summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
blob: 30f0a6b156ed0b6307e21d9b99bf224fbca0cf4a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
<VirtualHost *:80>
  ServerName <%= domain %>
  ServerAlias www.<%= domain %>
  RewriteEngine On
  RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
</VirtualHost>

<VirtualHost *:443>
  ServerName <%= domain_name %>
  ServerAlias <%= domain %>
  ServerAlias www.<%= domain %>

  SSLEngine on
  SSLProtocol -all +SSLv3 +TLSv1
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
  SSLHonorCipherOrder on

  SSLCACertificatePath /etc/ssl/certs
  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt

  RequestHeader set X_FORWARDED_PROTO 'https'

  <IfModule mod_headers.c>
<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<% end -%>
    Header always unset X-Powered-By
    Header always unset X-Runtime
  </IfModule>

<% if (defined? @services) and (@services.include? 'webapp') -%>
  DocumentRoot /srv/leap/webapp/public

  RewriteEngine On
  # Check for maintenance file and redirect all requests
  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]

  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
  AllowEncodedSlashes on
  PassengerAllowEncodedSlashes on
  PassengerFriendlyErrorPages off
  SetEnv TMPDIR /var/tmp

  # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
  <Location /assets/>
    Header unset ETag
    FileETag None
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
  </Location>
<% end -%>


<% if (defined? @services) and (@services.include? 'monitor') -%>
 <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
 <% if (defined? @services) and (@services.include? 'webapp') -%>
    PassengerEnabled off
 <% end -%>
    AllowOverride all
    # Nagios won't work with setting this option to "DENY",
    # as set in conf.d/security (#4169). Therefor we allow
    # it here, only for nagios.
    Header set X-Frame-Options: "ALLOW"
  </DirectoryMatch>
<% end -%>
</VirtualHost>