summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
blob: 3360ac59a1cd2cc58f3c45480e794d2807ae5520 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<VirtualHost *:80>
  ServerName <%= api_domain %>
  RewriteEngine On
  RewriteRule ^.*$ https://<%= api_domain -%>:<%= api_port -%>%{REQUEST_URI} [R=permanent,L]
</VirtualHost>

Listen 0.0.0.0:<%= api_port %>

<VirtualHost *:<%= api_port -%>>
  ServerName <%= api_domain %>

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"

  SSLCACertificatePath /etc/ssl/certs
  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt

  RequestHeader set X_FORWARDED_PROTO 'https'

  <IfModule mod_headers.c>
<% if @webapp['secure'] -%>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<% end -%>
    Header always unset X-Powered-By
    Header always unset X-Runtime
  </IfModule>

  DocumentRoot /srv/leap/webapp/public

  # Check for maintenance file and redirect all requests
  RewriteEngine On
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]

  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
  AllowEncodedSlashes on
  PassengerAllowEncodedSlashes on
  PassengerFriendlyErrorPages off
  SetEnv TMPDIR /var/tmp
</VirtualHost>