{# String tokens that count as "true" when a boolean slave parameter is parsed
   below; each parameter is coerced to a string and lower-cased before the test. #}
{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%}
{% set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%}
{%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%}
 
<VirtualHost *:{{ https_port }}>
  {# Primary host name of this slave, written into the generated configuration
     exactly as supplied. get() has no default here, so a missing custom_domain
     would render as the literal text None (assuming slave_parameter is a plain
     dict - TODO confirm).
     NOTE(review): this template does no escaping or validation; confirm the
     caller rejects whitespace and newlines in custom_domain before rendering. #}
  ServerName {{ slave_parameter.get('custom_domain') }}
  ServerAlias {{ slave_parameter.get('custom_domain') }}

{# Optional extra host names: 'server-alias' is split on whitespace and one
   ServerAlias line is emitted per token.
   NOTE(review): tokens are emitted unvalidated, wildcard patterns included;
   confirm upstream checks restrict which host names a slave may claim. #}
{%- if 'server-alias' in slave_parameter -%}
  {% set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
  {%- for server_alias in server_alias_list %}
  ServerAlias {{ server_alias }}
  {% endfor %}
{%- endif %}

  SSLEngine on
  SSLProxyEngine on
{# Backend certificate verification is opt-in: the directives below are emitted
   only when 'ssl-proxy-verify' is one of TRUE_VALUES. Otherwise no
   SSLProxyVerify line is written and Apache's own default applies.
   NOTE(review): the guard tests the key 'ssl_proxy_ca_crt' but the directive
   reads 'path_to_ssl_proxy_ca_crt' (default ''); if only the first key is set,
   SSLProxyCACertificateFile is rendered with an empty argument.
   NOTE(review): SSLProxyCheckPeerCN is left commented out, so host name matching
   of the backend certificate depends on the httpd version's defaults - confirm
   it is effective on the deployed version. #}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{%   endif %}
  SSLProxyVerify require
  #SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
{% endif %}
  {# NOTE(review): "all -SSLv2 -SSLv3" leaves TLSv1.0 and TLSv1.1 enabled wherever
     the linked TLS library still offers them; consider listing only the protocol
     versions that clients actually need. #}
  SSLProtocol all -SSLv2 -SSLv3
  {# Cipher preference list, enforced in server order by SSLHonorCipherOrder on;
     AES-GCM suites come first.
     NOTE(review): the list still admits 3DES (a 64-bit block cipher) and RSA key
     exchange suites without forward secrecy, and excludes only aNULL and MD5;
     review it against current client requirements. #}
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
  SSLHonorCipherOrder on

{% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
       			      	 ('SSLCertificateKeyFile', 'path_to_ssl_key'),
                                 ('SSLCACertificateFile', 'path_to_ssl_ca_crt'),
                                 ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%}

{# Emit one certificate directive per (directive, parameter) pair of
   ssl_configuration_list, skipping pairs whose parameter is absent. Each path is
   written as supplied. 'path_to_ssl_ca_crt' appears twice in that list, so the
   same file feeds both SSLCACertificateFile and SSLCertificateChainFile. #}
{% for key, value in ssl_configuration_list -%}
{%   if value in slave_parameter -%}
{{ '  %s' % key }} {{ slave_parameter.get(value) }}
{% endif -%}
{% endfor -%}


  # One Slave two logs
  ErrorLog "{{ slave_parameter.get('error_log') }}"
  LogLevel info
  {# Access log layout registered under the nickname "combined", with the %D
     request-time field appended.
     NOTE(review): %{REMOTE_USER}i records the REMOTE_USER request header, which
     is supplied by the client; treat that field as unauthenticated when these
     logs are used for investigation. #}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  CustomLog "{{ slave_parameter.get('access_log') }}" combined

  {# Proxy settings used by the rewrite rules of this virtual host: the client's
     Host header is passed through to the backend, and the proxy timeout is set
     to 600 seconds. #}
  # Rewrite part
  ProxyPreserveHost On
  ProxyTimeout 600
{% if disable_via_header %}
  Header unset Via
{% endif -%}
  RewriteEngine On

{# Optional request-header rewriting, applied before the request is proxied.
   - disable_no_cache_header: drop the client's Cache-Control and Pragma headers.
   - 'disabled-cookie-list': for each whitespace-separated name, remove that
     cookie from the Cookie request header.
     NOTE(review): the name is placed into the regular expression unescaped; a
     name containing regex metacharacters or a double quote would change the
     pattern or the directive - confirm names are validated before rendering.
   - prefer_gzip: when the client lists gzip, reduce Accept-Encoding to "gzip". #}
{% if disable_no_cache_header %}
  RequestHeader unset Cache-Control
  RequestHeader unset Pragma
{% endif -%}

