author | Holger Levsen <holger@layer-acht.org> | 2015-07-27 14:31:57 +0200 |
---|---|---|
committer | Holger Levsen <holger@layer-acht.org> | 2015-07-27 14:31:57 +0200 |
commit | 315ead533e3d4e67ce3908a13ebe5b75ef9060c4 (patch) | |
tree | b13a53cbace131ef2afedbd7697f724f9e674c0d /hosts/jenkins/etc/apache2 | |
parent | 16a5099a82e9c12322e7bea561a5f43448b013d4 (diff) | |
download | jenkins.debian.net-315ead533e3d4e67ce3908a13ebe5b75ef9060c4.tar.xz |
move etc to hosts/jenkins/etc
Diffstat (limited to 'hosts/jenkins/etc/apache2')
l--------- | hosts/jenkins/etc/apache2/conf-available/munin.conf | 1 | ||||
-rw-r--r-- | hosts/jenkins/etc/apache2/ports.conf | 23 | ||||
-rw-r--r-- | hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net | 275 | ||||
-rw-r--r-- | hosts/jenkins/etc/apache2/ssl/gsdomainvalsha2g2r1.crt | 27 |
4 files changed, 326 insertions, 0 deletions
diff --git a/hosts/jenkins/etc/apache2/conf-available/munin.conf b/hosts/jenkins/etc/apache2/conf-available/munin.conf
new file mode 120000
index 00000000..56fedfa9
--- /dev/null
+++ b/hosts/jenkins/etc/apache2/conf-available/munin.conf
@@ -0,0 +1 @@
+../../munin/apache.conf
\ No newline at end of file
diff --git a/hosts/jenkins/etc/apache2/ports.conf b/hosts/jenkins/etc/apache2/ports.conf
new file mode 100644
index 00000000..7830895d
--- /dev/null
+++ b/hosts/jenkins/etc/apache2/ports.conf
@@ -0,0 +1,23 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default
+# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
+# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
+# README.Debian.gz
+
+#NameVirtualHost *:80
+Listen 80
+
+<IfModule mod_ssl.c>
+ # If you add NameVirtualHost *:443 here, you will also have to change
+ # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
+ # to <VirtualHost *:443>
+ # Server Name Indication for SSL named virtual hosts is currently not
+ # supported by MSIE on Windows XP.
+ Listen 443
+</IfModule>
+
+<IfModule mod_gnutls.c>
+ Listen 443
+</IfModule>
+
diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
new file mode 100644
index 00000000..668bcf3f
--- /dev/null
+++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
@@ -0,0 +1,275 @@
+NameVirtualHost *:80
+NameVirtualHost *:443
+
+<Macro localhost-directives $ipaddress>
+ <VirtualHost $ipaddress:80>
+ ServerName $ipaddress
+ ServerAdmin holger@layer-acht.org
+ CustomLog /var/log/apache2/access.log combined
+ ErrorLog /var/log/apache2/error.log
+ <Proxy *>
+ Require all granted
+ </Proxy>
+ ProxyPreserveHost on
+ AllowEncodedSlashes NoDecode
+ # proxy everything but a few urls
+ ProxyPass /server-status !
+ # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
+ ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
+ ProxyPass /userContent !
+ ProxyPass / http://localhost:8080/ nocanon
+ ProxyPassReverse / http://localhost:8080/
+ </VirtualHost>
+</Macro>
+
+<Macro common-debian-service-https-redirect $name>
+ <VirtualHost *:80>
+ ServerName $name
+ ServerAdmin holger@layer-acht.org
+ CustomLog /var/log/apache2/access.log combined
+ ErrorLog /var/log/apache2/error.log
+ Redirect permanent / https://$name/
+ </VirtualHost>
+</Macro>
+
+<Macro common-directives $name>
+ SSLEngine on
+ SSLCertificateChainFile /etc/apache2/ssl/gsdomainvalsha2g2r1.crt
+
+ ServerName $name
+ ServerAdmin holger@layer-acht.org
+
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+ AddType text/plain .log
+ </Directory>
+ <Directory /var/lib/jenkins/userContent>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Require all granted
+ AddType text/plain .log
+ </Directory>
+
+ <FilesMatch "\.gz$">
+ AddEncoding gzip .gz
+ ForceType text/plain
+ FilterDeclare gzipInflate CONTENT_SET
+ <IfVersion >= 2.4>
+ FilterProvider gzipInflate inflate "%{req:Accept-Encoding} !~ /gzip/"
+ </IfVersion>
+ <IfVersion < 2.4>
+ FilterProvider gzipInflate inflate req=Accept-Encoding !$gzip
+ </IfVersion>
+ FilterChain +gzipInflate
+ </FilesMatch>
+
+ RewriteEngine on
+ ProxyRequests Off
+
+ # HSTS
+ RequestHeader set X-Forwarded-Proto "https"
+ RequestHeader set X-Forwarded-Port "443"
+ Header always add Strict-Transport-Security "max-age=15552000"
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ # Possible values include: debug, info, notice, warn, error, crit,
+ # alert, emerg.
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+</Macro>
+
+Use localhost-directives 127.0.0.1
+Use localhost-directives 10.0.2.1
+
+Use common-debian-service-https-redirect jenkins.debian.net
+Use common-debian-service-https-redirect reproducible.debian.net
+
+<VirtualHost *:443>
+ Use common-directives jenkins.debian.net
+ SSLCertificateFile /etc/apache2/ssl/jenkins.debian.net.pem
+
+ DocumentRoot /var/www
+
+ # allow certain params only from alioth (token is used to trigger builds)
+ RewriteCond %{REMOTE_ADDR} !5\.153\.231\.21
+ # this is git.d.o which is really moszumanska.d.o
+ # etc/cron.daily/jenkins checks for changes in this IP address, so root will be notified and can adopt this...
+ RewriteCond %{QUERY_STRING} token
+ RewriteRule ^ - [F]
+
+ # a bunch of redirects to point people to https://reproducible.debian.net
+ RewriteCond %{HTTP_HOST} jenkins\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/userContent/reproducible.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/reproducible.json$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_issues.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_notes.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_schedule.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_last_24h.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_last_48h.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_all_abc.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_dd-list.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_stats.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_pkg_sets.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_reproducible.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_FTBR_with_buildinfo.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_FTBR.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_FTBFS.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_404.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_not_for_us.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/index_blacklisted.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/rb-pkg/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/buildinfo/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/dbd/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/issues/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/notes/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/artifacts/ [or]
+ RewriteCond %{REQUEST_URI} ^/userContent/rbuild/
+ RewriteRule ^/?(.*) https://reproducible.debian.net/$1 [R=301,L]
+
+ <Proxy *>
+ Require all granted
+ </Proxy>
+ ProxyPreserveHost on
+ AllowEncodedSlashes NoDecode
+ # proxy everything but a few urls
+ ProxyPass /munin !
+ ProxyPass /server-status !
+ ProxyPass /calamaris !
+ ProxyPass /robots.txt http://localhost:8080/userContent/robots.txt
+ # map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
+ ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
+ ProxyPass /userContent !
+ ProxyPass / http://localhost:8080/ nocanon
+ ProxyPassReverse / http://localhost:8080/
+</VirtualHost>
+
+
+<VirtualHost *:443>
+ Use common-directives reproducible.debian.net
+ SSLCertificateFile /etc/apache2/ssl/reproducible.debian.net.pem
+
+ DocumentRoot /var/lib/jenkins/userContent/reproducible
+
+ <Directory /var/lib/jenkins/userContent/reproducible/artifacts>
+ HeaderName .HEADER.html
+ </Directory>
+
+ # use reproducible.html as "home page"
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/$
+ RewriteRule ^/(.*) /reproducible.html [R,L]
+
+ # drop the (old|ugly) /userContent/ directory from the url
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_URI} ^/userContent
+ RewriteRule ^/userContent/(.*)$ /$1 [R=301,L]
+
+ # redirect rb.d.n/issues/$ISSUE → rb.d.n/issues/unstable/$ISSUE
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/issues/unstable/$1 -f
+ RewriteRule ^/issues/([a-z0-9.+-_]+) /issues/unstable/$1 [R=302,L]
+
+ # redirect rb.d.n/$PKG → rb.d.n/rb-pkg/unstable/amd64/$PKG.html
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/rb-pkg/unstable/amd64/$1.html -f
+ RewriteRule ^/([a-z0-9.+-]+) /rb-pkg/unstable/amd64/$1.html [R=302,L]
+
+ # redirect rb.d.n/$PKG → rb.d.n/rb-pkg/experimental/amd64/$PKG.html
+ # (this is the fallback for the previous redirect and should only catch packages which are only in experimental)
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/rb-pkg/experimental/amd64/$1.html -f
+ RewriteRule ^/([a-z0-9.+-]+) /rb-pkg/experimental/amd64/$1.html [R=302,L]
+
+ # redirect rb.d.n/$suite/amd64/$PKG → rb.d.n/rb-pkg/$suite/amd64/$PKG.html
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/rb-pkg/$1/amd64/$2.html -f
+ RewriteRule ^/(unstable|testing|experimental)/amd64/([a-z0-9.+-]+) /rb-pkg/$1/amd64/$2.html [R=302,L]
+
+ # redirect rb.d.n/rb-pkg/$PKG.html → rb.d.n/rb-pkg/$suite/$arch/$PKG.html
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/rb-pkg/unstable/amd64/$1 -f
+ RewriteRule ^/rb-pkg/([a-z0-9.+-]+) /rb-pkg/unstable/amd64/$1 [R=301,L]
+ # the same for /dbd/
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/dbd/unstable/amd64/$1 -f
+ RewriteRule ^/dbd/([a-z0-9.+-_]+) /dbd/unstable/amd64/$1 [R=301,L]
+ # the same for /rbuild/
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/rbuild/unstable/amd64/$1 -f
+ RewriteRule ^/rbuild/([a-z0-9.+-_]+) /rbuild/unstable/amd64/$1 [R=301,L]
+ # the same for /buildinfo/
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond /var/lib/jenkins/userContent/reproducible/buildinfo/unstable/amd64/$1 -f
+ RewriteRule ^/buildinfo/([a-z0-9.+-_]+) /buildinfo/unstable/amd64/$1 [R=301,L]
+ # redirect some rb.d.n/index_*.html to the suite/arch relative one
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_URI} ^/index_reproducible.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_FTBR.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_FTBFS.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_404.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_not_for_us.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_blacklisted.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_last_24h.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_last_48h.html$ [or]
+ RewriteCond %{REQUEST_URI} ^/index_all_abc.html$
+ RewriteRule ^/?(.+) /unstable/amd64/$1 [R=301,L]
+
+ # redirect (/testing|unstable|/experimental) to (/testing|/unstable|/experimental)/index_suite_stats.html
+ # note: the missing slash in the RewriteRule is wanted to avoid a double slash
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/(testing|unstable|experimental)/$
+ RewriteRule ^/(.*) /$1index_suite_stats.html [R,L]
+
+ # redirect /coreboot/ to coreboot/coreboot.html
+ # note: the missing slash in the RewriteRule is wanted to avoid a double slash
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/coreboot/$
+ RewriteRule ^/(.*) /coreboot/coreboot.html [R,L]
+
+ # redirect /openwrt/ to openwrt/openwrt.html
+ # note: the missing slash in the RewriteRule is wanted to avoid a double slash
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/openwrt/$
+ RewriteRule ^/(.*) /openwrt/openwrt.html [R,L]
+
+ # redirect /netbsd/ to netbsd/netbsd.html
+ # note: the missing slash in the RewriteRule is wanted to avoid a double slash
+ RewriteCond %{HTTP_HOST} reproducible\.debian\.net
+ RewriteCond %{REQUEST_URI} ^/netbsd/$
+ RewriteRule ^/(.*) /netbsd/netbsd.html [R,L]
+
+ # redirect /issues/ to /index_issues.html
+ RewriteCond %{REQUEST_URI} ^/issues/$
+ RewriteRule ^/(.*) /index_issues.html [R,L]
+
+ <Proxy *>
+ Require all granted
+ </Proxy>
+
+</VirtualHost>
diff --git a/hosts/jenkins/etc/apache2/ssl/gsdomainvalsha2g2r1.crt b/hosts/jenkins/etc/apache2/ssl/gsdomainvalsha2g2r1.crt
new file mode 100644
index 00000000..6d67a8d2
--- /dev/null
+++ b/hosts/jenkins/etc/apache2/ssl/gsdomainvalsha2g2r1.crt
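Review bot: In sites-available/jenkins.debian.net, the build-trigger token guard in the jenkins.debian.net :443 vhost compares `%{REMOTE_ADDR}` with the unanchored pattern `!5\.153\.231\.21`, so any client address that merely contains that string is exempt from the `[F]` rule as well; anchor it as `RewriteCond %{REMOTE_ADDR} !^5\.153\.231\.21$`. The `localhost-directives` vhosts on port 80 proxy to the same backend without this guard, which looks intentional for local callers but deserves a one-line comment saying so. Separately, the character class `[a-z0-9.+-_]` in the /issues/, /dbd/, /rbuild/ and /buildinfo/ rules contains the range `+-_`, which admits `/`, uppercase letters and other punctuation into `$1` before it is used in the `-f` filesystem test; if only a literal hyphen was meant, write `[a-z0-9.+_-]`.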
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
+MDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
+YWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0
+aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC
+jn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG
+ExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX
+qa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It
+INH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4
+tmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC
+AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A
+mKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v
+d3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG
+Imh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE
+MTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290
+cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL
+BQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex
+4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE
+GwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj
+H6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj
+tywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6
+EjxS1QSCVS1npd+3lXzuP8MIugS+wEY=
+-----END CERTIFICATE-----
+ |