Clark Boylan 39d8d6ffb5 Update etherpad to 2.2.4
There are 2.2.0 and 2.2.1 tags but no built releases and they don't show
up in the changelog for 2.2.2 either. That's fine we can ignore them and
upgrade to latest (2.2.4) instead. The changelog for 2.2.4 can be found
here:

  https://github.com/ether/etherpad-lite/blob/v2.2.4/CHANGELOG.md

Notably this changes how plugins are loaded into the js shipped to the
browser. We should confirm that our plugins are working as expected as
part of this update.

On the config management side of things there are some small updates to
the Dockerfile to sync up with upstream changes to how etherpad is
built. We also update the settings json file to configure log type. Note
this change was only made to the normal settings file and not the docker
settings file upstream so we match that in this change as well.

Finally we also update our mod_rewrite rules in apache to prevent new
javascript loading locations from being redirected to /p/
inappropriately. Previously we were redirecting foo.min.js to
/p/foo.min.js which caused the server to return html instead of js which
led to syntax errors. This then resulted in js errors from the
ep_headings plugin. It appears this plugin is ancient and no longer
maintained and seems to rely on require() functionality that was removed
from etherpad in 2.2.2. We switch to the ep_headings2 plugin instead.
This will allow us to file bugs against maintained software should
problems persist.

Fungi tested ep_headings2 against our production db content and things
seem to work despite this issue existing [0]. We should upgrade
carefully but it seems like things will likely be functional.

We should also check if these redirect rules affect meetpad as well. But
this can likely be done after the upgrade.

[0] https://github.com/ether/ep_headings2/issues/4

Change-Id: I4a907b5170d3612f4525153a0a07c291d6481a92
2024-09-09 08:45:36 -07:00

107 lines, 4.0 KiB, Django/Jinja

<VirtualHost *:80>
    ServerName {{ etherpad_vhost_name }}
    ServerAdmin webmaster@openstack.org
    ErrorLog ${APACHE_LOG_DIR}/etherpad-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/etherpad-access.log combined
    Redirect / https://{{ etherpad_vhost_name }}/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName {{ etherpad_vhost_name }}
    ServerAdmin webmaster@openstack.org
    AllowEncodedSlashes On
    ErrorLog ${APACHE_LOG_DIR}/etherpad-ssl-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/etherpad-ssl-access.log combined
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # Note: this list should ensure ciphers that provide forward secrecy
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.cer
    SSLCertificateKeyFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/{{ etherpad_vhost_name }}.key
    SSLCertificateChainFile /etc/letsencrypt-certs/{{ etherpad_vhost_name }}/ca.cer
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    <IfModule mod_proxy.c>
        # The following redirects "nice" urls such as https://etherpad.example.org/padname
        # to https://etherpad.example.org/p/padname. It was problematic directly
        # supporting "nice" urls as etherpad hardcodes /p/ in many places.
        # Adapted from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
        RewriteEngine on
        # Do not rewrite the /server-status URL (though by default, this
        # is only accessible from localhost). Connect to it with:
        #   ssh -L 8443:localhost:443 $HOSTNAME
        #   https://localhost:8443/server-status
        RewriteRule ^/server-status$ /server-status [L]
        RewriteCond %{HTTP_HOST} !{{ etherpad_vhost_name }}
        RewriteRule ^.*$ https://{{ etherpad_vhost_name }} [L,R=301]
        # Serve robots.txt directly so that it does not affect
        # etherpad-lite installation.
        RewriteRule ^/robots.txt$ /var/etherpad/www/robots.txt [L]
        # Refuse external connections to the API through the proxy
        RewriteRule ^/api/ - [F,L]
        RewriteCond %{REQUEST_URI} !^/p/
        RewriteCond %{REQUEST_URI} !^/locales/
        RewriteCond %{REQUEST_URI} !^/locales.json
        RewriteCond %{REQUEST_URI} !^/admin
        RewriteCond %{REQUEST_URI} !^/static/
        RewriteCond %{REQUEST_URI} !^/pluginfw/
        RewriteCond %{REQUEST_URI} !^/javascripts/
        RewriteCond %{REQUEST_URI} !^/socket.io/
        RewriteCond %{REQUEST_URI} !^/ep/
        RewriteCond %{REQUEST_URI} !^/ep_etherpad-lite/
        RewriteCond %{REQUEST_URI} !^/minified/
        RewriteCond %{REQUEST_URI} !^/padbootstrap-.*\.min\.js$
        RewriteCond %{REQUEST_URI} !^/timeSliderBootstrap-.*\.min\.js$
        RewriteCond %{REQUEST_URI} !^/indexBootstrap-.*\.min\.js$
        RewriteCond %{REQUEST_URI} !^/api/
        RewriteCond %{REQUEST_URI} !^/ro/
        RewriteCond %{REQUEST_URI} !^/error/
        RewriteCond %{REQUEST_URI} !^/jserror
        RewriteCond %{REQUEST_URI} !/favicon.ico
        RewriteCond %{REQUEST_URI} !/robots.txt
        RewriteRule ^/+(.+)$ https://{{ etherpad_vhost_name }}/p/$1 [NC,L,R=301]
        <IfModule mod_proxy_wstunnel.c>
            RewriteCond %{REQUEST_URI} ^/socket.io [NC]
            RewriteCond %{QUERY_STRING} transport=websocket [NC]
            RewriteRule /(.*) ws://localhost:9001/$1 [P,L]
            ProxyPass /socket.io http://localhost:9001/socket.io retry=0
            ProxyPassReverse /socket.io http://localhost:9001/socket.io
        </IfModule>
        ProxyPass / http://localhost:9001/ retry=0
        ProxyPassReverse / http://localhost:9001/
    </IfModule>
    <Directory /var/etherpad/www/>
        Require all granted
    </Directory>
</VirtualHost>
</IfModule>
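
An offline regression check for the catch-all /p/ redirect in the template above, as an added example that is not part of this repository. It models the RewriteCond list in Python; the sample asset paths are constructed, and treating the three *Bootstrap-*.min.js conditions as the ones this commit added is an assumption drawn from the commit message.

```python
import re

# Negated RewriteCond patterns copied from the :443 vhost above, in order.
# Apache evaluates each as an unanchored regex search against REQUEST_URI.
EXCLUDE = [
    r"^/p/", r"^/locales/", r"^/locales.json", r"^/admin", r"^/static/",
    r"^/pluginfw/", r"^/javascripts/", r"^/socket.io/", r"^/ep/",
    r"^/ep_etherpad-lite/", r"^/minified/",
    r"^/padbootstrap-.*\.min\.js$",
    r"^/timeSliderBootstrap-.*\.min\.js$",
    r"^/indexBootstrap-.*\.min\.js$",
    r"^/api/", r"^/ro/", r"^/error/", r"^/jserror",
    r"/favicon.ico", r"/robots.txt",
]
# Assumption: the rule set before this commit lacked the *.min.js conditions.
BEFORE = [p for p in EXCLUDE if not p.endswith(r"\.min\.js$")]

# Earlier rules that end processing ([L] or [F,L]) before the catch-all.
EARLY = [r"^/server-status$", r"^/robots.txt$", r"^/api/"]
# [NC] applies to the RewriteRule pattern only, not to the conditions.
RULE = re.compile(r"^/+(.+)$", re.IGNORECASE)

def redirect_target(path, excludes=EXCLUDE):
    """Return the /p/ path the catch-all rule redirects to, or None.

    Assumes the Host header already matches the vhost name.
    """
    if any(re.search(p, path) for p in EARLY):
        return None
    if any(re.search(p, path) for p in excludes):
        return None
    m = RULE.match(path)
    return f"/p/{m.group(1)}" if m else None

def misrouted(paths, excludes=EXCLUDE):
    """Asset paths that would be sent to /p/ and come back as HTML."""
    return [p for p in paths if redirect_target(p, excludes)]

# Constructed sample request paths; the hash part is made up.
SAMPLE_ASSETS = [
    "/padbootstrap-abc123.min.js",
    "/timeSliderBootstrap-abc123.min.js",
    "/indexBootstrap-abc123.min.js",
    "/static/js/pad.js",
    "/socket.io/",
]

if __name__ == "__main__":
    print("before:", misrouted(SAMPLE_ASSETS, BEFORE))
    print("after: ", misrouted(SAMPLE_ASSETS, EXCLUDE))
```

Because `^/admin` and `^/jserror` have no trailing slash, any pad name that begins with those strings (for example `/adminnotes`) is not redirected to /p/ and reaches the backend at its original path.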