[Ovirt-devel] [PATCH server] Switch ovirt appliance httpd conf to use ssl, redirect http to https.
Jason Guiditta
jguiditt at redhat.com
Thu Feb 26 15:41:18 UTC 2009
On Tue, 2009-02-24 at 10:29 -0600, Steve Linabery wrote:
> ---
> conf/ovirt-server.conf | 20 +++++++++++++++++++-
> installer/modules/ovirt/manifests/ovirt.pp | 15 +++++++++++++++
> 2 files changed, 34 insertions(+), 1 deletions(-)
>
> diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
> index 7ab77b4..1d8cb7a 100644
> --- a/conf/ovirt-server.conf
> +++ b/conf/ovirt-server.conf
> @@ -1,6 +1,24 @@
> NameVirtualHost *:80
> <VirtualHost *:80>
> -ProxyRequests Off
> + RewriteEngine on
> + RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> +</VirtualHost>
> +
> +NameVirtualHost 192.168.50.2:443
> +<VirtualHost 192.168.50.2:443>
> +
> + RequestHeader set X_FORWARDED_PROTO 'https'
> +
> + ErrorLog /etc/httpd/logs/error_log
> + TransferLog /etc/httpd/logs/access_log
> + LogLevel warn
> + NSSEngine on
> + NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> + NSSProtocol SSLv3,TLSv1
> + NSSNickname Server-Cert
> + NSSCertificateDatabase /etc/httpd/alias
> +
> + ProxyRequests Off
>
> <ProxyMatch ^.*/ovirt/login.*$>
> AuthType Kerberos
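Review bot: The NSS settings in the new `192.168.50.2:443` vhost accept weak protocol and cipher choices: `NSSCipherSuite` enables `+rsa_rc4_128_md5`, `+rsa_rc4_128_sha` and `+rsa_3des_sha`, and `NSSProtocol SSLv3,TLSv1` still allows SSLv3. Suggest trimming the enabled suites to the AES entries already on that line (`+rsa_aes_128_sha,+rsa_aes_256_sha`) and dropping SSLv3 from `NSSProtocol`. Separately, the `RewriteRule` in the `*:80` vhost uses `[R,L]`, which sends a temporary (302) redirect; use `[R=301,L]` if the move to https is meant to be permanent.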
> diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
> index c81b6f2..c34eae0 100644
> --- a/installer/modules/ovirt/manifests/ovirt.pp
> +++ b/installer/modules/ovirt/manifests/ovirt.pp
> @@ -20,6 +20,21 @@
>
> class ovirt::setup {
>
> + #until ace offers a global replacement, we need to change each
> + #occurrence of the ip address in the httpd conf file
> + file_replacement{"ovirt_httpd_config_change_1":
> + file => "/etc/httpd/conf.d/ovirt-server.conf",
> + pattern => "192\.168\.50\.2",
> + replacement => "$mgmt_ipaddr",
> + require => Package[ovirt-server]
> + }
> + file_replacement{"ovirt_httpd_config_change_2":
> + file => "/etc/httpd/conf.d/ovirt-server.conf",
> + pattern => "192\.168\.50\.2",
> + replacement => "$mgmt_ipaddr",
> + require => Package[ovirt-server]
> + }
> +
> package {"ovirt-server":
> ensure => installed,
> require => Single_exec[set_pw_expiration]
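Review bot: `ovirt_httpd_config_change_1` and `ovirt_httpd_config_change_2` are identical apart from the resource title (same `file`, `pattern` and `replacement`), and the comment above them does not say why two are needed. The conf file has two occurrences of the address (`NameVirtualHost 192.168.50.2:443` and `<VirtualHost 192.168.50.2:443>`); if `file_replacement` rewrites only one match per resource, the pair silently depends on that and a third occurrence would need a third block, and if it rewrites every match the second block is redundant and should be dropped. State which case applies in the comment. Nothing in this hunk notifies or restarts httpd after the file is rewritten, so confirm the service reloads the changed conf.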
ACK, provided you remove one of those file_replace blocks above ^^
-j