From b98f37f7e8c5ab31b55054d1b7fe41c10719da31 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 12 Dec 2014 15:04:28 +0000
Subject: [PATCH] Starting a fedora-web/main role.
---
roles/fedora-web/main/files/deflate.conf | 29 ++++++++
roles/fedora-web/main/files/expires.conf | 17 +++++
roles/fedora-web/main/files/fedora-web.conf | 24 +++++++
roles/fedora-web/main/files/persona.conf | 5 ++
.../fedora-web/main/files/redirects.conf.prod | 35 +++++++++
.../fedora-web/main/files/redirects.conf.stg | 22 ++++++
roles/fedora-web/main/tasks/main.yml | 71 +++++++++++++++++++
.../templates/browserid.fedoraproject.org | 5 ++
roles/fedora-web/main/templates/sponsor.conf | 1 +
9 files changed, 209 insertions(+)
create mode 100644 roles/fedora-web/main/files/deflate.conf
create mode 100644 roles/fedora-web/main/files/expires.conf
create mode 100644 roles/fedora-web/main/files/fedora-web.conf
create mode 100644 roles/fedora-web/main/files/persona.conf
create mode 100644 roles/fedora-web/main/files/redirects.conf.prod
create mode 100644 roles/fedora-web/main/files/redirects.conf.stg
create mode 100644 roles/fedora-web/main/tasks/main.yml
create mode 100644 roles/fedora-web/main/templates/browserid.fedoraproject.org
create mode 100644 roles/fedora-web/main/templates/sponsor.conf
diff --git a/roles/fedora-web/main/files/deflate.conf b/roles/fedora-web/main/files/deflate.conf
new file mode 100644
index 0000000000..76c9733f79
--- /dev/null
+++ b/roles/fedora-web/main/files/deflate.conf
@@ -0,0 +1,29 @@
+LoadModule deflate_module modules/mod_deflate.so
+SetOutputFilter DEFLATE
+
+
+ # Insert filter
+ SetOutputFilter DEFLATE
+
+ # Netscape 4.x has some problems...
+ BrowserMatch ^Mozilla/4 gzip-only-text/html
+
+ # Netscape 4.06-4.08 have some more problems
+ BrowserMatch ^Mozilla/4\.0[678] no-gzip
+
+ # MSIE masquerades as Netscape, but it is fine
+ # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+
+ # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
+ # the above regex won't work. You can use the following
+ # workaround to get the desired effect:
+ BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
+
+ # Don't compress images
+ SetEnvIfNoCase Request_URI \
+ \.(?:gif|jpe?g|png)$ no-gzip dont-vary
+
+ # Make sure proxies don't deliver the wrong content
+ Header append Vary User-Agent env=!dont-vary
+
+
diff --git a/roles/fedora-web/main/files/expires.conf b/roles/fedora-web/main/files/expires.conf
new file mode 100644
index 0000000000..4c7262d95a
--- /dev/null
+++ b/roles/fedora-web/main/files/expires.conf
@@ -0,0 +1,17 @@
+ExpiresActive On
+ExpiresByType image/png "access plus 1 week"
+ExpiresByType image/gif "access plus 1 week"
+ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
+
+ ExpiresDefault "access plus 1 week"
+
+FileETag none
+#
+# We want this file to never cache, it's used to determine if a client is
+# behind a caching proxy of some kind.
+#
+
+ Header set Cache-Control "must-revalidate"
+ ExpiresActive On
+ ExpiresDefault "now"
+
diff --git a/roles/fedora-web/main/files/fedora-web.conf b/roles/fedora-web/main/files/fedora-web.conf
new file mode 100644
index 0000000000..e369744939
--- /dev/null
+++ b/roles/fedora-web/main/files/fedora-web.conf
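Review bot: `FileETag none` in expires.conf conflicts with `FileETag MTime Size` in fedora-web.conf from the same commit; both appear to sit at server level, so the effective setting depends on the order in which the conf.d fragments are loaded. Choose one value and record the intent in a comment next to it, for example `# ETags off: caching is driven by Expires/Cache-Control only`. In the "never cache" block, `Header set Cache-Control "must-revalidate"` only constrains a response once it is stale; `Header set Cache-Control "no-cache, must-revalidate"` would match what the comment above it describes. The container lines around these directives are not visible in this view, so their exact scope is inferred.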
@@ -0,0 +1,24 @@
+Alias /favicon.ico /srv/web/fedoraproject.org/static/images/favicon.ico
+DocumentRoot /srv/web/fedoraproject.org/
+
+ErrorDocument 404 /e/404
+
+FileETag MTime Size
+
+AddType image/svg+xml .svg
+AddType image/svg+xml .svgz
+AddEncoding gzip .svgz
+
+
+ mod_gzip_on No
+
+
+
+
+ SetEnvIfNoCase Origin "https?://.*\.fedora(project|people|hosted)\.org" ACAO=$0
+ Header set Access-Control-Allow-Origin %{ACAO}e env=ACAO
+
+
+
+ Options Indexes
+
diff --git a/roles/fedora-web/main/files/persona.conf b/roles/fedora-web/main/files/persona.conf
new file mode 100644
index 0000000000..febd293ef2
--- /dev/null
+++ b/roles/fedora-web/main/files/persona.conf
@@ -0,0 +1,5 @@
+Alias /.well-known/browserid /srv/web/browserid.fedoraproject.org
+
+
+ ForceType application/json
+
diff --git a/roles/fedora-web/main/files/redirects.conf.prod b/roles/fedora-web/main/files/redirects.conf.prod
new file mode 100644
index 0000000000..8fc9f96687
--- /dev/null
+++ b/roles/fedora-web/main/files/redirects.conf.prod
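Review bot: The `SetEnvIfNoCase Origin` pattern in fedora-web.conf is unanchored and accepts `http://` origins, so the reflected `Access-Control-Allow-Origin` covers more than the project's own HTTPS sites: any subdomain of fedorapeople.org or fedorahosted.org qualifies (presumably including user-published content), as does an origin loaded over plaintext HTTP. Anchoring the pattern and fixing the scheme tightens it, e.g. `SetEnvIfNoCase Origin "^https://[a-z0-9.-]+\.fedora(project|people|hosted)\.org$" ACAO=$0`, and adding `Header append Vary Origin` keeps shared caches from replaying one origin's header to another. The container that scopes these two lines is not visible here, so confirm it limits them to the static assets that need cross-origin access. `Options Indexes` at the end turns on directory listings for a directory that is likewise not visible; a comment stating why listings are wanted there would help.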
@@ -0,0 +1,35 @@
+RewriteEngine On
+
+# TODO: Are these still necessary?
+RewriteRule ^/CodecBuddy http://fedoraproject.org/wiki/CodecBuddy [NC]
+RewriteRule ^/soc.*$ http://fedoraproject.org/wiki/SummerOfCode [R=301,L]
+
+# Legal redirects
+RewriteRule ^/([^/]+/)?legal/licenses/export https://fedoraproject.org/wiki/Legal:Export [R=301,L]
+RewriteRule ^/([^/]+/)?legal/licenses https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement [R=301,L]
+RewriteRule ^/([^/]+/)?legal/trademarks http://fedoraproject.org/wiki/Legal:Trademark_guidelines [R=301,L]
+RewriteRule ^/([^/]+/)?legal https://fedoraproject.org/wiki/Legal:Main [R=301,L]
+
+# Drop distributed web referrer hits
+RewriteCond %{HTTP_REFERER} ^http://.*/feed/index\.php\?pid2=.*&sid2=.*&mb2=.*&partnerid2=.*&redir=.*&multi=.*&aff_id=.*$
+RewriteCond %{HTTP_REFERER} ^http://playdot.net/.*$
+RewriteRule .* - [F]
+
+# Drop connections from .ru site thats spawning thousands of connections at a time.
+RewriteCond %{REMOTE_ADDR} ^95\.24\.237\.122$
+RewriteRule .* - [F]
+
+# With f20 we dropped this options link
+RewriteRule ^(/.*)?/get-fedora-options.*$ $1/get-fedora [R=302]
+
+# Comment this when there is a prerelease available
+#RewriteRule ^(/.*)?/get-prerelease.*$ $1/get-fedora [R=302]
+#RewriteRule ^(/.*)?/get-spin-prerelease.*$ $1/get-fedora [R=302]
+
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^/([^/]+/)?(keys|verify)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
+RewriteCond %{HTTP_REFERER} .*fedorproject.*
+RewriteRule .* http://mmcgrath.fedorapeople.org/spam.html [R=301,L]
diff --git a/roles/fedora-web/main/files/redirects.conf.stg b/roles/fedora-web/main/files/redirects.conf.stg
new file mode 100644
index 0000000000..6910a053de
--- /dev/null
+++ b/roles/fedora-web/main/files/redirects.conf.stg
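Review bot: The two `RewriteCond %{HTTP_REFERER}` lines under "Drop distributed web referrer hits" are combined with AND, since consecutive conditions are ANDed unless the earlier one carries `[OR]`; as written the `[F]` fires only when the referrer matches both the `/feed/index\.php?...` pattern and `^http://playdot.net/`, which is probably narrower than intended. If either referrer should be refused, append `[OR]` to the first of the two conditions. The `keys|verify` upgrade rule builds its target from `%{HTTP_HOST}`, which is the client-supplied Host header; substituting a fixed canonical hostname avoids redirecting to whatever host the request named. The same rule appears in redirects.conf.stg. Three targets (`CodecBuddy`, `SummerOfCode`, `Legal:Trademark_guidelines`) still point at `http://` while the neighbouring rules use `https://`.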
@@ -0,0 +1,22 @@
+RewriteEngine On
+
+# TODO: Are these still necessary?
+RewriteRule ^/CodecBuddy http://fedoraproject.org/wiki/CodecBuddy [NC]
+RewriteRule ^/soc.*$ http://fedoraproject.org/wiki/SummerOfCode [R=301,L]
+
+# Legal redirects
+RewriteRule ^/([^/]+/)?legal/licenses/export https://fedoraproject.org/wiki/Legal:Export [R=301,L]
+RewriteRule ^/([^/]+/)?legal/licenses https://fedoraproject.org/wiki/Legal:Licenses/LicenseAgreement [R=301,L]
+RewriteRule ^/([^/]+/)?legal/trademarks http://fedoraproject.org/wiki/Legal:Trademark_guidelines [R=301,L]
+RewriteRule ^/([^/]+/)?legal https://fedoraproject.org/wiki/Legal:Main [R=301,L]
+
+# Comment this when there is a prerelease available
+#RewriteRule ^(/.*)?/get-prerelease$ $1/get-fedora [R=302]
+
+RewriteEngine On
+RewriteCond %{HTTPS} off
+RewriteRule ^/([^/]+/)?(keys|verify)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
+RewriteCond %{HTTP_REFERER} .*fedorproject.*
+RewriteRule .* http://mmcgrath.fedorapeople.org/spam.html [R=301,L]
diff --git a/roles/fedora-web/main/tasks/main.yml b/roles/fedora-web/main/tasks/main.yml
new file mode 100644
index 0000000000..1913940e82
--- /dev/null
+++ b/roles/fedora-web/main/tasks/main.yml
@@ -0,0 +1,71 @@
+
+# TODO -- still port this cronjob
+# cron { "sync-fedora-web":
+# # TODO: Make add some locking to this.
+# command => "/usr/bin/rsync --delete -a --no-owner --no-group bapp02::fedoraproject.org/ /srv/web/fedoraproject.org/",
+# user => "root",
+# minute => 25,
+# }
+
+- name: Copy some config files for {{website}}
+ copy: >
+ src={{item}} dest=/etc/httpd/conf.d/{{website}}/{{item}}
+ owner=root group=root mode=0644
+ with_items:
+ - fedora-web.conf
+ - languages.conf
+ - cache.conf
+ - persona.conf
+ - expires.conf
+ - deflate.conf
+ notify:
+ - restart httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+- name: And one template (for {{website}})
+ template: >
+ src={{item}} dest=/etc/httpd/conf.d/{{website}}/{{item}}
+ owner=root group=root mode=0644
+ with_items:
+ - sponsors.conf
+ notify:
+ - restart httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+- name: And, copy over a template for browserid
+ template: >
+ src=browserid.fedoraproject.org dest=/srv/web/browserid.fedoraproject.org
+ owner=root group=root mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+# TODO -- turn these into redirects in playbooks/groups/proxies-redirect.yml
+- name: Copy over some miscellaneous redirects (for stg)
+ copy: >
+ src=redirects.conf.stg dest=/etc/httpd/conf.d/{{website}}/redirects.conf
+ owner=root group=root mode=0644
+ when: env == "staging"
+ notify:
+ - restart httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
+
+# TODO -- turn these into redirects in playbooks/groups/proxies-redirect.yml
+- name: Copy over some miscellaneous redirects (for prod)
+ copy: >
+ src=redirects.conf.prod dest=/etc/httpd/conf.d/{{website}}/redirects.conf
+ owner=root group=root mode=0644
+ when: env != "staging"
+ notify:
+ - restart httpd
+ tags:
+ - fedora-web
+ - fedora-web/main
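Review bot: The file lists in these tasks do not match what the commit adds: the first `copy` task iterates over `languages.conf` and `cache.conf`, neither of which is among the nine created files, and the `template` task asks for `sponsors.conf` while the template added is `templates/sponsor.conf`. Unless those sources exist elsewhere in the repository, the play stops on a missing source; add the files or align the names, e.g. `- sponsor.conf`. No task visible here creates `/etc/httpd/conf.d/{{website}}/`, so a preceding `file: path=/etc/httpd/conf.d/{{website}} state=directory owner=root group=root mode=0755` task would make the role self-contained. Because every task notifies `restart httpd`, a malformed fragment takes the web server down on the next run; running `apachectl configtest` before the restart handler would catch that first.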
diff --git a/roles/fedora-web/main/templates/browserid.fedoraproject.org b/roles/fedora-web/main/templates/browserid.fedoraproject.org
new file mode 100644
index 0000000000..9620c5adf3
--- /dev/null
+++ b/roles/fedora-web/main/templates/browserid.fedoraproject.org
@@ -0,0 +1,5 @@
+ {% if env == "staging" %}
+ "authority": "id.stg.fedoraproject.org"
+ {% else %}
+ "authority": "id.fedoraproject.org"
+ {% end %}
diff --git a/roles/fedora-web/main/templates/sponsor.conf b/roles/fedora-web/main/templates/sponsor.conf
new file mode 100644
index 0000000000..c5d13842ae
--- /dev/null
+++ b/roles/fedora-web/main/templates/sponsor.conf
@@ -0,0 +1 @@
+Alias /static/js/sponsor.js /srv/web/<%= website %>/static/js/sponsors/<%= sponsor %>.js
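Review bot: `{% end %}` on the last line of the browserid template is not a Jinja2 tag, so the template task will fail to render; the block has to close with `{% endif %}`. The five added lines also render to a bare `"authority": "..."` pair with no enclosing braces, while persona.conf serves this path with `ForceType application/json`; wrapping the output in `{` and `}` would make it a valid JSON document. Since this file tells clients which identity provider speaks for the domain, a `{# ... #}` comment at the top naming the staging and production authorities would make later changes easier to review.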
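Review bot: The sponsor.conf template still uses ERB placeholders (`<%= website %>`, `<%= sponsor %>`), which Ansible's Jinja2 renderer leaves untouched, so the resulting `Alias` would point at a path containing the raw tags. Convert the line to `Alias /static/js/sponsor.js /srv/web/{{ website }}/static/js/sponsors/{{ sponsor }}.js`. The `sponsor` variable is not defined anywhere in this patch, and tasks/main.yml refers to `sponsors.conf` rather than this file's name, so both should be checked before the role is applied.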