soc-ops/global/overlay/etc/puppet/modules/soc/templates/intelmq/intelmq-vhost.conf.erb

<VirtualHost *:80>
        ServerName <%= @servername %>
        ServerAdmin cert@cert.sunet.se
        DocumentRoot /var/www/html

        RewriteEngine   On
        RewriteRule     ^(.*)$          https://<%= @servername %>/$1     [R,L]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
        ServerName <%= @servername %>
        ServerAdmin cert@cert.sunet.se

        SSLEngine on
        <% if @use_snakeoil -%>
        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
        <% else -%> 
        SSLCertificateFile      <%= @tls_cert %>
        SSLCertificateKeyFile   <%= @tls_key %>
        SSLCertificateChainFile <%= @tls_chain %>
        <% end -%>

        SSLCACertificatePath /etc/ssl/certs/
        SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

        Protocols               h2 http/1.1
        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
        SSLHonorCipherOrder     off
        SSLSessionTickets       off
        Header                  always set Strict-Transport-Security "max-age=63072000"

        <IfModule mod_proxy.c>
                ProxyRequests   Off
                <Location "/api">
                        ProxyPass               "http://127.0.0.1:8666/api"
                        ProxyPassReverse        "http://127.0.0.1:8666/api"
                        Header                  always set X-DEBUG-PATH "/api"
                </Location>
        </IfModule>

#        RewriteEngine on
#        RewriteCond %{REQUEST_URI} !^/(index.html|static|api|intelmq-webinput)
#        RewriteRule .* /index.html [PT]

        DocumentRoot /opt/intelmq/www-fody
        <Directory /opt/intelmq/www-fody>
            <IfModule mod_headers.c>
                Header set Content-Security-Policy "script-src 'self'"
                Header set X-Content-Security-Policy "script-src 'self'"
            </IfModule>
            Require all granted
            Options FollowSymLinks
        </Directory>

        Alias /intelmq-manager /usr/share/intelmq_manager/html/
        <Directory /usr/share/intelmq_manager/html>
#                AuthType                Basic
#                AuthName                "IntelMQ"
#                AuthBasicProvider       file
#                AuthUserFile            /etc/apache2/htpasswd
#                Require                 user sunetcert

            <IfModule mod_headers.c>
                    Header set Content-Security-Policy "script-src 'self'"
                    Header set X-Content-Security-Policy "script-src 'self'"
            </IfModule>
        </Directory>

        <Location /intelmq/>
                ProxyPass unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
                ProxyPassReverse unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock|http://127.0.0.1/
        </Location>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
IntelMQ API. 2024-11-14 14:16:39 +01:00			`<VirtualHost *:80>`
			`ServerName <%= @servername %>`
			`ServerAdmin cert@cert.sunet.se`
			`DocumentRoot /var/www/html`

			`RewriteEngine On`
			`RewriteRule ^(.*)$ https://<%= @servername %>/$1 [R,L]`

			`ErrorLog ${APACHE_LOG_DIR}/error.log`
			`CustomLog ${APACHE_LOG_DIR}/access.log combined`
			`</VirtualHost>`

			`<VirtualHost *:443>`
			`ServerName <%= @servername %>`
			`ServerAdmin cert@cert.sunet.se`

			`SSLEngine on`
			`<% if @use_snakeoil -%>`
Bugfix. 2024-11-14 14:30:19 +01:00			`SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem`
			`SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key`
IntelMQ API. 2024-11-14 14:16:39 +01:00			`<% else -%>`
			`SSLCertificateFile <%= @tls_cert %>`
			`SSLCertificateKeyFile <%= @tls_key %>`
			`SSLCertificateChainFile <%= @tls_chain %>`
			`<% end -%>`

			`SSLCACertificatePath /etc/ssl/certs/`
			`SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt`

			`Protocols h2 http/1.1`
			`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2`
			`SSLHonorCipherOrder off`
			`SSLSessionTickets off`
			`Header always set Strict-Transport-Security "max-age=63072000"`

			`<IfModule mod_proxy.c>`
			`ProxyRequests Off`
			`<Location "/api">`
			`ProxyPass "http://127.0.0.1:8666/api"`
			`ProxyPassReverse "http://127.0.0.1:8666/api"`
			`Header always set X-DEBUG-PATH "/api"`
			`</Location>`
			`</IfModule>`

			`# RewriteEngine on`
			`# RewriteCond %{REQUEST_URI} !^/(index.html\|static\|api\|intelmq-webinput)`
			`# RewriteRule .* /index.html [PT]`

			`DocumentRoot /opt/intelmq/www-fody`
			`<Directory /opt/intelmq/www-fody>`
			`<IfModule mod_headers.c>`
			`Header set Content-Security-Policy "script-src 'self'"`
			`Header set X-Content-Security-Policy "script-src 'self'"`
			`</IfModule>`
			`Require all granted`
			`Options FollowSymLinks`
			`</Directory>`

			`Alias /intelmq-manager /usr/share/intelmq_manager/html/`
			`<Directory /usr/share/intelmq_manager/html>`
			`# AuthType Basic`
			`# AuthName "IntelMQ"`
			`# AuthBasicProvider file`
			`# AuthUserFile /etc/apache2/htpasswd`
			`# Require user sunetcert`

			`<IfModule mod_headers.c>`
			`Header set Content-Security-Policy "script-src 'self'"`
			`Header set X-Content-Security-Policy "script-src 'self'"`
			`</IfModule>`
			`</Directory>`

			`<Location /intelmq/>`
			`ProxyPass unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock\|http://127.0.0.1/`
			`ProxyPassReverse unix:/opt/intelmq/venv/lib/python3.11/site-packages/intelmq_api/intelmq_api.sock\|http://127.0.0.1/`
			`</Location>`

			`ErrorLog ${APACHE_LOG_DIR}/error.log`
			`CustomLog ${APACHE_LOG_DIR}/access.log combined`
			`</VirtualHost>`