opendev/system-config
Code Issues Proposed changes

Remove static site puppet

Browse Source 
Remove the puppet related to the static server

Story: #2006598
Task: #36758

Change-Id: I744da83d811e715ff8049eacf3013cd4831e1c49
This commit is contained in:
Ian Wienand 2020-02-28 16:48:10 +11:00
parent f55580fbf0
commit dcc23be55b
9 changed files with 0 additions and 965 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
inventory/openstack.yaml
View File

@ -709,13 +709,6 @@ all:
region_name: DFW
public_v4: 23.253.245.150
public_v6: 2001:4800:7818:101:be76:4eff:fe04:7c28
static.openstack.org:
ansible_host: 2001:4800:7817:104:be76:4eff:fe05:dbee
location:
cloud: openstackci-rax
region_name: DFW
public_v4: 23.253.108.137
public_v6: 2001:4800:7817:104:be76:4eff:fe05:dbee
status.openstack.org:
ansible_host: 2001:4800:7818:103:be76:4eff:fe06:905
location:

19
manifests/site.pp
View File

@ -405,25 +405,6 @@ node /^storyboard-dev\d+\.opendev\.org$/ {
}
# A machine to serve static content.
# Node-OS: trusty
# Node-OS: xenial
node /^static\d*\.open.*\.org$/ {
class { 'openstack_project::server': }
class { 'openstack_project::static':
project_config_repo => 'https://opendev.org/openstack/project-config',
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
swift_user => 'infra-files-ro',
swift_key => hiera('infra_files_ro_password'),
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
swift_region_name => 'DFW',
swift_default_container => 'infra-files',
ssl_cert_file_contents => hiera('static_ssl_cert_file_contents'),
ssl_key_file_contents => hiera('static_ssl_key_file_contents'),
ssl_chain_file_contents => hiera('static_ssl_chain_file_contents'),
}
}
# Node-OS: xenial
node /^zk\d+\.open.*\.org$/ {
# We use IP addresses here so that zk listens on the public facing addresses

