Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

copr-backend: unify dev/prod lighttpd configuration

Browse source 
By syncing the devel instance with production (not vice versa).  The
exception is that I've dropped the trailing white-spaces in production
config.
This commit is contained in:
Pavel Raiskup 2021-01-10 21:35:25 +01:00
parent 9ef275491c
commit c2f9f58813
8 changed files with 51 additions and 551 deletions
Download patch file Download diff file Expand all files Collapse all files

2
inventory/group_vars/copr_back
View file

@ -1,6 +1,4 @@
---
_lighttpd_conf_src: "lighttpd/lighttpd.conf"
copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
copr_nova_tenant_id: "5d99f099b7fe4b0387f0352f6301ba6a"
copr_nova_tenant_name: "copr"

2
inventory/group_vars/copr_back_aws
View file

@ -1,8 +1,6 @@
---
description: copr dispatcher and repo server
_lighttpd_conf_src: "lighttpd/lighttpd.conf"
copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
copr_nova_tenant_id: "5d99f099b7fe4b0387f0352f6301ba6a"
copr_nova_tenant_name: "copr"

2
inventory/group_vars/copr_back_dev
View file

@ -1,6 +1,4 @@
---
_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
copr_nova_tenant_name: "coprdev"

2
inventory/group_vars/copr_back_dev_aws
View file

@ -1,8 +1,6 @@
---
description: copr dispatcher and repo server - dev instance
_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
copr_nova_tenant_name: "coprdev"

2
inventory/group_vars/copr_back_stg
View file

@ -1,8 +1,6 @@
---
resolvconf: "resolv.conf/cloud"
_lighttpd_conf_src: "lighttpd/lighttpd_dev.conf"
copr_nova_auth_url: "https://fedorainfracloud.org:5000/v2.0"
copr_nova_tenant_id: "a6ff2158641c439a8426d7facab45437"
copr_nova_tenant_name: "coprdev"

2
roles/copr/backend/tasks/main.yml
View file

@ -108,7 +108,7 @@
- config
- name: add config for copr-repo path
template: src="{{ _lighttpd_conf_src }}" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
template: src="lighttpd/lighttpd.conf" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
notify:
- restart lighttpd
tags:

64
roles/copr/backend/templates/lighttpd/lighttpd.conf
View file

@ -19,16 +19,16 @@ var.state_dir = "/var/run"
var.home_dir = "/var/lib/lighttpd"
var.conf_dir = "/etc/lighttpd"
##
##
## run the server chrooted.
##
##
## This requires root permissions during startup.
##
## If you run Chrooted set the the variables to directories relative to
## the chroot dir.
##
## example chroot configuration:
##
##
#var.log_root = "/logs"
#var.server_root = "/"
#var.state_dir = "/run"
@ -82,7 +82,9 @@ server.modules = (
"mod_redirect",
"mod_rewrite",
"mod_indexfile",
"mod_cgi"
"mod_cgi"{% if devel %},
"mod_openssl"
{% endif %}
)
cgi.assign = ( ".pl" => "/usr/bin/perl",
@ -114,12 +116,12 @@ server.use-ipv6 = "disable"
##
## Run as a different username/groupname.
## This requires root permissions during startup.
## This requires root permissions during startup.
##
server.username = "lighttpd"
server.groupname = "lighttpd"
##
##
## enable core files.
##
#server.core-files = "disable"
@ -156,14 +158,14 @@ server.pid-file = state_dir + "/lighttpd.pid"
server.errorlog = log_root + "/error.log"
##
## If you want to log to syslog you have to unset the
## If you want to log to syslog you have to unset the
## server.errorlog setting and uncomment the next line.
##
#server.errorlog-use-syslog = "enable"
##
## Access log config
##
##
include "conf.d/access_log.conf"
##
@ -198,7 +200,7 @@ server.event-handler = "linux-sysepoll"
##
## The basic network interface for all platforms at the syscalls read()
## and write(). Every modern OS provides its own syscall to help network
## servers transfer files as fast as possible
## servers transfer files as fast as possible
##
## linux-sendfile - is recommended for small files.
## writev - is recommended for sending many large files
@ -243,7 +245,7 @@ server.max-connections = 1024
##
## How many seconds to keep a keep-alive connection open,
## until we consider it idle.
## until we consider it idle.
##
## Default: 5
##
@ -279,7 +281,7 @@ server.max-keep-alive-idle = 2
#server.max-write-idle = 360
##
## Traffic Shaping
## Traffic Shaping
## -----------------
##
## see /usr/share/doc/lighttpd/traffic-shaping.txt
@ -288,7 +290,7 @@ server.max-keep-alive-idle = 2
##
## Keep in mind that a limit below 32kB/s might actually limit the
## traffic to 32kB/s. This is caused by the size of the TCP send
## buffer.
## buffer.
##
## per server:
##
@ -376,7 +378,7 @@ include "conf.d/dirlisting.conf"
##
## Should lighttpd follow symlinks?
##
##
server.follow-symlink = "enable"
##
@ -396,7 +398,7 @@ server.upload-dirs = ( "/var/tmp" )
#######################################################################
##
## SSL Support
## -------------
## -------------
##
## To enable SSL for the whole server you have to provide a valid
## certificate and have to enable the SSL engine.::
@ -461,6 +463,8 @@ server.upload-dirs = ( "/var/tmp" )
##
#######################################################################
{% if not devel %}
# production still uses normal configuration
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/copr.fedorainfracloud.org.pem"
@ -470,6 +474,38 @@ $SERVER["socket"] == ":443" {
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
}
{% else %}
# devel runs on letsencrypt
# Used for letsencrypt validation
$HTTP["url"] =~ "^/.well-known/" {
dir-listing.activate = "enable"
}
# Enable HTTPS
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
{% for hostname, _ in letsencrypt.certificates.items() %}
ssl.ca-file = "/etc/letsencrypt/live/{{ hostname }}/chain.pem"
ssl.pemfile = "/etc/letsencrypt/live/{{ hostname }}/combined.pem"
{% endfor %}
ssl.honor-cipher-order = "enable"
# The following is OPTIONAL
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Force HTTPS
$SERVER["socket"] == ":80" {
url.redirect = (
"^/(.*)" => "https://copr-be-dev.cloud.fedoraproject.org/$1"
)
}
{% endif %}
url.redirect = ( "^/results/sgallagh/cockpit-preview/(.+)" => "/results/@cockpit/cockpit-preview/$1" )

