<VirtualHost *:80>
  # Plain-HTTP listener: it serves no content and only forwards clients to
  # the HTTPS virtual host.
  ServerName {{ inventory_hostname }}

  # Do not append a server version footer to server-generated pages.
  ServerSignature Off

  # The redirect target is built from the inventory hostname, not from the
  # request's Host header, so a forged Host value cannot change where
  # clients are sent.
  Redirect / https://{{ inventory_hostname }}/

  # Same log files as the HTTPS virtual host.
  LogLevel warn
  ErrorLog /var/log/apache2/nodepool_error.log
  CustomLog /var/log/apache2/nodepool_access.log combined

</VirtualHost>


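<VirtualHost *:443>
  # HTTPS listener: publishes the nodepool build logs at / and the built
  # images under /images. Everything here is readable without authentication
  # ("Require all granted"), so only data meant to be public may live in the
  # served trees.
  # NOTE(review): no Strict-Transport-Security header is set, so a client's
  # first request may still travel over plain HTTP before the port-80
  # redirect; confirm whether HSTS is wanted for this hostname.
  ServerName {{ inventory_hostname }}

  SSLEngine on

  SSLCertificateFile      /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
  SSLCertificateKeyFile   /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
  SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are now disabled together
  # with SSLv2/SSLv3; clients must negotiate TLS 1.2 or newer.
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  # Note: this list should ensure ciphers that provide forward secrecy.
  # "!AES256" removes every 256-bit AES suite, so the ECDH+AES256 and
  # DH+AES256 entries earlier in the string have no effect. This string does
  # not govern TLS 1.3 suites. Check what it really expands to on the target
  # host with `openssl ciphers -v '<string>'`.
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
  # Prefer the server's cipher order over the client's.
  SSLHonorCipherOrder on

  # Build logs, browsable through auto-generated directory listings.
  # NOTE(review): FollowSymLinks lets a symlink created inside this tree
  # expose files outside it, and <Directory> rules are matched against the
  # requested path, not the link target. Confirm the log writers need it;
  # otherwise prefer SymLinksIfOwnerMatch or drop the option.
  DocumentRoot /var/log/nodepool/builds
  <Directory /var/log/nodepool/builds>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  # Allow access to image files
  # NOTE(review): the FollowSymLinks caveat above applies to this tree too.
  Alias /images /opt/nodepool_dib
  <Directory /opt/nodepool_dib>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
    # Intent: only serve the qcow2 files, as they are the smallest. This is a
    # deny-list, though: it blocks .vhd and .raw images and their .md5/.sha256
    # files, and any other file type that appears in this directory is still
    # served.
    <FilesMatch ".+\.(vhd|raw)(\.(md5|sha256))?$">
      Require all denied
    </FilesMatch>
  </Directory>
  # Exclude the dib build dir as well. The wildcard matches a single path
  # component, i.e. directories named *.d directly under /opt/nodepool_dib.
  <Directory /opt/nodepool_dib/*.d/>
    Require all denied
  </Directory>

  # Serve .log files as text/plain so browsers display them inline.
  AddType text/plain .log
  # Compress responses when mod_deflate is loaded.
  <IfModule mod_deflate.c>
      SetOutputFilter DEFLATE
  </IfModule>

  ErrorLog /var/log/apache2/nodepool_error.log
  LogLevel warn
  CustomLog /var/log/apache2/nodepool_access.log combined
  # Do not append a server version footer to server-generated pages.
  ServerSignature Off

</VirtualHost>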