ServerName {{ name }} {% if server_aliases %} ServerAlias {{ server_aliases | join(" ") }} {% endif %} ServerAdmin {{ server_admin }} TraceEnable Off {% if gzip %} SetOutputFilter DEFLATE {% endif %} {% if certbot %} ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge" {% endif %} {% if sslonly %} RewriteEngine On RewriteCond %{HTTPS} off RewriteCond %{REQUEST_URI} !/.well-known/acme-challenge/.* RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE] {% else %} Include "conf.d/{{ name }}/*.conf" {% endif %} {% if ssl %} ServerName {{ name }} {% if server_aliases %} ServerAlias {{ server_aliases | join(" ") }} {% endif %} ServerAdmin {{ server_admin }} {% if gzip %} SetOutputFilter DEFLATE {% endif %} SSLEngine on SSLCertificateFile /etc/pki/tls/certs/{{ cert_name }}.cert SSLCertificateKeyFile /etc/pki/tls/private/{{ cert_name }}.key {% if SSLCertificateChainFile %} SSLCertificateChainFile /etc/pki/tls/certs/{{ SSLCertificateChainFile }} {% endif %} SSLHonorCipherOrder On # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. SSLProtocol {{ ssl_protocols }} SSLCipherSuite {{ ssl_ciphers }} {% if sslonly %} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" {% endif %} Include "conf.d/{{ name }}/*.conf" {% endif %}