Option to allow HTTPS for the proxy

If you want to use Javascript to include status.json within the context of a page served via HTTPS, browsers will basically insist that the status.json be served via HTTPS as well. This patch provides an option to add HTTPS for the Apache proxy vhost if desired. Change-Id: I9799f39bf170f660bcbc17719937e1e87b68ac4a
2015-02-12 20:25:41 +00:00 · 2015-02-12 20:25:41 +00:00 · 76163b2f7b
commit 76163b2f7b
parent 2fdb369f14
2 changed files with 118 additions and 6 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -48,6 +48,9 @@ class zuul (
  $swift_default_container = '',
  $swift_default_logserver_prefix = '',
  $swift_default_expiry = 7200,
+  $proxy_ssl_cert_file_contents = '',
+  $proxy_ssl_key_file_contents = '',
+  $proxy_ssl_chain_file_contents = '',
 ) {
  include apache
  include pip
@ -320,10 +323,58 @@ class zuul (
    source => 'puppet:///modules/zuul/zuul-merger.init',
  }

+  if $proxy_ssl_cert_file_contents == '' {
+    $ssl = false
+  } else {
+    $ssl = true
+    file { '/etc/ssl/certs':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755',
+    }
+    file { '/etc/ssl/private':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0700',
+    }
+    file { "/etc/ssl/certs/${vhost_name}.pem":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      content => $proxy_ssl_cert_file_contents,
+      require => File['/etc/ssl/certs'],
+      before  => Apache::Vhost[$vhost_name],
+    }
+    file { "/etc/ssl/private/${vhost_name}.key":
+      ensure  => present,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0600',
+      content => $proxy_ssl_key_file_contents,
+      require => File['/etc/ssl/private'],
+      before  => Apache::Vhost[$vhost_name],
+    }
+    if $proxy_ssl_chain_file_contents != '' {
+      file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0644',
+        content => $proxy_ssl_cert_file_contents,
+        require => File['/etc/ssl/certs'],
+        before  => Apache::Vhost[$vhost_name],
+      }
+    }
+  }
+
  apache::vhost { $vhost_name:
-    port     => 443,
+    port     => 443, # Is required despite not being used.
    docroot  => 'MEANINGLESS ARGUMENT',
    priority => '50',
+    ssl      => $ssl,
    template => 'zuul/zuul.vhost.erb',
  }
  if ! defined(A2mod['rewrite']) {
--- a/templates/zuul.vhost.erb
+++ b/templates/zuul.vhost.erb
@ -1,6 +1,6 @@
 <VirtualHost *:80>
-  ServerName <%= scope.lookupvar("::zuul::vhost_name") %>
-  ServerAdmin <%= scope.lookupvar("::zuul::serveradmin") %>
+  ServerName <%= @vhost_name %>
+  ServerAdmin <%= @serveradmin %>
  DocumentRoot /var/lib/zuul/www

  <Directory /var/lib/zuul/www>
@ -12,11 +12,11 @@
    Satisfy Any
  </Directory>

-  ErrorLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-error.log
+  ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log

  LogLevel warn

-  CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-access.log combined
+  CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined

  RewriteEngine on
  RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
@ -47,5 +47,66 @@
      CacheRoot /var/cache/apache2/mod_cache_disk
    </IfModule>
  </IfModule>
-
 </VirtualHost>
+
+<% if @proxy_ssl_cert_file_contents != '' %>
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+  ServerAdmin <%= @serveradmin %>
+  DocumentRoot /var/lib/zuul/www
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+<% if @proxy_ssl_chain_file_contents != '' %>
+  SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+<% end %>
+
+  <Directory /var/lib/zuul/www>
+    Allow from all
+    Satisfy Any
+  </Directory>
+  <Directory /usr/lib/git-core>
+    Allow from all
+    Satisfy Any
+  </Directory>
+
+  ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
+
+  LogLevel warn
+
+  CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
+
+  RewriteEngine on
+  RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
+
+  AddOutputFilterByType DEFLATE application/json
+
+  SetEnv GIT_PROJECT_ROOT /var/lib/zuul/git/
+  SetEnv GIT_HTTP_EXPORT_ALL
+
+  AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/zuul/git/$1
+  AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/zuul/git/$1
+  ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
+
+  <IfModule mod_cache.c>
+    CacheDefaultExpire 5
+    <IfModule mod_mem_cache.c>
+      CacheEnable mem /status.json
+      # 12MByte total cache size.
+      MCacheSize 12288
+      MCacheMaxObjectCount 10
+      MCacheMinObjectSize 1
+      # 8MByte max size per cache entry
+      MCacheMaxObjectSize 8388608
+      MCacheMaxStreamingBuffer 8388608
+    </IfModule>
+    <IfModule mod_cache_disk.c>
+      CacheEnable disk /status.json
+      CacheRoot /var/cache/apache2/mod_cache_disk
+    </IfModule>
+  </IfModule>
+</VirtualHost>
+</IfModule>
+<% end %>