# ************************************
# Managed by Puppet
# ************************************

<VirtualHost *:80>
  ServerName <%= @vhost_name %>
  RewriteEngine On
  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName <%= @vhost_name %>
  DocumentRoot <%= @docroot %>
  SSLEngine on
  SSLProtocol All -SSLv2 -SSLv3
  # Once the machine is using something to terminate TLS that supports ECDHE
  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
  # only is guarenteed.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on
  SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
  SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
  SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
  <Directory <%= @docroot %>>
    Allow from all
    Satisfy Any
  </Directory>
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  ServerSignature Off
</VirtualHost>
</IfModule>