puppet-refstack/templates/refstack_https.vhost.erb

<VirtualHost <%= @hostname %>:80>
  <% if !!@server_admin %>
    ServerAdmin <%= @server_admin %>
  <% end %>
    ServerName <%= @hostname %>

    DocumentRoot <%= @install_www_root %>

    Redirect / https://<%= @hostname %>/

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/refstack-error.log
    CustomLog ${APACHE_LOG_DIR}/refstack-access.log combined

</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost <%= @hostname %>:443>
  <% if !!@server_admin %>
    ServerAdmin <%= @server_admin %>
  <% end %>
    ServerName <%= @hostname %>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/refstack-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/refstack-ssl-access.log combined

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3

    SSLCertificateFile      <%= @ssl_cert %>
    SSLCertificateKeyFile   <%= @ssl_key %>
  <% if !!@resolved_ssl_ca %>
    SSLCertificateChainFile <%= @resolved_ssl_ca %>
  <% end %>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    DocumentRoot <%= @install_www_root %>

    WSGIDaemonProcess refstack user=<%= @user %> group=<%= @group %> threads=5
    WSGIScriptAlias /api /etc/refstack/app.wsgi
    WSGIPassAuthorization On

    <Directory "/etc/refstack">
      Require all granted
    </Directory>
  </VirtualHost>
</IfModule>