[Ovirt-devel] [PATCH server] Switch ovirt appliance httpd conf to use ssl, redirect http to https.

Jason Guiditta jguiditt at redhat.com
Thu Feb 26 15:41:18 UTC 2009


On Tue, 2009-02-24 at 10:29 -0600, Steve Linabery wrote:
> ---
>  conf/ovirt-server.conf                     |   20 +++++++++++++++++++-
>  installer/modules/ovirt/manifests/ovirt.pp |   15 +++++++++++++++
>  2 files changed, 34 insertions(+), 1 deletions(-)
> 
> diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
> index 7ab77b4..1d8cb7a 100644
> --- a/conf/ovirt-server.conf
> +++ b/conf/ovirt-server.conf
> @@ -1,6 +1,24 @@
>  NameVirtualHost *:80
>  <VirtualHost *:80>
> -ProxyRequests Off
> +  RewriteEngine on
> +  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> +</VirtualHost>
> +
> +NameVirtualHost 192.168.50.2:443
> +<VirtualHost 192.168.50.2:443>
> +
> +  RequestHeader set X_FORWARDED_PROTO 'https'
> +
> +  ErrorLog /etc/httpd/logs/error_log
> +  TransferLog /etc/httpd/logs/access_log
> +  LogLevel warn
> +  NSSEngine on
> +  NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> +  NSSProtocol SSLv3,TLSv1
> +  NSSNickname Server-Cert
> +  NSSCertificateDatabase /etc/httpd/alias
> +
> +  ProxyRequests Off
>  
>  <ProxyMatch ^.*/ovirt/login.*$>
>    AuthType Kerberos
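
Review bot: NSSCipherSuite in the new 443 vhost enables +rsa_rc4_128_md5, +rsa_rc4_128_sha and the 3DES suites, and NSSProtocol still allows SSLv3. The ProxyMatch for /ovirt/login with AuthType Kerberos follows in this vhost, so I would restrict it to NSSProtocol TLSv1 and enable only +rsa_aes_128_sha and +rsa_aes_256_sha. Separately, [R,L] on the port 80 RewriteRule issues a temporary redirect; R=301 would mark the move to https as permanent.
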
> diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
> index c81b6f2..c34eae0 100644
> --- a/installer/modules/ovirt/manifests/ovirt.pp
> +++ b/installer/modules/ovirt/manifests/ovirt.pp
> @@ -20,6 +20,21 @@
>  
>  class ovirt::setup {
>  
> +        #until ace offers a global replacement, we need to change each
> +        #occurrence of the ip address in the httpd conf file
> +	file_replacement{"ovirt_httpd_config_change_1":
> +	        file => "/etc/httpd/conf.d/ovirt-server.conf",
> +	        pattern => "192\.168\.50\.2",
> +	        replacement => "$mgmt_ipaddr",
> +		require => Package[ovirt-server]
> +        }
> +	file_replacement{"ovirt_httpd_config_change_2":
> +	        file => "/etc/httpd/conf.d/ovirt-server.conf",
> +	        pattern => "192\.168\.50\.2",
> +	        replacement => "$mgmt_ipaddr",
> +		require => Package[ovirt-server]
> +        }
> +
>          package {"ovirt-server":
>  		ensure => installed,
>  		require => Single_exec[set_pw_expiration]
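
Review bot: ovirt_httpd_config_change_1 and ovirt_httpd_config_change_2 are identical apart from the title (same file, pattern and replacement), and both require only Package[ovirt-server]. If file_replacement rewrites every match, one resource is enough. If it rewrites only the first match, the number of resources has to track the number of 192.168.50.2 occurrences in ovirt-server.conf, and a later added occurrence would be left unreplaced with no error, so the comment should say which behaviour is being relied on. The added lines also mix tabs and spaces for indentation.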

ACK, provided you remove one of those file_replace blocks above ^^

-j



