{#- Jinja2 template rendering the Caddyfile site blocks for one frontend slave:
    an HTTPS block (rendered only when a certificate file is found) and a plain
    HTTP block. All inputs come from `slave_parameter`; `os_module` is used only
    to probe certificate files on disk. Lines starting with '#' end up in the
    generated Caddyfile, Jinja comments do not. #}
{#- Boolean slave parameters are compared case-insensitively against this list;
    any other value, and a missing parameter, counts as false. #}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %}
{#- Per-slave feature toggles. #}
{%- set disable_no_cache_header = slave_parameter.get('disable-no-cache-request', '').lower() in TRUE_VALUES %}
{%- set disable_via_header = slave_parameter.get('disable-via-header', '').lower() in TRUE_VALUES %}
{%- set prefer_gzip = slave_parameter.get('prefer-gzip-encoding-to-backend', '').lower() in TRUE_VALUES %}
{#- One (path prefix, comment) pair per "proxy" block to render. With prefer_gzip
    a second proxy under /prefer-gzip is added; requests routed there get their
    Accept-Encoding forced to gzip before reaching the backend. #}
{%- set proxy_append_list = [('', 'Default proxy configuration')] %}
{%- if prefer_gzip %}
{%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %}
{%- endif %} {#- if prefer_gzip #}
{#- Whitespace-separated list of additional host names served by this slave. #}
{%- set server_alias_list =  slave_parameter.get('server-alias', '').split() %}
{#- HTTP/2 is offered only when it is not disabled globally AND the slave enables
    it (falling back to the instance-wide enable_http2_by_default). #}
{%- set enable_h2 = slave_parameter['global_disable_http2'].lower() not in TRUE_VALUES and slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default']).lower() in TRUE_VALUES %}
{#- Default off: when false, every proxy block below emits insecure_skip_verify,
    i.e. the backend's TLS certificate is not validated at all. #}
{%- set ssl_proxy_verify = slave_parameter.get('ssl-proxy-verify', '').lower() in TRUE_VALUES %}
{#- Cookie names to strip from requests before they reach the backend.
    NOTE(review): each name is interpolated verbatim into the Cookie regex of the
    proxy blocks; a name containing regex metacharacters would change what that
    pattern matches. Presumably names are validated upstream - confirm. #}
{%- set disabled_cookie_list =  slave_parameter.get('disabled-cookie-list', '').split() %}
{#- When set, the plain-HTTP block only redirects to the HTTPS host. #}
{%- set https_only = slave_parameter.get('https-only', '').lower() in TRUE_VALUES %}
{#- 'zope', 'redirect', or anything else for the default configuration. #}
{%- set slave_type = slave_parameter.get('type', '') %}
{#- host_list is the same list object as server_alias_list, so appending
    custom_domain here also mutates server_alias_list. #}
{%- set host_list = server_alias_list %}
{%- if slave_parameter.get('custom_domain') not in host_list %}
{%-   do host_list.append(slave_parameter.get('custom_domain')) %}
{%- endif %}
{#- Backend address: https-url wins over url. The trailing slash is dropped so
    path fragments can be appended. The value is interpolated verbatim into the
    proxy/redir directives below (no quoting); a value containing whitespace or
    braces would alter the generated Caddyfile - presumably validated by the
    caller, confirm. #}
{%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')).rstrip('/') %}
{#- Site labels, one per host name, for the HTTP and HTTPS blocks. #}
{%- set http_host_list = [] %}
{%- set https_host_list = [] %}
{%- for host in host_list %}
{%-   do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %}
{%-   do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %}
{%- endfor %} {#- for host in host_list #}
{#- Path a bare "/" request is redirected (301) to; URL-encoded before use. #}
{%- set default_path = slave_parameter.get('default-path', '').strip('/') | urlencode %}

