
These changes are squashed together to simplify applying them to config management without zuul and ansible running one of these without the others. We essentially need them all in place at the same time to accurately reflect the post upgrade state. We stop blocking /p/ in gerrit's apache vhost. /p/ is used for dashboards. We add a few java options that new gerrit sets by default. We update the gerrit image in docker compose to 3.2. We update zuul to use basic auth instead of digest auth when talking to Gerrit. Change-Id: I6ea38313544ce1ecbc4cfd914b1f33e77d0d2d03
# Plain-HTTP listener. It serves no content of its own; every request is
# redirected to the HTTPS vhost of the same name.
<VirtualHost *:80>
  ServerName {{ gerrit_vhost_name }}
  ServerAdmin webmaster@openstack.org

  LogLevel warn
  ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
  CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined

  # Redirect with no status argument answers 302 (temporary), and the first
  # request of a session still travels in cleartext before the redirect.
  # NOTE(review): nothing in this template sets a Strict-Transport-Security
  # header, so browsers are never told to skip this hop -- confirm whether
  # that is handled elsewhere.
  Redirect / https://{{ gerrit_vhost_name }}/
</VirtualHost>
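# HTTPS front end for Gerrit. The whole section is skipped when mod_ssl is not
# loaded, which leaves only the port-80 redirect defined.
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName {{ gerrit_vhost_name }}
  ServerAdmin webmaster@openstack.org

  # Accept request paths containing an encoded slash (%2F) instead of
  # rejecting them with 404. Used together with "nocanon" on ProxyPass below.
  AllowEncodedSlashes On

  ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log

  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined

  SSLEngine on
  # NOTE(review): "All -SSLv2 -SSLv3" leaves TLSv1.0 and TLSv1.1 enabled
  # wherever the linked OpenSSL still offers them. If no client depends on
  # them, append "-TLSv1 -TLSv1.1".
  SSLProtocol All -SSLv2 -SSLv3
  # Note: this list should ensure ciphers that provide forward secrecy
  # NOTE(review): in OpenSSL cipher-string syntax "!" removes suites for good,
  # so "!AES256" also cancels the ECDH+AES256 and DH+AES256 entries earlier in
  # the list (and the AES-256 members of the AESGCM entries); only AES-128
  # suites should remain. Confirm that is the intent.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  SSLHonorCipherOrder on

  # The .key file is the server's private key; it should be readable only by
  # the account that starts Apache.
  # NOTE(review): SSLCertificateChainFile is obsolete as of Apache 2.4.8, where
  # SSLCertificateFile may carry the intermediates itself -- check which form
  # the deployed version expects.
  SSLCertificateFile      /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
  SSLCertificateKeyFile   /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer

  # Export the SSL_* environment variables to CGI-style handlers.
  # NOTE(review): every path except robots.txt and server-status is proxied,
  # so these two sections probably never match -- confirm before relying on them.
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  # Compatibility switches for old Internet Explorer releases.
  BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  RewriteEngine on

  # Reverse proxy only: ProxyRequests off keeps Apache from acting as a
  # forward proxy for arbitrary destinations.
  ProxyRequests off
  ProxyVia off
  ProxyPreserveHost on
  ProxyStatus On

  # Uncomment to show a temporary maintenance message
  #ProxyPassMatch ^/maintenance.html$ !
  #Alias /maintenance.html /home/gerrit2/review_site/static/maintenance.html
  #RewriteCond %{REQUEST_URI} !^/maintenance.html$
  #RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]

  # These two paths are answered by Apache itself and never reach Gerrit. The
  # exclusions must stay above the catch-all ProxyPass.
  # NOTE(review): this file holds no access rule for /server-status, so it is
  # only as restricted as the mod_status configuration elsewhere. With
  # ProxyStatus On it also reports proxy details; confirm it is limited to
  # local or admin addresses.
  ProxyPassMatch ^/robots.txt$ !
  ProxyPassMatch ^/server-status !
  # Comment out these two lines if the maintenance message above is in use
  # "nocanon" hands the raw, un-canonicalised URL path to the backend, so
  # Apache's usual path normalisation is not applied to proxied requests and
  # Gerrit has to validate paths itself. The backend is reached over plain
  # HTTP on loopback.
  ProxyPass / http://localhost:8081/ nocanon
  ProxyPassReverse / http://localhost:8081/

  Alias /robots.txt /home/gerrit2/review_site/static/robots.txt

  # Access below is expressed with the 2.4 "Require" directive alone. The
  # 2.2-style Order/Allow/Satisfy lines that accompanied it needed
  # mod_access_compat and granted nothing further.
  # NOTE(review): no Alias or ScriptAlias in this vhost maps a URL onto the
  # git or git-core directories, so those two grants look unused here. Files
  # served straight from the git directory would bypass Gerrit's own access
  # checks; confirm they are not needed and drop them.
  <Directory /home/gerrit2/review_site/git/>
    Require all granted
  </Directory>
  <Directory /usr/lib/git-core>
    Require all granted
  </Directory>
  # Holds robots.txt, which the Alias above serves.
  <Directory /home/gerrit2/review_site/static/>
    Require all granted
  </Directory>

</VirtualHost>
</IfModule>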