From 76163b2f7b409b2d4548a79ca876a58f6f0f8f82 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Thu, 12 Feb 2015 20:25:41 +0000
Subject: [PATCH] Option to allow HTTPS for the proxy

If you want to use Javascript to include status.json within the context of a page served via HTTPS, browsers will basically insist that the status.json be served via HTTPS as well. This patch provides an option to add HTTPS for the Apache proxy vhost if desired.

Change-Id: I9799f39bf170f660bcbc17719937e1e87b68ac4a
---
 manifests/init.pp | 53 +++++++++++++++++++++++++++++-
 templates/zuul.vhost.erb | 71 +++++++++++++++++++++++++++++++++++++---
 2 files changed, 118 insertions(+), 6 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 00ea9a6..6ebaa12 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -48,6 +48,9 @@ class zuul (
 $swift_default_container = '',
 $swift_default_logserver_prefix = '',
 $swift_default_expiry = 7200,
+ $proxy_ssl_cert_file_contents = '',
+ $proxy_ssl_key_file_contents = '',
+ $proxy_ssl_chain_file_contents = '',
 ) {
 include apache
 include pip
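Review bot: The three new class parameters are added without any documentation, and the class header comment where the other parameters are described lies outside this hunk. Each should get an entry there stating what it holds and how it is used: that `proxy_ssl_cert_file_contents` and `proxy_ssl_key_file_contents` are the certificate and private key written to `/etc/ssl/certs/${vhost_name}.pem` and `/etc/ssl/private/${vhost_name}.key` for the proxy vhost, that giving a certificate switches the vhost to HTTPS, that `proxy_ssl_chain_file_contents` is optional, and that the key value is secret material and should be supplied from hiera or another protected source rather than written into a manifest. The enclosing `class zuul` parameter list starts and ends outside this hunk.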
@@ -320,10 +323,58 @@ class zuul (
 source => 'puppet:///modules/zuul/zuul-merger.init',
 }
+ if $proxy_ssl_cert_file_contents == '' {
+ $ssl = false
+ } else {
+ $ssl = true
+ file { '/etc/ssl/certs':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ }
+ file { "/etc/ssl/certs/${vhost_name}.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $proxy_ssl_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ file { "/etc/ssl/private/${vhost_name}.key":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $proxy_ssl_key_file_contents,
+ require => File['/etc/ssl/private'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ if $proxy_ssl_chain_file_contents != '' {
+ file { "/etc/ssl/certs/${vhost_name}_intermediate.pem":
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $proxy_ssl_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+ }
+
 apache::vhost { $vhost_name:
- port => 443,
+ port => 443, # Is required despite not being used.
 docroot => 'MEANINGLESS ARGUMENT',
 priority => '50',
+ ssl => $ssl,
 template => 'zuul/zuul.vhost.erb',
 }
 if ! defined(A2mod['rewrite']) {
diff --git a/templates/zuul.vhost.erb b/templates/zuul.vhost.erb
index fc36b4a..b011487 100644
--- a/templates/zuul.vhost.erb
+++ b/templates/zuul.vhost.erb
@@ -1,6 +1,6 @@
- ServerName <%= scope.lookupvar("::zuul::vhost_name") %>
- ServerAdmin <%= scope.lookupvar("::zuul::serveradmin") %>
+ ServerName <%= @vhost_name %>
+ ServerAdmin <%= @serveradmin %>
 DocumentRoot /var/lib/zuul/www
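Review bot: The intermediate chain file is written from the wrong variable: inside `if $proxy_ssl_chain_file_contents != ''` the `/etc/ssl/certs/${vhost_name}_intermediate.pem` resource has `content => $proxy_ssl_cert_file_contents,` where it must be `content => $proxy_ssl_chain_file_contents,`, so the "chain" file would contain a second copy of the leaf certificate and clients would be handed an incomplete chain. `$proxy_ssl_key_file_contents` is never checked, so a catalog that sets only the certificate writes an empty `.key` file and Apache fails to start; guarding the `$ssl = true` branch on both values, or calling `fail()` when one is missing, would report the misconfiguration at compile time instead. The key file resource should also carry `show_diff => false,` so that a change to the private key is not printed into agent logs and reports as a content diff. Managing `/etc/ssl/private` as `root:root` mode `0700` additionally overrides the distribution's ownership on platforms that give that directory a dedicated group (Debian's `ssl-cert`), which can lock other services out of their keys; ensuring the directory exists without forcing owner/group/mode avoids that. The enclosing `class zuul` starts and ends outside this hunk.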
@@ -12,11 +12,11 @@
 Satisfy Any
- ErrorLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-error.log
+ ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
 LogLevel warn
- CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("::zuul::vhost_name") %>-access.log combined
+ CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
 RewriteEngine on
 RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
@@ -47,5 +47,66 @@
 CacheRoot /var/cache/apache2/mod_cache_disk
-
+
+<% if @proxy_ssl_cert_file_contents != '' %>
+
+
+ ServerName <%= @vhost_name %>
+ ServerAdmin <%= @serveradmin %>
+ DocumentRoot /var/lib/zuul/www
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+<% if @proxy_ssl_chain_file_contents != '' %>
+ SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+<% end %>
+
+
+ Allow from all
+ Satisfy Any
+
+
+ Allow from all
+ Satisfy Any
+
+ ErrorLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/<%= @vhost_name %>-access.log combined
+
+ RewriteEngine on
+ RewriteRule ^/status.json$ http://127.0.0.1:8001/status.json [P]
+
+ AddOutputFilterByType DEFLATE application/json
+
+ SetEnv GIT_PROJECT_ROOT /var/lib/zuul/git/
+ SetEnv GIT_HTTP_EXPORT_ALL
+
+ AliasMatch ^/p/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /var/lib/zuul/git/$1
+ AliasMatch ^/p/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/lib/zuul/git/$1
+ ScriptAlias /p/ /usr/lib/git-core/git-http-backend/
+
+
+ CacheDefaultExpire 5
+
+ CacheEnable mem /status.json
+ # 12MByte total cache size.
+ MCacheSize 12288
+ MCacheMaxObjectCount 10
+ MCacheMinObjectSize 1
+ # 8MByte max size per cache entry
+ MCacheMaxObjectSize 8388608
+ MCacheMaxStreamingBuffer 8388608
+
+
+ CacheEnable disk /status.json
+ CacheRoot /var/cache/apache2/mod_cache_disk
+
+
+
+
+<% end %>
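Review bot: The new port-443 block in the second hunk repeats nearly every directive of the existing port-80 vhost (the Directory blocks, logging, the status.json rewrite, the git aliases and the cache sections), so every later change has to be made twice and the two copies will drift; moving the shared directives into a separate template rendered into both blocks, or iterating one vhost body over the enabled ports, keeps a single source of truth. The TLS settings only exclude SSLv2 and SSLv3 and leave cipher selection to the mod_ssl default; placing `SSLHonorCipherOrder on` and an explicit `SSLCipherSuite` next to `SSLProtocol All -SSLv2 -SSLv3` pins that choice in the module rather than in the platform defaults. `SSLCertificateChainFile` is obsolete from Apache 2.4.8 onward, where the intermediates are appended to the file given to `SSLCertificateFile`, which is worth noting in a comment at the `<% if @proxy_ssl_chain_file_contents != '' %>` guard depending on which Apache versions the module targets. The template also re-derives the enabled state from `@proxy_ssl_cert_file_contents != ''` while the manifest computes `$ssl` for the same purpose; testing `@ssl` here would keep the two in step.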