# SSL enabled hosts
{% set ssl = {} %}
{#- Certificate lookup, first match wins: the 'certificate' parameter, then the
    legacy path_to_ssl_crt / apache_certificate fallbacks kept for old masters
    (BBB block). The same file is used as certificate and key, so it is
    presumably a combined PEM - confirm. #}
{% if os_module.path.exists(slave_parameter['certificate']) %}
{%   do ssl.__setitem__('certificate', slave_parameter['certificate']) %}
{%   do ssl.__setitem__('key', slave_parameter['certificate']) %}
{#- BBB: SlapOS Master non-zero knowledge BEGIN -#}
{% elif 'path_to_ssl_crt' in slave_parameter  %}
{%   do ssl.__setitem__('certificate', slave_parameter['path_to_ssl_crt']) %}
{%   do ssl.__setitem__('key', slave_parameter['path_to_ssl_crt']) %}
{% elif os_module.path.getsize(slave_parameter['apache_certificate']) > 0 %}
{%   do ssl.__setitem__('certificate', slave_parameter['apache_certificate']) %}
{%   do ssl.__setitem__('key', slave_parameter['apache_certificate']) %}
{% endif %}
{#- BBB: SlapOS Master non-zero knowledge END -#}
{#- The HTTPS block is emitted only when one of the lookups above succeeded. -#}
{% if 'key' in ssl %}
{{ https_host_list|join(', ') }} {
  # Listen on the partition's local IPv4 address only
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip
  # TLS with the certificate selected above; ALPN controls whether HTTP/2 is offered
  tls {{ ssl['certificate'] }} {{ ssl['key'] }} {
{%- if enable_h2 %}
    # Allow HTTP2
    alpn h2 http/1.1
{%- else %} {#- if enable_h2 #}
    # Disallow HTTP2
    alpn http/1.1
{%- endif %} {#- if enable_h2 #}
  } {# tls #}
  # Access log. REMOTE_USER is logged as sent by the client; it is removed from
  # proxied requests below, so the backend never sees the client-supplied value.
  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

{%- if not (slave_type == 'zope' and backend_url) %}
{%    if prefer_gzip %}
  # Route gzip-capable clients through the /prefer-gzip proxy; others keep their path
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to {1}
  }
{%    else %}
  # Identity rewrite; presumably kept so the rewrite placeholders used by the
  # redir directives below are populated - confirm
  rewrite {
    regexp (.*)
    to {1}
  }
{%    endif %}
{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

{%- if slave_type ==  'zope' and backend_url %}
  # Zope configuration
  # Requests are proxied to the backend and rewritten into Zope VirtualHostMonster
  # form (VirtualHostBase/.../VirtualHostRoot) so the backend builds URLs for this host
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    # Retry window for an unavailable backend and the interval between attempts
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    # Strip the /prefer-gzip prefix before forwarding and always ask the backend for gzip
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-   if disable_via_header %}
    # Do not reveal the proxy to clients
    header_downstream -Via
{%-   endif %} {#-   if disable_via_header #}

{%-   if disable_no_cache_header %}
    # disable-no-cache-request: client Cache-Control / Pragma are not forwarded to the backend
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-   endif %} {#-   if disable_no_cache_header #}
    # Caddy 'transparent' preset: pass Host and client-address (X-Forwarded-*) headers upstream
    transparent
    # Backend request timeout
    timeout 600s
{%-   if ssl_proxy_verify %}
    # Backend certificate is verified, against the configured CA bundle when one is given
{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-   else %} {#-   if ssl_proxy_verify #}
    # ssl-proxy-verify is off (the default): the backend's TLS certificate is NOT checked
    insecure_skip_verify
{%-   endif %} {#-   if ssl_proxy_verify #}
  } {# proxy #}
{%-   endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
  {%- if default_path %}
  # Send a bare "/" request to the configured default-path
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
  {%- endif %} {#- if default_path #}
{#- Rewrite into the Zope VirtualHostBase/.../VirtualHostRoot prefix (separators
    %2F-encoded) built from the scheme, host and virtualhostroot-https-port.
    NOTE(review): the 'path' parameter is interpolated unencoded here, unlike
    default_path above - confirm that is intended. #}
{%- if prefer_gzip  %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
{%- else %}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  } {# rewrite #}
{%- endif %} {#- if prefer_gzip #}
{%- elif slave_type ==  'redirect' and backend_url %} {#- if slave_type ==  'zope' and backend_url #}
  # Redirect configuration
  # Every request is redirected to the configured backend URL with the request URI appended
  redir 302 {
    /  {{ backend_url }}{rewrite_uri}
  } {# redir #}
{%- else %} {#- if slave_type ==  'zope' and backend_url #}
  # Default configuration
{%-   if default_path %}
  # Send a bare "/" request to the configured default-path
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  }  {# redir #}
{%-   endif %} {#-   if default_path #}
{%-   if backend_url %}

