default-virtualhost.conf.in 6.76 KB
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{%- set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%}
{%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%}
{%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%}
{%- set server_alias_list =  slave_parameter.get('server-alias', '').split() -%}
{%- set enable_h2 = ('' ~ slave_parameter.get('enable-http2', 'true')).lower() in TRUE_VALUES -%}
{%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%}
{%- set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() -%}
{%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%}
{%- set slave_type = slave_parameter.get('type', '') -%}
{%- set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
                                 ('SSLCertificateKeyFile', 'path_to_ssl_key'),
                                 ('SSLCACertificateFile', 'path_to_ssl_ca_crt'),
                                 ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%}

<VirtualHost *:{{ https_port }}>
  ServerName {{ slave_parameter.get('custom_domain') }}
  ServerAlias {{ slave_parameter.get('custom_domain') }}

{%- for server_alias in server_alias_list %}
  ServerAlias {{ server_alias }}
{% endfor %}

  SSLEngine on
  SSLProxyEngine on
{% if ssl_proxy_verify -%}
{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{%   endif %}
  SSLProxyVerify require
  #SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
{% endif %}
  SSLProtocol all -SSLv2 -SSLv3
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
  SSLHonorCipherOrder on

{% if enable_h2 %}
  Protocols h2 http/1.1
{% endif -%}

{% for key, value in ssl_configuration_list -%}
{%   if value in slave_parameter -%}
{{ '  %s' % key }} {{ slave_parameter.get(value) }}
{% endif -%}
{% endfor -%}

  # One Slave two logs
  ErrorLog "{{ slave_parameter.get('error_log') }}"
  LogLevel notice
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  CustomLog "{{ slave_parameter.get('access_log') }}" combined

  # Rewrite part
  ProxyPreserveHost On
  ProxyTimeout 600
  RewriteEngine On

{% if disable_via_header %}
  Header unset Via
{% endif -%}

{% if disable_no_cache_header %}
  RequestHeader unset Cache-Control
  RequestHeader unset Pragma
{% endif -%}

{%- for disabled_cookie in disabled_cookie_list %}
{{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
{% endfor -%}

{%- if prefer_gzip %}
  RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}

{% if slave_type ==  'zope' -%}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  # First, we check if we have a zope backend server
  # If so, let's use Virtual Host Monster rewrite
  # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/VirtualHostBase/https//%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-https-port', '443') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% elif slave_type ==  'redirect' -%}
  RewriteRule  (.*)  {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L]
{% else -%}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/$1 [L,P]
{% endif -%}
</VirtualHost>

<VirtualHost *:{{ http_port }}>
  ServerName {{ slave_parameter.get('custom_domain') }}
  ServerAlias {{ slave_parameter.get('custom_domain') }}

{%-  for server_alias in server_alias_list %}
  ServerAlias {{ server_alias }}
{% endfor %}

  SSLProxyEngine on
{% if ssl_proxy_verify -%}
{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
  SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
{%   endif %}
  SSLProxyVerify require
  #SSLProxyCheckPeerCN on
  SSLProxyCheckPeerExpire on
{% endif %}
  # Rewrite part
  ProxyPreserveHost On
  ProxyTimeout 600

{% if disable_via_header %}
  Header unset Via
{% endif -%}
  RewriteEngine On

  # One Slave two logs
  ErrorLog "{{ slave_parameter.get('error_log') }}"
  LogLevel notice
  LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  CustomLog "{{ slave_parameter.get('access_log') }}" combined

{% if enable_h2 %}
  Protocols h2 http/1.1
{% endif -%}

{% if disable_no_cache_header %}
  RequestHeader unset Cache-Control
  RequestHeader unset Pragma
{% endif -%}

{%- for disabled_cookie in disabled_cookie_list %}
{{'  RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie)  }}
{% endfor -%}

{%- if prefer_gzip %}
  RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip"
{% endif %}

# Next line is forbidden and people who copy it will be hanged short
{% if https_only -%}
  # Not using HTTPS? Ask that guy over there.
  # Dummy redirection to https. Note: will work only if https listens
  # on standard port (443).
  RewriteCond     %{SERVER_PORT}  !^{{ https_port }}$
  RewriteRule     ^/(.*)          https://%{SERVER_NAME}/$1 [NC,R,L]
{% elif slave_type ==  'redirect' -%}
  RewriteRule     (.*)  {{slave_parameter.get('url', '')}}$1 [R,L]
{% elif slave_type ==  'zope' -%}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  # First, we check if we have a zope backend server
  # If so, let's use Virtual Host Daemon rewrite
  # We suppose that Apache listens to 80 (even indirectly thanks to things like iptables)
  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/VirtualHostBase/http//%{SERVER_NAME}:{{ slave_parameter.get('virtualhostroot-http-port', '80') }}/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P]
{% else -%}
  {% if 'default-path' in slave_parameter %}
  RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L]
  {% endif -%}
  RewriteRule ^/(.*)$ {{ slave_parameter.get('url', '') }}/$1 [L,P]
{% endif -%}
  # If nothing exist : put a nice error
#  ErrorDocument 404 /notfound.html
# Dadiboom

</VirtualHost>