526
roles/copr/backend/templates/lighttpd/lighttpd_dev.conf
View file

@ -1,526 +0,0 @@
#######################################################################
##
## /etc/lighttpd/lighttpd.conf
##
## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
##
#######################################################################
#######################################################################
##
## Some Variable definition which will make chrooting easier.
##
## if you add a variable here. Add the corresponding variable in the
## chroot example aswell.
##
var.log_root = "/var/log/lighttpd"
var.server_root = "/var/www"
var.state_dir = "/var/run"
var.home_dir = "/var/lib/lighttpd"
var.conf_dir = "/etc/lighttpd"
##
## run the server chrooted.
##
## This requires root permissions during startup.
##
## If you run Chrooted set the the variables to directories relative to
## the chroot dir.
##
## example chroot configuration:
##
#var.log_root = "/logs"
#var.server_root = "/"
#var.state_dir = "/run"
#var.home_dir = "/lib/lighttpd"
#var.vhosts_dir = "/vhosts"
#var.conf_dir = "/etc"
#
#server.chroot = "/srv/www"
##
## Some additional variables to make the configuration easier
##
##
## Base directory for all virtual hosts
##
## used in:
## conf.d/evhost.conf
## conf.d/simple_vhost.conf
## vhosts.d/vhosts.template
##
var.vhosts_dir = server_root + "/vhosts"
##
## Cache for mod_compress
##
## used in:
## conf.d/compress.conf
##
var.cache_dir = "/var/cache/lighttpd"
##
## Base directory for sockets.
##
## used in:
## conf.d/fastcgi.conf
## conf.d/scgi.conf
##
var.socket_dir = home_dir + "/sockets"
##
#######################################################################
#######################################################################
##
## Load the modules.
#include "modules.conf"
server.modules = (
"mod_access",
"mod_setenv",
"mod_redirect",
"mod_rewrite",
"mod_indexfile",
"mod_cgi",
"mod_openssl"
)
cgi.assign = ( ".pl" => "/usr/bin/perl",
".cgi" => "/usr/bin/perl",
".rb" => "/usr/bin/ruby",
".erb" => "/usr/bin/eruby",
".py" => "/usr/bin/python",
".php" => "/usr/bin/php-cgi" )
##
#######################################################################
#######################################################################
##
## Basic Configuration
## ---------------------
##
server.port = 80
##
## Use IPv6?
##
server.use-ipv6 = "disable"
##
## bind to a specific IP
##
#server.bind = "localhost"
##
## Run as a different username/groupname.
## This requires root permissions during startup.
##
server.username = "lighttpd"
server.groupname = "lighttpd"
##
## enable core files.
##
#server.core-files = "disable"
##
## Document root
##
server.document-root = "/var/lib/copr/public_html"
##
## The value for the "Server:" response field.
##
## It would be nice to keep it at "lighttpd".
##
#server.tag = "lighttpd"
##
## store a pid file
##
server.pid-file = state_dir + "/lighttpd.pid"
##
#######################################################################
#######################################################################
##
## Logging Options
## ------------------
##
## all logging options can be overwritten per vhost.
##
## Path to the error log file
##
server.errorlog = log_root + "/error.log"
##
## If you want to log to syslog you have to unset the
## server.errorlog setting and uncomment the next line.
##
#server.errorlog-use-syslog = "enable"
##
## Access log config
##
include "conf.d/access_log.conf"
##
## The debug options are moved into their own file.
## see conf.d/debug.conf for various options for request debugging.
##
include "conf.d/debug.conf"
##
#######################################################################
#######################################################################
##
## Tuning/Performance
## --------------------
##
## corresponding documentation:
## http://www.lighttpd.net/documentation/performance.html
##
## set the event-handler (read the performance section in the manual)
##
## possible options on linux are:
##
## select
## poll
## linux-sysepoll
##
## linux-sysepoll is recommended on kernel 2.6.
##
server.event-handler = "linux-sysepoll"
