default-virtualhost.conf.in 13.5 KB
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{%- set disable_no_cache_header = slave_parameter.get('disable-no-cache-request', '').lower() in TRUE_VALUES %}
{%- set disable_via_header = slave_parameter.get('disable-via-header', '').lower() in TRUE_VALUES %}
{%- set prefer_gzip = slave_parameter.get('prefer-gzip-encoding-to-backend', '').lower() in TRUE_VALUES %}
{%- set proxy_append_list = [('', 'Default proxy configuration')] %}
{%- if prefer_gzip %}
{%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %}
{%- endif %} {#- if prefer_gzip #}
{%- set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
{%- set enable_h2 = slave_parameter['global_disable_http2'].lower() not in TRUE_VALUES and slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default']).lower() in TRUE_VALUES %}
{%- set ssl_proxy_verify = slave_parameter.get('ssl-proxy-verify', '').lower() in TRUE_VALUES %}
{%- set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() %}
{%- set https_only = slave_parameter.get('https-only', '').lower() in TRUE_VALUES %}
{%- set slave_type = slave_parameter.get('type', '') %}
{%- set host_list = server_alias_list %}
{%- if slave_parameter.get('custom_domain') not in host_list %}
{%-   do host_list.append(slave_parameter.get('custom_domain')) %}
{%- endif %}
{%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')).rstrip('/') %}
{%- set http_host_list = [] %}
{%- set https_host_list = [] %}
{%- for host in host_list %}
{%-   do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %}
{%-   do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %}
{%- endfor %} {#- for host in host_list #}
{%- set default_path = slave_parameter.get('default-path', '').strip('/') | urlencode %}

# SSL enabled hosts
{{ https_host_list|join(', ') }} {
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
  tls {{ slave_parameter.get('path_to_ssl_crt', slave_parameter.get('login_certificate')) }} {{ slave_parameter.get('path_to_ssl_key', slave_parameter.get('login_key')) }} {
{%- if enable_h2 %}
    # Allow HTTP2
    alpn h2 http/1.1
{%- else %} {#- if enable_h2 #}
    # Disallow HTTP2
    alpn http/1.1
{%- endif %} {#- if enable_h2 #}
  } {# tls #}
  log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

{%- if not (slave_type == 'zope' and backend_url) %}
{%    if prefer_gzip %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to {1}
  }
{%    else %}
  rewrite {
    regexp (.*)
    to {1}
  }
{%    endif %}
{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

{%- if slave_type ==  'zope' and backend_url %}
  # Zope configuration
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-   if disable_via_header %}
    header_downstream -Via
{%-   endif %} {#-   if disable_via_header #}

{%-   if disable_no_cache_header %}
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-   endif %} {#-   if disable_no_cache_header #}
    transparent
    timeout 600s
{%-   if ssl_proxy_verify %}
{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-   else %} {#-   if ssl_proxy_verify #}
    insecure_skip_verify
{%-   endif %} {#-   if ssl_proxy_verify #}
  } {# proxy #}
{%-   endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
  {%- if default_path %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
  {%- endif %} {#- if default_path #}
{%- if prefer_gzip  %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
{%- else %}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  } {# rewrite #}
{%- endif %} {#- if prefer_gzip #}
{%- elif slave_type ==  'redirect' and backend_url %} {#- if slave_type ==  'zope' and backend_url #}
  # Redirect configuration
  redir 302 {
    /  {{ backend_url }}{rewrite_uri}
  } {# redir #}
{%- else %} {#- if slave_type ==  'zope' and backend_url #}
  # Default configuration
{%-   if default_path %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  }  {# redir #}
{%-   endif %} {#-   if default_path #}
{%-   if backend_url %}

{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-     if disable_via_header %}
    header_downstream -Via
{%-     endif %} {#-     if disable_via_header #}

{%-     if disable_no_cache_header %}
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-     endif %} {#-     if disable_no_cache_header #}
    transparent
    timeout 600s
{%-     if ssl_proxy_verify %}
{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-     else %} {#-     if ssl_proxy_verify #}
    insecure_skip_verify
{%-     endif %} {#-     if ssl_proxy_verify #}
  }  {# proxy #}
{%-    endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   endif %} {#-   if backend_url #}
{%- endif %} {#- if slave_type ==  'zope' and backend_url #}
}  {# https_host_list|join(', ') #}

# SSL-disabled hosts
{{ http_host_list|join(', ') }} {
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip

  log / {{ slave_parameter.get('access_log') }} "{remote} {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

{%- if not (slave_type == 'zope' and backend_url) %}
{%-   if prefer_gzip  %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to {1}
  }
{%    else %}
  rewrite {
    regexp (.*)
    to {1}
  }
{%    endif %}
{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

{%- if https_only %}
  # Enforced redirection to SSL-enabled host
  redir 302 {
    / https://{host}{rewrite_uri}
  }
{%- elif slave_type ==  'redirect' and slave_parameter.get('url', '') %} {#- if https_only #}
  # Redirect configuration
  redir 302 {
    /  {{ slave_parameter.get('url', '') }}{rewrite_uri}
  } {# redir #}
{%- elif slave_type ==  'zope' and backend_url %} {#- if https_only #}
  # Zope configuration
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-   if disable_via_header %}
    header_downstream -Via
{%-   endif %} {#-   if disable_via_header #}

{%-   if disable_no_cache_header %}
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-   endif %} {#-   if disable_no_cache_header #}
    transparent
    timeout 600s
{%-   if ssl_proxy_verify %}
{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-   else %} {#-   if ssl_proxy_verify #}
    insecure_skip_verify
{%-   endif %} {#-   if ssl_proxy_verify #}
  } {# proxy #}
{%- endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   if default_path %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
{%-   endif %} {#-   if default_path #}
{%- if prefer_gzip  %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
{%- else %}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  } {# rewrite #}
{% endif %} {#- if prefer_gzip #}
{%- else %} {#- if https_only #}
  # Default configuration
{%-   if default_path %}
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
{%-   endif %} {#-   if default_path #}
{%-   if slave_parameter.get('url', '') %}
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ slave_parameter.get('url', '') }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-     if disable_via_header %}
    header_downstream -Via
{%-     endif %} {#-     if disable_via_header #}

{%-     if disable_no_cache_header %}
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-     endif %} {#-     if disable_no_cache_header #}
    transparent
    timeout 600s
{%-     if ssl_proxy_verify %}
{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-     else %} {#-     if ssl_proxy_verify #}
    insecure_skip_verify
{%-     endif %} {#-     if ssl_proxy_verify #}
  } {# proxy #}
{%-    endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   endif %} {#-   if slave_parameter.get('url', '') #}
{%- endif %} {#- if https_only #}
} {# http_host_list|join(', ') #}