{# This file configures apache as a TLS-terminating reverse proxy: requests arriving on given ports are forwarded to specific backend URLs.
 # TLS is always enabled on the server side; client certificate authentication is optional.
 #
 # All parameters are given through the `parameter_dict` variable, see the
 # list entries :
 #
 #     parameter_dict = {
 #       #  The path given to "PidFile"
 #       "pid-file": "<file_path>",
 #
 #       #  The number given to "TimeOut"
 #       "timeout": 300,
 #
 #       #  The path given to "SSLCertificateFile"
 #       "cert": "<file_path>",
 #
 #       #  The path given to "SSLCertificateKeyFile"
 #       "key": "<file_path>",
 #
 #       #  The value given to "SSLCipherSuite" (can be empty)
 #       "cipher": "",
 #
 #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
 #       "ssl-session-cache": "<folder_path>",
 #
 #       #  The path given to "SSLCACertificateFile" (can be empty)
 #       #  If this value (or "ca-cert-dir") is not empty, client certificates
 #       #  are accepted server-wide ("SSLVerifyClient optional") and required on
 #       #  every backend whose `enable_authentication` is true
 #       #  ("SSLVerifyClient require").  The CN of a verified certificate is
 #       #  passed to the backend in the Remote-User header.
 #       "ca-cert": "<file_path>",
 #
 #       #  The path given to "SSLCARevocationFile" (used when a CA, "ca-cert"
 #       #  or "ca-cert-dir", is configured); enables "SSLCARevocationCheck chain"
 #       "crl": "<file_path>",
 #
 #       #  The path given to "SSLCACertificatePath" (can be empty).  Same
 #       #  effect as "ca-cert", but only consulted when "ca-cert" is empty; the
 #       #  directory must be in OpenSSL hashed layout.
 #       "ca-cert-dir": "<directory_path>",
 #
 #       #  The path given to "SSLCARevocationPath" (used when a CA is
 #       #  configured and "crl" is empty)
 #       "crl-dir": "<directory_path>",
 #
 #       #  The path given to "ErrorLog"
 #       "error-log": "<file_path>",
 #
 #       #  The path given to "CustomLog" (combined format)
 #       "access-log": "<file_path>",
 #
 #       #  Directory where the separate logs of backends with
 #       #  `enable_authentication` are written (apache-service-*.log);
 #       #  required as soon as one backend enables authentication
 #       "log-dir": "<directory_path>",
 #
 #       #  The list of IP addresses apache listens on; every port of
 #       #  `backend-list` is bound on each of them.
 #       "ip-list": [
 #         "0.0.0.0",
 #         "[::1]",
 #       ],
 #
 #       #  The list of backends which apache should redirect to.
 #       "backend-list": [
 #         # (port, unused, internal_scheme, enable_authentication)
 #         (8000, _, "http://10.0.0.10:8001", True),
 #         (8002, _, "http://10.0.0.10:8003", False),
 #       ],
 #
 #       # The mapping of zope paths this apache should redirect to.
 #       # This is a Zope specific feature.
 #       # `enable_authentication` has same meaning as for `backend-list`.
 #       "zope-virtualhost-monster-backend-dict": {
 #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) }
 #          ('[::1]', 8004): (
 #            True, {
 #              'zope-1': 'http://10.0.0.10:8001',
 #              'zope-2': 'http://10.0.0.10:8002',
 #            },
 #          ),
 #        },
 #     }
 #
 #  This sample of `parameter_dict` makes apache listen on:
 #  From `backend-list`:
 #   - 0.0.0.0:8000 redirecting internally to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internally to http://10.0.0.10:8001
 #  only accepting requests from clients that present a client certificate signed by the CA in `ca-cert`
 #  (and not revoked by `crl`, when one is given).
 #   - 0.0.0.0:8002 redirecting internally to http://10.0.0.10:8003
 #   - [::1]:8002 redirecting internally to http://10.0.0.10:8003
 #  accepting requests from any client.
 #
 # From `zope-virtualhost-monster-backend-dict`:
 #   - [::1]:8004 with path-based rewrite rules redirecting to:
 #     * http://10.0.0.10:8001 when the path matches /zope-1(.*)
 #     * http://10.0.0.10:8002 when the path matches /zope-2(.*)
 #   with VirtualHostMonster rewrite rules so Zope writes URLs with
 #  https://[::1]:8004/zope-N as the base.
 #  For more details, refer to
 #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
# Modules for this reverse proxy.  Every request is handled by a RewriteRule
# with the [P] flag, i.e. TLS listener -> mod_rewrite -> mod_proxy_http ->
# backend; nothing is meant to be served from disk.
LoadModule unixd_module modules/mod_unixd.so
# mod_access_compat provides the legacy "Allow from" syntax used in <Directory />.
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# shmcb is the socache provider named by SSLSessionCache below.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
# mod_mime is needed for TypesConfig / AddType.
LoadModule mime_module modules/mod_mime.so
# NOTE(review): no Dav, MultiViews, <IfVersion> or SetEnvIf/BrowserMatch
# directive appears anywhere in this file, so mod_dav, mod_dav_fs,
# mod_negotiation, mod_version and mod_setenvif look unused here.  Dropping
# them would reduce the proxy's attack surface -- confirm nothing else is
# appended to the generated configuration first.
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule negotiation_module modules/mod_negotiation.so
# mod_rewrite does the proxying ([P]); mod_headers strips/sets identity headers.
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so
# Response compression; in httpd 2.4 AddOutputFilterByType (used below) is
# implemented by mod_filter, so both modules are required.
LoadModule deflate_module modules/mod_deflate.so
LoadModule filter_module modules/mod_filter.so

# Compress text-like responses from the backends before they leave the proxy.
# NOTE(review): compressing dynamic text/html and JSON over TLS is the
# precondition for BREACH-style attacks on pages that reflect attacker input
# next to a per-session secret.  Confirm the backends use per-request
# anti-CSRF tokens (or otherwise do not reflect input near secrets), or drop
# text/html and the JSON types from this list.
AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm

# Process identity and MIME setup.
PidFile "{{ parameter_dict['pid-file'] }}"
# Placeholder contact address.  httpd's built-in error pages (e.g. the 502
# returned when a backend is down) may include it, so set a real one if those
# pages are reachable by clients.
ServerAdmin admin@
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# Do not advertise version/module details in the Server header or error page
# footers, and refuse TRACE (no need for it on a reverse proxy).
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Connection/request idle timeout in seconds; the zope listeners below
# override it per <VirtualHost>.
TimeOut {{ parameter_dict['timeout'] }}

# Server certificate and private key presented on every TLS listener.
SSLCertificateFile {{ parameter_dict['cert'] }}
SSLCertificateKeyFile {{ parameter_dict['key'] }}
# Seed OpenSSL's PRNG from its builtin source at startup and per connection.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
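# TLS parameters shared by every listener.
# SSLv2/SSLv3 were already refused; TLS 1.0 and 1.1 are deprecated (RFC 8996)
# and only weaken the cipher negotiation, so they are refused as well.  Clients
# must speak TLS 1.2 or newer.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# The server's order wins so the strongest mutually supported suite is chosen.
SSLHonorCipherOrder on
{% if parameter_dict['cipher'] -%}
# An operator-supplied cipher list replaces the default below.
SSLCipherSuite {{ parameter_dict['cipher'] }}
{% else %}
# Default list: forward-secret AEAD suites first, then AES-CBC, then plain RSA
# key exchange.  3DES (SWEET32), RC4, MD5 and anonymous/NULL suites are
# excluded; the former default still offered 3DES.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:HIGH:!aNULL:!eNULL:!MD5:!3DES:!RC4
{%- endif %}
# Shared-memory session cache so TLS session resumption works across worker
# processes.
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
# Lets the [P] rules below proxy to an https:// backend; inert for the plain
# http:// backends shown in the header, but harmless.
SSLProxyEngine On
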
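# Identity headers.  The backends trust Remote-User as the authenticated user,
# so whatever the client sent is dropped unconditionally before anything else
# is decided.  A backend that maps header names CGI-style ('-' -> '_') would
# read a client-sent Remote_User into the same variable, so that spelling is
# dropped as well.
RequestHeader unset Remote-User
RequestHeader unset Remote_User
{% if parameter_dict.get('ca-cert') or parameter_dict.get('ca-cert-dir') -%}
# Server-wide a client certificate is accepted -- and must then verify against
# the CA configured below -- but is not demanded; listeners with
# enable_authentication switch this to 'require' in their own <VirtualHost>.
SSLVerifyClient optional
# Only a successfully verified certificate becomes the identity.  Without the
# condition mod_headers expands an unset SSL variable to the literal string
# "(null)", so every anonymous request reached the backend as user "(null)".
RequestHeader set Remote-User "%{SSL_CLIENT_S_DN_CN}s" "expr=%{SSL_CLIENT_VERIFY} == 'SUCCESS'"
# X-Forwarded-* from a client that did not authenticate is untrusted: drop it
# so the backend only sees the values mod_proxy appends for this hop.
# Certificate-authenticated clients (e.g. a trusted upstream proxy) may keep
# forwarding their own values, as before for X-Forwarded-For.
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-Host "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-Server "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{%   if parameter_dict.get('ca-cert') -%}
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{%   elif parameter_dict.get('ca-cert-dir') -%}
# Only consulted when no CA file is given; the directory must be in OpenSSL
# hashed layout (c_rehash).
SSLCACertificatePath {{ parameter_dict['ca-cert-dir'] }}
{%   endif -%}
{%   if parameter_dict.get('crl') or parameter_dict.get('crl-dir') -%}
# Check revocation for every certificate in the presented chain, not just the
# leaf.
SSLCARevocationCheck chain
{%     if parameter_dict.get('crl') -%}
SSLCARevocationFile {{ parameter_dict['crl'] }}
{%     elif parameter_dict.get('crl-dir') -%}
SSLCARevocationPath {{ parameter_dict['crl-dir'] }}
{%     endif -%}
{%   endif -%}
{% endif -%}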

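# Default logs.  Listeners with enable_authentication redefine 'combined' and
# log to their own files in log-dir.
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microseconds at the end
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ parameter_dict['access-log'] }}" combined

# Nothing is served from disk: every listener proxies via RewriteRule [P], and
# proxied requests (filename "proxy:...") are not subject to <Directory>
# matching, so denying the filesystem root does not affect them.  It does
# stop a request that no rule rewrites -- e.g. a path the zope listener has
# no mapping for -- from falling through to the core handler and the
# compiled-in DocumentRoot, which the former "Allow from all" plus
# FollowSymLinks permitted.
<Directory />
  Options None
  AllowOverride None
  Require all denied
</Directory>

RewriteEngine On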
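{% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%}
{%   for ip in parameter_dict['ip-list'] -%}
Listen {{ ip }}:{{ port }}
{%   endfor -%}
# One TLS listener per port of backend-list, bound on every address of ip-list
# and proxying the whole URL space to `backend`.
<VirtualHost *:{{ port }}>
  SSLEngine on
{% if enable_authentication and (parameter_dict.get('ca-cert') or parameter_dict.get('ca-cert-dir')) -%}
  # Client certificate authentication: the handshake is refused unless the
  # client presents a certificate chaining to the configured CA.  A CA is all
  # that is required; a CRL only adds revocation checking.  (The former
  # condition also demanded a CRL, so a missing CRL silently left this
  # listener open to anonymous clients.)
  SSLVerifyClient require
{%   if parameter_dict.get('ca-cert') -%}
  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{%   elif parameter_dict.get('ca-cert-dir') -%}
  SSLCACertificatePath {{ parameter_dict['ca-cert-dir'] }}
{%   endif -%}
{%   if parameter_dict.get('crl') or parameter_dict.get('crl-dir') -%}
  SSLCARevocationCheck chain
{%     if parameter_dict.get('crl') -%}
  SSLCARevocationFile {{ parameter_dict['crl'] }}
{%     elif parameter_dict.get('crl-dir') -%}
  SSLCARevocationPath {{ parameter_dict['crl-dir'] }}
{%     endif -%}
{%   endif -%}

  # Authenticated traffic is logged separately, with the verified certificate
  # CN in the user column.  %{SSL_CLIENT_S_DN_CN}x reads it from mod_ssl; the
  # former %{REMOTE_USER}i logged a *request header* named REMOTE_USER
  # (underscore, not the Remote-User header set above), i.e. whatever the
  # client chose to send, never the CN.
  LogFormat "%h %l %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log"
  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" combined
{% elif enable_authentication -%}
  # Authentication was requested but no CA is configured: fail closed instead
  # of exposing the backend to anonymous clients.  <Location> applies to
  # proxied requests, unlike <Directory>.
  <Location />
    Require all denied
  </Location>
{% endif -%}
  # Hand the full path to the backend; [P] proxies, [L] stops rule processing.
  RewriteRule ^/(.*) {{ backend }}/$1 [L,P]
</VirtualHost>
{% endfor -%}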


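{% for (ip, port), (enable_authentication, path_mapping) in parameter_dict.get('zope-virtualhost-monster-backend-dict', {}).items() -%}
# One TLS listener per (ip, port) key, dispatching by URL prefix to Zope
# backends through VirtualHostMonster.
Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
  SSLEngine on
  # Zope requests may be long-running; overrides the global TimeOut.
  Timeout 3600
{%   if enable_authentication and (parameter_dict.get('ca-cert') or parameter_dict.get('ca-cert-dir')) -%}
  # Client certificate authentication: the handshake is refused unless the
  # client presents a certificate chaining to the configured CA.  A CA is all
  # that is required; a CRL only adds revocation checking.  (The former
  # condition also demanded a CRL, so a missing CRL silently left this
  # listener open to anonymous clients.)
  SSLVerifyClient require
{%   if parameter_dict.get('ca-cert') -%}
  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{%   elif parameter_dict.get('ca-cert-dir') -%}
  SSLCACertificatePath {{ parameter_dict['ca-cert-dir'] }}
{%   endif -%}
{%   if parameter_dict.get('crl') or parameter_dict.get('crl-dir') -%}
  SSLCARevocationCheck chain
{%     if parameter_dict.get('crl') -%}
  SSLCARevocationFile {{ parameter_dict['crl'] }}
{%     elif parameter_dict.get('crl-dir') -%}
  SSLCARevocationPath {{ parameter_dict['crl-dir'] }}
{%     endif -%}
{%   endif -%}

  # Authenticated traffic is logged separately, with the verified certificate
  # CN in the user column (read from mod_ssl via %{...}x; the former
  # %{REMOTE_USER}i logged a client-supplied request header named REMOTE_USER,
  # not the CN).
  LogFormat "%h %l %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
  # XXX filename ? is it log-rotated ?
  ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-error.log"
  CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-access.log" combined
{%   elif enable_authentication -%}
  # Authentication was requested but no CA is configured: fail closed instead
  # of exposing the backends to anonymous clients.  <Location> applies to
  # proxied requests, unlike <Directory>.
  <Location />
    Require all denied
  </Location>
{%   endif -%}

  # One rule per mapped prefix: /<path>... goes to its backend with the
  # VirtualHostMonster markers so Zope generates URLs under
  # https://{{ ip }}:{{ port }}/<path>.
  # NOTE(review): `path` is inserted unescaped into the regex and matched as a
  # bare prefix (^/zope-1(.*) also matches /zope-10/...); the keys are assumed
  # to be plain names that do not prefix one another -- confirm.  Where they
  # do overlap, dict iteration order decides which rule wins.
{%   for path, backend in path_mapping.items() %}
  RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
{%   endfor -%}
  # Anything not mapped above must not fall through to the core handler (which
  # could serve the compiled-in DocumentRoot): refuse it.
  RewriteRule .* - [F]
</VirtualHost>
{% endfor -%}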