b23515c623
Upstream likes building the settings file into the image, but that's less exciting, let's bind-mount ours in. Depends-On: https://review.opendev.org/717491/ Change-Id: Ia1894d884ef2a84e1282345b77fe07bf8898f367
100 lines
3.7 KiB
Django/Jinja
100 lines
3.7 KiB
Django/Jinja
<VirtualHost *:80>
|
|
ServerName {{ etherpad_vhost_name }}
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
|
|
|
|
Redirect / https://{{ etherpad_vhost_name }}/
|
|
|
|
</VirtualHost>
|
|
|
|
<IfModule mod_ssl.c>
|
|
<VirtualHost *:443>
|
|
ServerName {{ etherpad_vhost_name }}
|
|
ServerAdmin webmaster@openstack.org
|
|
|
|
AllowEncodedSlashes On
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/etherpad-ssl-error.log
|
|
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/etherpad-ssl-access.log combined
|
|
|
|
SSLEngine on
|
|
SSLProtocol All -SSLv2 -SSLv3
|
|
# Note: this list should ensure ciphers that provide forward secrecy
|
|
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
|
SSLHonorCipherOrder on
|
|
|
|
SSLCertificateFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.cer
|
|
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.key
|
|
SSLCertificateChainFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/ca.cer
|
|
|
|
BrowserMatch "MSIE [2-6]" \
|
|
nokeepalive ssl-unclean-shutdown \
|
|
downgrade-1.0 force-response-1.0
|
|
# MSIE 7 and newer should be able to use keepalive
|
|
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
|
|
|
<IfModule mod_proxy.c>
|
|
# The following redirects "nice" urls such as https://etherpad.example.org/padname
|
|
# to https://etherpad.example.org/p/padname. It was problematic directly
|
|
# supporting "nice" urls as etherpad hardcodes /p/ in many places.
|
|
# Adapted from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
|
|
RewriteEngine on
|
|
|
|
# Do not rewrite the /server-status URL (though by default, this
|
|
# is only accessible from localhost). Connect to it with:
|
|
# ssh -L 8443:localhost:443 $HOSTNAME
|
|
# https://localhost:8443/server-status
|
|
RewriteRule ^/server-status$ /server-status [L]
|
|
|
|
RewriteCond %{HTTP_HOST} !{{ etherpad_vhost_name }}
|
|
RewriteRule ^.*$ https://{{ etherpad_vhost_name }} [L,R=301]
|
|
|
|
# Server robots.txt directly so that it does not affect
|
|
# etherpad-lite installation.
|
|
RewriteRule ^/robots.txt$ /var/etherpad/robots.txt [L]
|
|
|
|
# Refuse external connections to the API through the proxy
|
|
RewriteRule ^/api/ - [F,L]
|
|
|
|
RewriteCond %{REQUEST_URI} !^/p/
|
|
RewriteCond %{REQUEST_URI} !^/locales/
|
|
RewriteCond %{REQUEST_URI} !^/locales.json
|
|
RewriteCond %{REQUEST_URI} !^/admin
|
|
RewriteCond %{REQUEST_URI} !^/p/
|
|
RewriteCond %{REQUEST_URI} !^/static/
|
|
RewriteCond %{REQUEST_URI} !^/pluginfw/
|
|
RewriteCond %{REQUEST_URI} !^/javascripts/
|
|
RewriteCond %{REQUEST_URI} !^/socket.io/
|
|
RewriteCond %{REQUEST_URI} !^/ep/
|
|
RewriteCond %{REQUEST_URI} !^/minified/
|
|
RewriteCond %{REQUEST_URI} !^/api/
|
|
RewriteCond %{REQUEST_URI} !^/ro/
|
|
RewriteCond %{REQUEST_URI} !^/error/
|
|
RewriteCond %{REQUEST_URI} !^/jserror
|
|
RewriteCond %{REQUEST_URI} !/favicon.ico
|
|
RewriteCond %{REQUEST_URI} !/robots.txt
|
|
RewriteRule ^/+(.+)$ https://{{ etherpad_vhost_name }}/p/$1 [NC,L,R=301]
|
|
|
|
<IfModule mod_proxy_wstunnel.c>
|
|
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
|
|
RewriteCond %{QUERY_STRING} transport=websocket [NC]
|
|
RewriteRule /(.*) ws://localhost:9001/$1 [P,L]
|
|
ProxyPass /socket.io http://localhost:9001/socket.io retry=0
|
|
ProxyPassReverse /socket.io http://localhost:9001/socket.io
|
|
</IfModule>
|
|
|
|
ProxyPass / http://localhost:9001/ retry=0
|
|
ProxyPassReverse / http://localhost:9001/
|
|
</IfModule>
|
|
|
|
</VirtualHost>
|
|
</IfModule>
|