{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    # Retry window for an unavailable backend and the interval between attempts
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    # Strip the /prefer-gzip prefix before forwarding and always ask the backend for gzip
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-     if disable_via_header %}
    # Do not reveal the proxy to clients
    header_downstream -Via
{%-     endif %} {#-     if disable_via_header #}

{%-     if disable_no_cache_header %}
    # disable-no-cache-request: client Cache-Control / Pragma are not forwarded to the backend
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-     endif %} {#-     if disable_no_cache_header #}
    # Caddy 'transparent' preset: pass Host and client-address (X-Forwarded-*) headers upstream
    transparent
    # Backend request timeout
    timeout 600s
{%-     if ssl_proxy_verify %}
    # Backend certificate is verified, against the configured CA bundle when one is given
{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-     else %} {#-     if ssl_proxy_verify #}
    # ssl-proxy-verify is off (the default): the backend's TLS certificate is NOT checked
    insecure_skip_verify
{%-     endif %} {#-     if ssl_proxy_verify #}
  }  {# proxy #}
{%-    endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   endif %} {#-   if backend_url #}
{%- endif %} {#- if slave_type ==  'zope' and backend_url #}
}  {# https_host_list|join(', ') #}
{% endif %}

# SSL-disabled hosts
{{ http_host_list|join(', ') }} {
  # Listen on the partition's local IPv4 address only
  bind {{ slave_parameter['local_ipv4'] }}
  # Compress the output
  gzip

  # Access log. REMOTE_USER is logged as sent by the client; it is removed from
  # proxied requests below, so the backend never sees the client-supplied value.
  log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}"
  errors {{ slave_parameter.get('error_log') }}

{%- if not (slave_type == 'zope' and backend_url) %}
{%-   if prefer_gzip  %}
  # Route gzip-capable clients through the /prefer-gzip proxy; others keep their path
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to {1}
  }
{%    else %}
  # Identity rewrite; presumably kept so the rewrite placeholders used by the
  # redir directives below are populated - confirm
  rewrite {
    regexp (.*)
    to {1}
  }
{%    endif %}
{%- endif %} {#- if not (slave_type == 'zope' and backend_url) #}

{#- NOTE(review): no Strict-Transport-Security header is emitted anywhere in this
    template, so this 302 is the only HTTPS enforcement for https-only slaves. #}
{%- if https_only %}
  # Enforced redirection to SSL-enabled host
  redir 302 {
    / https://{host}{rewrite_uri}
  }
{%- elif slave_type ==  'redirect' and slave_parameter.get('url', '') %} {#- if https_only #}
  # Redirect configuration
  # Plain-HTTP hosts redirect to the 'url' parameter (not https-url), request URI appended
  redir 302 {
    /  {{ slave_parameter.get('url', '') }}{rewrite_uri}
  } {# redir #}
{%- elif slave_type ==  'zope' and backend_url %} {#- if https_only #}
  # Zope configuration
  # Reached only when https-only is off: the backend is proxied from the plain-HTTP host too
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ backend_url }} {
    # Retry window for an unavailable backend and the interval between attempts
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    # Strip the /prefer-gzip prefix before forwarding and always ask the backend for gzip
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-   if disable_via_header %}
    # Do not reveal the proxy to clients
    header_downstream -Via
{%-   endif %} {#-   if disable_via_header #}