{% if 'disabled-cookie-list' in slave_parameter -%}
  {% set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() %}
  {%- for disabled_cookie in disabled_cookie_list %}
{{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
  {% endfor -%}
{% endif %}

{%- if prefer_gzip %}
  RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}

{% if slave_parameter.get('type', '') ==  'zope' -%}
  {# When 'default-path' is set, a request for the bare root is answered with a
     permanent (301) redirect to that path, written as supplied. #}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  # First, we check if we have a zope backend server
  # If so, let's use Virtual Host Monster rewrite
  # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
  {# Reverse-proxy ([P]) every path to the backend at 'https-url', building a
     VirtualHostBase / VirtualHostRoot path from %{SERVER_NAME}, port 443 and the
     slave's 'path'.
     NOTE(review): 'https-url' and 'path' are inserted unescaped and default to
     the empty string; confirm they are validated (no whitespace, expected scheme
     and host) before this template is rendered.
     NOTE(review): the path contains "https//" with two slashes where the http
     virtual host uses "http/"; confirm this is intentional. #}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% elif slave_parameter.get('type', '') ==  'redirect' -%}
  {# 'redirect' type: every request is answered with an external redirect to
     'https-url' followed by the original path. [R] carries no status code, so
     mod_rewrite's default (302) applies. The target is written as supplied. #}
  RewriteRule     (.*)  {{ slave_parameter.get('https-url', '')}}$1 [R,L]
{% else -%}
  {# When 'default-path' is set, a request for the bare root is answered with a
     permanent (301) redirect to that path, written as supplied. #}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  {# Any other type: reverse-proxy ([P]) every path to 'https-url'.
     NOTE(review): the destination is whatever the slave parameter holds (default
     empty string) and is inserted unescaped; if slaves are not fully trusted,
     confirm the allowed backend addresses are constrained before rendering. #}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', '') }}/$1 [L,P]
{% endif -%}
</VirtualHost>

<VirtualHost *:{{ http_port }}>
  {# Same host name as the https virtual host, written exactly as supplied; a
     missing custom_domain would render as the literal text None (assuming
     slave_parameter is a plain dict - TODO confirm).
     NOTE(review): no escaping or validation happens in this template. #}
  ServerName {{ slave_parameter.get('custom_domain') }}
  ServerAlias {{ slave_parameter.get('custom_domain') }}

{# Optional extra host names for the plain-HTTP virtual host: 'server-alias' is
   split on whitespace and one ServerAlias line is emitted per token.
   NOTE(review): tokens are emitted unvalidated, wildcard patterns included;
   confirm upstream checks restrict which host names a slave may claim. #}
{%- if 'server-alias' in slave_parameter %}
  {% set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
  {%- for server_alias in server_alias_list %}
  ServerAlias {{ server_alias }}
  {% endfor -%}
{% endif %}

  SSLProxyEngine on
{# Backend certificate verification for the plain-HTTP virtual host, opt-in via
   'ssl-proxy-verify'. When the flag is not set, no SSLProxyVerify line is written
   and Apache's own default applies.
   NOTE(review): the guard tests the key 'ssl_proxy_ca_crt' but the directive
   reads 'path_to_ssl_proxy_ca_crt' (default ''); if only the first key is set,
   SSLProxyCACertificateFile is rendered with an empty argument.
   NOTE(review): SSLProxyCheckPeerCN is left commented out, so host name matching
   of the backend certificate depends on the httpd version's defaults - confirm
   it is effective on the deployed version. #}
{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{% if ssl_proxy_verify -%}
{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{%   endif %}
  SSLProxyVerify require
  #SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
{% endif %}
  {# Proxy settings used by the rewrite rules of this virtual host: the client's
     Host header is passed through to the backend, and the proxy timeout is set
     to 600 seconds. #}
  # Rewrite part
  ProxyPreserveHost On
  ProxyTimeout 600
{% if disable_via_header %}
  Header unset Via
{% endif -%}
  RewriteEngine On

  # One Slave two logs
  ErrorLog "{{ slave_parameter.get('error_log') }}"
  LogLevel info
  {# Access log layout registered under the nickname "combined", with the %D
     request-time field appended.
     NOTE(review): %{REMOTE_USER}i records the REMOTE_USER request header, which
     is supplied by the client; treat that field as unauthenticated when these
     logs are used for investigation. #}
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  CustomLog "{{ slave_parameter.get('access_log') }}" combined

