summaryrefslogtreecommitdiff
path: root/puppet/modules/site_static/templates
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2016-06-23 12:08:54 -0400
committerMicah <micah@leap.se>2016-08-25 15:13:05 -0400
commitfc78e094919257f523707ec02d897505d7107699 (patch)
tree67747ebcf196abbb07793a832642a548a78872d2 /puppet/modules/site_static/templates
parentf0e3e302ac6235c5c3c881983926f58084f211e8 (diff)
Make static tor hidden services work (#8212).
When tor hidden services were enabled for static sites, only a very basic configuration was setup and it didn't take into account the different location configurations that can be configured for a static site. This commit resolves that by making a site_static::hidden_service class similar to the site_webapp::hidden_service class, and fixes up the apache vhost template to properly create the location blocks for the hidden service vhost. Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
Diffstat (limited to 'puppet/modules/site_static/templates')
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb47
1 files changed, 46 insertions, 1 deletions
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 6b969d1c..bd088180 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -23,12 +23,56 @@
bootstrap_client = scope.lookupvar('site_static::bootstrap_client')
-%>
+<Directory "/srv/static/public/">
+ Require all granted
+</Directory>
+
+<%- if @tor -%>
+<VirtualHost 127.0.0.1:80>
+ ServerName <%= @tor_domain %>
+ ServerAlias www.<%= @tor_domain %>
+
+ <IfModule mod_headers.c>
+ Header set X-Frame-Options "deny"
+ Header always unset X-Powered-By
+ Header always unset X-Runtime
+ </IfModule>
+
+ DocumentRoot "/<%= @document_root %>/"
+ AccessFileName .htaccess
+
+<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%>
+ Alias /provider.json /srv/leap/provider.json
+ <Location /provider.json>
+ Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>
+ </Location>
+<%- end -%>
+
+<%- if @apache_config -%>
+<%= @apache_config.gsub(':percent:','%') %>
+<%- end -%>
+
+<%- @locations && @locations.each do |name, location| -%>
+<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%>
+<%- directory = location_directory(name, location) -%>
+<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%>
+<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%>
+<%- break unless File.exists?(template_path) -%>
+ ##
+ ## <%= name %> (<%= location['format'] %>)
+ ##
+<%= scope.function_templatewlv([template_path, local_vars]) %>
+<%- end -%>
+<%- end -%>
+</VirtualHost>
+
<VirtualHost *:80>
ServerName <%= @domain %>
ServerAlias www.<%= @domain %>
<%- @aliases && @aliases.each do |domain_alias| -%>
ServerAlias <%= domain_alias %>
<%- end -%>
+
<%- if @tls_only -%>
RewriteEngine On
RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
@@ -47,12 +91,14 @@
Include include.d/ssl_common.inc
+ <IfModule mod_headers.c>
<%- if @tls_only -%>
Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains"
<%- end -%>
Header set X-Frame-Options "deny"
Header always unset X-Powered-By
Header always unset X-Runtime
+ </IfModule>
SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
@@ -84,5 +130,4 @@
##
<%= scope.function_templatewlv([template_path, local_vars]) %>
<%- end -%>
-
</VirtualHost>