[mirror/dsa-puppet.git] / modules / roles / templates / static-mirroring / vhost / static-vhosts-simple.erb

# puppet maintained

######################
# deb.debian.org
<% if scope.function_has_static_component(['deb.debian.org']) -%>
<Macro vstatic-vhost-extra-deb.debian.org>
        ServerAlias httpredir.debian.org
        ServerAlias cdn.debian.net
        ServerAlias http.debian.net

        Redirect /debian            http://cdn-fastly.deb.debian.org/debian
        Redirect /debian-debug      http://cdn-fastly.deb.debian.org/debian-debug
        Redirect /debian-ports      http://cdn-fastly.deb.debian.org/debian-ports
        Redirect /debian-security   http://cdn-fastly.deb.debian.org/debian-security
</Macro>

<VirtualHost <%= @vhost_listen_443 %> >
        ServerName deb.debian.org

        ErrorLog /var/log/apache2/deb.debian.org-error.log
        CustomLog /var/log/apache2/deb.debian.org-access.log privacyssl

        Use common-debian-service-ssl deb.debian.org
        Use common-ssl-HSTS

        ServerAdmin debian-admin@lists.debian.org
        <IfModule mod_userdir.c>
                UserDir disabled
        </IfModule>
        ServerSignature On

        DocumentRoot /srv/static.debian.org/mirrors/deb.debian.org/cur
        <Directory /srv/static.debian.org/mirrors/deb.debian.org/cur>
                AllowOverride FileInfo Indexes Options=Multiviews
                Options Indexes SymLinksIfOwnerMatch
                Require all granted
        </Directory>

        Header set Surrogate-Key <%= @hostname %>

        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css

        Redirect /debian            https://cdn-aws.deb.debian.org/debian
        Redirect /debian-debug      https://cdn-aws.deb.debian.org/debian-debug
        Redirect /debian-ports      https://cdn-aws.deb.debian.org/debian-ports
        Redirect /debian-security   https://cdn-aws.deb.debian.org/debian-security
</VirtualHost>
<% end -%>

<Macro vstatic-vhost-extra-network-test.debian.org>
        ServerAlias network-test-backend.debian.org
        <Location /nm>
                Header set Cache-Control "must-revalidate, max-age=0"
        </Location>
</Macro>

<Macro vstatic-vhost-extra-bits.debian.org>
        <IfModule mod_geoip.c>
                CustomLog /var/log/apache2/bits.debian.org-public-access.log privacy+geo
        </IfModule>
</Macro>

<Macro vstatic-vhost-extra-metadata.ftp-master.debian.org>
        AddDefaultCharset utf-8

        # Rewrite away double slashes
        RewriteEngine on
        RewriteCond %{REQUEST_URI} ^(.*)//(.*)$ [NC]
        RewriteRule . %1/%2 [R=301,L,NE]

        <LocationMatch "/changelogs/(main|contrib|non-free)">
                ForceType text/plain
        </LocationMatch>
</Macro>

<Macro vstatic-vhost-extra-metadata-backend.ftp-master.debian.org>
        Use vstatic-vhost-extra-metadata.ftp-master.debian.org>
</Macro>

<Macro vstatic-vhost-extra-release.debian.org>
        RewriteEngine   on
        RewriteRule             ^/migration/$                   /migration/testing.pl
        RewriteRule             ^/migration/search/(.+)/$       /migration/testing.pl?package=$1
        RewriteCond             %{QUERY_STRING} package=((.)(.*))
        RewriteRule             ^/migration/testing.pl          /migration/cache/%2/%1.html [PT,L]
        RewriteRule             ^/migration/testing.pl          /migration/cache/_index.html

        Alias /oldstable-proposed-updates/ /srv/static.debian.org/mirrors/release.debian.org-pu/cur/
        Alias /proposed-updates/ /srv/static.debian.org/mirrors/release.debian.org-pu/cur/
        <Directory /srv/static.debian.org/mirrors/release.debian.org-pu/cur>
                Require all granted
                Options Indexes SymLinksIfOwnerMatch MultiViews