529
modules/openstack_project/manifests/static.pp
View File

@ -1,529 +0,0 @@
# == Class: openstack_project::static
#
class openstack_project::static (
$swift_authurl = '',
$swift_user = '',
$swift_key = '',
$swift_tenant_name = '',
$swift_region_name = '',
$swift_default_container = '',
$project_config_repo = '',
$ssl_cert_file = '',
$ssl_cert_file_contents = '',
$ssl_key_file = '',
$ssl_key_file_contents = '',
$ssl_chain_file = '',
$ssl_chain_file_contents = '',
$jenkins_gitfullname = 'OpenStack Jenkins',
$jenkins_gitemail = 'jenkins@openstack.org',
) {
class { 'project_config':
url => $project_config_repo,
}
include openstack_project
class { 'jenkins::jenkinsuser':
ssh_key => $openstack_project::jenkins_ssh_key,
gitfullname => $jenkins_gitfullname,
gitemail => $jenkins_gitemail,
}
# This will try to index our millions of logs and docs by default
# and cause all sorts of IO and disk-usage issues.
package { 'mlocate':
ensure => absent,
}
include ::httpd
include ::httpd::mod::wsgi
if ! defined(Httpd::Mod['rewrite']) {
httpd::mod { 'rewrite':
ensure => present,
}
}
if ! defined(Httpd::Mod['proxy']) {
httpd::mod { 'proxy':
ensure => present,
}
}
if ! defined(Httpd::Mod['proxy_http']) {
httpd::mod { 'proxy_http':
ensure => present,
}
}
if ! defined(Httpd::Mod['alias']) {
httpd::mod { 'alias': ensure => present }
}
if ! defined(Httpd::Mod['headers']) {
httpd::mod { 'headers': ensure => present }
}
if ! defined(File['/srv/static']) {
file { '/srv/static':
ensure => directory,
}
}
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
# To use the standard ssl-certs package snakeoil certificate, leave both
# $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
# certificate, specify its path for $ssl_cert_file and leave
# $ssl_cert_file_contents empty. To manage the certificate with puppet,
# provide $ssl_cert_file_contents and optionally specify the path to use for
# it in $ssl_cert_file.
if ($ssl_cert_file == '') and ($ssl_cert_file_contents == '') {
$cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
} else {
if $ssl_cert_file == '' {
$cert_file = "/etc/ssl/certs/${::fqdn}.pem"
} else {
$cert_file = $ssl_cert_file
}
if $ssl_cert_file_contents != '' {
file { $cert_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $ssl_cert_file_contents,
require => File['/etc/ssl/certs'],
}
}
}
# To use the standard ssl-certs package snakeoil key, leave both
# $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
# specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
# To manage the key with puppet, provide $ssl_key_file_contents and
# optionally specify the path to use for it in $ssl_key_file.
if ($ssl_key_file == '') and ($ssl_key_file_contents == '') {
$key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
} else {
if $ssl_key_file == '' {
$key_file = "/etc/ssl/private/${::fqdn}.key"
} else {
$key_file = $ssl_key_file
}
if $ssl_key_file_contents != '' {
file { $key_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $ssl_key_file_contents,
require => File['/etc/ssl/private'],
}
}
}
# To avoid using an intermediate certificate chain, leave both
# $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
# chain, specify its path for $ssl_chain_file and leave
# $ssl_chain_file_contents empty. To manage the chain with puppet, provide
# $ssl_chain_file_contents and optionally specify the path to use for it in
# $ssl_chain_file.
if ($ssl_chain_file == '') and ($ssl_chain_file_contents == '') {
$chain_file = ''
} else {
if $ssl_chain_file == '' {
$chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
} else {
$chain_file = $ssl_chain_file
}
if $ssl_chain_file_contents != '' {
file { $chain_file:
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $ssl_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File[$cert_file],
}
}
}
###########################################################
# Tarballs
::httpd::vhost { 'tarballs.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/tarballs',
