copr-fe: consolidate coprs.conf and coprs_ssl.conf.j2

I finally found a motivation to do this, after problems with reporting https://github.com/GrahamDumpleton/mod_wsgi/issues/542 I noticed that we had duplicate VirtualHost for 443 after d2ec98c7a2 so I dropped the duplication.
2020-04-17 08:01:50 +02:00 · 2020-04-17 08:01:50 +02:00 · be297ae16e
commit be297ae16e
parent 877774c7ee
3 changed files with 79 additions and 97 deletions
--- a/roles/copr/frontend-cloud/tasks/main.yml
+++ b/roles/copr/frontend-cloud/tasks/main.yml
@ -76,13 +76,6 @@
  tags:
  - config

- name: copy apache files to conf.d (templates)
-  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
-  with_items:
-  - "coprs.conf"
-  tags:
-  - config
-
 # This was state=yes for https://bugzilla.redhat.com/show_bug.cgi?id=1535689 for
 # some time, and since requests were fixed we want it the other way around
 # again.
@ -117,11 +110,20 @@
  tags:
  - config

- name: install copr-frontend ssl vhost
-  template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf"
+- name: copy apache files to conf.d (templates)
+  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
+  with_items:
+  - "coprs.conf"
+  notify:
+  - reload httpd
  tags:
  - config

+- name: drop old and now unused coprs_ssl.conf
+  file: path=/etc/httpd/conf.d/coprs_ssl.conf state=absent
+  notify:
+  - reload httpd
+
 - name: enable services
  service: state=started enabled=yes name={{ item }}
  with_items:
--- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf
@ -35,6 +35,74 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
 {% endif %}
 </VirtualHost>

+<VirtualHost *:443>
+    SSLEngine on
+    SSLProtocol {{ ssl_protocols }}
+    # Use secure TLSv1.1 and TLSv1.2 ciphers
+    SSLCipherSuite {{ ssl_ciphers }}
+    SSLHonorCipherOrder on
+    Header always add Strict-Transport-Security "max-age=31536000; preload"
+
+    {% if not devel %}
+    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
+    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
+    {% else %}
+    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
+    {% endif %}
+
+    ServerName {{ copr_frontend_public_hostname }}
+
+    {% if not devel %}
+    ServerAlias copr.fedoraproject.org
+    Redirect 302 / https://copr.fedorainfracloud.org/
+    {% endif %}
+
+    WSGIPassAuthorization On
+    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
+    WSGIProcessGroup 127.0.0.1
+
+    <Location /api>
+        WSGIProcessGroup api
+    </Location>
+    <Location /backend>
+        WSGIProcessGroup backend
+    </Location>
+    <Location /stats_rcv>
+        WSGIProcessGroup stats
+    </Location>
+    <Location /tmp>
+        WSGIProcessGroup tmp
+    </Location>
+    <LocationMatch "/repo/">
+        WSGIProcessGroup repo
+    </LocationMatch>
+    <LocationMatch "^/coprs/.*/packages/">
+        WSGIProcessGroup packages
+        <RequireAll>
+            Require all granted
+            Require not ip 192.47.255.254
+        </RequireAll>
+    </LocationMatch>
+
+    #ErrorLog logs/error_coprs
+    #CustomLog logs/access_coprs common
+
+    <Directory /usr/share/copr>
+        WSGIApplicationGroup %{GLOBAL}
+        Require all granted
+    </Directory>
+
+    RewriteEngine on
+    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
+    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
+
+    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
+    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
+    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
+</VirtualHost>

 <IfModule mod_status.c>
 ExtendedStatus On
@ -53,4 +121,3 @@ ExtendedStatus On
    MaxClients          50
    MaxRequestsPerChild   10000
 </IfModule>
-
--- a/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2
@ -1,87 +0,0 @@
-<VirtualHost *:443>
-    SSLEngine on
-    SSLProtocol {{ ssl_protocols }}
-    # Use secure TLSv1.1 and TLSv1.2 ciphers
-    SSLCipherSuite {{ ssl_ciphers }}
-    SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=31536000; preload"
-
-    {% if not devel %}
-    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
-    {% else %}
-    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
-    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
-    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
-    {% endif %}
-
-    ServerName {{ copr_frontend_public_hostname }}
-
-    WSGIPassAuthorization On
-    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
-    WSGIProcessGroup 127.0.0.1
-
-    <Location /api>
-        WSGIProcessGroup api
-    </Location>
-    <Location /backend>
-        WSGIProcessGroup backend
-    </Location>
-    <Location /stats_rcv>
-        WSGIProcessGroup stats
-    </Location>
-    <Location /tmp>
-        WSGIProcessGroup tmp
-    </Location>
-    <LocationMatch "/repo/">
-        WSGIProcessGroup repo
-    </LocationMatch>
-    <LocationMatch "^/coprs/.*/packages/">
-        WSGIProcessGroup packages
-        <RequireAll>
-            Require all granted
-            Require not ip 192.47.255.254
-        </RequireAll>
-    </LocationMatch>
-
-    #ErrorLog logs/error_coprs
-    #CustomLog logs/access_coprs common
-
-    <Directory /usr/share/copr>
-        WSGIApplicationGroup %{GLOBAL}
-        Require all granted
-    </Directory>
-
-    RewriteEngine on
-    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
-    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
-
-    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
-    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
-    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
-</VirtualHost>
-
-<VirtualHost *:443>
-    SSLEngine on
-    SSLProtocol {{ ssl_protocols }}
-    # Use secure TLSv1.1 and TLSv1.2 ciphers
-    SSLCipherSuite {{ ssl_ciphers }}
-    SSLHonorCipherOrder on
-    Header always add Strict-Transport-Security "max-age=31536000; preload"
-
-    {% if not devel %}
-    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
-    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
-    {% else %}
-    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
-    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
-    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
-    {% endif %}
-
-    {% if not devel %}
-    ServerAlias copr.fedoraproject.org
-    Redirect 302 / https://copr.fedorainfracloud.org/
-    {% endif %}
-</VirtualHost>