| <Directory "/var/www"> |
| AllowOverride None |
| Require all granted |
| </Directory> |
| |
| DocumentRoot /var/www/ |
| |
| Alias /icons/ "/usr/share/httpd/icons/" |
| |
| <Directory "/usr/share/httpd/icons"> |
| Options Indexes MultiViews FollowSymlinks |
| AllowOverride None |
| Require all granted |
| </Directory> |
| |
| <Directory "/var/www/keys"> |
| Options Indexes |
| AllowOverride None |
| Require all granted |
| IndexOptions FancyIndexing HTMLTable NameWidth=* SuppressDescription |
| </Directory> |
| |
| RewriteEngine On |
| |
| # Disable caching of static or api files |
| <LocationMatch "/static"> |
| CacheDisable on |
| </LocationMatch> |
| <LocationMatch "/api"> |
| CacheDisable on |
| </LocationMatch> |
| |
| # Enable cross request for cgit content |
| <Location "/cgit"> |
| Header set Access-Control-Allow-Origin '*' |
| </Location> |
| |
| {% if _zuul_job_version is defined %} |
| Alias "/docs/zuul-jobs" "/usr/share/doc/zuul-jobs-doc-{{ _zuul_job_version.stdout.split('-')[3] }}/html" |
| {% endif %} |
| Alias "/docs/managesf" "/usr/share/doc/managesf/" |
| Alias "/docs" "/usr/share/doc/software-factory/" |
| <Directory "/usr/share/doc/"> |
| Require all granted |
| </Directory> |
| {% for directory in gateway_directories -%} |
| Alias "/{{ directory.name }}" "{{ directory.path }}" |
| <Directory {{ directory.path }}> |
| {% for option in directory.options %} |
| {{ option }} |
| {% endfor -%} |
| </Directory> |
| {% endfor -%} |
| <Directory /var/www> |
| AllowOverride None |
| Order allow,deny |
| allow from all |
| </Directory> |
| <Directory /var/www/managesf> |
| Order allow,deny |
| Deny from all |
| </Directory> |
| |
| {% if 'grafana' in roles %} |
| <LocationMatch "^/grafana/"> |
| RequestHeader unset X-Forwarded-User |
| </LocationMatch> |
| |
| {% endif %} |
| <IfModule mod_proxy.c> |
| ProxyVia On |
| ProxyRequests Off |
| |
| {% if 'gerrit' in roles %} |
| ProxyPass /r {{ gerrit_internal_url | regex_replace('\\/$', '') }} nocanon retry=0 |
| ProxyPassReverse /r {{ gerrit_internal_url | regex_replace('\\/$', '') }} |
| |
| RewriteRule ^/r/gitweb(.*)$ /r/plugins/gitiles/$1/ [R] |
| |
| {% endif %} |
| |
| {% if 'zuul' in roles %} |
| ProxyPass /zuul {{ zuul_web_url }} nocanon retry=0 |
| ProxyPassReverse /zuul {{ zuul_web_url }} |
| |
| RewriteRule ^/zuul/*$ /zuul/t/{{ tenant_name }}/status [R,L] |
| |
| # Rewrite api to zuul-web |
| |
| RewriteRule ^/zuul/api/tenant/(.*)/console-stream$ {{ zuul_ws_url }}/api/tenant/$1/console-stream [P,L] |
| RewriteRule ^/zuul/api/(.*)$ {{ zuul_web_url }}/api/$1 [P,L] |
| |
| Redirect "/docs/zuul" "https://zuul-ci.org/docs/zuul/{{ _zuul_version.stdout }}" |
| Redirect "/docs/nodepool" "https://zuul-ci.org/docs/nodepool/{{ _nodepool_version.stdout }}" |
| {% endif %} |
| {% if tenant_deployment %} |
| ProxyPass /zuul {{ master_sf_url }}/zuul nocanon retry=0 |
| ProxyPassReverse /zuul {{ master_sf_url }}/zuul |
| |
| RewriteRule ^/zuul/*$ /zuul/status [R,L] |
| |
| SSLProxyEngine On |
| <location /zuul> |
| RequestHeader set Host "{{ master_sf_fqdn }}" |
| ProxyPreserveHost Off |
| </location> |
| |
| # Rewrite api to zuul-web |