                AddEncoding gzip .gz
                FilterDeclare gzip CONTENT_SET
                FilterProvider gzip inflate "%{req:Accept-Encoding} !~ /gzip/"
                FilterChain gzip
                <Files *.debdiff.gz>
                        ForceType text/plain
                        AddDefaultCharset utf-8
                </Files>
                <Files *.debdiff.html.gz>
                        ForceType text/html
                        AddDefaultCharset utf-8
                </Files>
        </Directory>
</Macro>

<Macro vstatic-vhost-extra-www.ports.debian.org>
        <Directory /srv/static.debian.org/mirrors/www.ports.debian.org/cur>
                AllowOverride FileInfo Indexes Options=Multiviews
                Options Multiviews Indexes FollowSymLinks Includes
                Require all granted
        </Directory>

        AddOutputFilter INCLUDES .xhtml
</Macro>


<Macro vstatic-vhost-extra-lintian.debian.org>
        AddDefaultCharset utf-8

        <Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur>
                Require all granted

                # These three lines makes apache serve
                # "lintian.log.gz" as a text/plain with encoding gzip
                # making it easier to view the log in the browser.
                RemoveType .gz
                AddEncoding x-gzip .gz
                AddType text/plain .log

                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml
        </Directory>

        <Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur/resources>
                # Cache these for a year (3600 * 24 * 365.25)
                # Files in here will change name if their content change
                Header set Cache-Control "max-age=31557600, public"
        </Directory>

        RewriteEngine on
        RewriteMap source-map txt:/srv/static.debian.org/mirrors/lintian.debian.org/cur/lookup-tables/source-packages

        # Re-direct from the "old" locations to the new ones
        RewriteRule ^/reports/T(.*)\.html$ /tags/$1.html [L,R=permanent]
        RewriteRule ^/reports/(.*)$ /$1 [L,R=permanent]

        # Map source packages to reports (this mapping is re-written once per lintian run,
        # serve it as a 302 rather than a permanent redirect)
        # Version-less request
        RewriteRule ^/source/([a-z0-9-]+)/?$ /${source-map:$1} [L,R,NE]
        # Versioned request
        RewriteRule ^/source/([a-z0-9-]+)/([a-zA-Z0-9.+:~-]+)$ /${source-map:$1/$2} [L,R,NE]

        Header always set Content-Security-Policy "default-src 'self'; media-src 'none'; object-src 'none';"
        <FilesMatch "\.(svg)$">
                Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline';"
        </FilesMatch>
</Macro>

<%=

def vhost(lines, sn, kwargs={})
        if scope.function_has_static_component([sn])
                if not kwargs[:extra]
                                lines << "<Macro vstatic-vhost-extra-#{sn}>"
                                lines << "  # mod macro does not like empty macros, so here's some content:"
                                lines << "  <Directory /non-existant>"
                                lines << "  </Directory>"
                                lines << "</Macro>"
                end

                lines << "Use prepare-static-vhost #{sn}"

                if kwargs[:ssl] and kwargs[:ssl_optional]
                        lines << "Use static-vhost-plain-#{sn}"
                        lines << "Use static-vhost-ssl-#{sn}"
                elsif kwargs[:ssl]
                        lines << "Use common-dsa-vhost-https-redirect #{sn}"
                        lines << "Use static-vhost-ssl-#{sn}"
                else
                        lines << "Use static-vhost-plain-#{sn}"
                end

                onion = scope.function_onion_global_service_hostname([sn])
                lines << "Use static-vhost-onion-#{sn} #{onion}" if onion

                lines << ""
        end
end

lines = []
vhost(lines, "mozilla.debian.net"            , :ssl => true, :ssl_optional => true)
vhost(lines, "backports.debian.org"          , :ssl => true)
vhost(lines, "incoming.debian.org"           , :ssl => true, :ssl_optional => true)
vhost(lines, "incoming.ports.debian.org"     , :ssl => true, :ssl_optional => true)
vhost(lines, "debdeltas.debian.net"          , :ssl => true, :ssl_optional => true)
vhost(lines, "news.debian.net"               , :ssl => true)
vhost(lines, "bootstrap.debian.net"          , :ssl => true)
vhost(lines, "debaday.debian.net"            , :ssl => true)
vhost(lines, "timeline.debian.net"           , :ssl => true)
vhost(lines, "network-test.debian.org"       , :extra => true)
vhost(lines, "blends.debian.org"             , :ssl => true)
vhost(lines, "wnpp-by-tags.debian.net"       , :ssl => true)
vhost(lines, "security-team.debian.org"      , :ssl => true)
vhost(lines, "d-i.debian.org"                , :ssl => true)
vhost(lines, "appstream.debian.org"          , :ssl => true)
vhost(lines, "apt.buildd.debian.org"         , :ssl => true)
vhost(lines, "dpl.debian.org"                , :ssl => true)
vhost(lines, "dsa.debian.org"                , :ssl => true)
vhost(lines, "rtc.debian.org"                , :ssl => true)
vhost(lines, "mirror-master.debian.org"      , :ssl => true)
vhost(lines, "onion.debian.org"              , :ssl => true)
vhost(lines, "manpages.debian.org"           , :ssl => true, :extra => true)
vhost(lines, "cdbuilder-logs.debian.org"     , :ssl => true)

