<%
  # Per-vhost inputs bound by Puppet: @name is this site's ServerName and
  # @options[@name] holds the 'params', 'security' and 'features' hashes whose
  # keys are read below. They come from node configuration, not from request
  # data, and are interpolated unescaped into the generated Apache config.
  host = @name
  params = @options[host]['params']
  security = @options[host]['security']
  features = @options[host]['features']
  # Every heredoc below is re-indented to four spaces (the Directory body
  # indent) by the gsub so it can be dropped into the Directory sections.
  #
  # Access policy shared by all Directory sections. This is Apache 2.2 syntax
  # and needs mod_access_compat on 2.4 (which the Protocols directive further
  # down implies). NOTE(review): do not swap it for a bare
  # `Require all granted` -- on 2.4 sibling Require directives combine as
  # RequireAny, so it would also satisfy the `Require valid-user` inside the
  # LimitExcept and unrestrict the non-listed methods. Verify before changing.
  permissions = <<-EOM.gsub(/^[ \t]+/, '    ')

    Order allow,deny
    Allow from all
  EOM
  # Kerberos (mod_auth_kerb) authentication only when a realm is configured:
  # Negotiate only, password fallback off, fixed keytab path. Without a realm
  # nothing in this template sets an AuthType for the vhost.
  kerberos = if security['realm']
               <<-EOM.gsub(/^[ \t]+/, '    ')

                 AuthType Kerberos
                 AuthName "Kerberos Login"
                 KrbMethodNegotiate on
                 KrbMethodK5Passwd off
                 KrbAuthRealms #{security['realm']}
                 Krb5Keytab /etc/krb5.apache.keytab
               EOM
             else
               ''
             end
  # Methods served without authentication (GET also covers HEAD inside a
  # LimitExcept); WebDAV hosts additionally get PROPFIND and OPTIONS. Every
  # other method falls into the LimitExcept and needs a valid user.
  methods = %w[GET POST] + (features['dav'] ? %w[PROPFIND OPTIONS] : [])
  # NOTE(review): on hosts without a realm no AuthType is configured, so
  # `Require valid-user` can never be met -- Apache answers those methods with
  # a 500 and logs "Authentication not configured?". That is fail-closed, but
  # an explicit `Require all denied` (or omitting the block) would be cleaner;
  # confirm the 2.4 authz merge semantics before changing it.
  limits = <<-EOM.gsub(/^[ \t]+/, '    ')

             #{features['dav'] ? "Dav on" : ""}
             <LimitExcept #{methods.join(" ")}>
               Require valid-user
             </LimitExcept>
            EOM
-%>
# Plain-HTTP vhost: redirects everything to HTTPS and logs; nothing is served
# here. HSTS is deliberately set only in the :443 vhost (browsers ignore it
# over plain HTTP).
<VirtualHost *:80>
  ServerAdmin webmaster@<%= params['root_domain'] %>
  ServerName <%= host %>
  <%- params['aliases'].each do |domain| -%>
  ServerAlias <%= domain %>
  <%- end -%>

  # Permanent redirect of every request to the HTTPS vhost, keeping the path
  # (and, by mod_rewrite default, the query string).
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]

  # Log files are shared with every other vhost on this server; per-site
  # files would make incident triage easier.
  ErrorLog ${APACHE_LOG_DIR}/error.log

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log default
</VirtualHost>
# HTTPS vhost: the one that actually serves content.
<VirtualHost *:443>
  ServerAdmin webmaster@<%= params['root_domain'] %>
  ServerName <%= host %>
  <%- params['aliases'].each do |domain| -%>
  ServerAlias <%= domain %>
  <%- end -%>

  # Certificate material from letsencrypt/certbot, keyed by the root domain
  # rather than by this ServerName. NOTE(review): SSLCertificateChainFile is
  # deprecated since 2.4.8 (use fullchain.pem in SSLCertificateFile instead);
  # protocol and cipher settings are not set here -- presumably global, confirm.
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/<%= params['root_domain'] %>/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<%= params['root_domain'] %>/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/<%= params['root_domain'] %>/chain.pem

