96aec261da
This is a near-copy of the vhost template from puppet-openstackci. Change-Id: I191e41b501629e2cdd82381d66daa3b850e0be81
# -*- apache -*-
# ************************************
# Managed by Puppet
# ************************************
# NameVirtualHost is an Apache 2.2 directive. Apache 2.4 deprecates it and
# enables name-based virtual hosting automatically, so these two lines only
# matter when the template is rendered for a 2.2 server.
NameVirtualHost <%= @vhost_name %>:80
NameVirtualHost <%= @vhost_name %>:443
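# Plain-HTTP virtual host. Every request is answered with a permanent (301)
# redirect to the HTTPS site, so nothing is served over cleartext from here.
<VirtualHost *:80>
  ServerName <%= @vhost_name %>
  # serveraliases may be an array, a single string, or unset. :undef is
  # excluded together with '' and nil (matching the :443 vhost in this file)
  # so that an unset parameter never renders a literal "ServerAlias undef".
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
  RewriteEngine On
  # The pattern matches every URL path. The redirect target is built from the
  # configured vhost name, not from the request's Host header, so a forged
  # Host value cannot steer the redirect to another site.
  RewriteRule ^/(.*)$ https://<%= @vhost_name %>/$1 [L,R=301]
  # NOTE(review): with the catch-all redirect above, the DocumentRoot and
  # <Directory> settings below look unreachable for normal requests. They are
  # kept unchanged; confirm whether anything still depends on them.
  DocumentRoot <%= @docroot %>
  <Directory <%= @docroot %>>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    AllowOverrideList Redirect RedirectMatch
    # NOTE(review): "Satisfy Any" is Apache 2.2 access-control syntax (served
    # by mod_access_compat on 2.4) and is mixed here with the 2.4-style
    # "Require all granted". Prefer one style per scope.
    Satisfy Any
    Require all granted
  </Directory>
  LogLevel warn
  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
  # Keep the server version out of generated error and index pages.
  ServerSignature Off
</VirtualHost>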
# TLS virtual host for the log server. It serves the static log tree under
# the docroot, routes */ara-report URLs to the ARA sqlite WSGI middleware and
# passes selected requests to the os_loganalyze "htmlify" WSGI application.
# The rewrite rules are order-dependent; read them top to bottom.
<VirtualHost *:443>
  ServerName <%= @vhost_name %>
  # serveraliases may be an array, a single string, or unset ('' / nil / :undef).
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif ! ['', nil, :undef].include?(@serveraliases) -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>

  SSLEngine on
  # NOTE(review): "All -SSLv2 -SSLv3" leaves every other protocol version the
  # linked TLS library offers enabled, which can include TLS 1.0 and TLS 1.1.
  # Confirm whether clients still need them; if not, list the allowed versions
  # explicitly.
  SSLProtocol All -SSLv2 -SSLv3
  # Once the machine is using something to terminate TLS that supports ECDHE
  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
  # only is guaranteed.
  # NOTE(review): the trailing !AES256 removes all AES-256 suites from the
  # list, so the earlier ECDH+AES256:DH+AES256 entries appear to have no
  # effect -- confirm that this is intended.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  # Server preference, not client preference, decides the negotiated suite.
  SSLHonorCipherOrder on
  # Certificate, key and chain paths are fixed to logs.opendev.org; they are
  # not derived from @vhost_name.
  # NOTE(review): no Strict-Transport-Security header is set in this vhost;
  # check whether it is added elsewhere in the server configuration.
  SSLCertificateFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.cer
  SSLCertificateKeyFile /etc/letsencrypt-certs/logs.opendev.org/logs.opendev.org.key
  SSLCertificateChainFile /etc/letsencrypt-certs/logs.opendev.org/ca.cer

  DocumentRoot <%= @docroot %>

  # Authorize cross request, e.g. fetch job-output from the zuul builds page
  # NOTE(review): the wildcard lets a page on any origin read responses from
  # this host. That is only appropriate while everything published here is
  # public and served without credentials -- confirm that nothing
  # access-controlled is ever placed under this vhost.
  Header set Access-Control-Allow-Origin "*"

  # mod_wsgi daemon group "logs2": 16 single-threaded processes running as
  # www-data. Applications run in the main (%{GLOBAL}) interpreter.
  WSGIDaemonProcess logs2 user=www-data group=www-data processes=16 threads=1
  WSGIProcessGroup logs2
  WSGIApplicationGroup %{GLOBAL}

  # Serve logs, shell scripts and YAML as text/plain.
  AddType text/plain .log
  AddType text/plain .sh
  AddType text/plain .yaml
  AddType text/plain .yml

  # use Apache to compress the results afterwards, to save on the wire
  # it's approx 18x savings of wire traffic to compress. We need to
  # compress by content types that htmlify can produce
  AddOutputFilterByType DEFLATE text/plain text/html application/x-font-ttf image/svg+xml

  # Pre-compressed files (*.<ext>.gz): force the media type of the inner file
  # and mark the response as gzip-encoded so that browsers decode it.
  # NOTE(review): HTML, JavaScript and SVG found in the log tree are served as
  # active content from this origin. If jobs can publish arbitrary files here,
  # keep this hostname free of cookies or sessions used by other services.
  <FilesMatch \.html\.gz$>
    ForceType text/html
    AddDefaultCharset UTF-8
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.css\.gz$>
    ForceType text/css
    AddDefaultCharset UTF-8
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.js\.gz$>
    ForceType text/javascript
    AddDefaultCharset UTF-8
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.ttf\.gz$>
    ForceType application/x-font-ttf
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.svg\.gz$>
    ForceType image/svg+xml
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.json\.gz$>
    ForceType application/json
    AddEncoding x-gzip gz
  </FilesMatch>
  <FilesMatch \.css$>
    # mod_mime_magic is sometimes passing css files as asm sources
    # e.g css files generated by coverage reports
    ForceType text/css
  </FilesMatch>
  <Directory <%= @docroot %>>
    # Directory listings are on, and symlinks are followed without an
    # ownership check.
    # NOTE(review): if content written into the docroot can contain symlinks,
    # FollowSymLinks lets Apache follow them to targets outside the docroot;
    # SymLinksIfOwnerMatch is the stricter option. Confirm how the tree is
    # populated.
    Options Indexes FollowSymLinks MultiViews
    # .htaccess files in the log tree are ignored.
    AllowOverride None
    # NOTE(review): Order/allow/Satisfy are Apache 2.2 access-control
    # directives (mod_access_compat on 2.4), while the :80 vhost in this file
    # uses "Require all granted". Prefer one style throughout.
    Order allow,deny
    allow from all
    Satisfy Any
    ExpiresActive On
    # Data in the logs server is static once generated by a job
    ExpiresDefault "access plus 2 weeks"
  </Directory>
  # Grants access to the directory holding the htmlify WSGI script (see the
  # WSGIScriptAlias near the end of this vhost).
  # NOTE(review): the path pins the Python 2.7 dist-packages location and has
  # to change together with the interpreter.
  <Directory /usr/local/lib/python2.7/dist-packages/os_loganalyze>
    Allow from all
    Satisfy Any
  </Directory>

  # Append a help page to the directory listings of matching job log
  # directories. These paths are hard-coded to /srv/static/logs rather than
  # built from @docroot.
  <Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*>
    ReadmeName /help/tempest-overview.html
  </Directory>
  <Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*>
    ReadmeName /help/tempest-overview.html
  </Directory>
  <Directory /srv/static/logs/*/*/*/*/*-tempest-dsvm*/*/logs/>
    ReadmeName /help/tempest-logs.html
  </Directory>
  <Directory /srv/static/logs/periodic*/*/*-tempest-dsvm*/*/logs/>
    ReadmeName /help/tempest-logs.html
  </Directory>
  <Directory /srv/static/logs/*/*/*/*/*tripleo-ci-*/*/logs/>
    ReadmeName /help/tripleo-quickstart-logs.html
  </Directory>

  # Listings below periodic*/ are sorted by date, newest first.
  <Directory <%= @docroot %>/periodic*/*>
    IndexOrderDefault Descending Date
  </Directory>

  RewriteEngine On
  # Access is granted to the single ara-wsgi-sqlite script only, not to the
  # rest of /usr/local/bin.
  <Directory "/usr/local/bin">
    <Files "ara-wsgi-sqlite">
      Allow from all
      Satisfy Any
    </Files>
  </Directory>
  # ARA sqlite middleware configuration
  # See docs for details: https://ara.readthedocs.io/en/latest/advanced.html
  SetEnv ARA_WSGI_TMPDIR_MAX_AGE 3600
  SetEnv ARA_WSGI_LOG_ROOT /srv/static/logs
  SetEnv ARA_WSGI_DATABASE_DIRECTORY ara-report

  # Redirect .*/ara-report to the ARA sqlite wsgi middleware
  # This middleware automatically loads the ARA web application with the
  # database located at .*/ara-report/ansible.sqlite.
  # If we get a request directly to the database file, don't load the middleware
  # so that users can download the raw database if they wish.
  # NOTE(review): the "." in the negative lookahead is unescaped, so it matches
  # any character, and the lookahead excludes every path that merely starts
  # with /ansible.sqlite after ara-report. Consider escaping and anchoring it.
  WSGIScriptAliasMatch ^.*/ara-report(?!/ansible.sqlite) /usr/local/bin/ara-wsgi-sqlite

  # Everything beyond this point is rewritten to htmlify.
  # Make sure we don't do that for dynamic ARA reports.
  # NOTE(review): this condition is case-insensitive ([NC]) while the
  # WSGIScriptAliasMatch pattern above is case-sensitive, so the two do not
  # select exactly the same URLs.
  RewriteCond %{REQUEST_URI} ^.*/ara-report [NC]
  RewriteRule .* - [L]

  # If the specified file does not exist, look if there is a gzipped version
  # If there is, serve that one instead
  # The filesystem tests are built as DOCUMENT_ROOT + REQUEST_FILENAME.
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.gz -f
  RewriteRule ^/(.*)$ %{REQUEST_URI}.gz

  # rewrite (txt|log).gz & console.html[.gz] files to map to our
  # internal htmlify wsgi app
  # PT, Pass-through: to come back around and get picked up by the
  #     WSGIScriptAlias
  # NS, No-subrequest: on coming back through, mod-autoindex may have added
  #     index.html which would match the !-f condition. We
  #     therefore ensure the rewrite doesn't trigger by
  #     disallowing subrequests.
  RewriteRule ^/(.*\.(txt|log)\.gz)$ /htmlify/$1 [QSA,L,PT,NS]
  RewriteRule ^/(.*console\.html(\.gz)?)$ /htmlify/$1 [QSA,L,PT,NS]

  # Check if the request exists as a file, directory or symbolic link
  # If not, write the request to htmlify to see if we can fetch from swift
  # NOTE(review): any request path that does not exist on disk (other than
  # /icon*) is handed to the WSGI application, so validation of that path is
  # the application's responsibility -- not visible in this file.
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-l
  RewriteCond %{REQUEST_FILENAME} !^/icon
  RewriteRule ^/(.*)$ /htmlify/$1 [QSA,L,PT,NS]

  # Target of the /htmlify rewrites above.
  WSGIScriptAlias /htmlify /usr/local/lib/python2.7/dist-packages/os_loganalyze/wsgi.py

  ErrorLog /var/log/apache2/<%= @vhost_name %>_ssl_error.log
  LogLevel warn
  CustomLog /var/log/apache2/<%= @vhost_name %>_ssl_access.log combined
  # Keep the server version out of generated error and index pages.
  ServerSignature Off
</VirtualHost>