Clark Boylan 6ca2b9a7d5 Apply apache us filter to Zuul
There is some evidence these vhosts are impacted. Mitigate that with our
rules.

While we are at it we modify the ruleset to add a newly noticed item.

Change-Id: I8c20193e4e474898a0bdc395b25fd9de94469dd6
2024-04-03 09:34:25 -07:00


# Plain-HTTP vhost for zuul.opendev.org. It serves no content of its own:
# every request is redirected to the HTTPS site.
<VirtualHost *:80>
ServerName zuul.opendev.org
ServerAdmin webmaster@openstack.org
ErrorLog ${APACHE_LOG_DIR}/zuul-error.log
LogLevel warn
# "combined-cache" is a LogFormat nickname defined outside this file.
CustomLog ${APACHE_LOG_DIR}/zuul-access.log combined-cache
# Apply the shared UserAgentFilter macro (defined outside this file) on the
# HTTP side as well as the HTTPS side.
# NOTE(review): the macro relies on mod_rewrite, and this vhost has no
# "RewriteEngine on" of its own. Confirm the macro enables the rewrite
# engine itself; otherwise the filter is inert on port 80.
Use UserAgentFilter
Redirect / https://zuul.opendev.org/
</VirtualHost>
# HTTPS vhost for zuul.opendev.org. Terminates TLS, applies the shared
# user-agent filter, then reverse-proxies every request to the service
# listening on 127.0.0.1:9000, with caching for the status API and /static.
<VirtualHost *:443>
ServerName zuul.opendev.org
ServerAdmin webmaster@openstack.org
# Accept %2F in request paths instead of answering 404. With "On" the
# encoded slash is decoded like any other escape, so the RewriteRule and
# LocationMatch patterns below see the decoded path.
# NOTE(review): presumably needed for names containing "/" in Zuul URLs;
# confirm against the backend's routing.
AllowEncodedSlashes On
ErrorLog ${APACHE_LOG_DIR}/zuul-ssl-error.log
LogLevel warn
# "combined-cache" is a LogFormat nickname defined outside this file.
CustomLog ${APACHE_LOG_DIR}/zuul-ssl-access.log combined-cache
SSLEngine on
# NOTE(review): only SSLv2/SSLv3 are excluded here, so as far as this
# directive is concerned TLS 1.0 and 1.1 remain enabled. Whether they can
# actually be negotiated depends on the OpenSSL build and its policy.
# Confirm, and consider adding "-TLSv1 -TLSv1.1" if no client needs them.
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
# Every selector is ECDH- or DH-based, which is what gives forward secrecy.
# "!AES256" permanently removes all AES-256 suites, so the ECDH+AES256 and
# DH+AES256 entries earlier in the string contribute nothing.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
# Prefer the server's cipher ordering over the client's.
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt-certs/zuul.opendev.org/zuul.opendev.org.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/zuul.opendev.org/zuul.opendev.org.key
# NOTE(review): SSLCertificateChainFile is obsolete since Apache 2.4.8; the
# chain can be supplied through SSLCertificateFile instead.
SSLCertificateChainFile /etc/letsencrypt-certs/zuul.opendev.org/ca.cer
# Legacy Internet Explorer workarounds: no keepalive, HTTP/1.0 responses and
# tolerance of an unclean TLS shutdown for MSIE 2-6.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
# The class [17-9] matches one character: 1, 7, 8 or 9, so it also covers
# two-digit versions that start with 1.
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
# This macro relies on mod rewrite rules so put it before any of the
# actual rewrites we want to perform.
# The proxy rules below carry [L], so anything placed after them would never
# be evaluated for a matching request.
Use UserAgentFilter
RewriteEngine on
# Console streaming is proxied as a WebSocket ([P] = proxy, [L] = stop
# processing rules). This rule must stay ahead of the catch-all below.
RewriteRule ^/api/tenant/(.*)/console-stream ws://127.0.0.1:9000/api/tenant/$1/console-stream [P,L]
# Everything else is proxied over plain HTTP to the loopback backend.
RewriteRule ^/(.*)$ http://127.0.0.1:9000/$1 [P,L]
# Compress JSON, CSS and JavaScript responses.
AddOutputFilterByType DEFLATE application/json text/css text/javascript application/javascript
# Enable SHM backend for socache
CacheSocache shmcb
# Anything bigger should fall through to disk
CacheSocacheMaxSize 102400
# This is required to match on rewrites correctly
# With the quick handler off, a cache hit is served only after normal
# request processing, so the mod_rewrite rules above (including the
# UserAgentFilter macro) still apply to cached responses.
CacheQuickHandler off
# Disk cache settings
CacheRoot /var/cache/apache2/mod_cache_disk
CacheMaxFileSize 10000000
# Cache the per-tenant status API: shared-memory cache first, then disk.
# NOTE(review): cached responses are shared between clients, so this assumes
# the status endpoint returns the same public content to everyone. Confirm.
<LocationMatch "^/api/tenant/.*/status">
CacheEnable socache
CacheEnable disk
</LocationMatch>
# Static assets use the same two-tier cache.
<Location "/static">
CacheEnable socache
CacheEnable disk
</Location>
</VirtualHost>