# Apache vhost template for the LemonLDAP::NG portal, rendered by Ansible (Jinja2).
# Plain-HTTP vhost: answers ACME challenges (common_letsencrypt.inc) and otherwise
# presumably redirects to HTTPS via common_force_ssl.inc - the .inc files are not
# part of this file, so confirm their content if the redirect behaviour matters.
<VirtualHost 0.0.0.0:80>
ServerName {{ llng_portal_vhost }}
Include ansible_conf.d/common_env.inc
Include ansible_conf.d/common_letsencrypt.inc
Include ansible_conf.d/common_force_ssl.inc
</VirtualHost>
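# HTTPS portal vhost. NOTE(review): if mod_ssl is not loaded this whole block is
# silently skipped while the :80 vhost keeps its force-SSL include, so the portal
# would be unreachable rather than served in clear - verify the role enables mod_ssl.
<IfModule mod_ssl.c>
<VirtualHost 0.0.0.0:443>
ServerName {{ llng_portal_vhost }}
SSLEngine On
Alias /_deferror/ "/usr/share/httpd/error/"
Include ansible_conf.d/common_env.inc
Include ansible_conf.d/common_perf.inc
Include ansible_conf.d/common_filter.inc
Include ansible_conf.d/common_letsencrypt.inc
# Certificate selection: an explicit cert/key pair (optional chain) wins, otherwise
# the dehydrated certificate named by letsencrypt_cert. If neither is set nothing is
# emitted here and the certificate must come from server-level config or an include.
{% if llng_portal_ssl is defined %}
{% if llng_portal_ssl.cert is defined and llng_portal_ssl.key is defined %}
SSLCertificateFile {{ llng_portal_ssl.cert }}
SSLCertificateKeyFile {{ llng_portal_ssl.key }}
{% if llng_portal_ssl.cert_chain is defined %}
SSLCertificateChainFile {{ llng_portal_ssl.cert_chain }}
{% endif %}
{% elif llng_portal_ssl.letsencrypt_cert is defined %}
SSLCertificateFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/cert.pem
SSLCertificateKeyFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/privkey.pem
SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_portal_ssl.letsencrypt_cert }}/chain.pem
{% endif %}
{% endif %}
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
Require all granted
Options +ExecCGI +FollowSymLinks
</Directory>
# Optional TLS client-certificate authentication, rendered only when a CA is given.
# "SSLVerifyClient optional" does not reject clients without a certificate; the
# portal itself decides what to do with SSL_CLIENT_S_DN_CN. A CRL is applied when
# configured.
{% if llng_portal_ssl is defined and llng_portal_ssl.ca is defined %}
SSLCACertificateFile {{ llng_portal_ssl.ca }}
{% if llng_portal_ssl.crl is defined %}
SSLCARevocationFile {{ llng_portal_ssl.crl }}
{% endif %}
# Location matching is done on the URI path only, so the "\?url=" alternative
# below can never match by itself; "/" with a ?url= query string is already
# covered by the "^/$" alternative.
<LocationMatch "^/($|\?url=.*|cas/login.*)">
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
</LocationMatch>
{% endif %}
# Route everything except static assets and direct *.fcgi paths through the
# portal FastCGI script; [PT] keeps Alias/Location mappings in effect.
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
# CGIPassAuth would forward the Authorization header to the script; left disabled.
#CGIPassAuth on
Options +ExecCGI
# Never let the internal Lm-Remote-User header reach the client in responses.
header unset Lm-Remote-User
</Files>
# Uncomment this if status is enabled
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files, served directly by httpd with a one-month client cache.
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
Require all granted
Options +FollowSymLinks
</Directory>
<Location /static/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<IfModule mod_dir.c>
DirectoryIndex index.fcgi index.html
</IfModule>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
</VirtualHost>
</IfModule>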
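# Dedicated HTTPS vhost for the SOAP/REST session back-end, rendered only when a
# source-IP allow-list or an htpasswd is configured.
# NOTE(review): this guard tests llng_soap_htpasswd, but the auth directives inside
# the <Directory> test llng_soap_pass. With only llng_soap_htpasswd set (and no
# source IPs) the Directory carries no Require of its own and relies on inherited
# policy; with only llng_soap_pass set the vhost is not rendered at all. Confirm
# which variable name the role actually populates.
{% if (llng_soap_src_ip is defined and llng_soap_src_ip | length > 0) or (llng_soap_htpasswd is defined) %}
<IfModule mod_ssl.c>
<VirtualHost 0.0.0.0:443>
ServerName {{ llng_soap_vhost }}
SSLEngine On
Alias /_deferror/ "/usr/share/httpd/error/"
Include ansible_conf.d/common_env.inc
Include ansible_conf.d/common_filter.inc
Include ansible_conf.d/common_letsencrypt.inc
# Certificate selection mirrors the portal vhost: explicit cert/key (optional
# chain) first, otherwise the dehydrated certificate named by letsencrypt_cert.
{% if llng_soap_ssl is defined %}
{% if llng_soap_ssl.cert is defined and llng_soap_ssl.key is defined %}
SSLCertificateFile {{ llng_soap_ssl.cert }}
SSLCertificateKeyFile {{ llng_soap_ssl.key }}
{% if llng_soap_ssl.cert_chain is defined %}
SSLCertificateChainFile {{ llng_soap_ssl.cert_chain }}
{% endif %}
{% elif llng_soap_ssl.letsencrypt_cert is defined %}
SSLCertificateFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/cert.pem
SSLCertificateKeyFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/privkey.pem
SSLCertificateChainFile /var/lib/dehydrated/certificates/certs/{{ llng_soap_ssl.letsencrypt_cert }}/chain.pem
{% endif %}
{% endif %}
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
# Access control: when both a source-IP list and a password are configured the
# <RequireAll> wrapper demands the client IP AND valid Basic credentials; when only
# one of them is configured that single check applies on its own.
{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
{% if llng_soap_pass is defined %}
<RequireAll>
{% endif %}
Require ip {{ llng_soap_src_ip | join(' ') }}
{% endif %}
{% if llng_soap_pass is defined %}
AuthName "Lemonldap::NG SOAP endpoint"
AuthType Basic
AuthBasicProvider file
AuthUserFile /etc/lemonldap-ng/soap.htpasswd
Require valid-user
{% if llng_soap_src_ip is defined and llng_soap_src_ip | length > 0 %}
</RequireAll>
{% endif %}
{% endif %}
Options +ExecCGI +FollowSymlinks
</Directory>
# Same routing rule as the portal vhost (REQUEST_FILENAME equals REQUEST_URI in
# vhost context; the "(?:/.*)?" suffix keeps direct /x.fcgi/path requests from being
# prefixed a second time).
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
#CGIPassAuth on
Options +ExecCGI
# Never let the internal Lm-Remote-User header reach the client in responses.
header unset Lm-Remote-User
</Files>
# Endpoint allow-list: everything that is not one of the listed back-end paths is
# denied. NOTE(review): the allow-list keys on /index.pl/..., while the rewrite above
# maps requests to /index.fcgi/... and Location matching is re-run on the rewritten
# URI; as written this looks like it denies every SOAP endpoint (fail-closed rather
# than fail-open). Verify against the URLs the SOAP clients actually call.
<LocationMatch "^(?!/index\.pl/(adminSessions|sessions|config|notifications))">
Require all denied
</LocationMatch>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
</VirtualHost>
</IfModule>
{% endif %}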