<%- ## ## An apache config for static websites. ## def location_directory(name, location) if ['amber', 'rack'].include?(location['format']) File.join(@base_dir, name, 'public') else File.join(@base_dir, name) end end @document_root = begin root = '/var/www' @locations && @locations.each do |name, location| root = location_directory(name, location) if location['path'] == '/' end root.gsub(%r{^/|/$}, '') end bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> ServerName <%= @domain %> ServerAlias www.<%= @domain %> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> <%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] <%- end -%> ServerName <%= @domain %> ServerAlias www.<%= @domain %> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 SSLEngine on SSLProtocol all -SSLv2 SSLHonorCipherOrder on SSLCompression off SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By Header always unset X-Runtime SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt SSLCertificateChainFile /etc/ssl/certs/<%= @domain %>_ca.pem RequestHeader set X_FORWARDED_PROTO 'https' DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess <%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> Alias /provider.json /srv/leap/provider.json Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> <%- end -%> <%- if @apache_config -%> <%= @apache_config.gsub(':percent:','%') %> <%- end -%> <%- @locations && @locations.each do |name, location| -%> <%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> <%- directory = location_directory(name, location) -%> <%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> <%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> <%- break unless File.exists?(template_path) -%> ## ## <%= name %> (<%= location['format'] %>) ## <%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%>