From 5493d362f7b3abd6c8aa9350341a551c53622604 Mon Sep 17 00:00:00 2001 From: varac Date: Sat, 3 Nov 2012 11:33:38 +0100 Subject: configure apache ssl proxy for couchdb --- puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf new file mode 100644 index 00000000..79ad931d --- /dev/null +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -0,0 +1,10 @@ +Listen 0.0.0.0:6984 + + + SSLEngine On + SSLProxyEngine On + SSLCertificateKeyFile /etc/couchdb/server_key.pem + SSLCertificateFile /etc/couchdb/server_cert.pem + ProxyPass / http://127.0.0.1:5984/ + ProxyPassReverse / http://127.0.0.1:5984/ + -- cgit v1.2.3 From 0876cc7c712f273991cbb1177d7416afd0a1462d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 11:49:08 -0500 Subject: add site_webapp class to install the certs/keys/CAs and virtual host configurations --- .../site_apache/templates/vhosts.d/api.conf.erb | 36 ++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 39 ++++++++++++++++++++++ 2 files changed, 75 insertions(+) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb create mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb new file mode 100644 index 00000000..fc26190c --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
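Review bot: The new vhost in couchdb_proxy.conf publishes everything CouchDB serves on 127.0.0.1:5984 to all interfaces (`Listen 0.0.0.0:6984`, `ProxyPass / http://127.0.0.1:5984/`) with no access control visible in this file, and every proxied request reaches CouchDB from loopback. If CouchDB's own authentication is not enforced for all databases and admin endpoints, consider requiring client certificates here, e.g. `SSLVerifyClient require` with `SSLCACertificateFile <path-to-CA-bundle>`, or proxying only the paths that remote peers need. `SSLProxyEngine On` has no effect with an `http://` backend and can be dropped, and the vhost sets no `SSLProtocol` or `SSLCipherSuite`, so it inherits the server defaults. The opening and closing VirtualHost lines are not visible in this rendering of the hunk.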
@@ -0,0 +1,36 @@ + + ServerName <%= api_domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= api_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateKeyFile /etc/x509/keys/leap_api.key + SSLCertificateFile /etc/x509/certs/leap_api.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb new file mode 100644 index 00000000..bb035cd2 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
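Review bot: `SSLProtocol -all +SSLv3 +TLSv1` in the TLS vhost of api.conf.erb keeps SSLv3 enabled and pins the server to TLS 1.0 at best, and `HIGH:MEDIUM` in `SSLCipherSuite` admits medium-strength suites (RC4 among them in OpenSSL builds of this period); the same two lines appear in leap_webapp.conf.erb in this commit. I would drop SSLv3 and MEDIUM, e.g. `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:@STRENGTH`, so that newer TLS versions are negotiated wherever the installed mod_ssl supports them. A one-line comment above the two directives naming the oldest client that must be supported would document why the floor sits where it does.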
@@ -0,0 +1,39 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key + SSLCertificateFile /etc/x509/certs/leap_webapp.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + DocumentRoot /srv/leap_webapp/public + + # Check for maintenance file and redirect all requests + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + -- cgit v1.2.3 From e49f4038b9a5c6b8b0d3f0eed8735abf5ef54c0e Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 14:40:10 -0500 Subject: map /1 -> document root --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index fc26190c..49bd5c79 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
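Review bot: Neither TLS vhost sends a `Strict-Transport-Security` header, so a browser that starts on http:// depends on the port-80 redirect every time and that first plaintext request can be intercepted; this applies to leap_webapp.conf.erb here and to api.conf.erb in the same commit. mod_headers is already required by the `RequestHeader` line, so `Header always set Strict-Transport-Security "max-age=31536000"` (value constructed for illustration) could sit next to it. Separately, `AllowEncodedSlashes on` makes Apache accept %2F in request paths instead of rejecting them; a short comment saying which routes need that would help the next reader, since the linked Passenger page only covers the Passenger side.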
@@ -20,6 +20,7 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index bb035cd2..f2b43928 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,9 +22,10 @@ RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot /srv/leap_webapp/public + Alias /1 /srv/leap_webapp/public - # Check for maintenance file and redirect all requests RewriteEngine On + # Check for maintenance file and redirect all requests RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f RewriteCond %{SCRIPT_FILENAME} !maintenance.html RewriteCond %{REQUEST_URI} !/images/maintenance.jpg -- cgit v1.2.3 From ea60af41f4a5a7bdd67fd7da129716c8f698cf1a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 27 Nov 2012 16:03:16 -0500 Subject: fix location of SSLCertificateChainFile location --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 +- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 49bd5c79..37c4a727 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -13,7 +13,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.crt + SSLCertificateChainFile /etc/ssl/certs/leap_api.pem SSLCertificateKeyFile /etc/x509/keys/leap_api.key SSLCertificateFile /etc/x509/certs/leap_api.crt 
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index f2b43928..85e7289b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -15,7 +15,7 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.crt + SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key SSLCertificateFile /etc/x509/certs/leap_webapp.crt -- cgit v1.2.3 From 3f0bbccb1b0020530ae4e4a0682fbf9f5f401e3b Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 10 Dec 2012 23:36:48 +0100 Subject: couchdb: use x509 module to deploy certs (fixes #1063) --- puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf index 79ad931d..0dff2cd6 100644 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf @@ -3,8 +3,8 @@ Listen 0.0.0.0:6984 SSLEngine On SSLProxyEngine On - SSLCertificateKeyFile /etc/couchdb/server_key.pem - SSLCertificateFile /etc/couchdb/server_cert.pem + SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key + SSLCertificateFile /etc/x509/certs/leap_couchdb.crt ProxyPass / http://127.0.0.1:5984/ ProxyPassReverse / http://127.0.0.1:5984/ -- cgit v1.2.3 From efb434fff348ee38ce688851791a91a1814240e7 Mon Sep 17 00:00:00 2001 
From: Micah Anderson Date: Tue, 11 Dec 2012 16:04:18 -0500 Subject: replace Documentroot path from - to _ --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 37c4a727..05d5f69d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -19,8 +19,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 85e7289b..8c820788 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,8 +21,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests -- cgit v1.2.3 From c3c23bbc27dee3fdcdf9aec6addcc816ad7b52ba Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 19 Dec 2012 12:12:16 -0800 Subject: webapp api now uses a customizable port (so that we don't try to rely on SNI for hosting two TLS domains on one IP). --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') 
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 05d5f69d..cdfcbd68 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -1,10 +1,12 @@ ServerName <%= api_domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] - +Listen 0.0.0.0:<%= api_port %> + +> ServerName <%= api_domain %> SSLEngine on -- cgit v1.2.3 From c4805af340ae63e9129696e0c96f9896417eb9c4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Thu, 31 Jan 2013 15:58:16 -0500 Subject: install an apache Directory override block to disable passenger for nagios, if the node is a monitor node --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 8c820788..4928cdd6 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -36,5 +36,12 @@ PassengerAllowEncodedSlashes on PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + + <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + + PassengerEnabled off + AllowOverride all + + <% end -%> -- cgit v1.2.3
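Review bot: `Listen 0.0.0.0:<%= api_port %>` in api.conf.erb is emitted unconditionally, so if api_port is ever set to a port Apache already listens on (presumably 443 for the webapp vhost) the duplicate Listen will keep Apache from starting. A guard such as `<% if api_port.to_s != '443' -%>` around the Listen line, or validation of api_port in the manifest, would avoid that; whether such validation exists is not visible here. The template also interpolates api_port into the redirect target without checking that it is numeric. The VirtualHost lines of this hunk are partly missing from this rendering.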
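Review bot: `AllowOverride all` in the added monitor block of leap_webapp.conf.erb grants .htaccess files under that directory every override class, which is more than turning Passenger off requires; unless the Nagios web files rely on .htaccess, `AllowOverride None` (or only the classes actually needed) is the safer setting. The condition also mixes `@services` with bare `services` (`services.is_a? Array`); using `@services` in all three tests keeps the guard consistent. The Directory path itself is not visible in this rendering of the hunk.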