61 lines
1.8 KiB
Django/Jinja
61 lines
1.8 KiB
Django/Jinja
<VirtualHost *:80>
|
|
ServerName {{ inventory_hostname }}
|
|
ServerAlias grafana.opendev.org
|
|
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/grafana-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/grafana-access.log combined
|
|
|
|
Redirect / https://grafana.opendev.org/
|
|
|
|
</VirtualHost>
|
|
|
|
<VirtualHost *:443>
|
|
ServerName {{ inventory_hostname }}
|
|
ServerAlias grafana.opendev.org
|
|
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
AllowEncodedSlashes On
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/grafana-ssl-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/grafana-ssl-access.log combined
|
|
|
|
SSLEngine on
|
|
SSLProtocol All -SSLv2 -SSLv3
|
|
# Note: this list should ensure ciphers that provide forward secrecy
|
|
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
|
SSLHonorCipherOrder on
|
|
|
|
SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
|
|
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
|
|
SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
|
|
|
|
# NOTE(ianw) 2021-02-19
|
|
# This was for a security issue fixed in 7.4.2
|
|
# where anonymous users could cause a write to disk, fixed
|
|
# with
|
|
# https://github.com/grafana/grafana/pull/31263/
|
|
# We leave it because we don't use the API, but if we need
|
|
# it, we can remove this.
|
|
RewriteEngine on
|
|
RewriteRule "^/api/snapshots(.*?)$" "-" [F]
|
|
|
|
# This is for the websocket endpoint /api/live/ws
|
|
RewriteCond %{HTTP:Upgrade} websocket [NC]
|
|
RewriteCond %{HTTP:Connection} upgrade [NC]
|
|
RewriteRule ^/?(.*) "ws://localhost:3000/$1" [P,L]
|
|
|
|
ProxyPass / http://localhost:3000/ retry=0
|
|
ProxyPassReverse / http://localhost:3000/
|
|
|
|
</VirtualHost>
|
|
|