dev-tools/ansible/roles/django/templates/django-ssl-vhost.conf.j2 - airavata - Git at Google

 {#
 #
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #
 #}

 {% if vhost_server_redirect is defined %}
 <VirtualHost *:{{httpd_default_http_port}}>
     ServerName {{ vhost_server_redirect }}
     Redirect "/" "https://{{ vhost_servername }}"
 </VirtualHost>

 {% if vhost_server_redirect_ssl_certificate_file is defined %}
 <VirtualHost *:{{httpd_default_https_port}}>
     ServerName {{ vhost_server_redirect }}
     Redirect "/" "https://{{ vhost_servername }}"

     SSLEngine on
     # Disable SSLv3 which is vulnerable to the POODLE attack
     SSLProtocol All -SSLv2 -SSLv3
     SSLCertificateFile {{ vhost_server_redirect_ssl_certificate_file }}
     SSLCertificateChainFile {{ vhost_server_redirect_ssl_certificate_chain_file }}
     SSLCertificateKeyFile {{ vhost_server_redirect_ssl_certificate_key_file }}
 </VirtualHost>
 {% endif %}
 {% endif %}

 <VirtualHost *:{{ httpd_default_http_port }}>
     ServerName {{ vhost_servername }}

     ## Redirect all http traffic to https
     RewriteEngine On
     RewriteCond %{HTTPS} off
     RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
 </VirtualHost>

 <VirtualHost *:{{ httpd_default_https_port }}>
     ServerName {{ vhost_servername }}
     TimeOut {{ vhost_timeout }}

     Alias /robots.txt {{ doc_root_dir }}/static/robots.txt
     Alias /favicon.ico {{ doc_root_dir }}/static/favicon.ico

     Alias /static/ {{ doc_root_dir }}/static/

     <Directory {{ doc_root_dir }}/static>
     Require all granted
     AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

     # Force browser to revalidate cached static resources
     Header set Cache-Control "no-cache"
     # Workaround for ETag bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=45023#c22
     RequestHeader edit "If-None-Match" '^"((.*)-gzip)"$' '"$1", "$2"'
     # If file has a content hash, cache for a year
     <FilesMatch "\.[0-9a-f]{8}\.(css|js)$">
         Header set Cache-Control "max-age=31536000, public"
     </FilesMatch>
     </Directory>

     Alias /media/ {{ airavata_django_checkout }}/django_airavata/media/

     <Directory {{ airavata_django_checkout }}/django_airavata/media>
         Require all granted
     </Directory>

     {# Additional aliases #}
     {% for alias in vhost_aliases %}
     Alias "{{ alias.url }}" "{{ alias.path }}"
     <Directory "{{ alias.path }}">
         Require all granted
         {% for header in alias.headers|default([]) %}
         Header set {{ header.name }} {{ header.value }}
         {% endfor %}
     </Directory>
     {% endfor %}

     {# Custom redirects #}
     {% for redirect in vhost_redirects %}
     {% if redirect.regex is defined and redirect.regex %}
     RedirectMatch "{{ redirect.from }}" "{{ redirect.to }}"
     {% else %}
     Redirect "{{ redirect.from }}" "{{ redirect.to }}"
     {% endif %}
     {% endfor %}

     WSGIDaemonProcess {{ vhost_servername }} \
             display-name=%{GROUP} \
             python-home={{ doc_root_dir }}/venv \
             python-path={{ doc_root_dir }}/airavata-django-portal \
             processes={{ django_wsgi_processes }} \
             user={{ user }} \
             group={{ group }} \
             lang=en_US.UTF-8 \
             locale=en_US.UTF-8
     WSGIProcessGroup {{ vhost_servername }}

     WSGIScriptAlias / {{ doc_root_dir }}/airavata-django-portal/django_airavata/wsgi.py
     WSGIApplicationGroup %{GLOBAL}
     # To allow bearer token based authorization, pass 'Authorization' through to Django process
     WSGIPassAuthorization On

     <Directory {{ doc_root_dir }}/airavata-django-portal/django_airavata>
         <Files wsgi.py>
         Require all granted
         </Files>
     </Directory>

     ErrorLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.error.log
     CustomLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.requests.log combined

     SSLEngine on
     # Disable SSLv3 which is vulnerable to the POODLE attack
     SSLProtocol All -SSLv2 -SSLv3
     SSLCertificateFile {{ ssl_certificate_file }}
     SSLCertificateChainFile {{ ssl_certificate_chain_file }}
     SSLCertificateKeyFile {{ ssl_certificate_key_file }}
 </VirtualHost>
	{#
	#
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#
	#}

