diff options
author | elijah <elijah@riseup.net> | 2014-04-05 11:39:03 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2014-04-05 11:39:03 -0700 |
commit | c07e3d075149af0bbcd840ad0743df46d3baca5f (patch) | |
tree | e7ef4a7519411f41685670ddcb34d4ecbd9333ff | |
parent | 6af957a1c20f75a827655a3cd75e40a03cffe7c4 (diff) |
update site_static to work with new amber and have better tls ciphers
-rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 70 |
1 files changed, 19 insertions, 51 deletions
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 76534911..2abe1a98 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -15,6 +15,7 @@ document_root = location_directory(name, location) end end + document_root = document_root.gsub(%r{^/|/$}, '') -%> <VirtualHost *:80> @@ -32,9 +33,10 @@ #RewriteLogLevel 3 SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" Header set X-Frame-Options "deny" @@ -45,64 +47,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot <%= document_root %> + DocumentRoot "/<%= document_root %>/" + AccessFileName .htaccess <%- @locations.each do |name, location| -%> + <%- path = location['path'].gsub(%r{^/|/$}, '') -%> + <%- directory = location_directory(name, location) -%> ## ## <%= name %> ## - <%- if location['path'] == '/' -%> - # Location / - <%- else -%> - Alias <%= location['path'] %> <%= location_directory(name, location) %> - <Location <%= location['path'] %>> - <%- end -%> - # remove trailing slashes - RewriteEngine On - RewriteRule ^(.+)/$ /$1 [R=301,L] - - # e.g. /de/blah => /blah/index.de.html - RewriteCond %{DOCUMENT_ROOT}/$2/index.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2/index.$1.html [L] - - # e.g. /de/foo/bar => /foo/bar.de.html - RewriteCond %{DOCUMENT_ROOT}/$2.$1.html -f - RewriteRule ^/([a-z]{2})/(.*) /$2.$1.html [L] - - # e.g. /de => /index.de.html - RewriteCond %{DOCUMENT_ROOT}/index.$1.html -f - RewriteRule ^/([a-z]{2})$ /index.$1.html [L] - - # e.g. /de/img.png => /img.png - RewriteCond %{DOCUMENT_ROOT}/$2 -f - RewriteRule ^/([a-z]{2})/(.*) /$2 [L] - - # Simulate "DirectorySlash On" - # e.g. /foo/bar => /foo/bar/ (so that MultiViews will negotiate correct locale file) - RewriteCond %{DOCUMENT_ROOT}/$1 -d - RewriteRule ^/(.*[^/])$ /$1/ [PT] - <%- if location['path'] == '/' -%> - # end Location / + <%- if path == '' -%> + <Directory "/<%= document_root %>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + </Directory> <%- else -%> - </Location> - <%- end -%> - <Directory <%= location_directory(name, location) %>> - ## - ## PERMISSIONS - ## - AllowOverride None + AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" + Alias /<%=path%> "/<%=directory%>/" + <Directory "/<%=directory%>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews Order deny,allow Allow from all - - ## - ## LOCALE SUPPORT (e.g. index.en.html) - ## - LanguagePriority en - ForceLanguagePriority Prefer Fallback - DirectoryIndex index - DirectorySlash Off - Options +MultiViews </Directory> + <%- end -%> <%- end -%> |