apache: update apache config for hosted projects to use includes

This review updates the configuration for tf.o and mlp.o servers to use the new include method for apache configuration. It also renames the config files for mlp to use the proper hostnames. Change-Id: I60c6b55655176093d1115e160a6eb26326a2e9a2 Reviewed-on: https://review.linaro.org/30153 Reviewed-by: Kelley Spoon <kelley.spoon@linaro.org>
author: Kelley Spoon <kelley.spoon@linaro.org> 2019-02-06 01:52:12 -0600
committer: Kelley Spoon <kelley.spoon@linaro.org> 2019-02-08 23:51:44 +0000
commit: adad0d81fabc3019090c6b2919dd7c0e62dab228 (patch)
tree: bc4f71f77a3465e480710fe7bc2425c010206926
parent: 23bc578e1e29317d1d33bb49da28aeb7ab6e7e35 (diff)
4 files changed, 41 insertions, 50 deletions
diff --git a/files/apache/git-mi.linaro.org.conf b/files/apache/git.mlplatform.org.conf
index f6fbf658..f6fbf658 120000
--- a/files/apache/git-mi.linaro.org.conf
+++ b/files/apache/git.mlplatform.org.conf
diff --git a/files/apache/git.trustedfirmware.org.conf b/files/apache/git.trustedfirmware.org.conf
index 0ac7e2af..8e401cd2 100644
--- a/files/apache/git.trustedfirmware.org.conf
+++ b/files/apache/git.trustedfirmware.org.conf
@@ -22,6 +22,7 @@ ServerTokens Prod
     ExpiresByType   image/jpeg      "access plus 1 month"
     ExpiresByType   image/x-icon    "access plus 1 month"
 
+    Include /etc/apache2/linaro/headers-http.conf
     Header append Cache-Control "no-transform"
 
     <FilesMatch "\.(html|htm)$">
@@ -51,10 +52,6 @@ ServerTokens Prod
     MaxKeepAliveRequests 150
 
     RewriteEngine On
-    # Following directives removed from Apache 2.4
-    # http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
-    #RewriteLog ${APACHE_LOG_DIR}/git.trustedfirmware.org-rewrite.log
-    #RewriteLogLevel 0
 
     AllowEncodedSlashes On
 
@@ -95,10 +92,7 @@ ServerTokens Prod
 
     ScriptAliasMatch "(?x)^/git/(.*/(HEAD | info/refs | objects/info/[^/]+ | git-(upload|receive)-pack))$" /var/www/cgit/git-http-backend.cgi
 
-    Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
-    <Directory "/srv/certbot/.well-known/acme-challenge/">
-        Require all granted
-    </Directory>
+    Include /etc/apache2/linaro/letsencrypt.conf
 
     <Directory "/srv/repositories">
         AllowOverride None
@@ -126,16 +120,7 @@ ServerTokens Prod
     ServerName git.trustedfirmware.org
     ServerAlias git.trustedfirmware.org
 
-    SSLEngine On
-    SSLProtocol All -SSLv2 -SSLv3
-    SSLCompression Off
-    SSLHonorCipherOrder On
-    SSLOptions +StdEnvVars
-    SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
-    EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
-    !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
-    CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
-
+    Include /etc/apache2/linaro/settings-ssl.conf
     SSLCertificateFile {{ssl_cert}}
     SSLCertificateKeyFile {{ssl_key}}
     SSLCACertificateFile {{ssl_ca}}
@@ -155,7 +140,7 @@ ServerTokens Prod
     ExpiresByType   image/jpeg      "access plus 1 month"
     ExpiresByType   image/x-icon    "access plus 1 month"
 
-    Header always set Strict-Transport-Security "max-age=63072000"
+    Include /etc/apache2/linaro/headers-https.conf
     Header append Cache-Control "no-transform"
 
     <FilesMatch "\.(html|htm)$">
@@ -187,10 +172,6 @@ ServerTokens Prod
     AllowEncodedSlashes On
 
     RewriteEngine On
-    # Following directives removed from Apache 2.4
-    # http://httpd.apache.org/docs/2.4/mod/mod_rewrite.html#logging
-    #RewriteLog ${APACHE_LOG_DIR}/git.trustedfirmware.org-rewrite.log
-    #RewriteLogLevel 0
 
     RewriteCond %{HTTP_USER_AGENT} (AhrefsBot|bingbot|Baidu|Baiduspider|360Spider|360) [nocase]
     RewriteRule ^(.*)$ - [forbidden,last]
diff --git a/files/apache/mi.linaro.org.conf b/files/apache/review.mlplatform.org.conf
index e6e57706..e517b1eb 100644
--- a/files/apache/mi.linaro.org.conf
+++ b/files/apache/review.mlplatform.org.conf
@@ -2,20 +2,21 @@
 	ServerName {{inventory_hostname}}
 	ServerAlias {{inventory_hostname}}
 
