From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 11:52:20 -0400 Subject: Fix server-status availability to tor hidden services (#7456) Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb --- puppet/modules/site_apache/manifests/common.pp | 21 +-------------------- puppet/modules/site_apache/manifests/common/tls.pp | 6 ++++++ 2 files changed, 7 insertions(+), 20 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common/tls.pp (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 2b83ffa5..64beb231 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -1,27 +1,8 @@ class site_apache::common { - # installs x509 cert + key and common config - # that both nagios + leap webapp use - - $web_domain = hiera('domain') - $domain_name = $web_domain['name'] - - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] include site_apache::module::rewrite class { '::apache': no_default_site => true, ssl => true } - apache::vhost::file { - 'common': - content => template('site_apache/vhosts.d/common.conf.erb') - } - - apache::config::include{ 'ssl_common.inc': } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp new file mode 100644 index 00000000..040868bf --- /dev/null 
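Review bot: In the `common.pp` hunk the three `Class['Site_config::X509::Commercial::…'] ~> Service[apache]` notifications are removed together with the x509 includes, and nothing in this patch shows where they are declared instead. If they were not re-declared alongside the vhost that now uses the certificate, a renewed key or certificate would be written to disk without Apache reloading it. The class also loses its only comment, and the protection named in the commit message depends on a port mapping that is not part of this hunk. I would record the reason in the class, e.g. `# the 'common' vhost is no longer declared here so that server-status is not served on a port mapped to the tor hidden service (#7456)`. A source-address rule on server-status would presumably not help here, since hidden-service traffic normally reaches Apache from the local tor daemon.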
+++ b/puppet/modules/site_apache/manifests/common/tls.pp @@ -0,0 +1,6 @@ +class site_apache::common::tls { + # class to setup common SSL configurations + + apache::config::include{ 'ssl_common.inc': } + +} -- cgit v1.2.3 From 9b18f7880aad97320cd5d118c31f04a0afc7c542 Mon Sep 17 00:00:00 2001 From: guido Date: Mon, 19 Oct 2015 15:07:30 -0300 Subject: Redirect to webapp_domain instead of domain This is needed for webapp when running on a subdomain. --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ee5cd707..7f9fd5ab 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -4,7 +4,7 @@ ServerAlias <%= domain %> ServerAlias www.<%= domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -- cgit v1.2.3 From 1ade690d20618ca5adb0c4a1647b36200197fd26 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:17:39 -0400 Subject: Provide tor hidden service configuration for static sites (#7546) Without this configuration, a very basic, and non-functional virtualhost is created, making the hidden service not work Change-Id: Ibe87c6acf5c21cff2388247c4ba320a5b6af7933 --- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 0c6f3b8e..2c8d5eb5 100644 
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -30,4 +30,14 @@ ExpiresDefault "access plus 1 year" <% end -%> + +<% if (defined? @services) and (@services.include? 'static') -%> + DocumentRoot "/srv/static/root/public" + AccessFileName .htaccess + + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version 0.5 + +<% end -%> -- cgit v1.2.3 From 40455b8d66d2680debfa408de63533e80baee259 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 3 Nov 2015 19:19:33 +0100 Subject: [feat] Query erb variables like puppet 3 needs it - Related: #6920 --- .../site_apache/templates/vhosts.d/common.conf.erb | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 7f9fd5ab..21c3a211 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
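Review bot: The new `static` block in `hidden_service.conf.erb` sets `DocumentRoot "/srv/static/root/public"` and `AccessFileName .htaccess` but states no override or access policy for that directory. Whether `.htaccess` files shipped with the static site are honoured on the onion vhost is therefore decided by whatever `AllowOverride` applies elsewhere in the server configuration. I would add a `<Directory "/srv/static/root/public">` stanza next to the DocumentRoot with an explicit `AllowOverride` value (`None` unless the static sites are known to need per-directory overrides). A one-line comment saying why `X-Minimum-Client-Version 0.5` is set on this vhost would also help. The enclosing vhost starts before line 30 of the file, so its earlier directives are outside this hunk.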
@@ -1,18 +1,18 @@ - ServerName <%= webapp_domain %> - ServerAlias <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> + ServerName <%= @webapp_domain %> + ServerAlias <%= @domain_name %> + ServerAlias <%= @domain %> + ServerAlias www.<%= @domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= @webapp_domain -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common - ServerName <%= webapp_domain %> - ServerAlias <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> + ServerName <%= @webapp_domain %> + ServerAlias <%= @domain_name %> + ServerAlias <%= @domain %> + ServerAlias www.<%= @domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs @@ -69,4 +69,3 @@ <% end -%> - -- cgit v1.2.3 From 20dd8f27004a5dac0ad68113f4b8038cb34bc791 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 21:13:31 +0100 Subject: [bug] [jessie] Load needed modules for apache 2.4 - Related: #6920 --- puppet/modules/site_apache/manifests/common.pp | 20 +++++++++++++++++++- puppet/modules/site_apache/manifests/module/alias.pp | 5 ----- .../modules/site_apache/manifests/module/expires.pp | 4 ---- .../modules/site_apache/manifests/module/headers.pp | 5 ----- .../modules/site_apache/manifests/module/removeip.pp | 5 ----- .../modules/site_apache/manifests/module/rewrite.pp | 5 ----- 6 files changed, 19 insertions(+), 25 deletions(-) delete mode 100644 puppet/modules/site_apache/manifests/module/alias.pp delete mode 100644 puppet/modules/site_apache/manifests/module/expires.pp delete mode 100644 puppet/modules/site_apache/manifests/module/headers.pp delete mode 100644 puppet/modules/site_apache/manifests/module/removeip.pp delete mode 100644 puppet/modules/site_apache/manifests/module/rewrite.pp (limited to 'puppet/modules/site_apache') 
diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 64beb231..6d63f5e1 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -1,8 +1,26 @@ +# install basic apache modules needed for all services (nagios, webapp) class site_apache::common { - include site_apache::module::rewrite + include apache::module::rewrite + include apache::module::env class { '::apache': no_default_site => true, ssl => true } + # needed for the mod_ssl config + include apache::module::mime + + # load mods depending on apache version + if ( versioncmp($::apache_version, '2.4') >= 0 ) { + # apache >= 2.4, debian jessie + # needed for mod_ssl config + include apache::module::socache_shmcb + # generally needed + include apache::module::mpm_prefork + } else { + # apache < 2.4, debian wheezy + # for "Order" directive, i.e. main apache2.conf + include apache::module::authz_host + } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/module/alias.pp b/puppet/modules/site_apache/manifests/module/alias.pp deleted file mode 100644 index c1f5e185..00000000 --- a/puppet/modules/site_apache/manifests/module/alias.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::alias ( $ensure = present ) -{ - - apache::module { 'alias': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/expires.pp b/puppet/modules/site_apache/manifests/module/expires.pp deleted file mode 100644 index f73a5607..00000000 --- a/puppet/modules/site_apache/manifests/module/expires.pp +++ /dev/null @@ -1,4 +0,0 @@ -class site_apache::module::expires ( $ensure = present ) -{ - apache::module { 'expires': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/headers.pp b/puppet/modules/site_apache/manifests/module/headers.pp deleted file mode 100644 index f7caa28c..00000000 
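Review bot: `versioncmp($::apache_version, '2.4')` in the `common.pp` hunk branches on a fact that can only be populated once Apache is installed. On a fresh node the comparison presumably sees an empty value and takes the `else` branch, loading `authz_host` instead of `socache_shmcb` and `mpm_prefork`. The decision should rest on something known before installation, with a comment such as `# cannot use $::apache_version here: facts are collected before apache is installed`. Separately, the `removeip` wrapper deleted in this commit also managed `package { 'libapache2-mod-removeip': }`. The replacement classes are not visible in this patch, so it is worth confirming that the package is still installed wherever client addresses are meant to stay out of the access logs.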
--- a/puppet/modules/site_apache/manifests/module/headers.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::headers ( $ensure = present ) -{ - - apache::module {'headers': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/removeip.pp b/puppet/modules/site_apache/manifests/module/removeip.pp deleted file mode 100644 index f106167a..00000000 --- a/puppet/modules/site_apache/manifests/module/removeip.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::removeip ( $ensure = present ) -{ - package { 'libapache2-mod-removeip': ensure => $ensure } - apache::module { 'removeip': ensure => $ensure } -} diff --git a/puppet/modules/site_apache/manifests/module/rewrite.pp b/puppet/modules/site_apache/manifests/module/rewrite.pp deleted file mode 100644 index 7ad00a0c..00000000 --- a/puppet/modules/site_apache/manifests/module/rewrite.pp +++ /dev/null @@ -1,5 +0,0 @@ -class site_apache::module::rewrite ( $ensure = present ) -{ - - apache::module { 'rewrite': ensure => $ensure } -} -- cgit v1.2.3 From e433b14fa14837f9889e08cb662bf29498179237 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 5 Nov 2015 22:43:42 +0100 Subject: [bug] [jessie] Allow apache to access webapp dir - Resolves: #7580 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 ++++++ puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 6 ++++++ 2 files changed, 12 insertions(+) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 0396f54b..a54112f8 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb 
@@ -27,6 +27,12 @@ Listen 0.0.0.0:<%= api_port %> DocumentRoot /srv/leap/webapp/public + <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + + AllowOverride None + Require all granted + + <% end %> # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 21c3a211..cbb08c30 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -32,6 +32,12 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public + <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + + AllowOverride None + Require all granted + + <% end %> RewriteEngine On # Check for maintenance file and redirect all requests -- cgit v1.2.3 From 5e78892e07d94d3d3da8d97fef9d67a15297070d Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 16 Nov 2015 13:46:35 +0100 Subject: [bug] use $lsbdistcodename to query apache version Using $::apache_version won't work because the facts are evaluated before compiling the catalog and with this, before the installation of apache. so on an install from scratch, this fact won't contain anything. --- puppet/modules/site_apache/manifests/common.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 6d63f5e1..dadf7ea5 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp 
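Review bot: The guard `Gem::Version.new(@apache_version) > Gem::Version.new('2.3')` in the `api.conf.erb` hunk decides at catalog-compile time, from a fact, whether the `AllowOverride None` / `Require all granted` lines are rendered. The `common.conf.erb` hunk in the same commit has the same guard. When the fact is empty, as on a node where Apache is not yet installed, the block is presumably omitted and a 2.4 server would then refuse requests for `/srv/leap/webapp/public`. Letting Apache decide at load time avoids the dependency on the fact: wrap the 2.4-only directive as `<IfModule mod_authz_core.c>` … `Require all granted` … `</IfModule>`. The new `<% if … %>` and `<% end %>` tags also lack the `-%>` trimming used by the neighbouring tags, so they leave blank lines in the rendered vhost. The container around the two directives is not visible on this page, so the directory it applies to cannot be confirmed from here.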
@@ -10,7 +10,7 @@ class site_apache::common { include apache::module::mime # load mods depending on apache version - if ( versioncmp($::apache_version, '2.4') >= 0 ) { + if ( $::lsbdistcodename == 'jessie' ) { # apache >= 2.4, debian jessie # needed for mod_ssl config include apache::module::socache_shmcb -- cgit v1.2.3 From d3501d3e81a4a31248829a59ae68a15da4034bf8 Mon Sep 17 00:00:00 2001 From: varac Date: Mon, 9 Nov 2015 10:21:54 +0100 Subject: [deprec] use @ in front of erb template tags Puppet 3 shows now deprecation warnings if the "@" is missing. see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n] --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index a54112f8..9efc6b41 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -1,14 +1,14 @@ - ServerName <%= api_domain %> + ServerName <%= @api_domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= @api_domain -%>:<%= @api_port -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -Listen 0.0.0.0:<%= api_port %> +Listen 0.0.0.0:<%= @api_port %> -> - ServerName <%= api_domain %> +> + ServerName <%= @api_domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs -- cgit v1.2.3 From 26ece7a240fe842e5645a47bac86699c5d2bd34c Mon Sep 17 00:00:00 2001 
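Review bot: `if ( $::lsbdistcodename == 'jessie' )` in the `common.pp` hunk sends every release other than jessie down the branch commented as "apache < 2.4, debian wheezy". A node on a later release would therefore load `authz_host` and skip `socache_shmcb` and `mpm_prefork`, although it ships Apache 2.4. Testing for the old release instead keeps the 2.4 path as the default: `if ( $::lsbdistcodename != 'wheezy' ) {`. I would also add a comment next to the condition stating that the codename stands in for the Apache version because `$::apache_version` is empty before installation. The rest of the conditional lies outside this hunk.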
From: varac Date: Sat, 12 Dec 2015 23:55:00 +0100 Subject: [bug] Use guess_apache_version in apache templates The apache_version() fact only works if apache is already installed. So we use the guess_apache_version() function from the apache module to determine which apache version is to be installed. - Resolves: #7681 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 2 +- .../modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9efc6b41..d566437a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -27,7 +27,7 @@ Listen 0.0.0.0:<%= @api_port %> DocumentRoot /srv/leap/webapp/public - <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + <% if scope.function_guess_apache_version([]) == '2.4' %> AllowOverride None Require all granted diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index cbb08c30..b24d1353 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -32,7 +32,7 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public - <% if Gem::Version.new(@apache_version) > Gem::Version.new('2.3') %> + <% if scope.function_guess_apache_version([]) == '2.4' %> AllowOverride None Require all granted diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 2c8d5eb5..653664ec 100644 
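Review bot: The test `scope.function_guess_apache_version([]) == '2.4'` in the `api.conf.erb` hunk is an exact string comparison, so any other return value silently drops the `AllowOverride None` / `Require all granted` block. That includes a longer version string or a later minor release. The same test appears in the `common.conf.erb` hunk and in both `hidden_service.conf.erb` hunks of this commit. What the function returns is not shown here; if it can return anything other than the two-part version, an ordered comparison is safer: `<% if scope.function_versioncmp([scope.function_guess_apache_version([]), '2.4']) >= 0 -%>`. Note also that `common.pp` elsewhere on this page still selects modules by `$::lsbdistcodename`, so after this commit the manifest and the templates decide the Apache version by two different mechanisms.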
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -8,6 +8,12 @@ <% if (defined? @services) and (@services.include? 'webapp') -%> DocumentRoot /srv/leap/webapp/public + <% if scope.function_guess_apache_version([]) == '2.4' %> + + AllowOverride None + Require all granted + + <% end %> RewriteEngine On # Check for maintenance file and redirect all requests @@ -33,6 +39,12 @@ <% if (defined? @services) and (@services.include? 'static') -%> DocumentRoot "/srv/static/root/public" + <% if scope.function_guess_apache_version([]) == '2.4' %> + + AllowOverride None + Require all granted + + <% end %> AccessFileName .htaccess Alias /provider.json /srv/leap/provider.json -- cgit v1.2.3 From a33a7d634ab33f46814bd154882f3b1c9b3b3978 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 25 Feb 2016 15:59:55 +0100 Subject: remove couchdb_pwhash_alg leftover --- puppet/modules/site_apache/manifests/common.pp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index dadf7ea5..8a11759a 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -4,7 +4,11 @@ class site_apache::common { include apache::module::rewrite include apache::module::env - class { '::apache': no_default_site => true, ssl => true } + class { '::apache': + no_default_site => true, + ssl => true, + ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5' + } # needed for the mod_ssl config include apache::module::mime -- cgit v1.2.3 From ee6cad0750e853b3ac210d17b79471772bfae2a5 Mon Sep 17 00:00:00 2001 
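Review bot: In the `common.pp` hunk of commit a33a7d6, `ssl_cipher_suite => 'HIGH:MEDIUM:!aNULL:!MD5'` still admits the MEDIUM class. In OpenSSL builds of this period MEDIUM typically includes RC4 suites with SHA-1 MACs, which `!MD5` does not remove, and the string does not exclude 3DES. Unless old clients require them, I would tighten it to `ssl_cipher_suite => 'HIGH:!aNULL:!MD5:!RC4:!3DES',` and add a comment naming the oldest client the list is meant to support. The subject line "remove couchdb_pwhash_alg leftover" does not describe this change, which makes a server-wide TLS policy change hard to find in the history. Whether `ssl_common.inc` sets its own `SSLCipherSuite`, and which of the two takes effect, is not visible in this hunk.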
From: Micah Date: Fri, 11 Mar 2016 12:16:42 -0500 Subject: fix tor-related jessie deprecation problems (#7962) Change-Id: If493b8a1f06a786df36a28aa1fc592e270eba639 --- puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 653664ec..232b1577 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -1,5 +1,5 @@ - ServerName <%= tor_domain %> + ServerName <%= @tor_domain %> Header always unset X-Powered-By -- cgit v1.2.3 From 3b5ce74f81bb56af0b94a119a85649446a3d6e19 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 3 May 2016 13:21:17 -0400 Subject: migrate from obsolete SSLCertificateChainFile apache option (#8055) Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index b24d1353..bf60e794 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb 
@@ -16,7 +16,6 @@ CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt -- cgit v1.2.3 From 8b5541290fc985acd7364d48aaf357457c7622f7 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 3 May 2016 21:02:18 +0200 Subject: migrate from obsolete SSLCertificateChainFile apache option (#8055) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index d566437a..bfa5d04d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -12,7 +12,6 @@ Listen 0.0.0.0:<%= @api_port %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt -- cgit v1.2.3