Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

copr-fe: style cleanup for coprs.conf

Browse source 
- some documentation for things I think I know why we did them
- drop duplicated statements
- white-space lint
- dev: drop enforced redirect to https, we don't do that in production
  so it is weird to do that on stage (and Let's Encrypt doesn't insist
  on that rule anyways as I initially thought)
This commit is contained in:
Pavel Raiskup 2020-04-17 09:04:17 +02:00 committed by Pierre-Yves Chibon
parent be297ae16e
commit 2036e377df
1 changed files with 33 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

72
roles/copr/frontend-cloud/templates/httpd/coprs.conf
View file

@ -9,33 +9,38 @@ WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats
WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess repo user=copr-fe group=copr-fe threads=15 display-name=repo maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess repo user=copr-fe group=copr-fe threads=15 display-name=repo maximum-requests=8000 graceful-timeout=20
WSGIDaemonProcess packages user=copr-fe group=copr-fe processes=1 threads=6 maximum-requests=100 display-name=packages graceful-timeout=20 WSGIDaemonProcess packages user=copr-fe group=copr-fe processes=1 threads=6 maximum-requests=100 display-name=packages graceful-timeout=20
WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
WSGIApplicationGroup %{GLOBAL}
<VirtualHost *:80> <VirtualHost *:80>
ServerName copr.fedorainfracloud.org ServerName {{ copr_frontend_public_hostname }}
ServerAlias copr-fe.cloud.fedoraproject.org ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org
WSGIPassAuthorization On
# We don't strictly enforce https (only HSTS) for python-processed content.
# This is still useful at least for *.repo URLs. But, that's why we still
# configure port 80 here.
WSGIPassAuthorization On
<Location /> <Location />
WSGIProcessGroup 127.0.0.1 WSGIProcessGroup 127.0.0.1
</Location> </Location>
#ErrorLog logs/error_coprs
#CustomLog logs/access_coprs common
<Directory /usr/share/copr> <Directory /usr/share/copr>
WSGIApplicationGroup %{GLOBAL} Require all granted
Require all granted
</Directory> </Directory>
{% if letsencrypt is defined %} {% if letsencrypt is defined %}
# For ansible.git roles/copr/certbot role. Needs to run on port 80.
RewriteEngine on RewriteEngine on
RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L] RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
{% endif %} {% endif %}
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName {{ copr_frontend_public_hostname }}
{% if not devel %}
ServerAlias copr.fedoraproject.org
Redirect 302 / https://copr.fedorainfracloud.org/
{% endif %}
SSLEngine on SSLEngine on
SSLProtocol {{ ssl_protocols }} SSLProtocol {{ ssl_protocols }}
# Use secure TLSv1.1 and TLSv1.2 ciphers # Use secure TLSv1.1 and TLSv1.2 ciphers
@ -43,25 +48,17 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
SSLHonorCipherOrder on SSLHonorCipherOrder on
Header always add Strict-Transport-Security "max-age=31536000; preload" Header always add Strict-Transport-Security "max-age=31536000; preload"
{% if not devel %} {% if not devel %}
SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
{% else %} {% else %}
SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
{% endif %} {% endif %}
ServerName {{ copr_frontend_public_hostname }}
{% if not devel %}
ServerAlias copr.fedoraproject.org
Redirect 302 / https://copr.fedorainfracloud.org/
{% endif %}
WSGIPassAuthorization On WSGIPassAuthorization On
WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
WSGIProcessGroup 127.0.0.1 WSGIProcessGroup 127.0.0.1
<Location /api> <Location /api>
@ -87,11 +84,7 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
</RequireAll> </RequireAll>
</LocationMatch> </LocationMatch>
#ErrorLog logs/error_coprs
#CustomLog logs/access_coprs common
<Directory /usr/share/copr> <Directory /usr/share/copr>
WSGIApplicationGroup %{GLOBAL}
Require all granted Require all granted
</Directory> </Directory>
@ -105,19 +98,20 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
</VirtualHost> </VirtualHost>
<IfModule mod_status.c> <IfModule mod_status.c>
ExtendedStatus On ExtendedStatus On
<Location /server-status>
<Location /server-status> SetHandler server-status
SetHandler server-status Require all denied
Require all denied Require host localhost .redhat.com
Require host localhost .redhat.com </Location>
</Location>
</IfModule> </IfModule>
<IfModule mpm_prefork_module> <IfModule mpm_prefork_module>
StartServers 8 StartServers 8
MinSpareServers 8 MinSpareServers 8
MaxSpareServers 20 MaxSpareServers 20
MaxClients 50 MaxClients 50
MaxRequestsPerChild 10000 MaxRequestsPerChild 10000
</IfModule> </IfModule>
# vim: ft=apache