libravatar: update httpd config

2019-02-05 17:55:11 +01:00 · 2019-02-05 17:55:11 +01:00 · 37802e5189
commit 37802e5189
parent 0317c50c03
1 changed files with 26 additions and 6 deletions
--- a/roles/libravatar/templates/httpd/libravatar.conf
+++ b/roles/libravatar/templates/httpd/libravatar.conf
@ -1,16 +1,28 @@
 WSGISocketPrefix /var/run/wsgi
 RewriteEngine on

+<Directory "/var/www/html/.well-known/">
+    Require all granted
+</Directory>
+
 <VirtualHost *:80>
    ServerName {{ inventory_hostname }}
+    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
+    RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ inventory_hostname }}
+
+    SSLCertificateFile    /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+    Header always add Strict-Transport-Security "max-age=31536000; preload"

    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
-    <Directory "/var/www/html/.well-known/">
-        Require all granted
-    </Directory>

    WSGIPassAuthorization On
-    WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=8000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
+    WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=10000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
    WSGIScriptAlias / /mnt/data/wsgi.py

    ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"
@ -38,16 +50,24 @@ RewriteEngine on
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
+</VirtualHost>

+<VirtualHost *:443>
+    SSLCertificateFile    /etc/letsencrypt/live/{{ inventory_hostname }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
+
+    #ServerName {{ inventory_hostname }}
+    #RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
 </VirtualHost>

 <IfModule mod_status.c>
    ExtendedStatus On
-
    <Location /server-status>
        SetHandler server-status
        Require all denied
-        Require host localhost .redhat.com
+        Require host localhost
    </Location>
 </IfModule>