path: root/ansible/roles/configure-apache/templates/production.conf
# Managed via ansible, do not edit!

<VirtualHost *:80>
    # Plain-HTTP listener. It serves no content of its own: every request
    # under / is answered with a 301 pointing at the same path on the
    # HTTPS site defined below.
    ServerName {{ hostname }}

    RedirectPermanent / https://{{ hostname }}/
</VirtualHost>

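<VirtualHost *:443>
    # HTTPS site for the CGI application; hostname and install_base are
    # supplied by the template variables.
    ServerName {{ hostname }}
    ServerAdmin webmaster@linaro.org

    DocumentRoot {{ install_base }}/{{ hostname }}

    # The document root is also reachable under the /bugzilla URL prefix.
    Alias /bugzilla {{ install_base }}/{{ hostname }}/
    # Files ending in "cgi" are executed as CGI scripts; index.cgi is the
    # directory index.
    # NOTE(review): +Indexes makes Apache generate a listing for any directory
    # below the document root that has no index.cgi, and "AllowOverride ...
    # Options" lets .htaccess files inside the tree change Options again.
    # Confirm both are needed; if not, drop +Indexes and narrow AllowOverride.
    <Directory "{{ install_base }}/{{ hostname }}">
        AddHandler cgi-script cgi
        Options +ExecCGI +FollowSymLinks +Indexes
        DirectoryIndex index.cgi
        AllowOverride Limit FileInfo Indexes Options
        Require all granted
    </Directory>

    # Per-site access and error logs.
    CustomLog ${APACHE_LOG_DIR}/{{ hostname }}-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/{{ hostname }}-error.log
    LogLevel info

    # Persistent connections: idle for at most 9 seconds, at most 150
    # requests per connection.
    KeepAlive On
    KeepAliveTimeout 9
    MaxKeepAliveRequests 150

    # TLS settings (mod_ssl).
    # NOTE(review): "All -SSLv2 -SSLv3" leaves TLS 1.0 and TLS 1.1 enabled.
    # Both are deprecated (RFC 8996); once client compatibility is confirmed,
    # consider "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1".
    SSLEngine On
    SSLProtocol All -SSLv2 -SSLv3
    # Compression stays off (TLS compression is what the CRIME attack abuses).
    SSLCompression Off
    # The server's cipher order wins over the client's.
    SSLHonorCipherOrder On
    # NOTE(review): !ECDSA removes ECDSA-authenticated suites, so this list
    # only works with an RSA certificate. The four suites named at the end
    # (CAMELLIA256-SHA ... AES128-SHA) use static RSA key exchange with
    # CBC/SHA-1 and give no forward secrecy; check whether any client still
    # needs them.
    SSLCipherSuite "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
        EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:\
        !aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:\
        CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"

    # Certificate and private key, both named after the templated hostname.
    # The key path previously read /etc/ss/private (missing "l"), which does
    # not match the /etc/ssl tree used for the certificate.
    SSLCertificateFile /etc/ssl/certs/{{ hostname }}.pem
    SSLCertificateKeyFile /etc/ssl/private/{{ hostname }}.key

    # Export the standard SSL_* environment variables to scripts and to
    # everything under the document root.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "{{ install_base }}/{{ hostname }}">
        SSLOptions +StdEnvVars
    </Directory>

    # Workarounds for old Internet Explorer TLS behaviour: MSIE 2-6 get no
    # keepalive and HTTP/1.0 responses; the second pattern only relaxes the
    # TLS shutdown handling.
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Expiry headers (mod_expires): 300 seconds by default, one month for the
    # listed image types.
    ExpiresActive   On
    ExpiresDefault  "access plus 300 seconds"

    ExpiresByType   image/png       "access plus 1 month"
    ExpiresByType   image/jpg       "access plus 1 month"
    ExpiresByType   image/jpeg      "access plus 1 month"
    ExpiresByType   image/x-icon    "access plus 1 month"

    # HSTS for two years (63072000 s), sent on every response including
    # errors ("always"). The policy does not include includeSubDomains.
    Header always set Strict-Transport-Security "max-age=63072000"
    Header append Cache-Control "no-transform"

    # HTML: force revalidation and compress the response (mod_deflate). The
    # BrowserMatch lines restrict or disable gzip for Netscape 4.x while
    # re-enabling it for MSIE, which also identifies as Mozilla/4.
    # NOTE(review): dont-vary is not set anywhere in this vhost, so unless it
    # is set elsewhere "Vary: User-Agent" is appended to every match.
    <FilesMatch "\.(html|htm)$">
        Header add Cache-Control "must-revalidate"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

    # JS and CSS: cacheable for 62 days (5356800 s), compressed with the same
    # browser exceptions as the HTML block.
    <FilesMatch "\.(js|css)$">
        Header add Cache-Control "max-age=5356800"
        SetOutputFilter DEFLATE

        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        Header append Vary User-Agent env=!dont-vary
    </FilesMatch>

</VirtualHost>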