##
## The basic network interface for all platforms at the syscalls read()
## and write(). Every modern OS provides its own syscall to help network
## servers transfer files as fast as possible
##
## linux-sendfile - is recommended for small files.
## writev - is recommended for sending many large files
##
server.network-backend = "linux-sendfile"
##
## As lighttpd is a single-threaded server, its main resource limit is
## the number of file descriptors, which is set to 1024 by default (on
## most systems).
##
## If you are running a high-traffic site you might want to increase this
## limit by setting server.max-fds.
##
## Changing this setting requires root permissions on startup. see
## server.username/server.groupname.
##
## By default lighttpd would not change the operation system default.
## But setting it to 2048 is a better default for busy servers.
##
## With SELinux enabled, this is denied by default and needs to be allowed
## by running the following once : setsebool -P httpd_setrlimit on
#server.max-fds = 2048
##
## Stat() call caching.
##
## lighttpd can utilize FAM/Gamin to cache stat call.
##
## possible values are:
## disable, simple or fam.
##
server.stat-cache-engine = "simple"
##
## Fine tuning for the request handling
##
## max-connections == max-fds/2 (maybe /3)
## means the other file handles are used for fastcgi/files
##
server.max-connections = 1024
##
## How many seconds to keep a keep-alive connection open,
## until we consider it idle.
##
## Default: 5
##
#server.max-keep-alive-idle = 5
##
## How many keep-alive requests until closing the connection.
##
## Default: 16
##
#server.max-keep-alive-requests = 16
##
## Maximum size of a request in kilobytes.
## By default it is unlimited (0).
##
## Uploads to your server cant be larger than this value.
##
#server.max-request-size = 0
##
## Time to read from a socket before we consider it idle.
##
## Default: 60
##
#server.max-read-idle = 60
##
## Time to write to a socket before we consider it idle.
##
## Default: 360
##
#server.max-write-idle = 360
##
## Traffic Shaping
## -----------------
##
## see /usr/share/doc/lighttpd/traffic-shaping.txt
##
## Values are in kilobyte per second.
##
## Keep in mind that a limit below 32kB/s might actually limit the
## traffic to 32kB/s. This is caused by the size of the TCP send
## buffer.
##
## per server:
##
#server.kbytes-per-second = 128
##
## per connection:
##
#connection.kbytes-per-second = 32
##
#######################################################################
#######################################################################
##
## Filename/File handling
## ------------------------
##
## files to check for if .../ is requested
## index-file.names = ( "index.php", "index.rb", "index.html",
## "index.htm", "default.htm" )
##
index-file.names = (
"/dir-generator.php"
)
##
## deny access the file-extensions
##
## ~ is for backupfiles from vi, emacs, joe, ...
## .inc is often used for code includes which should in general not be part
## of the document-root
url.access-deny = ( "~", ".inc" )
##
## disable range requests for pdf files
## workaround for a bug in the Acrobat Reader plugin.
##
$HTTP["url"] =~ "\.pdf$" {
server.range-requests = "disable"
}
##
## url handling modules (rewrite, redirect)
##
#url.rewrite = ( "^/$" => "/server-status" )
#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
##
## both rewrite/redirect support back reference to regex conditional using %n
##
#$HTTP["host"] =~ "^www\.(.*)" {
# url.redirect = ( "^/(.*)" => "http://%1/$1" )
#}
##
## which extensions should not be handle via static-file transfer
##
## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
##
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
##
## error-handler for status 404
##
#server.error-handler-404 = "/error-handler.html"
#server.error-handler-404 = "/error-handler.php"
##
## Format: <errorfile-prefix><status-code>.html
## -> ..../status-404.html for 'File not found'
##
#server.errorfile-prefix = "/srv/www/htdocs/errors/status-"
##
## mimetype mapping
##
include "conf.d/mime.conf"
##
## directory listing configuration
##
include "conf.d/dirlisting.conf"
