[mailman3] Add ssl configuration for apache

Signed-off-by: Michal Konecny <mkonecny@redhat.com>
2024-03-26 16:22:07 +01:00 · 2024-03-26 16:22:07 +01:00 · ed6e67512e
commit ed6e67512e
parent 35a2da98e7
2 changed files with 52 additions and 2 deletions
--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@ -373,8 +373,11 @@
 # Httpd
 - name: Import needed httpd configurations
  ansible.builtin.template:
-    src: "mailmanweb.conf.j2"
-    dest: "/etc/httpd/conf.d/mailmanweb.conf"
+    src: "{{item}}.j2"
+    dest: "/etc/httpd/conf.d/{{item}}"
+  with_items:
+    - mailmanweb.conf
+    - ssl-mailmanweb.conf
  notify:
    - reload apache
  tags:
--- a/roles/mailman3/templates/ssl-mailmanweb.conf.j2
+++ b/roles/mailman3/templates/ssl-mailmanweb.conf.j2
@ -0,0 +1,47 @@
+<VirtualHost *:443>
+  ServerAdmin admin@fedoraproject.org
+  ServerName {{ mailman_httpd_hostname }}
+  DocumentRoot /var/www/html
+
+  Header always set Strict-Transport-Security "max-age=31536000"
+  Header always set X-Frame-Options "SAMEORIGIN"
+  Header always set X-Xss-Protection "1; mode=block"
+  Header always set X-Content-Type-Options "nosniff"
+  Header always set Referrer-Policy "same-origin"
+  RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+
+  # Web ui
+  Alias /favicon.ico {{ mailman_webui_basedir }}/static/favicon.ico
+  Alias /robots.txt  {{ mailman_webui_basedir }}/static-fedora/robots.txt
+  Alias /static      {{ mailman_webui_basedir }}/static/
+
+  # Imported mailman2 archives/html files (aka pipermail)
+  Alias /pipermail   {{ mailman_webui_basedir }}/old-archives/pipermail
+
+  # Redirecting to hyperkitty if nothing is specified
+  RewriteEngine on
+  RewriteRule  ^/$    /hyperkitty [R,L]
+
+  ProxyPreserveHost On
+  ProxyRequests off
+
+  # Not redirecting/proxying static content (served locally)
+  ProxyPass /static !
+  ProxyPass /pipermail !
+
+  # Proxying to gunicorn mailmanweb backend
+  ProxyPass / http://127.0.0.1:8000/
+  ProxyPassReverse / http://127.0.0.1:8000/
+
+  <Directory "{{ mailman_webui_basedir }}/static">
+      Order deny,allow
+      Allow from all
+      Require all granted
+  </Directory>
+
+  <Directory "{{ mailman_webui_basedir }}/old-archives/pipermail">
+      Order deny,allow
+      Allow from all
+      Require all granted
+  </Directory>
+</VirtualHost>