priority => '50',
ssl => true,
template => 'openstack_project/static-http-and-https.vhost.erb',
vhost_name => 'tarballs.openstack.org',
require => [
File['/srv/static/tarballs'],
File[$cert_file],
File[$key_file],
],
}
file { '/srv/static/tarballs':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
###########################################################
# legacy ci.openstack.org site redirect
::httpd::vhost { 'ci.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/ci.vhost.erb',
}
###########################################################
# Logs
class { 'openstackci::logserver':
jenkins_ssh_key => $openstack_project::jenkins_ssh_key,
domain => 'openstack.org',
ara_middleware => true,
wsgi_processes => 16,
swift_authurl => $swift_authurl,
swift_user => $swift_user,
swift_key => $swift_key,
swift_tenant_name => $swift_tenant_name,
swift_region_name => $swift_region_name,
swift_default_container => $swift_default_container,
readmes => {
'/*/*/*/*/*-tempest-dsvm*/*' => '/help/tempest-overview.html',
'/periodic*/*/*-tempest-dsvm*/*' => '/help/tempest-overview.html',
'/*/*/*/*/*-tempest-dsvm*/*/logs/' => '/help/tempest-logs.html',
'/periodic*/*/*-tempest-dsvm*/*/logs/' => '/help/tempest-logs.html',
'/*/*/*/*/*tripleo-ci-*/*/logs/' => '/help/tripleo-quickstart-logs.html'
}
}
::httpd::vhost { "logs.opendev.org":
port => 443,
priority => '50',
ssl => true,
docroot => '/srv/static/logs',
require => File['/srv/static/logs'],
vhost_name => 'logs.opendev.org',
template => 'openstack_project/logs.vhost.erb',
}
vcsrepo { '/opt/devstack-gate':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://opendev.org/openstack/devstack-gate',
}
file { '/srv/static/logs/help':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
require => File['/srv/static/logs'],
}
file { '/srv/static/logs/help/tempest-logs.html':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'file:///opt/devstack-gate/help/tempest-logs.html',
require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
}
file { '/srv/static/logs/help/tempest-overview.html':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'file:///opt/devstack-gate/help/tempest-overview.html',
require => [File['/srv/static/logs/help'], Vcsrepo['/opt/devstack-gate']],
}
vcsrepo { '/opt/tripleo-ci':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://opendev.org/openstack/tripleo-ci',
}
file { '/srv/static/logs/help/tripleo-quickstart-logs.html':
ensure => present,
owner => 'root',
group => 'root',
mode => '0444',
source => 'file:///opt/tripleo-ci/docs/tripleo-quickstart-logs.html',
require => [File['/srv/static/logs/help'], Vcsrepo['/opt/tripleo-ci']],
}
###########################################################
# Security
::httpd::vhost { 'security.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/security',
priority => '50',
ssl => true,
template => 'openstack_project/static-https-redirect.vhost.erb',
vhost_name => 'security.openstack.org',
require => [
File['/srv/static/security'],
File[$cert_file],
File[$key_file],
],
}
file { '/srv/static/security':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
###########################################################
# Governance (TC and UC) & Election
# Extra aliases and directories needed for vhost template:
$governance_aliases = {
'/election/' => '/srv/static/election/',
'/sigs/' => '/srv/static/sigs/',
'/tc/' => '/srv/static/tc/',
'/uc/' => '/srv/static/uc/',
}
# Extra redirects needed for vhost template:
$governance_redirects = {
'/badges/' => '/tc/badges/',
'/goals/' => '/tc/goals/',
'/reference/' => '/tc/reference/',
'/resolutions/' => '/tc/resolutions/',
}
# One of these must also be the docroot
$governance_directories = [
'/srv/static/election',
'/srv/static/governance',
'/srv/static/sigs',
'/srv/static/tc',
'/srv/static/uc',
]
::httpd::vhost { 'governance.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/governance',
priority => '50',
