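# Apache vhost template for the nodepool builder host. The
# {{ inventory_hostname }} placeholders are filled in when the template is
# rendered. It serves the image build logs and the built disk images over
# HTTPS; plain HTTP is kept only to redirect to HTTPS.

<VirtualHost *:80>
    ServerName {{ inventory_hostname }}

    ErrorLog /var/log/apache2/nodepool_error.log
    LogLevel warn
    CustomLog /var/log/apache2/nodepool_access.log combined
    ServerSignature Off

    # No content is served in cleartext: every request is sent to the TLS vhost.
    Redirect / https://{{ inventory_hostname }}/
</VirtualHost>

<VirtualHost *:443>
    ServerName {{ inventory_hostname }}

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
    SSLCertificateKeyFile   /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
    SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are disabled along
    # with SSLv2/SSLv3; only TLS 1.2 and newer are negotiated. Clients that
    # cannot speak TLS 1.2 will no longer connect.
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Note: this list should ensure ciphers that provide forward secrecy
    # NOTE(review): the trailing !AES256 removes every AES-256 suite, so the
    # ECDH+AES256 and DH+AES256 entries earlier in the list have no effect.
    # Confirm that limiting the server to AES-128 is intended.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
    SSLHonorCipherOrder on

    # Build logs are the site root and are browsable (Indexes) by anyone.
    DocumentRoot /var/log/nodepool/builds
    <Directory /var/log/nodepool/builds>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    # Allow access to image files
    Alias /images /opt/nodepool_dib
    <Directory /opt/nodepool_dib>
        # FollowSymLinks: a followed symlink is still matched against
        # <Directory> sections by its original path, so a link placed in this
        # tree is served under this section's "granted" rule wherever it
        # points. Keep the tree writable only by the image builder.
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
        # Deny the large vhd and raw images together with their .md5/.sha256
        # checksum files. Everything else in this directory, notably the
        # smaller qcow2 images, stays downloadable.
        <FilesMatch ".+\.(vhd|raw)(\.(md5|sha256))?$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Exclude the dib build dir as well.
    <Directory /opt/nodepool_dib/*.d/>
        Require all denied
    </Directory>

    # Serve .log files as text/plain so browsers display them inline.
    AddType text/plain .log

    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
    </IfModule>

    ErrorLog /var/log/apache2/nodepool_error.log
    LogLevel warn
    CustomLog /var/log/apache2/nodepool_access.log combined
    ServerSignature Off
</VirtualHost>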