Hi everyone,
I would like to push this patch and run pagure's playbook. All this does is change the order of the vhosts in the Apache configuration file (and add a couple of comments). This will allow us to serve the SSL cert for pagure.io by default to clients that do not support SNI. This will also fix the milter (the mechanism used to reply to a ticket via email), which is currently hotfixed to not check the SSL cert.
+1?
Thanks, Pierre
--- roles/pagure/frontend/templates/0_pagure.conf | 72 ++++++++++++++------------- 1 file changed, 37 insertions(+), 35 deletions(-)
diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index 05bb090..34b71d7 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -6,6 +6,8 @@ WSGIPassAuthorization On WSGIDaemonProcess pagure user=git group=git maximum-requests=1000 display-name=pagure processes=4 threads=4 inactivity-timeout=300 WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-name=paguredocs processes=4 threads=4 inactivity-timeout=300
+## Redirects http -> https + <VirtualHost *:80> {% if env == 'pagure-staging' %} ServerName stg.pagure.io @@ -16,7 +18,6 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %} </VirtualHost>
- <VirtualHost *:80> {% if env == 'pagure-staging' %} ServerName docs.stg.pagure.org @@ -49,40 +50,7 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %} </VirtualHost>
- -<VirtualHost *:443> -{% if env == 'pagure-staging' %} - ServerName docs.stg.pagure.org -{% else %} - ServerName docs.pagure.org -{% endif %} - - WSGIScriptAlias / /var/www/docs_pagure.wsgi - - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers - Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" - - SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt - SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt - SSLCertificateKeyFile /etc/pki/tls/certs/docs.pagure.org.key - - Alias /static /usr/lib/python2.7/site-packages/pagure/static/ - - <Location /> - WSGIProcessGroup paguredocs - <IfModule mod_authz_core.c> - # Apache 2.4 - Require all granted - </IfModule> - <IfModule !mod_authz_core.c> - # Apache 2.2 - Order deny,allow - Allow from all - </IfModule> - </Location> -</VirtualHost> +## End of redirects http -> https
<VirtualHost *:443> @@ -149,3 +117,37 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
</VirtualHost>
+<VirtualHost *:443> +{% if env == 'pagure-staging' %} + ServerName docs.stg.pagure.org +{% else %} + ServerName docs.pagure.org +{% endif %} + + WSGIScriptAlias / /var/www/docs_pagure.wsgi + + SSLEngine on + SSLProtocol all -SSLv2 -SSLv3 + # Use secure TLSv1.1 and TLSv1.2 ciphers + Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" + + SSLCertificateFile /etc/pki/tls/certs/docs.pagure.org.crt + SSLCertificateChainFile /etc/pki/tls/certs/docs.pagure.org.intermediate.crt + SSLCertificateKeyFile /etc/pki/tls/certs/docs.pagure.org.key + + Alias /static /usr/lib/python2.7/site-packages/pagure/static/ + + <Location /> + WSGIProcessGroup paguredocs + <IfModule mod_authz_core.c> + # Apache 2.4 + Require all granted + </IfModule> + <IfModule !mod_authz_core.c> + # Apache 2.2 + Order deny,allow + Allow from all + </IfModule> + </Location> +</VirtualHost> +
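Review bot: the hunk at @@ -49,40 +50,7 makes the `<VirtualHost *:443>` that follows `## End of redirects http -> https` the first *:443 vhost in the file, and the whole fix rests on that position, yet neither of the two added comments says so. Apache serves the first vhost defined for an address and port to clients that send no SNI name, so a later edit that puts another *:443 block above it would silently bring back the wrong default certificate. Please add a comment directly above that vhost, for example `## Must remain the first *:443 vhost: default cert for non-SNI clients`. Once the playbook has run, it is also worth confirming which certificate a client without SNI receives, and then removing the milter hotfix that skips the certificate check.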
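Review bot: in the docs.pagure.org vhost re-added by the last hunk (@@ -149,3 +117,37), the comment `# Use secure TLSv1.1 and TLSv1.2 ciphers` is followed by the `Header always add Strict-Transport-Security` line rather than by any cipher directive, and `SSLProtocol all -SSLv2 -SSLv3` still leaves TLSv1.0 enabled, so the comment does not describe what the block configures. The block is moved unchanged, which keeps this patch a pure reorder, but since the lines are being touched anyway please either drop the comment or follow up with the `SSLCipherSuite` and protocol restriction it implies, so the next reader does not assume the restriction is already in place.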
+1.
With kind regards, Patrick Uiterwijk Fedora Infra