libravatar: we need a separate ssl configuration for seccdn.libravatar.org

2019-02-18 14:13:22 +01:00 · 2019-02-18 14:13:22 +01:00 · e75f1366cc
commit e75f1366cc
parent 6dcac4d3f9
5 changed files with 42 additions and 25 deletions
--- a/inventory/group_vars/libravatar
+++ b/inventory/group_vars/libravatar
@ -2,4 +2,5 @@ resolvconf: "resolv.conf/cloud"
 git_branch: master
 server_name: www.libravatar.org
 server_alias: "*.libravatar.org"
 server_seccdn_name: seccdn.libravatar.org
 server_redirect_name: "libravatar.org libravatar.com www.libravatar.com"
--- a/inventory/group_vars/libravatar-stg
+++ b/inventory/group_vars/libravatar-stg
@ -2,4 +2,5 @@ resolvconf: "resolv.conf/cloud"
 git_branch: devel
 server_name: libravatar-stg.fedorainfracloud.org
 server_alias: libravatar-stg.fedorainfracloud.org
 server_seccdn_name: libravatar-stg.fedorainfracloud.org
 server_redirect_name: libravatar-stg.fedorainfracloud.org
--- a/roles/libravatar/tasks/main.yml
+++ b/roles/libravatar/tasks/main.yml
@ -112,6 +112,7 @@
  template: src="httpd/{{ item }}" dest="/etc/httpd/conf.d/{{ item }}"
  with_items:
  - "libravatar.conf"
  - "libravatar-app.include"
  notify:
  - reload httpd
  tags:
--- a/roles/libravatar/templates/httpd/libravatar-app.include
+++ b/roles/libravatar/templates/httpd/libravatar-app.include
@ -0,0 +1,29 @@
 WSGIPassAuthorization On
 WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=10000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
 WSGIScriptAlias / /mnt/data/wsgi.py
 ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"
 Alias /robots.txt /srv/libravatar/static/robots.txt
 Alias /favicon.ico /srv/libravatar/static/favicon.ico
 Alias /media/ /srv/libravatar/media/
 Alias /static/ /srv/libravatar/static/
 <Directory /srv/libravatar/static>
    Require all granted
 </Directory>
 <Directory /srv/libravatar/media>
    Require all granted
 </Directory>
 <Location />
    WSGIProcessGroup libravatar
    Require all granted
 </Location>
 <Directory /srv/libravatar>
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
 </Directory>
--- a/roles/libravatar/templates/httpd/libravatar.conf
+++ b/roles/libravatar/templates/httpd/libravatar.conf
@ -23,35 +23,20 @@ RewriteEngine on
    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
-    WSGIPassAuthorization On
+    Include /etc/httpd/conf.d/libravatar-app.include
-    WSGIDaemonProcess libravatar user=apache group=apache threads=25 display-name=libravatar maximum-requests=10000 graceful-timeout=20 python-home=/mnt/data/.virtualenv python-path=/srv/libravatar
+</VirtualHost>
    WSGIScriptAlias / /mnt/data/wsgi.py
-    ScriptAlias "/cgi-bin/" "/mnt/data/cgi-bin/"
+<VirtualHost *:443>
    ServerName {{ server_seccdn_name }}
-    Alias /robots.txt /srv/libravatar/static/robots.txt
+    SSLCertificateFile    /etc/letsencrypt/live/{{ server_seccdn_name }}/cert.pem
-    Alias /favicon.ico /srv/libravatar/static/favicon.ico
+    SSLCertificateKeyFile  /etc/letsencrypt/live/{{ server_seccdn_name }}/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/{{ server_seccdn_name }}/fullchain.pem
    Header always add Strict-Transport-Security "max-age=31536000; preload"
-    Alias /media/ /srv/libravatar/media/
+    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
    Alias /static/ /srv/libravatar/static/
-    <Directory /srv/libravatar/static>
+    Include /etc/httpd/conf.d/libravatar-app.include
        Require all granted
    </Directory>
    <Directory /srv/libravatar/media>
        Require all granted
    </Directory>
    <Location />
        WSGIProcessGroup libravatar
        Require all granted
    </Location>
    <Directory /srv/libravatar>
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
 </VirtualHost>
 <VirtualHost *:443>