copr-fe: consolidate coprs.conf and coprs_ssl.conf.j2

I finally found a motivation to do this, after problems with reporting https://github.com/GrahamDumpleton/mod_wsgi/issues/542 I noticed that we had duplicate VirtualHost for 443 after d2ec98c7a2 so I dropped the duplication.
2020-04-17 08:01:50 +02:00 · 2020-04-17 08:01:50 +02:00 · be297ae16e
commit be297ae16e
parent 877774c7ee
3 changed files with 79 additions and 97 deletions
--- a/roles/copr/frontend-cloud/tasks/main.yml
+++ b/roles/copr/frontend-cloud/tasks/main.yml
@ -76,13 +76,6 @@
  tags:
  - config
 - name: copy apache files to conf.d (templates)
  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
  with_items:
  - "coprs.conf"
  tags:
  - config
 # This was state=yes for https://bugzilla.redhat.com/show_bug.cgi?id=1535689 for
 # some time, and since requests were fixed we want it the other way around
 # again.
@ -117,11 +110,20 @@
  tags:
  - config
- name: install copr-frontend ssl vhost
+- name: copy apache files to conf.d (templates)
-  template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/coprs_ssl.conf"
+  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
  with_items:
  - "coprs.conf"
  notify:
  - reload httpd
  tags:
  - config
 - name: drop old and now unused coprs_ssl.conf
  file: path=/etc/httpd/conf.d/coprs_ssl.conf state=absent
  notify:
  - reload httpd
 - name: enable services
  service: state=started enabled=yes name={{ item }}
  with_items:
--- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf
@ -35,6 +35,74 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
 {% endif %}
 </VirtualHost>
 <VirtualHost *:443>
    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
    Header always add Strict-Transport-Security "max-age=31536000; preload"
    {% if not devel %}
    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
    {% else %}
    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
    {% endif %}
    ServerName {{ copr_frontend_public_hostname }}
    {% if not devel %}
    ServerAlias copr.fedoraproject.org
    Redirect 302 / https://copr.fedorainfracloud.org/
    {% endif %}
    WSGIPassAuthorization On
    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    WSGIProcessGroup 127.0.0.1
    <Location /api>
        WSGIProcessGroup api
    </Location>
    <Location /backend>
        WSGIProcessGroup backend
    </Location>
    <Location /stats_rcv>
        WSGIProcessGroup stats
    </Location>
    <Location /tmp>
        WSGIProcessGroup tmp
    </Location>
    <LocationMatch "/repo/">
        WSGIProcessGroup repo
    </LocationMatch>
    <LocationMatch "^/coprs/.*/packages/">
        WSGIProcessGroup packages
        <RequireAll>
            Require all granted
            Require not ip 192.47.255.254
        </RequireAll>
    </LocationMatch>
    #ErrorLog logs/error_coprs
    #CustomLog logs/access_coprs common
    <Directory /usr/share/copr>
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
 </VirtualHost>
 <IfModule mod_status.c>
 ExtendedStatus On
@ -53,4 +121,3 @@ ExtendedStatus On
    MaxClients          50
    MaxRequestsPerChild   10000
 </IfModule>
--- a/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs_ssl.conf.j2
@ -1,87 +0,0 @@
 <VirtualHost *:443>
    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
    Header always add Strict-Transport-Security "max-age=31536000; preload"
    {% if not devel %}
    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
    {% else %}
    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
    {% endif %}
    ServerName {{ copr_frontend_public_hostname }}
    WSGIPassAuthorization On
    WSGIScriptAlias / /usr/share/copr/coprs_frontend/application
    WSGIProcessGroup 127.0.0.1
    <Location /api>
        WSGIProcessGroup api
    </Location>
    <Location /backend>
        WSGIProcessGroup backend
    </Location>
    <Location /stats_rcv>
        WSGIProcessGroup stats
    </Location>
    <Location /tmp>
        WSGIProcessGroup tmp
    </Location>
    <LocationMatch "/repo/">
        WSGIProcessGroup repo
    </LocationMatch>
    <LocationMatch "^/coprs/.*/packages/">
        WSGIProcessGroup packages
        <RequireAll>
            Require all granted
            Require not ip 192.47.255.254
        </RequireAll>
    </LocationMatch>
    #ErrorLog logs/error_coprs
    #CustomLog logs/access_coprs common
    <Directory /usr/share/copr>
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteRule ^/coprs/sgallagh/cockpit-preview/repo/(.*)/.*\.repo$ /coprs/g/cockpit/cockpit-preview/repo/$1/ [R=301]
    RewriteRule ^/coprs/sgallagh/cockpit-preview/(.*)$ /coprs/g/cockpit/cockpit-preview/$1 [R=301]
    # https://bugzilla.redhat.com/show_bug.cgi?id=1582294 - yum copr enable does not work
    RewriteRule ^/coprs/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/$1/$2/repo/epel-$3/$5 [PT]
    RewriteRule ^/coprs/g/([^/]*)/([^/]*)/repo/epel-(.*)-(.*)/(.*)$ /coprs/g/$1/$2/repo/epel-$3/$5 [PT]
 </VirtualHost>
 <VirtualHost *:443>
    SSLEngine on
    SSLProtocol {{ ssl_protocols }}
    # Use secure TLSv1.1 and TLSv1.2 ciphers
    SSLCipherSuite {{ ssl_ciphers }}
    SSLHonorCipherOrder on
    Header always add Strict-Transport-Security "max-age=31536000; preload"
    {% if not devel %}
    SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key
    SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt
    {% else %}
    SSLCertificateFile    /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem
    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem
    {% endif %}
    {% if not devel %}
    ServerAlias copr.fedoraproject.org
    Redirect 302 / https://copr.fedorainfracloud.org/
    {% endif %}
 </VirtualHost>