ssl => true,
template => 'openstack_project/static-governance.vhost.erb',
vhost_name => 'governance.openstack.org',
require => [
File[$governance_directories],
File[$cert_file],
File[$key_file],
],
}
file { $governance_directories:
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
###########################################################
# Specs
::httpd::vhost { 'specs.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/specs',
priority => '50',
ssl => true,
template => 'openstack_project/static-http-and-https.vhost.erb',
vhost_name => 'specs.openstack.org',
require => [
File['/srv/static/specs'],
File[$cert_file],
File[$key_file],
],
}
file { '/srv/static/specs':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
###########################################################
# legacy summit.openstack.org site redirect
::httpd::vhost { 'summit.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/summit.vhost.erb',
}
###########################################################
# legacy site redirects
::httpd::vhost { 'devstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
serveraliases => ['*.devstack.org'],
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'cinder.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'glance.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'horizon.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'keystone.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'nova.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'qa.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
::httpd::vhost { 'swift.openstack.org':
port => 80,
priority => '50',
docroot => 'MEANINGLESS_ARGUMENT',
template => 'openstack_project/legacy.vhost.erb',
}
###########################################################
# Trystack
::httpd::vhost { 'trystack.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/opt/trystack',
priority => '50',
ssl => true,
template => 'openstack_project/static-http-and-https.vhost.erb',
vhost_name => 'trystack.openstack.org',
serveraliases => ['trystack.org', 'www.trystack.org'],
require => [
Vcsrepo['/opt/trystack'],
File[$cert_file],
File[$key_file],
],
}
vcsrepo { '/opt/trystack':
ensure => latest,
provider => git,
revision => 'master',
source => 'https://opendev.org/x/trystack-site',
}
###########################################################
# Releases
::httpd::vhost { 'releases.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/releases',
priority => '50',
ssl => true,
template => 'openstack_project/static-https-redirect.vhost.erb',
vhost_name => 'releases.openstack.org',
require => [
File['/srv/static/releases'],
File[$cert_file],
File[$key_file],
],
}
file { '/srv/static/releases':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
###########################################################
# service-types.openstack.org
::httpd::vhost { 'service-types.openstack.org':
port => 443, # Is required despite not being used.
docroot => '/srv/static/service-types',
priority => '50',
ssl => true,
template => 'openstack_project/static-https-redirect.vhost.erb',
vhost_name => 'service-types.openstack.org',
require => [
File['/srv/static/service-types'],
File[$cert_file],
File[$key_file],
],
}
file { '/srv/static/service-types':
ensure => directory,
owner => 'jenkins',
group => 'jenkins',
require => User['jenkins'],
}
# Until Apache 2.4.24 the event MPM has some issues scalability
# bottlenecks that were seen to drop connections, especially on
# larger files; see
# https://httpd.apache.org/docs/2.4/mod/event.html
#
# The main advantage of event MPM is for keep-alive requests which
# are not really a big issue on this static file server. Therefore
# we switch to the threaded worker MPM as a workaround. This can be
# reconsidered when the apache version running is sufficient to
# avoid these problems.
httpd::mod { 'mpm_event': ensure => 'absent' }
httpd::mod { 'mpm_worker': ensure => 'present' }
}

