From 8b0910f1caf19884b6b46976b72536ee1f570ed5 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 15 Sep 2015 11:52:20 -0400 Subject: Fix server-status availability to tor hidden services (#7456) Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb --- puppet/modules/site_apache/manifests/common.pp | 21 +-------------------- puppet/modules/site_apache/manifests/common/tls.pp | 6 ++++++ 2 files changed, 7 insertions(+), 20 deletions(-) create mode 100644 puppet/modules/site_apache/manifests/common/tls.pp (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 2b83ffa5..64beb231 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -1,27 +1,8 @@ class site_apache::common { - # installs x509 cert + key and common config - # that both nagios + leap webapp use - - $web_domain = hiera('domain') - $domain_name = $web_domain['name'] - - include x509::variables - include site_config::x509::commercial::cert - include site_config::x509::commercial::key - include site_config::x509::commercial::ca - - Class['Site_config::X509::Commercial::Key'] ~> Service[apache] - Class['Site_config::X509::Commercial::Cert'] ~> Service[apache] - Class['Site_config::X509::Commercial::Ca'] ~> Service[apache] include site_apache::module::rewrite class { '::apache': no_default_site => true, ssl => true } - apache::vhost::file { - 'common': - content => template('site_apache/vhosts.d/common.conf.erb') - } - - apache::config::include{ 'ssl_common.inc': } + include site_apache::common::tls } diff --git a/puppet/modules/site_apache/manifests/common/tls.pp b/puppet/modules/site_apache/manifests/common/tls.pp new file mode 100644 index 00000000..040868bf --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/tls.pp @@ -0,0 +1,6 @@ +class site_apache::common::tls { + # class to setup common SSL configurations + + apache::config::include{ 'ssl_common.inc': } + +} -- cgit v1.2.3 From 9b18f7880aad97320cd5d118c31f04a0afc7c542 Mon Sep 17 00:00:00 2001 From: guido Date: Mon, 19 Oct 2015 15:07:30 -0300 Subject: Redirect to webapp_domain instead of domain This is needed for webapp when running on a subdomain. --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index ee5cd707..7f9fd5ab 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -4,7 +4,7 @@ ServerAlias <%= domain %> ServerAlias www.<%= domain %> RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + RewriteRule ^.*$ https://<%= webapp_domain -%>%{REQUEST_URI} [R=permanent,L] CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -- cgit v1.2.3 From 1ade690d20618ca5adb0c4a1647b36200197fd26 Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 20 Oct 2015 17:17:39 -0400 Subject: Provide tor hidden service configuration for static sites (#7546) Without this configuration, a very basic, and non-functional virtualhost is created, making the hidden service not work Change-Id: Ibe87c6acf5c21cff2388247c4ba320a5b6af7933 --- .../site_apache/templates/vhosts.d/hidden_service.conf.erb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 0c6f3b8e..2c8d5eb5 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -30,4 +30,14 @@ ExpiresDefault "access plus 1 year" <% end -%> + +<% if (defined? @services) and (@services.include? 'static') -%> + DocumentRoot "/srv/static/root/public" + AccessFileName .htaccess + + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version 0.5 + +<% end -%> -- cgit v1.2.3