Posted to commits@airavata.apache.org by ma...@apache.org on 2020/01/29 20:13:12 UTC
[airavata] branch master updated: Ansible: exclude /dreg/gbrowser
from HTTPS
This is an automated email from the ASF dual-hosted git repository.
machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata.git
The following commit(s) were added to refs/heads/master by this push:
new 594f7b7 Ansible: exclude /dreg/gbrowser from HTTPS
594f7b7 is described below
commit 594f7b7c7d77fa7f80bc9dcc6ea5b7e814e4ac19
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Wed Jan 29 15:12:32 2020 -0500
Ansible: exclude /dreg/gbrowser from HTTPS
---
.../host_vars/dreg/files/django-ssl-vhost.conf.j2 | 88 ++++++++++++++++++++++
.../scigap/production/host_vars/dreg/vars.yml | 1 +
2 files changed, 89 insertions(+)
diff --git a/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/files/django-ssl-vhost.conf.j2 b/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/files/django-ssl-vhost.conf.j2
new file mode 100644
index 0000000..8c7333d
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/files/django-ssl-vhost.conf.j2
@@ -0,0 +1,88 @@
+{#
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#}
+
+{% if vhost_server_redirect is defined %}
+<VirtualHost *:{{httpd_default_http_port}}>
+ ServerName {{ vhost_server_redirect }}
+ Redirect "/" "https://{{ vhost_servername }}"
+</VirtualHost>
+{% endif %}
+
+<VirtualHost *:{{ httpd_default_http_port }}>
+ ServerName {{ vhost_servername }}
+
+ ## Redirect all http traffic to https
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ # Don't redirect /gbrowser and /gbfile requests to HTTPS
+ RewriteCond %{THE_REQUEST} !\s/dreg/(gbrowser|gbfile)
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:{{ httpd_default_https_port }}>
+ ServerName {{ vhost_servername }}
+
+ Alias /robots.txt {{ doc_root_dir }}/static/robots.txt
+ Alias /favicon.ico {{ doc_root_dir }}/static/favicon.ico
+
+ Alias /static/ {{ doc_root_dir }}/static/
+
+ <Directory {{ doc_root_dir }}/static>
+ Require all granted
+ AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+ </Directory>
+
+ Alias /media/ {{ airavata_django_checkout }}/django_airavata/media/
+
+ <Directory {{ airavata_django_checkout }}/django_airavata/media>
+ Require all granted
+ </Directory>
+
+ {# Additional aliases #}
+ {% for alias in vhost_aliases %}
+ Alias "{{ alias.url }}" "{{ alias.path }}"
+ <Directory "{{ alias.path }}">
+ Require all granted
+ </Directory>
+ {% endfor %}
+
+ WSGIDaemonProcess {{ vhost_servername }} display-name=%{GROUP} python-home={{ doc_root_dir }}/venv python-path={{ doc_root_dir }}/airavata-django-portal processes={{ django_wsgi_processes }} user={{ user }} group={{ group }}
+ WSGIProcessGroup {{ vhost_servername }}
+
+ WSGIScriptAlias / {{ doc_root_dir }}/airavata-django-portal/django_airavata/wsgi.py
+
+ <Directory {{ doc_root_dir }}/airavata-django-portal/django_airavata>
+ <Files wsgi.py>
+ Require all granted
+ </Files>
+ </Directory>
+
+ ErrorLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.error.log
+ CustomLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.requests.log combined
+
+ SSLEngine on
+ # Disable SSLv3 which is vulnerable to the POODLE attack
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCertificateFile {{ ssl_certificate_file }}
+ SSLCertificateChainFile {{ ssl_certificate_chain_file }}
+ SSLCertificateKeyFile {{ ssl_certificate_key_file }}
+</VirtualHost>
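Review bot: The exemption `RewriteCond %{THE_REQUEST} !\s/dreg/(gbrowser|gbfile)` in the port-80 vhost is a prefix match with no terminator, so any path that merely begins with `/dreg/gbrowser` or `/dreg/gbfile` also stays on plain HTTP; closing the group with a delimiter, e.g. `RewriteCond %{THE_REQUEST} !\s/dreg/(gbrowser|gbfile)[/?\s]`, keeps it to those two endpoints. Requests left on HTTP will carry any portal cookie that is not marked Secure, so it is worth confirming that the Django settings `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` are enabled for this gateway. The port-80 vhost also defines no WSGI or alias handler in this hunk, so unless one is configured elsewhere the exempted requests may have nothing to serve them. Separately, `SSLProtocol All -SSLv2 -SSLv3` still accepts TLS 1.0 and 1.1; on Apache 2.4 `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` would restrict the HTTPS vhost to TLS 1.2 and later, and the POODLE comment above it should be widened to say so.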
diff --git a/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/vars.yml b/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/vars.yml
index 2c017b5..23d6f0f 100644
--- a/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/production/host_vars/dreg/vars.yml
@@ -36,6 +36,7 @@ vhost_ssl: True
ssl_certificate_file: "/etc/letsencrypt/live/django.dreg.scigap.org/cert.pem"
ssl_certificate_chain_file: "/etc/letsencrypt/live/django.dreg.scigap.org/fullchain.pem"
ssl_certificate_key_file: "/etc/letsencrypt/live/django.dreg.scigap.org/privkey.pem"
+django_ssl_vhost_template: "{{ inventory_dir }}/host_vars/dreg/files/django-ssl-vhost.conf.j2"
## Keycloak related variables
tenant_domain: "cornelldna"