--- /dev/null
+<!doctype html>
+<html>
+ <head>
+ <title>Maintenance</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+ <style>
+ body {
+ padding-left: 5px;
+ padding-right: 5px;
+ text-align: center;
+ margin: auto;
+ font: 20px Helvetica, sans-serif;
+ color: #333;
+ }
+ h1 {
+ margin: 0px;
+ font-size: 40px;
+ }
+ article {
+ display: block;
+ max-width: 650px;
+ margin: 0 auto;
+ padding-top: 30px;
+ }
+ article + article {
+ border-top: 1px solid lightgrey;
+ }
+ article div {
+ text-align: justify;
+ }
+ a {
+ color: #dc8100;
+ text-decoration: none;
+ }
+ a:hover {
+ color: #333;
+ }
+ </style>
+ <script type="text/javascript">
+ setTimeout(function () { location.reload(true); }, 5000);
+ </script>
+ </head>
+ <body>
+ <article>
+ <h1>Erreur serveur ou maintenance en cours !</h1>
+ <div>
+ <p>Une mise à jour ou une opération de maintenance est en cours sur le site. <a href="">Retentez</a> dans quelques instants ou patientez, la page se rechargera automatiquement.</p>
+ </div>
+ </article>
+
+ <article>
+ <h1>Server error or website in maintenance!</h1>
+ <div>
+ <p>An update or a maintenance is on track on the website. Please try <a href="">again</a> in a few seconds or wait, the page will reload automatically.</p>
+ </div>
+ </article>
+ </body>
+</html>
--- /dev/null
+class profile::apache {
+ class { 'apache':
+ root_directory_secured => true,
+ root_directory_options => ["All"],
+ default_mods => false,
+ default_vhost => false,
+ log_formats => {
+ combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p',
+ common => '%h %l %u %t \"%r\" %>s %b',
+ }
+ }
+
+ ::apache::custom_config { 'log_config.conf':
+ content => 'CustomLog "/var/log/httpd/access_log" combined',
+ filename => 'log_config.conf'
+ }
+
+ ::apache::custom_config { 'protocols.conf':
+ content => 'Protocols h2 http/1.1',
+ filename => 'protocols.conf'
+ }
+
+ ::apache::custom_config { 'document_root.conf':
+ source => "puppet:///modules/profile/apache/document_root.conf",
+ filename => "document_root.conf"
+ }
+
+ ::apache::custom_config { 'immae.conf':
+ source => "puppet:///modules/profile/apache/immae.conf",
+ filename => 'immae.conf'
+ }
+
+ ::apache::custom_config { 'letsencrypt.conf':
+ source => "puppet:///modules/profile/apache/letsencrypt.conf",
+ filename => 'letsencrypt.conf'
+ }
+
+ # FIXME: default values ignored?
+ Apache::Vhost {
+ no_proxy_uris => [
+ "/maintenance_immae.html",
+ "/googleb6d69446ff4ca3e5.html",
+ "/.well-known/acme-challenge"
+ ],
+ no_proxy_uris_match => [
+ '^/licen[cs]es?_et_tip(ping)?$',
+ '^/licen[cs]es?_and_tip(ping)?$',
+ '^/licen[cs]es?$',
+ '^/tip(ping)?$',
+ ]
+ }
+
+ $real_hostname = lookup("base_installation::real_hostname") |$key| { {} }
+ unless empty($real_hostname) {
+ apache::vhost { "default_ssl":
+ port => '443',
+ docroot => '/srv/http',
+ servername => $real_hostname,
+ directoryindex => 'index.htm index.html',
+ priority => 0,
+ }
+ }
+
+ apache::vhost { "redirect_no_ssl":
+ port => '80',
+ error_log => false,
+ log_level => undef,
+ access_log => false,
+ docroot => false,
+ servername => "",
+ serveraliases => "*",
+ priority => 99,
+ rewrites => [
+ {
+ rewrite_cond => '"%{REQUEST_URI}" "!^/\.well-known"',
+ rewrite_rule => '^(.+) https://%{HTTP_HOST}$1 [R=301]'
+ }
+ ]
+ }
+
+ class { 'apache::mod::ssl':
+ ssl_protocol => [ 'all', '-SSLv3' ],
+ # Given by
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ ssl_cipher => "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS",
+ # FIXME: need SSLSessionTickets off
+ ssl_stapling => true,
+ ssl_stapling_return_errors => false,
+ # FIXME: SSLStaplingResponderTimeout 5
+ ssl_ca => '/etc/ssl/certs/ca-certificates.crt',
+ }
+ class { 'apache::mod::alias': }
+ class { 'apache::mod::autoindex': }
+ # Included by ssl
+ # class { 'apache::mod::mime': }
+ class { 'apache::mod::deflate': }
+ class { 'apache::mod::rewrite': }
+
+ class { 'apache::mod::dir':
+ indexes => ["index.html"]
+ }
+
+ file { [
+ "/srv/http",
+ "/srv/http/.well-known",
+ "/srv/http/.well-known/acme-challenge"]:
+ ensure => "directory",
+ mode => "0755",
+ owner => "root",
+ group => "root",
+ }
+
+ file { "/srv/http/maintenance_immae.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/maintenance_immae.html",
+ }
+ file { "/srv/http/googleb6d69446ff4ca3e5.html":
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ source => "puppet:///modules/profile/apache/googleb6d69446ff4ca3e5.html",
+ }
+}
include "base_installation"
include "profile::postgresql"
+ include "profile::apache"
$password_seed = lookup("base_installation::puppet_pass_seed") |$key| { {} }
order => "b0",
}
- class { 'nginx': }
-
- nginx::resource::server { $cf_front_app_host:
- listen_port => 80,
- proxy => 'http://localhost:8000',
+ apache::vhost { $cf_front_app_host:
+ port => '80',
+ docroot => false,
+ manage_docroot => false,
+ proxy_dest => "http://localhost:8000",
+ proxy_preserve_host => true,
+ no_proxy_uris => [
+ "/maintenance_immae.html",
+ "/googleb6d69446ff4ca3e5.html",
+ "/.well-known/acme-challenge"
+ ],
+ no_proxy_uris_match => [
+ '^/licen[cs]es?_et_tip(ping)?$',
+ '^/licen[cs]es?_and_tip(ping)?$',
+ '^/licen[cs]es?$',
+ '^/tip(ping)?$',
+ ]
}
user { $cf_user: