Ansible handling of Apache SSL config
Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/ca9f9382
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/ca9f9382
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/ca9f9382
Branch: refs/heads/develop
Commit: ca9f938238fbbc79fc5ced5576fc580c49443f8f
Parents: 749a84d
Author: Marcus Christie <[email protected]>
Authored: Tue Apr 4 17:04:36 2017 -0400
Committer: Marcus Christie <[email protected]>
Committed: Tue Apr 4 17:04:36 2017 -0400
----------------------------------------------------------------------
.../scigap/production/group_vars/all/vars.yml | 4 ++
.../production/group_vars/pga-seagrid/vars.yml | 56 ++++++++++++++++++++
.../production/group_vars/pga-seagrid/vault.yml | 18 +++++++
.../ansible/inventories/scigap/production/hosts | 3 ++
dev-tools/ansible/roles/pga/defaults/main.yml | 5 +-
dev-tools/ansible/roles/pga/tasks/main.yml | 10 +++-
.../roles/pga/templates/pga-ssl-vhost.conf.j2 | 29 ++++++++++
.../roles/pga/templates/pga-vhost.conf.j2 | 3 ++
8 files changed, 124 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
index ecc6641..3984024 100644
--- a/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
+++ b/dev-tools/ansible/inventories/scigap/production/group_vars/all/vars.yml
@@ -111,6 +111,10 @@ monitor_email_password: "{{ vault_monitor_email_password }}"
 # PGA variables
 pga_repo: "https://github.com/apache/airavata-php-gateway.git"
 user_data_dir: "/var/www/portals/gateway-user-data"
+## Airavata Client related variables
+#airavata_server: "tls://gw77.iu.xsede.org"
+airavata_server: "tls://{{ groups['api-orch'][0] }}"
+airavata_port: "9930"
 # Sharing Registry related variables
 sharing_registry_host: "{{ groups['api-orch'][0] }}"
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vars.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vars.yml b/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vars.yml
new file mode 100644
index 0000000..90ac459
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vars.yml
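Review bot: The commented-out `#airavata_server: "tls://gw77.iu.xsede.org"` sits directly above the live `airavata_server` key, so a reader cannot tell whether it is a fallback, a stale value, or a reminder; either drop it or replace it with a comment stating when the hard-coded host would apply. Quoting `airavata_port: "9930"` is consistent with the other string-typed values in this file and avoids the value being retyped as an integer. The enclosing group_vars file continues outside the hunk.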
@@ -0,0 +1,56 @@
+#
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+---
+pga_repo: "https://github.com/apache/airavata-php-gateway.git"
+git_branch: "master"
+user: "pga"
+group: "pga"
+doc_root_dir: "/var/www/portals/{{ gateway_id }}"
+# TODO: disable SSL temporarily for testing
+#vhost_servername: "seagrid.org"
+#vhost_serveralias: "www.portal.seagrid.org"
+vhost_servername: "{{ groups['pga'][0][0] }}"
+vhost_ssl: False
+# TODO: have Ansible manage these files as well
+ssl_certificate_file: "/etc/pki/tls/certs/seagrid_org_cert.cer"
+ssl_certificate_chain_file: "/etc/pki/tls/certs/seagrid_org_interm.cer"
+ssl_certificate_key_file: "/etc/pki/tls/private/portal.seagrid.key"
+
+## WSO2 IS related variables
+tenant_domain: "prod.seagrid"
+admin_username: "admin"
+admin_password: "{{ vault_admin_password }}"
+oauth_client_key: "{{ vault_oauth_client_key }}"
+oauth_client_secret: "{{ vault_oauth_client_secret }}"
+
+gateway_id: "seagrid"
+# relative to document root dir
+experiment_data_dir: "{{ user_data_dir }}/seagrid"
+# TODO: fix this
+gateway_data_store_resource_id: "149.165.156.11_b5f26430-14d5-4372-8a7e-39b125aa640b"
+
+## Portal related variables
+super_admin_portal: "false"
+admin_emails: "['[email protected]', '[email 
protected]']"
+portal_email_username: "[email protected]"
+portal_email_password: "{{ vault_portal_email_password }}"
+
+...
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vault.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vault.yml b/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vault.yml
new file mode 100644
index 0000000..b253227
--- /dev/null
+++ b/dev-tools/ansible/inventories/scigap/production/group_vars/pga-seagrid/vault.yml
@@ -0,0 +1,18 @@
+$ANSIBLE_VAULT;1.1;AES256
+66333335376433663761356636313739303836383431366135633735663262366262663737613936
+6238613036636365653530353538373031623562373335300a316462306231653531613330303030
+61383138343832616162353239303331663164326635336566663666316232366562616633316139
+6365666632373662340a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
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/inventories/scigap/production/hosts
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/inventories/scigap/production/hosts b/dev-tools/ansible/inventories/scigap/production/hosts
index 3d4d311..dbd7789 100644
--- a/dev-tools/ansible/inventories/scigap/production/hosts
+++ b/dev-tools/ansible/inventories/scigap/production/hosts
@@ -16,6 +16,9 @@ gf5.ucs.indiana.edu
 [gfac]
 gf6.ucs.indiana.edu
+[pga:children]
+pga-seagrid
+
 [pga-seagrid]
 gf4.ucs.indiana.edu
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/roles/pga/defaults/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/defaults/main.yml b/dev-tools/ansible/roles/pga/defaults/main.yml
index 19dc062..aec2ea6 100644
--- a/dev-tools/ansible/roles/pga/defaults/main.yml
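Review bot: `vhost_servername: "{{ groups['pga'][0][0] }}"` indexes twice, so it resolves to the first character of the first hostname in the `pga` group (with `gf4.ucs.indiana.edu` from the `[pga-seagrid]` block that is the string `g`), not the hostname; the role default in `roles/pga/defaults/main.yml` uses `groups['pga'][0]`, so this line should read `vhost_servername: "{{ groups['pga'][0] }}"`. Because `pga-vhost.conf.j2` substitutes the value straight into `ServerName`, this renders quietly as `ServerName g` rather than failing the play, so it is easy to miss. Since this file lives under `inventories/scigap/production`, the `# TODO: disable SSL temporarily for testing` above `vhost_ssl: False` deserves a tracking reference so the gateway does not stay on plain HTTP after testing. `false` rather than `False` is the form yamllint and YAML 1.2 parsers read unambiguously.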
+++ b/dev-tools/ansible/roles/pga/defaults/main.yml
@@ -19,11 +19,10 @@
 #
 ---
-pga_user: "pga"
-pga_group: "pga"
-doc_root_dir: "/var/www/html/php-gateway"
+doc_root_dir: "/var/www/{{ gateway_id }}"
 user_data_dir: "/var/www/user_data"
 vhost_servername: "{{ groups['pga'][0] }}"
+vhost_ssl: False
 httpd_confd_file_location:
 RedHat: "/etc/httpd/conf.d/pga-{{ gateway_id }}.conf"
 Debian: "/etc/apache2/sites-available/pga-{{ gateway_id }}.conf"
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index 3018f1c..8caa24b 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -84,8 +84,16 @@
 - https
 become: yes
-- name: copy httpd.conf file
+- name: copy virtual host config file
 template: src=pga-vhost.conf.j2 dest={{ httpd_confd_file_location[ansible_os_family] }} backup=yes
 become: yes
 notify:
 - restart httpd
+ when: not vhost_ssl
+
+- name: copy SSL enabled virtual host config file
+ template: src=pga-ssl-vhost.conf.j2 dest={{ httpd_confd_file_location[ansible_os_family] }} backup=yes
+ become: yes
+ notify:
+ - restart httpd
+ when: vhost_ssl
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/roles/pga/templates/pga-ssl-vhost.conf.j2
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/templates/pga-ssl-vhost.conf.j2 b/dev-tools/ansible/roles/pga/templates/pga-ssl-vhost.conf.j2
new file mode 100644
index 0000000..b55697d
--- /dev/null
+++ b/dev-tools/ansible/roles/pga/templates/pga-ssl-vhost.conf.j2
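Review bot: `vhost_ssl: False` is added to the role defaults without any default for `ssl_certificate_file`, `ssl_certificate_chain_file` or `ssl_certificate_key_file`, which `pga-ssl-vhost.conf.j2` references unconditionally; a group that sets `vhost_ssl` to true without defining all three would fail at template render time with an undefined-variable error (Ansible's default handling of undefined variables). Document that contract next to the flag, e.g. `# true renders pga-ssl-vhost.conf.j2; requires ssl_certificate_file, ssl_certificate_chain_file and ssl_certificate_key_file to be defined`. Prefer `false` over `False` (yamllint `truthy`). `pga_user`/`pga_group` are removed here while `pga-seagrid/vars.yml` defines `user`/`group`; the tasks that consume them are not in this diff, so confirm they were renamed to match.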
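Review bot: The new `copy SSL enabled virtual host config file` task repeats the non-SSL task line for line apart from the template name and the inverted `when:`, so the two will drift; a single task that picks the template from `vhost_ssl`, written with native YAML module args instead of the `src=... dest=...` string form, keeps one place to maintain. The SSL template needs mod_ssl and mod_rewrite loaded on the host, and nothing in this hunk installs or enables them; if the role does not do that elsewhere, the `restart httpd` handler will fail on the rendered config when `vhost_ssl` is true. `become: true` is the canonical boolean form for the new lines.
```yaml
- name: copy virtual host config file
  template:
    src: "{{ 'pga-ssl-vhost.conf.j2' if vhost_ssl else 'pga-vhost.conf.j2' }}"
    dest: "{{ httpd_confd_file_location[ansible_os_family] }}"
    backup: true
  become: true
  notify:
    - restart httpd
```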
@@ -0,0 +1,29 @@
+<VirtualHost *:80>
+ ServerName {{ vhost_servername }}
+ {% if vhost_serveralias is defined %}
+ ServerAlias {{ vhost_serveralias }}
+ {% endif %}
+
+ ## Redirect all http traffic to https
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName {{ vhost_servername }}
+ {% if vhost_serveralias is defined %}
+ ServerAlias {{ vhost_serveralias }}
+ {% endif %}
+
+ DocumentRoot {{ doc_root_dir }}/public
+ <Directory "{{ doc_root_dir }}/public">
+ AllowOverride All
+ </Directory>
+ ErrorLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.error.log
+ CustomLog {{ httpd_log_dir[ansible_os_family] }}/{{ gateway_id }}.requests.log combined
+ SSLEngine on
+ SSLCertificateFile {{ ssl_certificate_file }}
+ SSLCertificateChainFile {{ ssl_certificate_chain_file }}
+ SSLCertificateKeyFile {{ ssl_certificate_key_file }}
+</VirtualHost>
http://git-wip-us.apache.org/repos/asf/airavata/blob/ca9f9382/dev-tools/ansible/roles/pga/templates/pga-vhost.conf.j2
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/templates/pga-vhost.conf.j2 b/dev-tools/ansible/roles/pga/templates/pga-vhost.conf.j2
index 59e8406..0305ef2 100644
--- a/dev-tools/ansible/roles/pga/templates/pga-vhost.conf.j2
+++ b/dev-tools/ansible/roles/pga/templates/pga-vhost.conf.j2
@@ -1,5 +1,8 @@
 <VirtualHost *:80>
 ServerName {{ vhost_servername }}
+ {% if vhost_serveralias is defined %}
+ ServerAlias {{ vhost_serveralias }}
+ {% endif %}
 DocumentRoot {{ doc_root_dir }}/public
 <Directory "{{ doc_root_dir }}/public">
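Review bot: `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` builds the redirect target from the client-supplied Host header, so the port-80 vhost will redirect to whatever host name the request carried rather than to this gateway; redirecting to the configured name, `RewriteRule ^ https://{{ vhost_servername }}%{REQUEST_URI} [R=301,L]`, removes that, makes the redirect permanent and stops further rule processing. `RewriteCond %{HTTPS} off` is always true inside a `*:80` vhost and can be dropped. The 443 vhost sets no `SSLProtocol`, `SSLCipherSuite` or HSTS header, so it inherits the distribution's ssl.conf defaults; if that is intended, a one-line comment saying so would save the next maintainer a search. On httpd 2.4.8 and later `SSLCertificateChainFile` is deprecated in favour of appending the chain to the file given to `SSLCertificateFile`; it still works, but a comment noting that would help when the certificate files are brought under Ansible management.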
