08dc5c2006
As we migrate things like security contact information off www.openstack.org and onto security.openstack.org, people are going to want some extra assurances they're not looking at a copy that's been monkeyed with in transit. Serve it via HTTPS and redirect prior HTTP URLs. Change-Id: Ifdd8eaa7d92c3103637360ec125e6a6096fed598
39 lines
1.4 KiB
Plaintext
39 lines
1.4 KiB
Plaintext
# ************************************
|
|
# Managed by Puppet
|
|
# ************************************
|
|
|
|
<VirtualHost *:80>
|
|
ServerName <%= @vhost_name %>
|
|
RewriteEngine On
|
|
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
|
|
LogLevel warn
|
|
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
|
|
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
|
|
ServerSignature Off
|
|
</VirtualHost>
|
|
|
|
<IfModule mod_ssl.c>
|
|
<VirtualHost *:443>
|
|
ServerName <%= @vhost_name %>
|
|
DocumentRoot <%= @docroot %>
|
|
SSLEngine on
|
|
SSLProtocol All -SSLv2 -SSLv3
|
|
# Once the machine is using something to terminate TLS that supports ECDHE
|
|
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
|
|
# only is guarenteed.
|
|
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
|
SSLHonorCipherOrder on
|
|
SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
|
|
SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
|
|
SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
|
|
<Directory <%= @docroot %>>
|
|
Allow from all
|
|
Satisfy Any
|
|
</Directory>
|
|
LogLevel warn
|
|
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
|
|
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
|
|
ServerSignature Off
|
|
</VirtualHost>
|
|
</IfModule>
|