copr-fe: style cleanup for coprs.conf

- some documentation for things I think I know why we did them - drop duplicated statements - white-space lint - dev: drop enforced redirect to https, we don't do that in production so it is weird to do that on stage (and Let's Encrypt doesn't insist on that rule anyways as I initially thought)
2020-04-17 09:04:17 +02:00 · 2020-04-17 09:04:17 +02:00 · 2036e377df
commit 2036e377df
parent be297ae16e
1 changed files with 33 additions and 39 deletions
--- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf
@ -9,33 +9,38 @@ WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats
 WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20
 WSGIDaemonProcess repo user=copr-fe group=copr-fe threads=15 display-name=repo maximum-requests=8000 graceful-timeout=20
 WSGIDaemonProcess packages user=copr-fe group=copr-fe processes=1 threads=6 maximum-requests=100 display-name=packages graceful-timeout=20
-WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+
+WSGIApplicationGroup %{GLOBAL}

 <VirtualHost *:80>
-    ServerName copr.fedorainfracloud.org
-    ServerAlias copr-fe.cloud.fedoraproject.org
-    WSGIPassAuthorization On
+    ServerName {{ copr_frontend_public_hostname }}
+    ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org

+    # We don't strictly enforce https (only HSTS) for python-processed content.
+    # This is still useful at least for *.repo URLs.  But, that's why we still
+    # configure port 80 here.
+    WSGIPassAuthorization On
    <Location />
        WSGIProcessGroup 127.0.0.1
    </Location>
-
-    #ErrorLog logs/error_coprs
-    #CustomLog logs/access_coprs common
-
    <Directory /usr/share/copr>
-        WSGIApplicationGroup %{GLOBAL}
-    Require all granted
+        Require all granted
    </Directory>

 {% if letsencrypt is defined %}
+    # For ansible.git roles/copr/certbot role.  Needs to run on port 80.
    RewriteEngine on
    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
-    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
 {% endif %}
 </VirtualHost>

 <VirtualHost *:443>
+    ServerName {{ copr_frontend_public_hostname }}
+{% if not devel %}
+    ServerAlias copr.fedoraproject.org
+    Redirect 302 / https://copr.fedorainfracloud.org/
+{% endif %}
+
    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    # Use secure TLSv1.1 and TLSv1.2 ciphers
@ -43,25 +48,17 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    SSLHonorCipherOrder on
    Header always add Strict-Transport-Security "max-age=31536000; preload"

-    {% if not devel %}
-    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
+{% if not devel %}
+    SSLCertificateFile      /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
+    SSLCertificateKeyFile   /etc/pki/tls/private/copr.fedorainfracloud.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
-    {% else %}
-    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
-    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
+{% else %}
+    SSLCertificateFile      /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
+    SSLCertificateKeyFile   /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
-    {% endif %}
-
-    ServerName {{ copr_frontend_public_hostname }}
-
-    {% if not devel %}
-    ServerAlias copr.fedoraproject.org
-    Redirect 302 / https://copr.fedorainfracloud.org/
-    {% endif %}
+{% endif %}

    WSGIPassAuthorization On
-    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    WSGIProcessGroup 127.0.0.1

    <Location /api>
@ -87,11 +84,7 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
        </RequireAll>
    </LocationMatch>

-    #ErrorLog logs/error_coprs
-    #CustomLog logs/access_coprs common
-
    <Directory /usr/share/copr>
-        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>

@ -105,19 +98,20 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
 </VirtualHost>

 <IfModule mod_status.c>
-ExtendedStatus On
-
-<Location /server-status>
-    SetHandler server-status
-    Require all denied
-    Require host localhost .redhat.com
-</Location>
+    ExtendedStatus On
+    <Location /server-status>
+        SetHandler server-status
+        Require all denied
+        Require host localhost .redhat.com
+    </Location>
 </IfModule>

 <IfModule mpm_prefork_module>
    StartServers          8
    MinSpareServers       8
-    MaxSpareServers      20
-    MaxClients          50
+    MaxSpareServers       20
+    MaxClients            50
    MaxRequestsPerChild   10000
 </IfModule>
+
+# vim: ft=apache