	{% if vhost_server_redirect is defined %}
	<VirtualHost *:{{httpd_default_http_port}}>
	ServerName {{ vhost_server_redirect }}
	Redirect "/" "https://{{ vhost_servername }}"
	</VirtualHost>

	{% if vhost_server_redirect_ssl_certificate_file is defined %}
	<VirtualHost *:{{httpd_default_https_port}}>
	ServerName {{ vhost_server_redirect }}
	Redirect "/" "https://{{ vhost_servername }}"

	SSLEngine on
	# Disable SSLv3 which is vulnerable to the POODLE attack
	SSLProtocol All -SSLv2 -SSLv3
	SSLCertificateFile {{ vhost_server_redirect_ssl_certificate_file }}
	SSLCertificateChainFile {{ vhost_server_redirect_ssl_certificate_chain_file }}
	SSLCertificateKeyFile {{ vhost_server_redirect_ssl_certificate_key_file }}
	</VirtualHost>
	{% endif %}
	{% endif %}

	<VirtualHost *:{{ httpd_default_http_port }}>
	ServerName {{ vhost_servername }}

	## Redirect all http traffic to https
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
	</VirtualHost>

	<VirtualHost *:{{ httpd_default_https_port }}>
	ServerName {{ vhost_servername }}
	TimeOut {{ vhost_timeout }}

	Alias /robots.txt {{ doc_root_dir }}/static/robots.txt
	Alias /favicon.ico {{ doc_root_dir }}/static/favicon.ico

	Alias /static/ {{ doc_root_dir }}/static/

	<Directory {{ doc_root_dir }}/static>
	Require all granted
	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

	# Force browser to revalidate cached static resources
	Header set Cache-Control "no-cache"
	# Workaround for ETag bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=45023#c22
	RequestHeader edit "If-None-Match" '^"((.*)-gzip)"$' '"$1", "$2"'
	# If file has a content hash, cache for a year
	<FilesMatch "\.[0-9a-f]{8}\.(css\|js)$">
	Header set Cache-Control "max-age=31536000, public"
	</FilesMatch>
	</Directory>

	Alias /media/ {{ airavata_django_checkout }}/django_airavata/media/

	<Directory {{ airavata_django_checkout }}/django_airavata/media>
	Require all granted
	</Directory>

	{# Additional aliases #}
	{% for alias in vhost_aliases %}
	Alias "{{ alias.url }}" "{{ alias.path }}"
	<Directory "{{ alias.path }}">
	Require all granted
	{% for header in alias.headers\|default([]) %}
	Header set {{ header.name }} {{ header.value }}
	{% endfor %}
	</Directory>
	{% endfor %}

	{# Custom redirects #}
	{% for redirect in vhost_redirects %}
	{% if redirect.regex is defined and redirect.regex %}
	RedirectMatch "{{ redirect.from }}" "{{ redirect.to }}"
	{% else %}
	Redirect "{{ redirect.from }}" "{{ redirect.to }}"
	{% endif %}
	{% endfor %}

	WSGIDaemonProcess {{ vhost_servername }} \
	display-name=%{GROUP} \
	python-home={{ doc_root_dir }}/venv \
	python-path={{ doc_root_dir }}/airavata-django-portal \
	processes={{ django_wsgi_processes }} \
	user={{ user }} \
	group={{ group }} \
	lang=en_US.UTF-8 \
	locale=en_US.UTF-8
	WSGIProcessGroup {{ vhost_servername }}

	WSGIScriptAlias / {{ doc_root_dir }}/airavata-django-portal/django_airavata/wsgi.py
	WSGIApplicationGroup %{GLOBAL}
	# To allow bearer token based authorization, pass 'Authorization' through to Django process
	WSGIPassAuthorization On

	<Directory {{ doc_root_dir }}/airavata-django-portal/django_airavata>
	<Files wsgi.py>
	Require all granted
	</Files>
	</Directory>

	ErrorLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.error.log
	CustomLog {{ httpd_log_dir[ansible_os_family] }}/django-{{ gateway_id }}.requests.log combined

	SSLEngine on
	# Disable SSLv3 which is vulnerable to the POODLE attack
	SSLProtocol All -SSLv2 -SSLv3
	SSLCertificateFile {{ ssl_certificate_file }}
	SSLCertificateChainFile {{ ssl_certificate_chain_file }}
	SSLCertificateKeyFile {{ ssl_certificate_key_file }}
	</VirtualHost>