| RewriteRule ^/zuul/api/console-stream$ wss://{{ master_sf_fqdn }}/zuul/api/tenant/{{ tenant_name }}/console-stream [P,L] |
| RewriteRule ^/zuul/api/(.*)$ {{ master_sf_url }}/zuul/api/tenant/{{ tenant_name }}/$1 [P,L] |
| |
| Redirect "/docs/zuul" "{{ master_sf_url }}/docs/zuul" |
| Redirect "/docs/nodepool" "{{ master_sf_url }}/docs/nodepool" |
| {% endif %} |
| |
| # SF-UI: Rewrite HTML5 url to the index.html |
| <Directory /usr/share/sf-ui> |
| DirectoryIndex index.html |
| Require all granted |
| Order allow,deny |
| Allow from all |
| </Directory> |
| # If the request match an sf-ui SPA route |
| RewriteRule ^/(project|login|logout).*$ /usr/share/sf-ui/index.html [L] |
| RewriteRule ^/auth/settings$ /usr/share/sf-ui/index.html [L] |
| RewriteRule ^/$ /usr/share/sf-ui/index.html [L] |
| # If the request match an sf-ui filename, then redirect to it |
| RewriteCond /usr/share/sf-ui/%{REQUEST_FILENAME} -f |
| RewriteRule .* /usr/share/sf-ui/%{REQUEST_FILENAME} [L] |
| |
| {% if 'managesf' in roles %} |
| ProxyPass /manage/ http://managesf:20001/ retry=0 timeout=2400 |
| ProxyPassReverse /manage/ http://managesf:20001/ timeout=2400 |
| |
| {% endif %} |
| {% if 'etherpad' in roles %} |
| RewriteRule ^/etherpad$ etherpad/ [R] |
| ProxyPass /etherpad/ http://127.0.0.1:9001/ retry=0 |
| ProxyPassReverse /etherpad/ http://127.0.0.1:9001/ |
| |
| {% endif %} |
| {% if 'lodgeit' in roles %} |
| RewriteRule ^/paste$ paste/ [R] |
| ProxyPass /paste http://127.0.0.1:5000/paste retry=0 |
| ProxyPassReverse /paste http://127.0.0.1:5000/paste |
| {% endif %} |
| {% if koji_host|default(False) %} |
| |
| ProxyPass /koji/ http://{{ koji_host }}/koji/ retry=0 |
| ProxyPassReverse /koji/ http://{{ koji_host }}/koji/ |
| |
| ProxyPass /koji-static/ http://{{ koji_host }}/koji-static/ retry=0 |
| ProxyPassReverse /koji-static/ http://{{ koji_host }}/koji-static/ |
| |
| ProxyPass /kojifiles/ http://{{ koji_host }}/kojifiles/ retry=0 |
| ProxyPassReverse /kojifiles/ http://{{ koji_host }}/kojifiles/ |
| |
| {% endif %} |
| |
| {% if 'nodepool-builder' in roles %} |
| {% for builder in groups['nodepool-builder'] %} |
| {% if builder != gateway_host %} |
| ProxyPass /nodepool-builder/{{ builder }}/ http://{{ builder }}/nodepool-builder/ |
| ProxyPassReverse /nodepool-builder/{{ builder }}/ http://{{ builder }}/nodepool-builder/ |
| {% endif %} |
| {% endfor %} |
| {% endif %} |
| |
| {% if 'nodepool-launcher' in roles %} |
| {% for launcher in groups['nodepool-launcher'] %} |
| {% if launcher != gateway_host %} |
| ProxyPass /nodepool-launcher/{{ launcher }}/ http://{{ launcher }}/nodepool-launcher/ |
| ProxyPassReverse /nodepool-launcher/{{ launcher }}/ http://{{ launcher }}/nodepool-launcher/ |
| {% endif %} |
| {% endfor %} |
| {% endif %} |
| |
| {% if 'logserver' in roles %} |
| ProxyPass /logs/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs/ |
| ProxyPassReverse /logs/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs/ |
| |
| ProxyPass /logs-raw/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs-raw/ |
| ProxyPassReverse /logs-raw/ http://{{ logserver_host }}:{{ logserver_http_port }}/logs-raw/ |
| |
| {% endif %} |
