{# This file configures apache to redirect requests from ports to specific urls. # It provides SSL support for server and optionaly for client. # # All parameters are given through the `parameter_dict` variable, see the # list entries : # # parameter_dict = { # # The path given to "PidFile" # "pid-file": "<file_path>", # # # The number given to "TimeOut" # "timeout": 300, # # # The path given to "SSLCertificateFile" # "cert": "<file_path>", # # # The path given to "SSLCertificateKeyFile" # "key": "<file_path>", # # # The value given to "SSLCipherSuite" (can be empty) # "cipher": "", # # # The path given to "SSLSessionCache shmcb:<folder_path>(512000)" # "ssl-session-cache": "<folder_path>", # # # The path given to "SSLCACertificateFile" (can be empty) # # If this value is not empty, it enables client certificate check. # # (Enabling "SSLVerifyClient require") # "ca-cert": "<file_path>", # # # The path given to "SSLCARevocationFile" (used if ca-cert is not # # empty) # "crl": "<file_path>", # # # The path given to "ErrorLog" # "error-log": "<file_path>", # # # The path given to "AccessLog" # "access-log": "<file_path>", # # # The list of ip which apache will listen to. # "ip-list": [ # "0.0.0.0", # "[::1]", # ], # # # The list of backends which apache should redirect to. # "backend-list": [ # # (port, unused, internal_scheme, enable_authentication) # (8000, _, "http://10.0.0.10:8001", True), # (8002, _, "http://10.0.0.10:8003", False), # ], # # # The mapping of zope paths this apache should redirect to. # # This is a Zope specific feature. # # `enable_authentication` has same meaning as for `backend-list`. # "zope-virtualhost-monster-backend-dict": { # # {(ip, port): ( enable_authentication, {frontend_path: ( internal_scheme ) }, ) } # ('[::1]', 8004): ( # True, { # 'zope-1': 'http://10.0.0.10:8001', # 'zope-2': 'http://10.0.0.10:8002', # }, # ), # }, # } # # This sample of `parameter_dict` will make apache listening to : # From to `backend-list`: # - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and # - [::1]:8000 redirecting internaly to http://10.0.0.10:8001 # only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`. # - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003 # - [::1]:8002 redirecting internaly to http://10.0.0.10:8003 # accepting requests from any client. # # From zope-virtualhost-monster-backend-dict`: # - [::1]:8004 with some path based rewrite-rules redirecting to: # * http://10.0.0.10/8001 when path matches /zope-1(.*) # * http://10.0.0.10/8002 when path matches /zope-2(.*) # with some VirtualHostMonster rewrite rules so zope writes URLs with # [::1]:8004 as server name. # For more details, refer to # https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together -#} LoadModule unixd_module modules/mod_unixd.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule mime_module modules/mod_mime.so LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule headers_module modules/mod_headers.so LoadModule deflate_module modules/mod_deflate.so LoadModule filter_module modules/mod_filter.so AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm PidFile "{{ parameter_dict['pid-file'] }}" ServerAdmin admin@ TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz ServerTokens Prod ServerSignature Off TraceEnable Off TimeOut {{ parameter_dict['timeout'] }} SSLCertificateFile {{ parameter_dict['cert'] }} SSLCertificateKeyFile {{ parameter_dict['key'] }} SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on {% if parameter_dict['cipher'] -%} SSLCipherSuite {{ parameter_dict['cipher'] }} {% else %} SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 {%- endif %} SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000) SSLProxyEngine On # As backend is trusting Remote-User header unset it always RequestHeader unset Remote-User {% if parameter_dict['ca-cert'] -%} SSLVerifyClient optional RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'" SSLCACertificateFile {{ parameter_dict['ca-cert'] }} {% if parameter_dict['crl'] -%} SSLCARevocationCheck chain SSLCARevocationFile {{ parameter_dict['crl'] }} {%- endif %} {%- endif %} ErrorLog "{{ parameter_dict['error-log'] }}" # Default apache log format with request time in microsecond at the end LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined CustomLog "{{ parameter_dict['access-log'] }}" combined <Directory /> Options FollowSymLinks AllowOverride None Allow from all </Directory> RewriteEngine On {% for port, _, backend, enable_authentication in parameter_dict['backend-list'] -%} {% for ip in parameter_dict['ip-list'] -%} Listen {{ ip }}:{{ port }} {% endfor -%} <VirtualHost *:{{ port }}> SSLEngine on {% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%} SSLVerifyClient require SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCARevocationCheck chain SSLCARevocationFile {{ parameter_dict['crl'] }} LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined # We would like to separate the the authentificated logs. ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-error.log" CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-access.log" combined {% endif -%} RewriteRule ^/(.*) {{ backend }}/$1 [L,P] </VirtualHost> {% endfor -%} {% for (ip, port), (enable_authentication, path_mapping) in parameter_dict.get('zope-virtualhost-monster-backend-dict', {}).items() -%} Listen {{ ip }}:{{ port }} <VirtualHost {{ ip }}:{{ port }}> SSLEngine on Timeout 3600 {% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%} SSLVerifyClient require SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCARevocationCheck chain SSLCARevocationFile {{ parameter_dict['crl'] }} LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined # We would like to separate the the authentificated logs. # XXX filename ? is it log-rotated ? ErrorLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-error.log" CustomLog "{{ parameter_dict['log-dir'] }}/apache-service-virtual-host-access.log" combined {% endif -%} {% for path, backend in path_mapping.items() %} RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P] {% endfor -%} </VirtualHost> {% endfor -%}