{%-   if disable_no_cache_header %}
    # disable-no-cache-request: client Cache-Control / Pragma are not forwarded to the backend
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-   endif %} {#-   if disable_no_cache_header #}
    # Caddy 'transparent' preset: pass Host and client-address (X-Forwarded-*) headers upstream
    transparent
    # Backend request timeout
    timeout 600s
{%-   if ssl_proxy_verify %}
    # Backend certificate is verified, against the configured CA bundle when one is given
{%-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-     endif %} {#-     if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-   else %} {#-   if ssl_proxy_verify #}
    # ssl-proxy-verify is off (the default): the backend's TLS certificate is NOT checked
    insecure_skip_verify
{%-   endif %} {#-   if ssl_proxy_verify #}
  } {# proxy #}
{%- endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   if default_path %}
  # Send a bare "/" request to the configured default-path
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
{%-   endif %} {#-   if default_path #}
{#- Rewrite into the Zope VirtualHostBase/.../VirtualHostRoot prefix (separators
    %2F-encoded) built from the scheme, host and virtualhostroot-http-port.
    NOTE(review): the 'path' parameter is interpolated unencoded here, unlike
    default_path above - confirm that is intended. #}
{%- if prefer_gzip  %}
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
  rewrite {
    regexp (.*)
    if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)"
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  }
{%- else %}
  rewrite {
    regexp (.*)
    to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1}
  } {# rewrite #}
{% endif %} {#- if prefer_gzip #}
{%- else %} {#- if https_only #}
  # Default configuration
{%-   if default_path %}
  # Send a bare "/" request to the configured default-path
  redir 301 {
    if {path} is /
    / {scheme}://{host}/{{ default_path }}
  } {# redir #}
{%-   endif %} {#-   if default_path #}
{#- NOTE(review): this branch proxies to the 'url' parameter rather than
    backend_url (which prefers https-url) as the zope branch above does;
    presumably intentional for plain-HTTP hosts - confirm. #}
{%-   if slave_parameter.get('url', '') %}
{%-   for (proxy_name, proxy_comment) in proxy_append_list %}
  # {{ proxy_comment }}
  proxy /{{ proxy_name }} {{ slave_parameter.get('url', '') }} {
    # Retry window for an unavailable backend and the interval between attempts
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
{%-     if proxy_name == 'prefer-gzip' %}
    # Strip the /prefer-gzip prefix before forwarding and always ask the backend for gzip
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
{%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
    # As backend is trusting REMOTE_USER header unset it always
    header_upstream -REMOTE_USER
{%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
{%- endfor %} {#- for disabled_cookie in disabled_cookie_list #}

{%-     if disable_via_header %}
    # Do not reveal the proxy to clients
    header_downstream -Via
{%-     endif %} {#-     if disable_via_header #}

{%-     if disable_no_cache_header %}
    # disable-no-cache-request: client Cache-Control / Pragma are not forwarded to the backend
    header_upstream -Cache-Control
    header_upstream -Pragma
{%-     endif %} {#-     if disable_no_cache_header #}
    # Caddy 'transparent' preset: pass Host and client-address (X-Forwarded-*) headers upstream
    transparent
    # Backend request timeout
    timeout 600s
{%-     if ssl_proxy_verify %}
    # Backend certificate is verified, against the configured CA bundle when one is given
{%-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter %}
    ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }}
{%-       endif %} {#-       if 'path_to_ssl_proxy_ca_crt' in slave_parameter #}
{%-     else %} {#-     if ssl_proxy_verify #}
    # ssl-proxy-verify is off (the default): the backend's TLS certificate is NOT checked
    insecure_skip_verify
{%-     endif %} {#-     if ssl_proxy_verify #}
  } {# proxy #}
{%-    endfor %} {#-   for (proxy_name, proxy_comment) in proxy_append_list #}
{%-   endif %} {#-   if slave_parameter.get('url', '') #}
{%- endif %} {#- if https_only #}
} {# http_host_list|join(', ') #}