# -*- apache -*-
# ************************************
# Managed by Puppet
# ************************************
#
# ERB template for an Apache configuration with two parts: a port-80 part
# that 301-redirects every request to https, and a TLS part that serves the
# log tree through the htmlify and ARA WSGI applications.
#
# NOTE(review): this copy has no container tags (VirtualHost, Directory,
# FilesMatch, ...); they appear to have been lost in extraction. The bare
# ">" tokens below look like the tails of such tags. The directives are
# therefore documented in the order they appear, and their scoping must be
# confirmed against the original file.

# NOTE(review): NameVirtualHost has no effect on Apache 2.4 - confirm the
# target version before relying on these two lines.
NameVirtualHost <%= @vhost_name %>:80
NameVirtualHost <%= @vhost_name %>:443

# --- Plain-HTTP part: redirect only ---
ServerName <%= @vhost_name %>
# Emit one ServerAlias per entry when @serveraliases is an Array, or a single
# ServerAlias when it is a non-empty scalar.
# NOTE(review): this check excludes '' and nil only, while the second copy of
# the same check further down also excludes :undef - confirm which list is
# intended and keep the two in step.
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
RewriteEngine On
# Permanent redirect of every path to the https URL of @vhost_name. The
# target host comes from the template variable, not from the request.
RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
DocumentRoot <%= @docroot %>
>
# NOTE(review): Indexes turns on directory listings and FollowSymLinks lets
# Apache follow any symlink under this tree. If the served content can
# contain symlinks written by jobs, SymLinksIfOwnerMatch is the narrower
# option - confirm how content reaches the docroot.
Options Indexes FollowSymLinks MultiViews
# .htaccess files are limited to the Redirect and RedirectMatch directives.
AllowOverride None
AllowOverrideList Redirect RedirectMatch
# NOTE(review): Satisfy is a 2.2-style directive (mod_access_compat on 2.4)
# used next to the 2.4-style Require; mixing the two styles is discouraged.
Satisfy Any
Require all granted
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
# Keep the server version out of generated error pages and listings.
ServerSignature Off

# --- TLS part ---
ServerName <%= @vhost_name %>
# Same ServerAlias logic as above; this copy also skips :undef.
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
SSLEngine on
# NOTE(review): "All -SSLv2 -SSLv3" leaves every TLS version offered by the
# linked OpenSSL enabled, including TLS 1.0 and 1.1 where the library still
# provides them. Confirm whether any client still needs those; otherwise
# restrict the list to TLS 1.2 and newer.
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that only
# PFS key exchanges are guaranteed.
# NOTE(review): the list ends with "!AES256", which removes every AES-256
# suite, so the earlier ECDH+AES256 and DH+AES256 entries contribute nothing.
# Confirm that this is intended.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
# Prefer the server's cipher order over the client's.
SSLHonorCipherOrder on
# NOTE(review): the certificate paths are fixed to logs.opendev.org while
# ServerName comes from @vhost_name - confirm they match wherever this
# template is applied. The key file should be readable by root only.
SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer
DocumentRoot <%= @docroot %>
# Authorize cross-origin requests, e.g. fetching job-output from the zuul
# builds page.
# NOTE(review): the wildcard lets any origin read these responses. That fits
# content that is public and served without credentials; revisit it if
# anything here ever becomes access-controlled.
Header set Access-Control-Allow-Origin "*"
# WSGI daemon group "logs2": 16 single-threaded processes running as
# www-data.
WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
WSGIProcessGroup logs2
WSGIApplicationGroup %{GLOBAL}
# Serve logs, shell scripts and YAML as text/plain so browsers display them
# as text.
AddType text/plain .log
AddType text/plain .sh
AddType text/plain .yaml
AddType text/plain .yml
# use Apache to compress the results afterwards, to save on the wire
# it's approx 18x savings of wire traffic to compress. We need to
# compress by content types that htmlify can produce
AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml
# Per-type handling of pre-gzipped files: force the content type and declare
# the gzip encoding so clients decompress transparently.
# NOTE(review): the patterns that select each group are not visible in this
# copy - presumably one FilesMatch per file extension; confirm.
ForceType text/html
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
ForceType text/css
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
ForceType text/javascript
AddDefaultCharset UTF-8
AddEncoding x-gzip gz
ForceType application/x-font-ttf
AddEncoding x-gzip gz
ForceType image/svg+xml
AddEncoding x-gzip gz
ForceType application/json
AddEncoding x-gzip gz
# mod_mime_magic is sometimes passing css files as asm sources
# e.g. css files generated by coverage reports
ForceType text/css
>
# NOTE(review): same Indexes / FollowSymLinks consideration as in the
# plain-HTTP part above; this is the part that actually serves content.
Options Indexes FollowSymLinks MultiViews
AllowOverride None
# NOTE(review): Order / Allow / Satisfy are Apache 2.2 access-control
# directives, while the plain-HTTP part uses "Require all granted". Settle
# on one style for the Apache version in use.
Order allow,deny
allow from all
Satisfy Any
ExpiresActive On
# Data in the logs server is static once generated by a job
ExpiresDefault "access plus 2 weeks"
Allow from all
Satisfy Any
# Help pages appended to directory listings. The repeated lines presumably
# sat in separate Directory blocks whose tags are missing here - confirm.
ReadmeName /help/tempest-overview.html
ReadmeName /help/tempest-overview.html
ReadmeName /help/tempest-logs.html
ReadmeName /help/tempest-logs.html
ReadmeName /help/tripleo-quickstart-logs.html
/periodic*/*>
# Newest entries first in the listing.
IndexOrderDefault Descending Date
RewriteEngine On
Allow from all
Satisfy Any
# ARA sqlite middleware configuration
# See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report
# Redirect .*/ara-report to the ARA sqlite wsgi middleware
# This middleware automatically loads the ARA web application with the
# database located at .*/ara-report/ansible.sqlite.
# If we get a request directly to the database file, don't load the middleware
# so that users can download the raw database if they wish.
# NOTE(review): the "." in "ansible.sqlite" is unescaped and the pattern has
# no trailing anchor, so it matches more paths than the comment describes
# (any single character in place of the dot, and any suffix after
# "ara-report"). Confirm whether a tighter pattern is wanted.
WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite
# Everything beyond this point is rewritten to htmlify.
# Make sure we don't do that for dynamic ARA reports.
RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
RewriteRule .* - [L]
# If the specified file does not exist, look if there is a gzipped version
# If there is, serve that one instead
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
RewriteRule ^/(.*)$ %{REQUEST_URI}.gz
# rewrite (txt|log).gz & console.html[.gz] files to map to our
# internal htmlify wsgi app
# PT, Pass-through: to come back around and get picked up by the
# WSGIScriptAlias
# NS, No-subrequest: on coming back through, mod-autoindex may have added
# index.html which would match the !-f condition. We
# therefore ensure the rewrite doesn't trigger by
# disallowing subrequests.
RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]
# Check if the request exists as a file, directory or symbolic link
# If not, write the request to htmlify to see if we can fetch from swift
# NOTE(review): every path that is not on disk (other than /icon...) is
# handed to the WSGI application, so validation of the request path rests
# with that application - confirm it rejects traversal and unexpected names.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !^/icon
RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]
# NOTE(review): the script path points into a Python 2.7 dist-packages tree;
# Python 2.7 no longer receives security fixes - confirm the migration plan.
WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py
ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
LogLevel warn
CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
ServerSignature Off