From 57427cf6fddd5d66439f9c3f63349b64fa70e81e Mon Sep 17 00:00:00 2001 From: Rafael Monnerat <rafael@nexedi.com> Date: Thu, 17 Nov 2016 18:11:36 +0100 Subject: [PATCH] apache-frontend: Small clean up on template for default virtual host --- software/apache-frontend/common.cfg | 2 +- .../templates/default-virtualhost.conf.in | 67 ++++++++----------- 2 files changed, 29 insertions(+), 40 deletions(-) diff --git a/software/apache-frontend/common.cfg b/software/apache-frontend/common.cfg index 64f59a89a..9e45f8753 100644 --- a/software/apache-frontend/common.cfg +++ b/software/apache-frontend/common.cfg @@ -121,7 +121,7 @@ mode = 640 [template-default-slave-virtualhost] recipe = slapos.recipe.build:download url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in -md5sum = 8975fd41fae2dcac92e18df3c6375f9a +md5sum = e5ed71c5e22ab91e33a71bd09879e23c mode = 640 [template-cached-slave-virtualhost] diff --git a/software/apache-frontend/templates/default-virtualhost.conf.in b/software/apache-frontend/templates/default-virtualhost.conf.in index cdbf00a29..e0a7dd10b 100644 --- a/software/apache-frontend/templates/default-virtualhost.conf.in +++ b/software/apache-frontend/templates/default-virtualhost.conf.in 
@@ -1,22 +1,27 @@ -{% set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} -{% set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%} -{% set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%} +{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%} +{%- set disable_no_cache_header = ('' ~ slave_parameter.get('disable-no-cache-request', '')).lower() in TRUE_VALUES -%} +{%- set disable_via_header = ('' ~ slave_parameter.get('disable-via-header', '')).lower() in TRUE_VALUES -%} {%- set prefer_gzip = ('' ~ slave_parameter.get('prefer-gzip-encoding-to-backend', '')).lower() in TRUE_VALUES -%} - +{%- set server_alias_list = slave_parameter.get('server-alias', '').split() -%} +{%- set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} +{%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() -%} +{%- set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%} +{%- set slave_type = slave_parameter.get('type', '') -%} +{%- set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'), + ('SSLCertificateKeyFile', 'path_to_ssl_key'), + ('SSLCACertificateFile', 'path_to_ssl_ca_crt'), + ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%} + <VirtualHost *:{{ https_port }}> ServerName {{ slave_parameter.get('custom_domain') }} ServerAlias {{ slave_parameter.get('custom_domain') }} -{%- if 'server-alias' in slave_parameter -%} - {% set server_alias_list = slave_parameter.get('server-alias', '').split() %} - {%- for server_alias in server_alias_list %} +{%- for server_alias in server_alias_list %} ServerAlias {{ server_alias }} - {% endfor %} -{%- endif %} +{% endfor %} SSLEngine on SSLProxyEngine on -{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} {% if ssl_proxy_verify -%} {% if 'ssl_proxy_ca_crt' in 
slave_parameter -%} SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} @@ -29,18 +34,12 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on -{% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'), - ('SSLCertificateKeyFile', 'path_to_ssl_key'), - ('SSLCACertificateFile', 'path_to_ssl_ca_crt'), - ('SSLCertificateChainFile', 'path_to_ssl_ca_crt')] -%} - {% for key, value in ssl_configuration_list -%} {% if value in slave_parameter -%} {{ ' %s' % key }} {{ slave_parameter.get(value) }} {% endif -%} {% endfor -%} - # One Slave two logs ErrorLog "{{ slave_parameter.get('error_log') }}" LogLevel info @@ -50,28 +49,26 @@ # Rewrite part ProxyPreserveHost On ProxyTimeout 600 + RewriteEngine On + {% if disable_via_header %} Header unset Via {% endif -%} - RewriteEngine On {% if disable_no_cache_header %} RequestHeader unset Cache-Control RequestHeader unset Pragma {% endif -%} -{% if 'disabled-cookie-list' in slave_parameter -%} - {% set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %} - {%- for disabled_cookie in disabled_cookie_list %} +{%- for disabled_cookie in disabled_cookie_list %} {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }} - {% endfor -%} -{% endif %} +{% endfor -%} {%- if prefer_gzip %} RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip" {% endif %} -{% if slave_parameter.get('type', '') == 'zope' -%} +{% if slave_type == 'zope' -%} {% if 'default-path' in slave_parameter %} RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L] {% endif -%} 
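Review bot: The guard under the hoisted `ssl_proxy_verify` tests one key and renders another: `{% if 'ssl_proxy_ca_crt' in slave_parameter -%}` is followed by `slave_parameter.get('path_to_ssl_proxy_ca_crt', '')`. A slave that carries the first key but not the second would get an `SSLProxyCACertificateFile` line with an empty path. The `ssl_configuration_list` loop in this file checks the key it prints (`{% if value in slave_parameter -%}`). Doing the same here, `{% if 'path_to_ssl_proxy_ca_crt' in slave_parameter -%}`, would be consistent, provided the recipe really sets that key, which this diff does not show. The same two lines appear in the second virtual host (hunk at -93,15), and the `if` block continues past the end of this hunk.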
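Review bot: In the hunk at -50,28, the loop `{%- for disabled_cookie in disabled_cookie_list %}` feeds each name unescaped into the double-quoted regular expression of `RequestHeader edit Cookie`. Because the list comes from `.split()`, whitespace cannot get through, but a `"` or a regex metacharacter in a name would still reach the directive. That could either yield a line Apache rejects at reload or a pattern that matches more cookies than intended. If slave parameters are supplied by instance requesters (not shown in this diff), the names should be restricted to plain cookie-name token characters before they reach the template. The constraint should also be stated next to the loop, for example `{# disabled_cookie is inserted unescaped into a quoted regex; only plain cookie-name tokens are safe here #}`. The same loop is repeated in the hunk at -132,28.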
@@ -79,8 +76,8 @@ # If so, let's use Virtual Host Monster rewrite # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables) RewriteRule ^/(.*)$ {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }}/VirtualHostBase/https//%{SERVER_NAME}:443/{{ slave_parameter.get('path', '') }}/VirtualHostRoot/$1 [L,P] -{% elif slave_parameter.get('type', '') == 'redirect' -%} - RewriteRule (.*) {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L] +{% elif slave_type == 'redirect' -%} + RewriteRule (.*) {{ slave_parameter.get('https-url', slave_parameter.get('url', ''))}}$1 [R,L] {% else -%} {% if 'default-path' in slave_parameter %} RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L] @@ -93,15 +90,11 @@ ServerName {{ slave_parameter.get('custom_domain') }} ServerAlias {{ slave_parameter.get('custom_domain') }} -{%- if 'server-alias' in slave_parameter %} - {% set server_alias_list = slave_parameter.get('server-alias', '').split() %} - {%- for server_alias in server_alias_list %} +{%- for server_alias in server_alias_list %} ServerAlias {{ server_alias }} - {% endfor -%} -{% endif %} +{% endfor -%} SSLProxyEngine on -{% set ssl_proxy_verify = ('' ~ slave_parameter.get('ssl-proxy-verify', '')).lower() in TRUE_VALUES -%} {% if ssl_proxy_verify -%} {% if 'ssl_proxy_ca_crt' in slave_parameter -%} SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }} 
@@ -132,28 +125,24 @@ RequestHeader unset Pragma {% endif -%} -{% if 'disabled-cookie-list' in slave_parameter -%} - {% set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %} - {%- for disabled_cookie in disabled_cookie_list %} +{%- for disabled_cookie in disabled_cookie_list %} {{' RequestHeader edit Cookie "(^%(disabled_cookie)s=[^;]*; |; %(disabled_cookie)s=[^;]*|^%(disabled_cookie)s=[^;]*$)" ""' % dict(disabled_cookie=disabled_cookie) }} - {% endfor -%} -{% endif %} +{% endfor -%} {%- if prefer_gzip %} RequestHeader edit Accept-Encoding "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" "gzip" {% endif %} # Next line is forbidden and people who copy it will be hanged short -{% set https_only = ('' ~ slave_parameter.get('https-only', '')).lower() in TRUE_VALUES -%} {% if https_only -%} # Not using HTTPS? Ask that guy over there. # Dummy redirection to https. Note: will work only if https listens # on standard port (443). RewriteCond %{SERVER_PORT} !^{{ https_port }}$ RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [NC,R,L] -{% elif slave_parameter.get('type', '') == 'redirect' -%} +{% elif slave_type == 'redirect' -%} RewriteRule (.*) {{slave_parameter.get('url', '')}}$1 [R,L] -{% elif slave_parameter.get('type', '') == 'zope' -%} +{% elif slave_type == 'zope' -%} {% if 'default-path' in slave_parameter %} RewriteRule ^/?$ {{ slave_parameter.get('default-path') }} [R=301,L] {% endif -%} -- 2.30.9
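Review bot: The `https_only` branch redirects with `[NC,R,L]`, and a bare `R` is a temporary 302, so a client sends its next request over plain HTTP again before being redirected. The `default-path` rules in this template already use `R=301`. Using `RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [NC,R=301,L]` would let clients cache the upgrade, at the cost of making a later switch-off of `https-only` slower to take effect. Whether the HTTPS virtual host sends a Strict-Transport-Security header is not visible in this diff; if it does not, that is the stronger control to add there. The comment `# Next line is forbidden and people who copy it will be hanged short` now sits directly above `{% if https_only -%}` and no longer says what it refers to, so it should be replaced with one line describing the redirect. The `if`/`elif` chain continues outside this hunk.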