiki::chain_file is set.
<% unless [nil, :undef].include?(scope['mediawiki::chain_file']) %>
SSLCertificateChainFile <%= scope['mediawiki::chain_file'] %>
<% end %>
# Send requests for the bare site root to the wiki entry point.
RedirectMatch ^/$ https://<%= @vhost_name %>/wiki/
DocumentRoot <%= @docroot %>
# Filesystem-wide defaults: ignore .htaccess files everywhere unless a more
# specific section re-enables them.
# NOTE(review): there is no access-control directive (e.g. "Require all
# denied") here, so default access to the filesystem depends on the global
# server configuration. Confirm it is deny-by-default.
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# NOTE(review): "Indexes" enables auto-generated directory listings for any
# directory under /var/www/ that has no index file. Drop it unless listings
# are wanted. "Order"/"allow from" are Apache 2.2-style directives (they need
# mod_access_compat on 2.4), while other sections here use the 2.4 "Require"
# syntax. Mixing the two styles is discouraged. Confirm this section is still
# needed, since DocumentRoot is set from a template variable.
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Hardening for the images directory (presumably where user uploads land;
# verify): files placed there must never be interpreted or rendered as
# active content.
<Directory "<%= scope['mediawiki::mediawiki_images_location'] %>">
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
# NOTE(review): only the extensions listed are remapped. If the global
# config maps other extensions to PHP (e.g. .phtml), they are not covered.
AddType text/plain .html .htm .shtml .php
# Don't run arbitrary PHP code.
# NOTE(review): php_admin_flag is a mod_php directive. If PHP is served via
# FPM/CGI instead, this line does not provide the protection. Confirm which
# PHP handler is deployed.
php_admin_flag engine off
</Directory>
# Grant web access to the whole MediaWiki install directory.
# NOTE(review): AllowOverride None is inherited from the root Directory
# section, so any .htaccess restrictions shipped inside the application tree
# are not applied unless re-enabled elsewhere. Confirm that non-public
# subdirectories are blocked by other means.
<Directory "<%= scope['mediawiki::mediawiki_location'] %>">
Require all granted
</Directory>
# When mod_expires is loaded, let clients cache static assets for
# 2592000 seconds (30 days), counted from the time of access ("A" prefix).
<IfModule mod_expires.c>
ExpiresActive On
<Directory "<%= scope['mediawiki::mediawiki_location'] %>">
<FilesMatch "\.(gif|jpe?g|png|css|js|woff|svg|eot|ttf)$">
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/x-font-woff A2592000
ExpiresByType image/svg+xml A2592000
ExpiresByType application/vnd.ms-fontobject A2592000
ExpiresByType application/x-font-ttf A2592000
## I think it's likely dangerous to enable this for the entire domain.
## I'm nearly positive we only need to do so for the WebFonts.
## For now I'm going to keep this disabled.
## (Left commented out: a wildcard CORS origin would let any site read these
## responses cross-origin.)
#Header add Access-Control-Allow-Origin "*"
</FilesMatch>
</Directory>
</IfModule>
# Explicit MIME types for web-font files so they match the ExpiresByType
# rules above.
AddType application/x-font-woff .woff
AddType application/vnd.ms-fontobject .eot
# TTF doesn't have an official MIME type, but I really don't want to use application/octet-stream for it
AddType application/x-font-ttf .ttf
# URL layout. Aliases are evaluated in the order written, so the more
# specific /w/images mapping must stay ahead of /w.
Alias /w/images <%= scope['mediawiki::mediawiki_images_location'] %>
Alias /w <%= scope['mediawiki::mediawiki_location'] %>
Alias /wiki <%= scope['mediawiki::mediawiki_location'] %>/index.php
# Redirect old /Article_Name urls
# Any path not already under /w/ or /wiki/ is redirected to /wiki/<path>.
# [R] with no status code issues a temporary (302) redirect. The target host
# is the fixed vhost name, not taken from the request.
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/w/
RewriteCond %{REQUEST_URI} !^/wiki/
RewriteRule ^/(.*)$ https://<%= @vhost_name %>/wiki/$1 [L,R]
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
# Same log files as the port-80 vhost, so HTTP and HTTPS requests for this
# site are recorded together.
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
# Suppress the server footer line on server-generated pages.
ServerSignature Off
</VirtualHost>