  {# Strips a trailing ";secure" attribute (case-insensitive) from Set-Cookie
     response headers on this plain-HTTP virtual host.
     NOTE(review): cookies that the backend marked Secure are then accepted and
     returned by browsers over unencrypted HTTP; confirm this trade-off is
     intended for every slave that does not set https-only.
     NOTE(review): the pattern matches only when ";secure" is the final attribute
     with no space after the semicolon; "; Secure" or a Secure attribute followed
     by others is left unchanged - confirm against the backend's cookie format. #}
  # Remove "Secure" from cookies, as backend may be https
  Header edit Set-Cookie "(?i)^(.+);secure$" "$1"

{# Optional request-header rewriting, applied before the request is proxied.
   - disable_no_cache_header: drop the client's Cache-Control and Pragma headers.
   - 'disabled-cookie-list': for each whitespace-separated name, remove that
     cookie from the Cookie request header.
     NOTE(review): the name is placed into the regular expression unescaped; a
     name containing regex metacharacters or a double quote would change the
     pattern or the directive - confirm names are validated before rendering.
   - prefer_gzip: when the client lists gzip, reduce Accept-Encoding to "gzip". #}
{% if disable_no_cache_header %}
  RequestHeader unset Cache-Control
  RequestHeader unset Pragma
{% endif -%}

{% if 'disabled-cookie-list' in slave_parameter -%}
  {% set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() %}
  {%- for disabled_cookie in disabled_cookie_list %}
{{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
  {% endfor -%}
{% endif %}

{%- if prefer_gzip %}
  RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}

{# https_only is true when 'https-only' is one of TRUE_VALUES (case-insensitive).
   It selects the redirect-to-https branch below; when it is false, this virtual
   host redirects or proxies requests received over plain HTTP according to the
   slave's 'type'. #}
# Next line is forbidden and people who copy it will be hanged short
{% set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
{% if https_only -%}
  # Not using HTTPS? Ask that guy over there.
  # Dummy redirection to https. Note: will work only if https listens
  # on standard port (443).
  {# Requests that did not arrive on https_port are redirected to https on the
     same server name, keeping the path. The target carries no explicit port, so
     it reaches the https virtual host only when https is served on 443. [R] has
     no status code, so mod_rewrite's default (302) applies.
     NOTE(review): %{SERVER_NAME} may be derived from the request's Host header
     depending on UseCanonicalName; confirm the redirect target cannot be steered
     to a host name outside this slave's ServerName and ServerAlias values. #}
  RewriteCond     %{SERVER_PORT}  !^{{ https_port }}$
  RewriteRule     ^/(.*)          https://%{SERVER_NAME}/$1 [NC,R,L]
{% elif slave_parameter.get('type', '') ==  'redirect' -%}
  {# 'redirect' type: every request is answered with an external redirect to
     'url' followed by the original path. [R] carries no status code, so
     mod_rewrite's default (302) applies. The target is written as supplied. #}
  RewriteRule     (.*)  {{slave_parameter.get('url', '')}}$1 [R,L]
{% elif slave_parameter.get('type', '') ==  'zope' -%}
  {# When 'default-path' is set, a request for the bare root is answered with a
     permanent (301) redirect to that path, written as supplied. #}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  # First, we check if we have a zope backend server
  # If so, let's use Virtual Host Monster rewrite
  # We suppose that Apache listens to 80 (even indirectly thanks to things like iptables)
  {# Reverse-proxy ([P]) every path to the backend at 'url', building a
     VirtualHostBase / VirtualHostRoot path from the scheme http, %{SERVER_NAME},
     port 80 and the slave's 'path'.
     NOTE(review): 'url' and 'path' are inserted unescaped and default to the
     empty string; confirm they are validated (no whitespace, expected scheme and
     host) before this template is rendered. #}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/%{SERVER_NAME}:80/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% else -%}
  {# When 'default-path' is set, a request for the bare root is answered with a
     permanent (301) redirect to that path, written as supplied. #}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  {# Any other type: reverse-proxy ([P]) every path to 'url'.
     NOTE(review): the destination is whatever the slave parameter holds (default
     empty string) and is inserted unescaped; if slaves are not fully trusted,
     confirm the allowed backend addresses are constrained before rendering. #}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
{% endif -%}
  # If nothing exists: show a nice error page
#  ErrorDocument 404 /notfound.html
# Dadiboom

</VirtualHost>