ServerName {{ inventory_hostname }} ServerAdmin infra-root@openstack.org ErrorLog ${APACHE_LOG_DIR}/refstack-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/refstack-access.log combined Redirect / https://refstack.openstack.org/ ServerName {{ inventory_hostname }} ServerAdmin webmaster@openstack.org RewriteCond %{HTTP_HOST} !^refstack\.openstack\.org [nocase] RewriteRule ^/(.*) https://refstack.openstack.org/$1 [last,redirect=permanent] AllowEncodedSlashes On ErrorLog ${APACHE_LOG_DIR}/refstack-ssl-error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/refstack-ssl-access.log combined SSLEngine on SSLProtocol All -SSLv2 -SSLv3 # Note: this list should ensure ciphers that provide forward secrecy SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer ProxyPass / http://localhost:8000/ retry=0 ProxyPassReverse / http://localhost:8000/ # Redirect all /api requests to the internal server's address for backward # compatibility - previously the vhost configuration redirected all /api # requests to a wsgi app which executed refstack to handle the request. # Now the refstack server is containerized and the server is served by pecan # where 'pecan serve' does the same as the wsgi app before plus it also # serves the UI interface. This has caused that the resources previously # found under /api/ are one level higher (omitting the /api part of the # URLs). # Example: /api/v1/results is now at /v1/results ProxyPass "http://localhost:8000/" ProxyPass ! Require all granted Alias /robots.txt /var/lib/refstack/www/robots.txt