diff options
| author | Micah <micah@leap.se> | 2016-06-23 12:08:54 -0400 |
|---|---|---|
| committer | Micah <micah@leap.se> | 2016-08-25 15:13:05 -0400 |
| commit | fc78e094919257f523707ec02d897505d7107699 (patch) | |
| tree | 67747ebcf196abbb07793a832642a548a78872d2 /puppet/modules/site_static/templates | |
| parent | f0e3e302ac6235c5c3c881983926f58084f211e8 (diff) | |
Make static tor hidden services work (#8212).
When tor hidden services were enabled for static sites, only a very
basic configuration was setup and it didn't take into account the
different location configurations that can be configured for a
static site.
This commit resolves that by making a site_static::hidden_service class
similar to the site_webapp::hidden_service class, and fixes up the
apache vhost template to properly create the location blocks for the
hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
Diffstat (limited to 'puppet/modules/site_static/templates')
| -rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 47 |
1 files changed, 46 insertions, 1 deletions
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 6b969d1c..bd088180 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -23,12 +23,56 @@ bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> +<Directory "/srv/static/public/"> + Require all granted +</Directory> + +<%- if @tor -%> +<VirtualHost 127.0.0.1:80> + ServerName <%= @tor_domain %> + ServerAlias www.<%= @tor_domain %> + + <IfModule mod_headers.c> + Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime + </IfModule> + + DocumentRoot "/<%= @document_root %>/" + AccessFileName .htaccess + +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + <Location /provider.json> + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + </Location> +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config.gsub(':percent:','%') %> +<%- end -%> + +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> + ## + ## <%= name %> (<%= location['format'] %>) + ## +<%= scope.function_templatewlv([template_path, local_vars]) %> +<%- end -%> +<%- end -%> +</VirtualHost> + <VirtualHost *:80> ServerName <%= @domain %> ServerAlias www.<%= @domain %> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> + <%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] @@ -47,12 +91,14 @@ Include include.d/ssl_common.inc + <IfModule mod_headers.c> <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By Header always unset X-Runtime + </IfModule> SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt @@ -84,5 +130,4 @@ ## <%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> - </VirtualHost> |