puppet/modules/site_static/templates/apache.conf.erb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

<%-
  ##
  ## An apache config for static websites.
  ##
  def location_directory(name, location)
    if location['format'] == 'amber'
      File.join(@base_dir, name, 'public')
    else
      File.join(@base_dir, name)
    end
  end
  document_root = '/var/www'
  @locations.each do |name, location|
    if location['path'] == '/'
      document_root = location_directory(name, location)
    end
  end
  document_root = document_root.gsub(%r{^/|/$}, '')
-%>

<VirtualHost *:80>
  ServerName <%= @domain %>
  ServerAlias www.<%= @domain %>
  RewriteEngine On
  RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
</VirtualHost>

<VirtualHost *:443>
  ServerName <%= @domain %>
  ServerAlias www.<%= @domain %>

  #RewriteLog "/var/log/apache2/rewrite.log"
  #RewriteLogLevel 3

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder on
  SSLCompression off
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"

  Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
  Header set X-Frame-Options "deny"

  SSLCertificateKeyFile    /etc/x509/keys/<%= @domain %>.key
  SSLCertificateFile       /etc/x509/certs/<%= @domain %>.crt
  SSLCertificateChainFile  /etc/ssl/certs/<%= @domain %>_ca.pem

  RequestHeader set X_FORWARDED_PROTO 'https'

  DocumentRoot "/<%= document_root %>/"
  AccessFileName .htaccess

<%- @locations.each do |name, location| -%>
  <%- path = location['path'].gsub(%r{^/|/$}, '') -%>
  <%- directory = location_directory(name, location) -%>
  ##
  ## <%= name %>
  ##
  <%- if path == '' -%>
  <Directory "/<%= document_root %>/">
    AllowOverride FileInfo Indexes Options=All,MultiViews
    Order deny,allow
    Allow from all
  </Directory>
  <%- else -%>
  AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1"
  Alias /<%=path%> "/<%=directory%>/"
  <Directory "/<%=directory%>/">
    AllowOverride FileInfo Indexes Options=All,MultiViews
    Order deny,allow
    Allow from all
  </Directory>
  <%- end -%>

<%- end -%>

</VirtualHost>