opendev/puppet-etherpad_lite
Code Issues Proposed changes
puppet-etherpad_lite/templates/etherpadlite.vhost.erb
Colleen Murphy cec0248653 Fix scope of vhost template variables 
Dynamic scoping for variables in ERB templates was removed in puppet
4[1] which means that the variables defined in the
manifest cannot be found when it is referenced in
the httpd::vhost defined type and will be evaluated as nil when
puppet runs. Use the scope object instead to be explicit about the
variable's source. The scope object and scope.lookupvar return :undef
instead of nil if the variable is undefined, and we expect it to
sometimes be undefined, so handle that too.

[1] https://puppet.com/docs/puppet/4.10/lang_updating_manifests.html#dynamic-scoping-in-erb

Change-Id: Ie9d943424aafa5d1d09586dc2cb61441c6d2628b
2018-04-28 00:55:00 +02:00

118 lines
4.8 KiB
Plaintext
Raw Blame History

<VirtualHost *:80>
ServerName <%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>
ServerAdmin <%= scope.lookupvar("etherpad_lite::apache::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-access.log combined
Redirect / https://<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>
ServerAdmin <%= scope.lookupvar("etherpad_lite::apache::serveradmin") %>
ErrorLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>-ssl-access.log combined
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile <%= scope.lookupvar("etherpad_lite::apache::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("etherpad_lite::apache::ssl_key_file") %>
<% if scope.lookupvar("etherpad_lite::apache::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("etherpad_lite::apache::ssl_chain_file") %>
<% end %>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<% auth_openid = scope["etherpad_lite::apache::auth_openid"] %>
<% if ! [nil, :undef].include?(auth_openid) %>
<Location /p/>
AuthType OpenID
AuthName "<%= auth_openid['banner'] %>"
AuthOpenIDSecureCookie On
AuthOpenIDCookieLifespan 3600
AuthOpenIDTrustRoot https://<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>
AuthOpenIDServerName https://<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>
AuthOpenIDSingleIdP <%= auth_openid['singleIdp'] %>
AuthOpenIDTrusted <%= auth_openid['trusted'] %>
<% if auth_openid['any_valid_user'] %>
Require valid-user
<% elsif !auth_openid['users'].empty? %>
<% auth_openid['users'].each do |user| -%>
Require user <%= user %>
<% end -%>
<% end %>
</Location>
<% end %>
<IfModule mod_proxy.c>
# The following redirects "nice" urls such as https://etherpad.example.org/padname
# to https://etherpad.example.org/p/padname. It was problematic directly
# supporting "nice" urls as etherpad hardcodes /p/ in many places.
# Adapted from https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy
RewriteEngine on
# Do not rewrite the /server-status URL (though by default, this
# is only accessible from localhost). Connect to it with:
# ssh -L 8443:localhost:443 $HOSTNAME
# https://localhost:8443/server-status
RewriteRule ^/server-status$ /server-status [L]
RewriteCond %{HTTP_HOST} !<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>
RewriteRule ^.*$ https://<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %> [L,R=301]
# Server robots.txt directly so that it does not affect
# etherpad-lite installation.
RewriteRule ^/robots.txt$ <%= scope.lookupvar("etherpad_lite::apache::docroot") %>/robots.txt [L]
# Refuse external connections to the API through the proxy
RewriteRule ^/api/ - [F,L]
RewriteCond %{REQUEST_URI} !^/p/
RewriteCond %{REQUEST_URI} !^/locales/
RewriteCond %{REQUEST_URI} !^/locales.json
RewriteCond %{REQUEST_URI} !^/admin
RewriteCond %{REQUEST_URI} !^/p/
RewriteCond %{REQUEST_URI} !^/static/
RewriteCond %{REQUEST_URI} !^/pluginfw/
RewriteCond %{REQUEST_URI} !^/javascripts/
RewriteCond %{REQUEST_URI} !^/socket.io/
RewriteCond %{REQUEST_URI} !^/ep/
RewriteCond %{REQUEST_URI} !^/minified/
RewriteCond %{REQUEST_URI} !^/api/
RewriteCond %{REQUEST_URI} !^/ro/
RewriteCond %{REQUEST_URI} !^/error/
RewriteCond %{REQUEST_URI} !^/jserror
RewriteCond %{REQUEST_URI} !/favicon.ico
RewriteCond %{REQUEST_URI} !/robots.txt
RewriteRule ^/+(.+)$ https://<%= scope.lookupvar("etherpad_lite::apache::vhost_name") %>/p/$1 [NC,L,R=301]
<IfModule mod_proxy_wstunnel.c>
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:9001/$1 [P,L]
ProxyPass /socket.io http://localhost:9001/socket.io retry=0
ProxyPassReverse /socket.io http://localhost:9001/socket.io
</IfModule>
ProxyPass / http://localhost:9001/ retry=0
ProxyPassReverse / http://localhost:9001/
</IfModule>
</VirtualHost>
</IfModule>
View Git Blame Copy Permalink