-    RedirectMatch permanent "^/(?!\.well-known/acme-challenge)(.*)" "https://{{hostname}}/$1"
+    Header set Cache-Control private
+    <FilesMatch ".(jpg|jpeg|png|gif|ico)$">
+        Header set Cache-Control "max-age=86400, public"
+    </FilesMatch>
 
-    Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
-    <Directory "/srv/certbot/.well-known/acme-challenge/">
-        Require all granted
-    </Directory>
+    RedirectMatch permanent "^/(?!\.well-known/acme-challenge)(.*)" "https://{{hostname}}/$1"
 
+    Include /etc/apache2/linaro/letsencrypt.conf
 </VirtualHost>
 
 <VirtualHost *:443>
 	ServerName {{inventory_hostname}}
 	ServerAlias {{inventory_hostname}}
 
-    SSLEngine On
+    Include /etc/apache2/linaro/settings-ssl.conf
 
     SSLCertificateFile /etc/letsencrypt/live/{{gerrit_host}}/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/{{gerrit_host}}/privkey.pem
@@ -26,6 +27,11 @@
     CustomLog /var/log/apache2/{{inventory_hostname}}-access.log combined
     ErrorLog /var/log/apache2/{{inventory_hostname}}-error.log
 
+    Header set Cache-Control private
+    <FilesMatch ".(jpg|jpeg|png|gif|ico)$">
+        Header set Cache-Control "max-age=86400, public"
+    </FilesMatch>
+
     ProxyRequests Off
     ProxyVia Off
     ProxyPreserveHost On
diff --git a/files/apache/review.trustedfirmware.org.conf b/files/apache/review.trustedfirmware.org.conf
index 5f63d700..23c90fc6 100644
--- a/files/apache/review.trustedfirmware.org.conf
+++ b/files/apache/review.trustedfirmware.org.conf
@@ -2,38 +2,42 @@
 	ServerName {{inventory_hostname}}
 	ServerAlias {{inventory_hostname}}
 
-    RedirectMatch permanent "^/(?!\.well-known/acme-challenge)(.*)" "https://{{hostname}}/$1"
-
-    Alias "/.well-known/acme-challenge/" "/srv/certbot/.well-known/acme-challenge/"
-    <Directory "/srv/certbot/.well-known/acme-challenge/">
-        Require all granted
-    </Directory>
+    Header set Cache-Control private
+    <FilesMatch ".(jpg|jpeg|png|gif|ico)$">
+      Header set Cache-Control "max-age=86400, public"
+    </FilesMatch>
 
+    RedirectMatch permanent "^/(?!\.well-known/acme-challenge)(.*)" "https://{{hostname}}/$1"
+    Include /etc/apache2/linaro/letsencrypt.conf
 </VirtualHost>
 
 <VirtualHost *:443>
 	ServerName {{inventory_hostname}}
 	ServerAlias {{inventory_hostname}}
 
-        SSLEngine On
-        SSLCertificateFile {{ssl_cert}}
-        SSLCertificateKeyFile {{ssl_key}}
-        SSLCACertificateFile {{ssl_ca}}
+    Include /etc/apache2/linaro/settings-ssl.conf
+    SSLCertificateFile {{ssl_cert}}
+    SSLCertificateKeyFile {{ssl_key}}
+    SSLCACertificateFile {{ssl_ca}}
 
 	DocumentRoot /srv/gerrit
 
-        CustomLog /var/log/apache2/{{inventory_hostname}}.linaro.org-access.log combined
-        ErrorLog /var/log/apache2/{{inventory_hostname}}.linaro.org-error.log
+    CustomLog /var/log/apache2/{{inventory_hostname}}.linaro.org-access.log combined
+    ErrorLog /var/log/apache2/{{inventory_hostname}}.linaro.org-error.log
 
-        ProxyRequests Off
-        ProxyVia Off
-        ProxyPreserveHost On
-        <Proxy *>
-                Order deny,allow
-                Allow from all
-        </Proxy>
+    Header set Cache-Control private
+    <FilesMatch ".(jpg|jpeg|png|gif|ico)$">
+        Header set Cache-Control "max-age=86400, public"
+    </FilesMatch>
+
+    ProxyRequests Off
+    ProxyVia Off
+    ProxyPreserveHost On
+    <Proxy *>
+        Order deny,allow
+        Allow from all
+    </Proxy>
 
 	AllowEncodedSlashes On
-        ProxyPass       /       http://127.0.0.1:8080/ nocanon
+    ProxyPass       /       http://127.0.0.1:8080/ nocanon
 </VirtualHost>
-
author	Kelley Spoon <kelley.spoon@linaro.org>	2019-02-06 01:52:12 -0600
committer	Kelley Spoon <kelley.spoon@linaro.org>	2019-02-08 23:51:44 +0000
commit	adad0d81fabc3019090c6b2919dd7c0e62dab228 (patch)
tree	bc4f71f77a3465e480710fe7bc2425c010206926
parent	23bc578e1e29317d1d33bb49da28aeb7ab6e7e35 (diff)