##
## Should lighttpd follow symlinks?
##
server.follow-symlink = "enable"
##
## force all filenames to be lowercase?
##
#server.force-lowercase-filenames = "disable"
##
## defaults to /var/tmp as we assume it is a local harddisk
##
server.upload-dirs = ( "/var/tmp" )
##
#######################################################################
#######################################################################
##
## SSL Support
## -------------
##
## To enable SSL for the whole server you have to provide a valid
## certificate and have to enable the SSL engine.::
##
## ssl.engine = "enable"
## ssl.pemfile = "/path/to/server.pem"
##
## The HTTPS protocol does not allow you to use name-based virtual
## hosting with SSL. If you want to run multiple SSL servers with
## one lighttpd instance you must use IP-based virtual hosting: ::
##
## $SERVER["socket"] == "10.0.0.1:443" {
## ssl.engine = "enable"
## ssl.pemfile = "/etc/ssl/private/www.example.com.pem"
## #
## # Mitigate BEAST attack:
## #
## # A stricter base cipher suite. For details see:
## # http://blog.ivanristic.com/2011/10/mitigating-the-beast-attack-on-tls.html
## #
## ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
## #
## # Make the server prefer the order of the server side cipher suite instead of the client suite.
## # This is necessary to mitigate the BEAST attack (unless you disable all non RC4 algorithms).
## # This option is enabled by default, but only used if ssl.cipher-list is set.
## #
## # ssl.honor-cipher-order = "enable"
## #
## # Mitigate CVE-2009-3555 by disabling client triggered renegotation
## # This is enabled by default.
## #
## # ssl.disable-client-renegotiation = "enable"
## #
## server.name = "www.example.com"
##
## server.document-root = "/srv/www/vhosts/example.com/www/"
## }
##
## If you have a .crt and a .key file, cat them together into a
## single PEM file:
## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
## > /etc/ssl/private/lighttpd.pem
##
#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
##
## optionally pass the CA certificate here.
##
##
#ssl.ca-file = ""
# Used for letsencrypt validation
$HTTP["url"] =~ "^/.well-known/" {
dir-listing.activate = "enable"
}
# Enable HTTPS
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
{% for hostname, _ in letsencrypt.certificates.items() %}
ssl.ca-file = "/etc/letsencrypt/live/{{ hostname }}/chain.pem"
ssl.pemfile = "/etc/letsencrypt/live/{{ hostname }}/combined.pem"
{% endfor %}
ssl.honor-cipher-order = "enable"
# The following is OPTIONAL
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
ssl.use-compression = "disable"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Force HTTPS
$SERVER["socket"] == ":80" {
url.redirect = (
"^/(.*)" => "https://copr-be-dev.cloud.fedoraproject.org/$1"
)
}
##
#######################################################################
#######################################################################
##
## custom includes like vhosts.
##
#include "conf.d/config.conf"
#include_shell "cat /etc/lighttpd/vhosts.d/*.conf"
##
#######################################################################
#$SERVER["socket"] == ":443" {
# ssl.engine = "enable"
# ssl.pemfile = "/etc/lighttpd/copr-be.fedoraproject.org.pem"
# ssl.ca-file = "/etc/lighttpd/DigiCertCA.crt"
# ssl.disable-client-renegotiation = "enable"
# ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
#}
$HTTP["url"] =~ "\.log\.gz$" {
setenv.add-response-header = ( "Content-Encoding" => "gzip")
mimetype.assign = ("" => "text/plain" )
}
# https://pagure.io/copr/copr/issue/762
$HTTP["url"] =~ "\.log$" {
setenv.add-response-header = ( "Cache-Control" => "no-store")
mimetype.assign = ("" => "text/plain; charset=utf-8" )
}
$HTTP["url"] =~ "/repomd.xml" {
setenv.add-response-header = ( "Cache-Control" => "no-cache")
}
url.redirect = (
"^/results/(.*)/(.*)/mageia-(.*)-i386(.*)" => "/results/$1/$2/mageia-$3-i586$4",
"^/(.*)/redirect-live.log$" => "/$1/builder-live.log.gz"
)
url.rewrite-if-not-file = ("^/(.*)/builder-live.log$" => "/$1/redirect-live.log")
accesslog.filename = "|/usr/sbin/cronolog /var/log/lighttpd/access.log"