| author | Ralph Bean <rbean@redhat.com> | 2014-12-08 15:40:15 +0000 |
|---|---|---|
| committer | Ralph Bean <rbean@redhat.com> | 2014-12-08 15:40:15 +0000 |
| commit | 30dfd807ba8327d19146f4162f79bb0caf89b4a4 (patch) | |
| tree | 0df68ee52328a26c9bcdfc5e42f705f9fdc398b2 /roles/httpd/reverseproxy | |
| parent | bf91f58612badd9e2707d76cdf7fe97eba5dc3c5 (diff) | |
First try at a reversepassproxy role.
Diffstat (limited to 'roles/httpd/reverseproxy')
| -rw-r--r-- | roles/httpd/reverseproxy/tasks/main.yml | 19 | ||||
| -rw-r--r-- | roles/httpd/reverseproxy/templates/logs.conf | 2 | ||||
| -rw-r--r-- | roles/httpd/reverseproxy/templates/reversepassproxy.conf | 7 | ||||
| -rw-r--r-- | roles/httpd/reverseproxy/templates/robots.conf | 1 | ||||
| -rw-r--r-- | roles/httpd/reverseproxy/templates/website.conf | 51 | ||||
| -rw-r--r-- | roles/httpd/reverseproxy/vars/main.yml | 4 |
6 files changed, 84 insertions, 0 deletions
diff --git a/roles/httpd/reverseproxy/tasks/main.yml b/roles/httpd/reverseproxy/tasks/main.yml
new file mode 100644
index 000000000..75e134ff4
--- /dev/null
+++ b/roles/httpd/reverseproxy/tasks/main.yml
@@ -0,0 +1,19 @@
+# Expected vars
+# - website...
+# - localpath..
+# - remotepath..
+# - proxyurl
+# - rewrite
+
+- name: Copy in ProxyPassReverse for {{website}}/{{remotepath}}
+ template: >
+ src=reversepassproxy.conf
+ dest=/etc/httpd/conf.d/{{website}}/{{destname}}.conf
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - restart httpd
+ tags:
+ - httpd
+ - httpd/reversepassproxy
diff --git a/roles/httpd/reverseproxy/templates/logs.conf b/roles/httpd/reverseproxy/templates/logs.conf
new file mode 100644
index 000000000..f4b06d971
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/logs.conf
@@ -0,0 +1,2 @@
+CustomLog "logs/{{ name }}-access.log" combined
+ErrorLog "logs/{{ name }}-error.log"
diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
new file mode 100644
index 000000000..ab4e3e588
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/reversepassproxy.conf
@@ -0,0 +1,7 @@
+{% if rewrite %}
+RewriteEngine On
+RewriteRule ^{{remotepath}}$ %{REQUEST_URI}/ [R=301]
+{% endif %}
+
+ProxyPass {{ localpath }} {{ proxyurl }}{{remotepath}}
+ProxyPassReverse {{ localpath }} {{ proxyurl }}{{remotepath}}
diff --git a/roles/httpd/reverseproxy/templates/robots.conf b/roles/httpd/reverseproxy/templates/robots.conf
new file mode 100644
index 000000000..040f48d39
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/robots.conf
@@ -0,0 +1 @@
+Alias /robots.txt /srv/web/robots.txt.{{ name }}
diff --git a/roles/httpd/reverseproxy/templates/website.conf b/roles/httpd/reverseproxy/templates/website.conf
new file mode 100644
index 000000000..f70b43483
--- /dev/null
+++ b/roles/httpd/reverseproxy/templates/website.conf
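Review bot: The "Expected vars" header in tasks/main.yml omits `destname`, which the task interpolates into `dest=/etc/httpd/conf.d/{{website}}/{{destname}}.conf`, and its entries trail off in dots instead of saying what each value is. I would add `# - destname  (basename of the generated .conf file)` and give every variable a one-line description that says which one is the client-facing path and which is the backend path. The task also assumes `/etc/httpd/conf.d/{{website}}/` already exists; nothing in this file creates it, so presumably another role does, and the header should say so.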
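Review bot: In reversepassproxy.conf the `RewriteRule` matches the incoming request path against `{{remotepath}}`, while the `ProxyPass` lines below it treat `{{ localpath }}` as the client-facing path and `{{remotepath}}` as the backend path; the two only agree when both variables hold the same value. If the trailing-slash redirect is meant for the public path, the pattern should be built from `localpath`, for example `RewriteRule ^{{ localpath }}$ %{REQUEST_URI}/ [R=301,L]`. The value is also placed into a regular expression unescaped, so a path containing `.` or `+` matches more than the literal string. Separately, `{{ proxyurl }}{{remotepath}}` relies on callers keeping trailing slashes consistent between the two `ProxyPass` arguments, as the Apache documentation asks; a template comment stating that requirement would prevent mis-mapped backend paths.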
@@ -0,0 +1,51 @@
+<VirtualHost{% for ip in ips %} {{ip}}:80{% endfor %}>
+ ServerName {{ name }}
+{% if server_aliases %}
+ ServerAlias {{ server_aliases | join(" ") }}
+{% endif %}
+ ServerAdmin {{ server_admin }}
+ TraceEnable Off
+
+{% if gzip %}
+ SetOutputFilter DEFLATE
+{% endif %}
+
+{% if sslonly %}
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+{% else %}
+ Include "conf.d/{{ name }}/*.conf"
+{% endif %}
+</VirtualHost>
+
+{% if ssl %}
+<VirtualHost{% for ip in ips %} {{ip}}:443{% endfor %}>
+ ServerName {{ name }}
+{% if server_aliases %}
+ ServerAlias {{ server_aliases | join(" ") }}
+{% endif %}
+ ServerAdmin {{ server_admin }}
+
+{% if gzip %}
+ SetOutputFilter DEFLATE
+{% endif %}
+
+ SSLEngine on
+ SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert
+ SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key
+{% if SSLCertificateChainFile %}
+ SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }}
+{% endif %}
+ SSLHonorCipherOrder On
+
+ # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
+ # If you change the protocols or cipher suites, you should probably update
+ # modules/squid/files/squid.conf-el6 too, to keep it in sync.
+ SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+ Include "conf.d/{{ name }}/*.conf"
+</VirtualHost>
+{% endif %}
+
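Review bot: `TraceEnable Off` is set only in the port-80 `<VirtualHost>`; the 443 block repeats the other directives but not this one, so unless TRACE is disabled in the global server config it stays available over HTTPS. Adding `TraceEnable Off` after `ServerAdmin {{ server_admin }}` in the SSL block keeps the two hosts consistent. In the `sslonly` branch the redirect target is built from `%{HTTP_HOST}`, which is the client-supplied Host header, and the rule carries no explicit status. Using the configured name, `RewriteRule (.*) https://{{ name }}%{REQUEST_URI} [R=301,NE,L]`, avoids reflecting that header, at the cost of sending requests for a `ServerAlias` to the canonical name.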
diff --git a/roles/httpd/reverseproxy/vars/main.yml b/roles/httpd/reverseproxy/vars/main.yml
new file mode 100644
index 000000000..17df0b487
--- /dev/null
+++ b/roles/httpd/reverseproxy/vars/main.yml
@@ -0,0 +1,4 @@
+remotepath: /
+localpath: /
+rewrite: false
+destname: reversepassproxy |
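Review bot: These four values read as per-site defaults (tasks/main.yml lists `remotepath`, `localpath` and `rewrite` among the vars callers are expected to supply), yet they are placed in `vars/main.yml`, which in Ansible generally takes precedence over inventory and group variables. If callers are meant to set them per site, `defaults/main.yml` is the conventional location. If they are meant to be fixed, a comment such as `# fixed for this role; override only via role parameters` would make the intent clear. Note also that with both paths defaulting to `/`, enabling `rewrite` without overriding `remotepath` makes the template's rule match the site root itself, which is probably not intended.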
