apache-frontend: Add Custom SSL posibility for default mode, fix various problems

software/apache-frontend/apache-yakari.cfg.in

@@ -51,6 +51,26 @@ extra-context =
     raw error_log {{ error_log }}
 {{ '\n' }}
 
+# Set ssl certificates for each slave
+{%   for cert_name in ('ssl_key', 'ssl_crt', 'ssl_ca_crt', 'ssl_csr')-%}
+{%     if cert_name in slave_instance -%}
+{%       set cert_title = '%s-%s' % (slave_reference, cert_name.replace('ssl_', '')) -%}
+{%       set cert_file = '/'.join([custom_ssl_directory, cert_title.replace('-','.')]) -%}
+{%       do part_list.append(cert_title) -%}
+{%       do slave_instance.__setitem__('path_to_' ~ cert_name, cert_file) -%}
+# Store certificates on fs
+[{{ cert_title }}]
+< = jinja2-template-base
+template = {{ empty_template }}
+rendered = {{ cert_file }}
+extra-context =
+    key content {{ cert_title + '-config:value' }}
+# Store certificate in config
+[{{ cert_title + '-config' }}]
+value = {{ dumps(slave_instance.get(cert_name)) }}
+{%     endif -%}
+{%   endfor -%}
+
 # Set apache configuration for slave
 [{{ ('slave-instance-%s-configuration' % slave_reference) }}]
 {%   for key, value in slave_instance.iteritems() -%}

software/apache-frontend/default-virtualhost.conf.in

 {% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
-<VirtualHost *:{{ http_port }}>
+ 
+<VirtualHost *:{{ https_port }}>
   ServerName {{ slave_parameter.get('domain') }}
   ServerAlias {{ slave_parameter.get('domain') }}
+
   SSLEngine on
   SSLProxyEngine on
-  # Rewrite part
-  ProxyVia On
-  ProxyPreserveHost On
-  ProxyTimeout 600
-  RewriteEngine On
+  SSLProtocol -ALL +SSLv3 +TLSv1
+  SSLHonorCipherOrder On
+  SSLCipherSuite RC4-SHA:HIGH:!ADH
+
+{% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
+       			      	 ('SSLCertificateKeyFile', 'path_to_ssl_key'),
+                                 ('SSLCACertificateFile', 'path_to_ssl_ca_crt'),
+                                 ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%}
+
+{% for key, value in ssl_configuration_list -%}
+{%   if value in slave_parameter -%}
+{{ '  %s' % key }} {{ slave_parameter.get(value) }}
+{% endif -%}
+{% endfor -%}
+
 
   # One Slave two logs
   ErrorLog "{{ error_log }}"
@@ -16,30 +28,26 @@
   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
   CustomLog "{{ access_log }}" combined
 
-# Next line is forbidden and people who copy it will be hanged short
-{% set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
-{% if https_only in slave_parameter -%}
-  # Not using HTTPS? Ask that guy over there.
-  # Dummy redirection to https. Note: will work only if https listens
-  # on standard port (443).
-  RewriteRule ^/(.*)$ https://%{DOMAIN}%{REQUEST_URI}
-{% elif slave_parameter.get('type', '') ==  'zope' -%}
+  # Rewrite part
+  ProxyVia On
+  ProxyPreserveHost On
+  ProxyTimeout 600
+  RewriteEngine On
+
+{% if slave_parameter.get('type', '') ==  'zope' -%}
   # First, we check if we have a zope backend server
   # If so, let's use Virtual Host Daemon rewrite
-  # We suppose that Apache listens to 80 (even indirectly thanks to things like iptables)
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/{{ slave_parameter.get('domain', '') }}:80/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
+  # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
+  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/https/{{ slave_parameter.get('domain', '') }}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
 {% else -%}
   RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
 {% endif -%}
-  # If nothing exist : put a nice error
-#  ErrorDocument 404 /notfound.html
-# Dadiboom
-
 </VirtualHost>
 
-<VirtualHost *:{{ https_port }}>
+<VirtualHost *:{{ http_port }}>
   ServerName {{ slave_parameter.get('domain') }}
   ServerAlias {{ slave_parameter.get('domain') }}
+  SSLEngine on
   SSLProxyEngine on
   # Rewrite part
   ProxyVia On
@@ -56,12 +64,23 @@
   # Remove "Secure" from cookies, as backend may be https
   Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
 
-{% if slave_parameter.get('type', '') ==  'zope' -%}
+# Next line is forbidden and people who copy it will be hanged short
+{% set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
+{% if https_only in slave_parameter -%}
+  # Not using HTTPS? Ask that guy over there.
+  # Dummy redirection to https. Note: will work only if https listens
+  # on standard port (443).
+  RewriteRule ^/(.*)$ https://%{DOMAIN}%{REQUEST_URI}
+{% elif slave_parameter.get('type', '') ==  'zope' -%}
   # First, we check if we have a zope backend server
   # If so, let's use Virtual Host Daemon rewrite
-  # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
-  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/https/{{ slave_parameter.get('domain', '') }}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
+  # We suppose that Apache listens to 80 (even indirectly thanks to things like iptables)
+  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http/{{ slave_parameter.get('domain', '') }}:80/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
 {% else -%}
   RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
 {% endif -%}
+  # If nothing exist : put a nice error
+#  ErrorDocument 404 /notfound.html
+# Dadiboom
+
 </VirtualHost>