LoadModule unixd_module modules/mod_unixd.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule mime_module modules/mod_mime.so LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule headers_module modules/mod_headers.so LoadModule deflate_module modules/mod_deflate.so LoadModule filter_module modules/mod_filter.so AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml PidFile "{{ parameter_dict['pid-file'] }}" ServerAdmin admin@ TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz ServerTokens Prod ServerSignature Off TraceEnable Off TimeOut {{ parameter_dict['timeout'] }} SSLCertificateFile {{ parameter_dict['cert'] }} SSLCertificateKeyFile {{ parameter_dict['key'] }} SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on {% if parameter_dict['cipher'] -%} SSLCipherSuite {{ parameter_dict['cipher'] }} {% else %} SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 {%- endif %} SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000) SSLProxyEngine On # As backend is trusting REMOTE_USER header unset it always RequestHeader unset REMOTE_USER {% if parameter_dict['ca-cert'] -%} SSLVerifyClient require RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCARevocationCheck chain SSLCARevocationFile {{ parameter_dict['crl'] }} {%- endif %} ErrorLog "{{ parameter_dict['error-log'] }}" # Default apache log format with request time in microsecond at the end LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined CustomLog "{{ parameter_dict['access-log'] }}" combined <Directory /> Options FollowSymLinks AllowOverride None Allow from all </Directory> RewriteEngine On {% for family_name, (port, _, backend, enable_authentication) in parameter_dict['backend-list'].items() -%} {% for ip in parameter_dict['ip-list'] -%} Listen {{ ip }}:{{ port }} {% endfor -%} <VirtualHost *:{{ port }}> {% if enable_authentication -%} SSLVerifyClient require RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }} SSLCARevocationPath {{ parameter_dict['shared-crl'] }} LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined # We would like to separate the the authentificated logs. ErrorLog "{{ parameter_dict['log-dir'] }}/apache-{{ family_name }}-error.log" CustomLog "{{ parameter_dict['log-dir'] }}/apache-{{ family_name }}-access.log" combined {% endif -%} SSLEngine on RewriteRule ^/(.*) {{ backend }}/$1 [L,P] </VirtualHost> {% endfor -%}