74 lines
2.5 KiB
Plaintext
74 lines
2.5 KiB
Plaintext
<VirtualHost *:80>
|
|
ServerName www.<%= scope.lookupvar("openstackid::vhost_name") %>
|
|
ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/openstackid-error.log
|
|
LogLevel warn
|
|
Redirect / https://<%= scope.lookupvar("openstackid::vhost_name") %>/
|
|
|
|
</VirtualHost>
|
|
|
|
|
|
<VirtualHost *:80>
|
|
ServerName <%= scope.lookupvar("openstackid::vhost_name") %>
|
|
ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/openstackid-error.log
|
|
LogLevel warn
|
|
Redirect / https://<%= scope.lookupvar("openstackid::vhost_name") %>/
|
|
|
|
</VirtualHost>
|
|
|
|
<IfModule mod_ssl.c>
|
|
|
|
<VirtualHost *:443>
|
|
ServerName www.<%= scope.lookupvar("openstackid::vhost_name") %>
|
|
ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/openstackid-error.log
|
|
LogLevel warn
|
|
Redirect / https://<%= scope.lookupvar("openstackid::vhost_name") %>/
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:443>
|
|
ServerName <%= scope.lookupvar("openstackid::vhost_name") %>
|
|
ServerAdmin <%= scope.lookupvar("openstackid::serveradmin") %>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/openstackid-ssl-error.log
|
|
LogLevel warn
|
|
|
|
SSLEngine on
|
|
SSLProtocol All -SSLv2 -SSLv3
|
|
# Once the machine is using something to terminate TLS that supports ECDHE
|
|
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
|
|
# only is guarenteed.
|
|
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
|
SSLHonorCipherOrder on
|
|
SSLCertificateFile <%= scope.lookupvar("openstackid::ssl_cert_file") %>
|
|
SSLCertificateKeyFile <%= scope.lookupvar("openstackid::ssl_key_file") %>
|
|
<% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>
|
|
SSLCertificateChainFile <%= scope.lookupvar("openstackid::ssl_chain_file") %>
|
|
<% end %>
|
|
|
|
RewriteEngine on
|
|
|
|
RewriteCond %{HTTP_HOST} !<%= scope.lookupvar("openstackid::vhost_name") %>
|
|
RewriteRule ^.*$ <%= scope.lookupvar("openstackid::canonicalweburl") %>
|
|
|
|
# send basic auth header
|
|
RewriteCond %{HTTP:Authorization} ^(.*)
|
|
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
|
|
|
DocumentRoot <%= @docroot %>
|
|
<Directory <%= @docroot %>/>
|
|
Options -Indexes +FollowSymLinks +MultiViews
|
|
AllowOverride All
|
|
</Directory>
|
|
|
|
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000<%= @docroot %>/$1 retry=0 timeout=1800
|
|
|
|
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
|
|
|
|
</VirtualHost>
|
|
</IfModule>
|