blob: b24d1353ec93b25b1da73312fedb04588c203bc1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
<VirtualHost *:80>
ServerName <%= @webapp_domain %>
ServerAlias <%= @domain_name %>
ServerAlias <%= @domain %>
ServerAlias www.<%= @domain %>
RewriteEngine On
RewriteRule ^.*$ https://<%= @webapp_domain -%>%{REQUEST_URI} [R=permanent,L]
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
</VirtualHost>
<VirtualHost *:443>
ServerName <%= @webapp_domain %>
ServerAlias <%= @domain_name %>
ServerAlias <%= @domain %>
ServerAlias www.<%= @domain %>
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common
SSLCACertificatePath /etc/ssl/certs
SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
Include include.d/ssl_common.inc
<IfModule mod_headers.c>
<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<% end -%>
Header always unset X-Powered-By
Header always unset X-Runtime
</IfModule>
<% if (defined? @services) and (@services.include? 'webapp') -%>
DocumentRoot /srv/leap/webapp/public
<% if scope.function_guess_apache_version([]) == '2.4' %>
<Directory /srv/leap/webapp/public>
AllowOverride None
Require all granted
</Directory>
<% end %>
RewriteEngine On
# Check for maintenance file and redirect all requests
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
# http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
AllowEncodedSlashes on
PassengerAllowEncodedSlashes on
PassengerFriendlyErrorPages off
SetEnv TMPDIR /var/tmp
# Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
<Location /assets/>
Header unset ETag
FileETag None
ExpiresActive On
ExpiresDefault "access plus 1 year"
</Location>
<% end -%>
<% if (defined? @services) and (@services.include? 'monitor') -%>
<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets|/usr/share/pnp4nagios)>
<% if (defined? @services) and (@services.include? 'webapp') -%>
PassengerEnabled off
<% end -%>
AllowOverride all
# Nagios won't work with setting this option to "DENY",
# as set in conf.d/security (#4169). Therefor we allow
# it here, only for nagios.
Header set X-Frame-Options: "ALLOW"
</DirectoryMatch>
<% end -%>
</VirtualHost>
|