From 236c0fd355d14fa18c8917abfaae2b0e31091307 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin@scrye.com>
Date: Fri, 21 Oct 2016 20:47:46 +0000
Subject: [PATCH] Yet more https for jenkins

---
 roles/jenkins/master/files/jenkins.conf       |  1 +
 roles/jenkins/master/tasks/main.yml           | 12 +++++-
 .../master/templates/jenkins-httpd.conf.j2    | 40 +++++++++++++++++++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 roles/jenkins/master/templates/jenkins-httpd.conf.j2

diff --git a/roles/jenkins/master/files/jenkins.conf b/roles/jenkins/master/files/jenkins.conf
index 40e2f47d7e..c5706e8e17 100644
--- a/roles/jenkins/master/files/jenkins.conf
+++ b/roles/jenkins/master/files/jenkins.conf
@@ -66,6 +66,7 @@ JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true"
 # Set to -1 to disable
 #
 JENKINS_PORT="8080"
+JENKINS_LISTEN_ADDRESS="127.0.0.1"
 
 ## Type:        integer(0:65535)
 ## Default:     8009
diff --git a/roles/jenkins/master/tasks/main.yml b/roles/jenkins/master/tasks/main.yml
index 1dfaf372b2..e26956c1c3 100644
--- a/roles/jenkins/master/tasks/main.yml
+++ b/roles/jenkins/master/tasks/main.yml
@@ -125,4 +125,14 @@
   - jenkins
   - jenkins/master
   - config
-  
+
+- name: install jenkins httpd config
+  template: >
+    src="jenkins-httpd.conf.j2"
+    dest="/etc/httpd/conf.d/jenkins-httpd.conf"
+  notify:
+  - restart httpd
+  tags:
+  - jenkins
+  - jenkins/master
+  - config
diff --git a/roles/jenkins/master/templates/jenkins-httpd.conf.j2 b/roles/jenkins/master/templates/jenkins-httpd.conf.j2
new file mode 100644
index 0000000000..7f8f9b46a1
--- /dev/null
+++ b/roles/jenkins/master/templates/jenkins-httpd.conf.j2
@@ -0,0 +1,40 @@
+<VirtualHost *:80>
+  ServerName jenkins.fedorainfracloud.org
+  ServerAdmin webmaster@fedoraproject.org
+  TraceEnable Off
+
+  RewriteEngine on
+  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+  RewriteCond %{HTTPS} off
+  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName jenkins.fedorainfracloud.org
+  ServerAdmin webmaster@fedoraproject.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/pki/tls/certs/jenkins.fedorainfracloud.org.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/jenkins.fedorainfracloud.org.key
+  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert
+  SSLHonorCipherOrder On
+
+  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
+  # If you change the protocols or cipher suites, you should probably update
+  # modules/squid/files/squid.conf-el6 too, to keep it in sync.
+  SSLProtocol {{ ssl_protocols }}
+  SSLCipherSuite {{ ssl_ciphers }}
+
+  RequestHeader set X-Forwarded-Scheme https early
+  RequestHeader set X-Scheme https early
+  RequestHeader set X-Forwarded-Proto https early
+
+  Alias /robots.txt /srv/web/robots.txt.jenkins.fedorainfracloud.org
+
+  ProxyPass / http://localhost:8080/ nocanon
+  ProxyPassReverse / http://localhost:8080/
+  ProxyRequests     Off
+  AllowEncodedSlashes NoDecode
+
+</VirtualHost>