diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml
new file mode 100644
index 0000000000..75e134ff4a
--- /dev/null
+++ b/roles/httpd/reverseproxy/tasks/main.yml
@@ -0,0 +1,19 @@
+# Expected vars
+# - website...
+# - localpath..
+# - remotepath..
+# - proxyurl
+# - rewrite
+
+- name: Copy in ProxyPassReverse for {{website}}/{{remotepath}}
+ template: >
+ src=reversepassproxy.conf
+ dest=/etc/httpd/conf.d/{{website}}/{{destname}}.conf
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - httpd
+ - httpd/reversepassproxy
diff --git a/roles/httpd/reverseproxy/templates/logs.conf b/roles/httpd/reverseproxy/templates/logs.conf
new file mode 100644
index 0000000000..f4b06d9711
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/logs.conf
@@ -0,0 +1,2 @@
+CustomLog "logs/{{ name }}-access.log" combined
+ErrorLog "logs/{{ name }}-error.log"
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
new file mode 100644
index 0000000000..ab4e3e588f
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@@ -0,0 +1,7 @@
+{% if rewrite %}
+RewriteEngine On
+RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
+{% endif %}
+
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
diff --git a/roles/httpd/reverseproxy/templates/robots.conf b/roles/httpd/reverseproxy/templates/robots.conf
new file mode 100644
index 0000000000..040f48d397
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/robots.conf
@@ -0,0 +1 @@
+Alias /robots.txt /srv/web/robots.txt.{{ name }}
diff --git a/roles/httpd/reverseproxy/templates/website.conf b/roles/httpd/reverseproxy/templates/website.conf
new file mode 100644
index 0000000000..f70b434834
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/website.conf
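Review bot: In roles/httpd/reverseproxy/tasks/main.yml the "Expected vars" comment omits `destname`, although the `dest=` path is built from it and vars/main.yml in this commit defaults it to `reversepassproxy`. Applying the role twice for the same `website` without overriding it would render both proxies to the same file, so the second silently replaces the first. I would add `# - destname (unique per website; names the generated .conf)` to the list. The task also assumes `/etc/httpd/conf.d/{{website}}/` already exists; nothing in this hunk creates it, so that is presumably handled by another role.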
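Review bot: In roles/httpd/reverseproxy/templates/reversepassproxy.conf the trailing-slash redirect matches on `remotepath`, but the path a client actually requests is `localpath`; the rule only behaves as intended while the two are equal, as they are with the defaults in vars/main.yml. `remotepath` is also placed into the regex unescaped, so a `.` or `+` in it is read as a metacharacter. I would write `RewriteRule ^{{ localpath }}$ %{REQUEST_URI}/ [R=301,L]` and note in the role's variable list that the value must be regex-safe. Separately, `ProxyPass` concatenates `proxyurl` and `remotepath`, so `localpath` and the resulting target should agree on whether they end in `/`, as the Apache documentation asks; a mismatch changes which backend paths are reachable through the proxy.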
@@ -0,0 +1,51 @@
+
+ ServerName {{ name }}
+{% if server_aliases %}
+ ServerAlias {{ server_aliases | join(" ") }}
+{% endif %}
+ ServerAdmin {{ server_admin }}
+ TraceEnable Off
+
+{% if gzip %}
+ SetOutputFilter DEFLATE
+{% endif %}
+
+{% if sslonly %}
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+{% else %}
+ Include "conf.d/{{ name }}/*.conf"
+{% endif %}
+
+
+{% if ssl %}
+
+ ServerName {{ name }}
+{% if server_aliases %}
+ ServerAlias {{ server_aliases | join(" ") }}
+{% endif %}
+ ServerAdmin {{ server_admin }}
+
+{% if gzip %}
+ SetOutputFilter DEFLATE
+{% endif %}
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
+ SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
+{% if SSLCertificateChainFile %}
+ SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
+{% endif %}
+ SSLHonorCipherOrder On
+
+ # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
+ # If you change the protocols or cipher suites, you should probably update
+ # modules/squid/files/squid.conf-el6 too, to keep it in sync.
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+ Include "conf.d/{{ name }}/*.conf"
+
+{% endif %}
+
diff --git a/roles/httpd/reverseproxy/vars/main.yml b/roles/httpd/reverseproxy/vars/main.yml
new file mode 100644
index 0000000000..17df0b4878
--- /dev/null
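Review bot: `TraceEnable Off` appears only in the first (plain HTTP) server block of website.conf; the block under `{% if ssl %}` does not repeat it, so unless it is set globally TRACE stays enabled on the HTTPS side, and I would add `TraceEnable Off` after that block's `ServerAdmin` line. `SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2` still offers TLS 1.0 and 1.1, which RFC 8996 deprecates; `SSLProtocol -All +TLSv1.2` is the narrower setting if client compatibility allows, and the comment above it says squid.conf-el6 has to change with it. The `sslonly` redirect builds its target from the client-supplied `%{HTTP_HOST}`; `RewriteRule (.*) https://{{ name }}%{REQUEST_URI} [R=301,NE,L]` would pin the host and make the redirect permanent, at the cost of sending alias hosts to the canonical name. The `<VirtualHost>` tags are not visible on this page, so the block boundaries here are inferred from the template conditionals.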
+++ b/roles/httpd/reverseproxy/vars/main.yml
@@ -0,0 +1,4 @@
+remotepath: /
+localpath: /
+rewrite: false
+destname: reversepassproxy
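Review bot: These four values are fallbacks, but in `vars/main.yml` they take precedence over inventory and group variables, so a host or group that sets `remotepath` or `destname` is silently ignored and only role parameters override them. Moving the file to `roles/httpd/reverseproxy/defaults/main.yml` keeps the same fallbacks at the lowest precedence. `website` and `proxyurl` get no value here even though the task and template use them, so a comment such as `# website and proxyurl are required and have no default` would help callers.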