| {% if 'hound' in roles %} |
| RewriteRule ^/codesearch$ codesearch/ [R] |
| ProxyPass /codesearch/ {{ hound_internal_url }}/ |
| ProxyPassReverse /codesearch/ {{ hound_internal_url }}/ |
| |
| {% endif %} |
| ProxyPass /auth/ http://{{ keycloak_host }}:{{ keycloak_http_port }}/auth/ |
| ProxyPassReverse /auth/ http://{{ keycloak_host }}:{{ keycloak_http_port }}/auth/ |
| |
| ProxyPreserveHost On |
| AllowEncodedSlashes NoDecode |
| <Proxy *> |
| Options FollowSymLinks MultiViews |
| AllowOverride All |
| Order allow,deny |
| allow from all |
| </Proxy> |
| |
| {% if 'grafana' in roles %} |
| RewriteRule ^/grafana$ grafana/ [R] |
| ProxyPass /grafana/ {{ grafana_internal_url }}/ |
| ProxyPassReverse /grafana/ {{ grafana_internal_url }}/ |
| {% endif %} |
| </IfModule> |
| |
| {% if 'nodepool' in roles %} |
| <Directory /var/www/nodepool> |
| IndexOptions FancyIndexing FoldersFirst |
| Options MultiViews Indexes |
| AllowOverride None |
| Order allow,deny |
| Allow from all |
| </Directory> |
| {% endif %} |
| |
| {% if 'nodepool-builder' in roles %} |
| {% for builder in groups['nodepool-builder'] -%} |
| {% if builder == gateway_host -%} |
| Alias /nodepool-builder/{{ builder }}/ /var/www/html/nodepool-builder/ |
| {% endif %} |
| {% endfor %} |
| {% endif %} |
| |
| {% if 'nodepool-launcher' in roles %} |
| {% for launcher in groups['nodepool-launcher'] -%} |
| {% if launcher == gateway_host -%} |
| Alias /nodepool-launcher/{{ launcher }}/ /var/www/html/nodepool-launcher/ |
| {% endif -%} |
| {% endfor -%} |
| {% endif %} |
| |
| <Location "/auth"> |
| RequestHeader add "X-forwarded-proto" "https" |
| RequestHeader set x-ssl-client-cert "%{SSL_CLIENT_CERT}s" |
| </Location> |
| |
| {% if 'managesf' in roles %} |
| <Location "/manage"> |
| RequestHeader unset X-Remote-User |
| AuthType oauth20 |
| Require valid-user |
| RequestHeader set X-Remote-User %{REMOTE_USER}s |
| </Location> |
| |
| <Location "/manage/v2/configurations"> |
| Allow from All |
| Satisfy Any |
| </Location> |
| |
| # Enable "anonymous" access to read resources. |
| <Location "/manage/v2/resources"> |
| RequestHeader unset X-Remote-User |
| AuthType oauth20 |
| <RequireAny> |
| <RequireAll> |
| Require valid-user |
| Require method POST |
| </RequireAll> |
| <RequireAll> |
| Require method GET |
| </RequireAll> |
| </RequireAny> |
| RequestHeader set X-Remote-User %{REMOTE_USER}s |
| </Location> |
| |
| <Location "/manage/about"> |
| Allow from All |
| Satisfy Any |
| </Location> |
| |
| |
| {% endif %} |
| |
| {% if authentication["authenticated_only"] %} |
| # Make sure static files, docs, git and the topmenu are accessible even if |
| # anonymous access is disabled. Git itself is protected by Gerrit |
| <LocationMatch "^(?!/(r/.*/(info/refs|git-upload-pack)|docs|static|auth|index.html|_defconf.tgz|.well-known|zuul/api/connection/[^\/]+/payload|server-status|$))"> |
| Order deny,allow |
| Allow from all |
| AuthType openid-connect |
| Require valid-user |
| </LocationMatch> |
| {% endif %} |
| |
| # Needed for redirection to work |
| <Location "/redirect"> |
| AuthType openid-connect |
| require valid-user |
| </Location> |