32e332b329
This adds a new variable to manage TLS v1.3 cipher suites. The old variable for TLS v1.2 and below ciphers is renamed for consistency, but is still supported as a default where overridden by deployments. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/823943 Change-Id: Ib43d465c8fa24ec7d14174ecc17bce0b3e8bd7a4
# {{ ansible_managed }}
# Plain-HTTP listener, rendered only when this web server terminates TLS
# itself (horizon_enable_ssl is true and horizon_external_ssl is false).
# Every request that arrives without HTTPS is redirected to the https://
# scheme on the same host name and path.
# NOTE(review): the redirect target is built from the client-supplied Host
# header (%{HTTP_HOST}), and [R] without an explicit status answers with a
# 302. Review whether arbitrary Host values should be accepted on this
# listener - confirm against the deployment's front-end configuration.
{% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
<VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
    ServerName {{ horizon_server_name }}
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>
{% endif %}
# Main Horizon virtual host. When TLS is terminated by a load balancer, or
# TLS is not enabled at all, this server listens on the plain HTTP port.
# Only when it terminates TLS itself does it bind the HTTPS port instead.
<VirtualHost {{ horizon_bind_address }}:{{ ((horizon_enable_ssl | bool) and not (horizon_external_ssl | bool)) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
    ServerName {{ horizon_server_name }}
    LogLevel {{ horizon_log_level }}
    # Errors go to syslog (daemon facility); access records are piped to
    # logger at daemon.info under the service name tag.
    ErrorLog syslog:daemon
    CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
    Options +FollowSymLinks

    # TLS directives are rendered only when this server terminates TLS.
    {% if (horizon_enable_ssl | bool) and not (horizon_external_ssl | bool) %}
    SSLEngine on
    SSLCertificateFile {{ horizon_ssl_cert }}
    SSLCertificateKeyFile {{ horizon_ssl_key }}
    # NOTE(review): the guard tests horizon_user_ssl_ca_cert while the
    # directive uses horizon_ssl_ca_cert; presumably the first is the
    # deployer-supplied source and the second the installed path - confirm
    # against the role defaults.
    {% if horizon_user_ssl_ca_cert is defined -%}
    SSLCACertificateFile {{ horizon_ssl_ca_cert }}
    {% endif -%}
    # TLS-level compression stays off (compression side channels on
    # encrypted traffic).
    SSLCompression Off
    SSLProtocol {{ horizon_ssl_protocol }}
    SSLHonorCipherOrder On
    # Cipher lists are configured per protocol generation: the unqualified
    # SSLCipherSuite line takes the TLS v1.2-and-below list, the line
    # qualified with TLSv1.3 takes the TLS v1.3 list. An empty variable
    # omits its directive, so that protocol falls back to whatever cipher
    # list applies outside this template.
    # NOTE(review): the TLSv1.3 qualifier needs mod_ssl built against an
    # OpenSSL with TLS v1.3 support (1.1.1 or later); confirm every target
    # platform meets that before setting the TLS v1.3 variable.
    {% if horizon_ssl_cipher_suite_tls12 != "" -%}
    SSLCipherSuite {{ horizon_ssl_cipher_suite_tls12 }}
    {% endif -%}
    {% if horizon_ssl_cipher_suite_tls13 != "" -%}
    SSLCipherSuite TLSv1.3 {{ horizon_ssl_cipher_suite_tls13 }}
    {% endif -%}
    # Legacy workaround for old Internet Explorer user agents: no
    # keep-alive, and tolerate a connection close without close_notify.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    {% endif %}
    # With TLS terminated upstream (horizon_external_ssl true), stamp the
    # scheme the application should assume onto every request. "set"
    # replaces any header of that name already on the request, so a value
    # supplied by the client does not survive in these two branches.
    # NOTE(review): with horizon_external_ssl false neither branch renders
    # and a client-supplied header of that name is not overwritten here;
    # confirm the application does not trust it in that mode.
    {% if (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
    RequestHeader set {{ horizon_secure_proxy_ssl_header }} "https"
    {% elif not (horizon_enable_ssl | bool) and (horizon_external_ssl | bool) %}
    RequestHeader set {{ horizon_secure_proxy_ssl_header }} "http"
    {% endif %}

    # The application is mounted at / and runs in a mod_wsgi daemon process
    # group under the dedicated system user and group. The process count
    # falls back to the thread count when no process count is defined.
    WSGIScriptAlias / {{ horizon_lib_wsgi_file }}
    WSGIDaemonProcess horizon user={{ horizon_system_user_name }} group={{ horizon_system_group_name }} processes={{ horizon_wsgi_processes | default(horizon_wsgi_threads) }} threads={{ horizon_wsgi_threads }} python-path={{ horizon_lib_dir | dirname }}/site-packages

    WSGIProcessGroup horizon
    WSGIApplicationGroup %{GLOBAL}

    # Access in the WSGI directory is granted for the WSGI script file only.
    # The two IfVersion branches carry the pre-2.4 and the 2.4+ access
    # control syntax.
    <Directory {{ horizon_lib_wsgi_file | dirname }}>
        <Files {{ horizon_lib_wsgi_file | basename }} >
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
        </Files>
    </Directory>

    Alias /static {{ horizon_lib_dir }}/static/

    # Static assets are served straight from disk. Symlink following is
    # switched off for this tree, overriding the +FollowSymLinks set at the
    # virtual host level.
    # NOTE(review): AllowOverride None appears only in the pre-2.4 branch;
    # presumably the 2.4+ branch relies on the server default - confirm.
    <Directory {{ horizon_lib_dir }}/static/>
        Options -FollowSymlinks
        <IfVersion < 2.4>
            AllowOverride None
            Order allow,deny
            Allow from all
        </IfVersion>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
    </Directory>
</VirtualHost>