opendev/puppet-graphite
Code Issues Proposed changes
puppet-graphite/templates/graphite.ssl.vhost.erb
Jeremy Stanley 2658fb41ba Enable RFC 6797 HSTS signaling 
The HTTP Strict Transport Security (HSTS) mechanism defined in IETF
RFC 6797 allows us to indicate to clients that the site to which
they are connecting should only every be reached over an encrypted
HTTPS connection, in an effort to thwart protocol downgrade attacks
which could convince a client to fall back to plaintext HTTP. Set
such a policy header for the SSL vhost, valid for one year, and
indicate that this policy also applies to any subdomains of the
hostname with which the site is served (even though it's unlikely
that there would ever be any in this case, this is useful for
consistency with inclusion in other vhost templates in the future).
While HSTS policy can't prevent downgrade attacks the very first
time a client connects to this site, thereafter their browser would
be wary of connecting over plain HTTP for subsequent connections for
a full year.

Change-Id: If5c2f3b70e7f7646bf6168e8942aee0ecb7c2ec8
2019-04-14 14:56:38 +00:00

74 lines
3.2 KiB
Plaintext
Raw Blame History

<VirtualHost *:80>
ErrorLog /var/log/apache2/graphite-error.log
CustomLog /var/log/apache2/graphite-access.log common
LogLevel warn
ServerSignature Off
Redirect / https://<%= scope.lookupvar("graphite::vhost_name") %>/
</VirtualHost>
<VirtualHost *:443>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
SSLEngine on
SSLCertificateFile <%= scope.lookupvar("graphite::ssl_cert_file") %>
SSLCertificateKeyFile <%= scope.lookupvar("graphite::ssl_key_file") %>
<% if scope.lookupvar("graphite::ssl_chain_file") != "" %>
SSLCertificateChainFile <%= scope.lookupvar("graphite::ssl_chain_file") %>
<% end %>
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
DocumentRoot "/var/lib/graphite/webapp"
ErrorLog /var/log/apache2/graphite-error.log
CustomLog /var/log/apache2/graphite-access.log common
# Add CORS authorization to the header so third-party services can pull
# metrics data via API calls for things like vizualiation dashboards.
Header set Access-Control-Allow-Origin "*"
# I've found that an equal number of processes & threads tends
# to show the best performance for Graphite (ymmv).
WSGIDaemonProcess graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120
WSGIProcessGroup graphite
WSGIApplicationGroup %{GLOBAL}
SetEnv GRAPHITE_STORAGE_DIR /var/lib/graphite/storage
WSGIImportScript /etc/graphite/graphite.wsgi process-group=graphite application-group=%{GLOBAL}
# XXX You will need to create this file! There is a graphite.wsgi.example
# file in this directory that you can safely use, just copy it to graphite.wgsi
WSGIScriptAlias / /etc/graphite/graphite.wsgi
Alias /content/ /var/lib/graphite/webapp/content/
<Location "/content/">
SetHandler None
</Location>
# XXX In order for the django admin site media to work you
# must change @DJANGO_ROOT@ to be the path to your django
# installation, which is probably something like:
# /usr/lib/python2.6/site-packages/django
Alias /media/ "/usr/lib/python2.7/dist-packages/django/contrib/admin/media/"
<Location "/media/">
SetHandler None
</Location>
# The graphite.wsgi file has to be accessible by apache. It won't
# be visible to clients because of the DocumentRoot though.
<Directory /etc/graphite/>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
</Directory>
<IfVersion >= 2.4>
<Directory /var/lib/graphite/webapp/content/>
Require all granted
</Directory>
</IfVersion>
</VirtualHost>
View Git Blame Copy Permalink