  # Per-user public_html is exposed only when the feature is enabled.
  <%- unless features['userdir'] -%>
  UserDir disabled
  <%- end -%>

  # HTTP/2 with HTTP/1.1 fallback (mod_http2, Apache 2.4.17+).
  Protocols h2 http/1.1

  DocumentRoot /srv/www/<%= host %>/root
  # Filesystem root: no .htaccess processing and no access granted here, so
  # only the explicit Directory sections below are reachable.
  # NOTE(review): this relies on the 2.4 default of denying paths that carry
  # no Require/Allow at all; confirm for this build.
  <Directory />
    Options FollowSymlinks
    AllowOverride None
  </Directory>
  # Site content. Indexes is added only when features['indexes'] is set.
  # AllowOverride FileInfo lets .htaccess adjust types, handlers, headers and
  # rewrite rules but not access control (AuthConfig/Limit stay off).
  <Directory /srv/www/<%= host %>/root>
    Options FollowSymlinks MultiViews <%= features['indexes'] ? "Indexes" : '' %>
    AllowOverride FileInfo
<%= permissions %>
<%= kerberos %>
<%= limits %>
  </Directory>

  # Optional separate stylesheet tree with the same policy as the document root.
  <%- if features['separate_css'] -%>
  Alias /css /srv/www/<%= host %>/css
  <Directory /srv/www/<%= host %>/css>
    Options FollowSymlinks MultiViews <%= features['indexes'] ? "Indexes" : '' %>
    AllowOverride FileInfo
<%= permissions %>
<%= kerberos %>
<%= limits %>
  </Directory>
  <%- end -%>

  # Optional CGI tree. SymLinksIfOwnerMatch (not FollowSymlinks) so a symlink
  # pointing at another owner's file is not followed into execution; MultiViews
  # is off so only exact script names resolve. Same access/auth policy as above.
  <%- if features['cgi'] -%>
  Alias /cgi-bin /srv/www/<%= host %>/cgi-bin
  <Directory /srv/www/<%= host %>/cgi-bin>
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    AllowOverride None
<%= permissions %>
<%= kerberos %>
<%= limits %>
  </Directory>
  <%- end -%>

  ErrorLog ${APACHE_LOG_DIR}/error.log

  # HSTS for about six months (15768000 s); includeSubDomains and preload only
  # when opted in per host, since preload-list inclusion is hard to undo.
  # NOTE(review): `Header add` works on the "onsuccess" table, which Apache
  # discards for locally generated error responses (e.g. a 404 from this
  # vhost), so those go out without HSTS/CSP; `Header always set ...` sends
  # them on every response and also avoids duplicates. Applies to all the
  # Header lines below.
  <%- if security['sts_subdomains'] -%>
  Header add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  <%- else -%>
  Header add Strict-Transport-Security "max-age=15768000"
  <%- end -%>
  # CSP presets: 'strict' allows any https: origin but no inline script/style
  # (no 'unsafe-inline'); 'jekyll' allows same-origin only; any other value
  # sends no CSP at all. block-all-mixed-content is deprecated in CSP3 (current
  # browsers block mixed content by default) but harmless.
  <%- if security['csp'] == 'strict' -%>
  Header add Content-Security-Policy "default-src https:; block-all-mixed-content"
  <%- elsif security['csp'] == 'jekyll' -%>
  Header add Content-Security-Policy "default-src 'self'; block-all-mixed-content"
  <%- else -%>
  <%- end -%>
  # Fallback list: a browser applies the last value it recognises, so older
  # browsers that do not know strict-origin-when-cross-origin use no-referrer.
  Header add Referrer-Policy "no-referrer, strict-origin-when-cross-origin"
  # NOTE(review): X-XSS-Protection is legacy -- current browsers ignore it and
  # OWASP now recommends sending `0` or omitting it; the CSP above is the
  # effective control.
  Header add X-Xss-Protection "1; mode=block"
  # Opts this origin out of FLoC / interest-cohort computation.
  Header add Permissions-Policy "interest-cohort=()"

  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn

  CustomLog ${APACHE_LOG_DIR}/access.log default
</VirtualHost>