22
modules/openstack_project/templates/ci.vhost.erb
View File

@ -1,22 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
ServerName <%= @srvname %>
RewriteEngine On
RewriteRule ^/jenkins-job-builder(/.*|$) https://docs.openstack.org/infra/jenkins-job-builder$1 [last,redirect=permanent]
RewriteRule ^/nodepool(/.*|$) https://docs.openstack.org/infra/nodepool$1 [last,redirect=permanent]
RewriteRule ^/openstackid(/.*|$) https://docs.openstack.org/infra/openstackid$1 [last,redirect=permanent]
RewriteRule ^/shade(/.*|$) https://docs.openstack.org/infra/shade$1 [last,redirect=permanent]
RewriteRule ^/storyboard(/.*|$) https://docs.openstack.org/infra/storyboard$1 [last,redirect=permanent]
RewriteRule ^/zuul(/.*|$) https://docs.openstack.org/infra/zuul$1 [last,redirect=permanent]
RewriteRule ^/(.*) https://docs.openstack.org/infra/system-config/$1 [last,redirect=permanent]
ErrorLog /var/log/apache2/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>

193
modules/openstack_project/templates/logs.vhost.erb
View File

@ -1,193 +0,0 @@
# -*- apache -*-
# ************************************
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:80
NameVirtualHost <%= @vhost_name %>:443
<VirtualHost *:80>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer
DocumentRoot <%= @docroot %>
# Authorize cross request, e.g. fetch job-output from the zuul builds page
Header set Access-Control-Allow-Origin "*"
WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
WSGIProcessGroup logs2
WSGIApplicationGroup %{GLOBAL}
AddType text/plain .log
AddType text/plain .sh
AddType text/plain .yaml
AddType text/plain .yml
# use Apache to compress the results afterwards, to save on the wire
# it's approx 18x savings of wire traffic to compress. We need to
# compress by content types that htmlify can produce
AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml
<FilesMatch \.html\.gz$>
ForceType text/html
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.css\.gz$>
ForceType text/css
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.js\.gz$>
ForceType text/javascript
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.ttf\.gz$>
ForceType application/x-font-ttf
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.svg\.gz$>
ForceType image/svg+xml
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.json\.gz$>
ForceType application/json
AddEncoding x-gzip gz
</FilesMatch>
<FilesMatch \.css$>
# mod_mime_magic is sometimes passing css files as asm sources
# e.g css files generated by coverage reports
ForceType text/css
</FilesMatch>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
Satisfy Any
ExpiresActive On
# Data in the logs server is static once generated by a job
ExpiresDefault "access plus 2 weeks"
</Directory>
<Directory /usr/local/lib/python2.7/dist-packages/os_loganalyze>
Allow from all
Satisfy Any
</Directory>
<Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*>
ReadmeName /help/tempest-overview.html
</Directory>
<Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*>
ReadmeName /help/tempest-overview.html
</Directory>
<Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*/logs/>
ReadmeName /help/tempest-logs.html
</Directory>
<Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*/logs/>
ReadmeName /help/tempest-logs.html
</Directory>
<Directory /srv/static/logs/*/*/*/*/*tripleo-ci-*/*/logs/>
ReadmeName /help/tripleo-quickstart-logs.html
</Directory>
<Directory <%= @docroot %>/periodic*/*>
IndexOrderDefault Descending Date
</Directory>
RewriteEngine On
<Directory "/usr/local/bin">
<Files "ara-wsgi-sqlite">
Allow from all
Satisfy Any
</Files>
</Directory>
# ARA sqlite middleware configuration
# See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report
# Redirect .*/ara-report to the ARA sqlite wsgi middleware
# This middleware automatically loads the ARA web application with the
# database located at .*/ara-report/ansible.sqlite.
# If we get a request directly to the database file, don't load the middleware
# so that users can download the raw database if they wish.
WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite
# Everything beyond this point is rewritten to htmlify.
# Make sure we don't do that for dynamic ARA reports.
RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
RewriteRule .* - [L]
# If the specified file does not exist, look if there is a gzipped version
# If there is, serve that one instead
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
RewriteRule ^/(.*)$ %{REQUEST_URI}.gz
# rewrite (txt|log).gz & console.html[.gz] files to map to our
# internal htmlify wsgi app
# PT, Pass-through: to come back around and get picked up by the
# WSGIScriptAlias
# NS, No-subrequest: on coming back through, mod-autoindex may have added
# index.html which would match the !-f condition. We
# therefore ensure the rewrite doesn't trigger by
# disallowing subrequests.
RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]
# Check if the request exists as a file, directory or symbolic link
# If not, write the request to htmlify to see if we can fetch from swift
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !^/icon
RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]
WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py
ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
ServerSignature Off
</VirtualHost>

68
modules/openstack_project/templates/static-governance.vhost.erb
View File

@ -1,68 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
<% if scope['openstack_project::static::chain_file'] != '' %>
SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
# Alias other folders
<% scope.lookupvar('openstack_project::static::governance_aliases').each do |a, d| -%>
Alias "<%= a %>" "<%= d %>"
<% end -%>
# Set up redirects
<% scope.lookupvar('openstack_project::static::governance_redirects').each do |a, d| -%>
Redirect "<%= a %>" "<%= d %>"
<% end -%>
<% scope.lookupvar('openstack_project::static::governance_directories').each do |dirname| -%>
<Directory <%= dirname %>>
Options Indexes FollowSymLinks MultiViews
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
<% end -%>
<Directory /srv/static/governance/badges>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Satisfy Any
Require all granted
<IfModule mod_headers.c>
Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</IfModule>
ErrorDocument 404 /badges/project-unofficial.svg
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

58
modules/openstack_project/templates/static-http-and-https.vhost.erb
View File

@ -1,58 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
# Permanently redirect these ServerAlias entries to ServerName
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
RewriteEngine On
RewriteCond %{HTTP_HOST} !<%= @vhost_name %>$ [NC]
RewriteRule ^/(.*)$ http://<%= @vhost_name %>/$1 [L,R=301]
<% end -%>
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
<% if scope['openstack_project::static::chain_file'] != '' %>
SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

48
modules/openstack_project/templates/static-https-redirect.vhost.erb
View File

@ -1,48 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @vhost_name %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
<% if scope['openstack_project::static::chain_file'] != '' %>
SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
<% end %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverrideList Redirect RedirectMatch
Satisfy Any
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>

21
modules/openstack_project/templates/summit.vhost.erb
View File

@ -1,21 +0,0 @@
# ************************************
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
RewriteRule ^/(.*) http://openstack.org/summit/$1 [last,redirect=permanent]
ErrorLog /var/log/apache2/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>