vhost(lines, "bits.debian.org"               , :ssl => true, :extra => true)
vhost(lines, "micronews.debian.org"          , :ssl => true)
vhost(lines, "metadata.ftp-master.debian.org", :extra => true)
vhost(lines, "metadata-backend.ftp-master.debian.org", :ssl => true, :ssl_optional => true, :extra => true)

vhost(lines, "10years.debconf.org"           , :ssl => true)
vhost(lines, "debconf0.debconf.org"          , :ssl => true)
vhost(lines, "debconf1.debconf.org"          , :ssl => true)
vhost(lines, "debconf2.debconf.org"          , :ssl => true)
vhost(lines, "debconf3.debconf.org"          , :ssl => true)
vhost(lines, "debconf4.debconf.org"          , :ssl => true)
vhost(lines, "debconf5.debconf.org"          , :ssl => true)
vhost(lines, "debconf6.debconf.org"          , :ssl => true)
vhost(lines, "debconf7.debconf.org"          , :ssl => true)
vhost(lines, "debconf16.debconf.org"         , :ssl => true)
vhost(lines, "debconf17.debconf.org"         , :ssl => true)
vhost(lines, "debconf18.debconf.org"         , :ssl => true)
vhost(lines, "es.debconf.org"                , :ssl => true)
vhost(lines, "fr.debconf.org"                , :ssl => true)
vhost(lines, "miniconf10.debconf.org"        , :ssl => true)

vhost(lines, "deb.debian.org"                , :extra => true)
vhost(lines, "release.debian.org"            , :ssl => true, :extra => true)
vhost(lines, "www.ports.debian.org"          , :ssl => true, :extra => true)
vhost(lines, "lintian.debian.org"            , :ssl => true, :extra => true)

lines.join("\n")
-%>

# www.backports.org
###################
# www.backports.org is the historical place for the backports
# website and archive.  It is now a CNAME to backports.debian.org:
# redirect http requests.
<VirtualHost <%= @vhost_listen %> >
        ServerName www.backports.org
        ServerAlias lists.backports.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / https://backports.debian.org/
</VirtualHost>

######################
<VirtualHost <%= @vhost_listen %> >
        ServerName www.debian-ports.org
        ServerAlias debian-ports.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / https://www.ports.debian.org/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName ports.debian.org
        ServerAlias ports.debian.net
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / https://www.ports.debian.org/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName incoming.debian-ports.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / http://incoming.ports.debian.org/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName ftp.debian-ports.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent /archive https://www.ports.debian.org
        RedirectPermanent /debian http://ftp.ports.debian.org/debian-ports
        RedirectPermanent /debian-cd https://cdimage.debian.org/cdimage/ports/
        RedirectPermanent / http://ftp.ports.debian.org/
</VirtualHost>

<Macro vstatic-vhost-video.debian.net>
        ServerName video.debian.net
        ServerAdmin debian-admin@debian.org
        Redirect / https://meetings-archive.debian.net/pub/debian-meetings/
</Macro>

<VirtualHost <%= @vhost_listen %> >
        Use vstatic-vhost-video.debian.net
</VirtualHost>

<VirtualHost <%= @vhost_listen_443 %> >
        Use vstatic-vhost-video.debian.net
        Use common-debian-service-ssl video.debian.net
        Use common-ssl-HSTS
</VirtualHost>

Use common-dsa-vhost-https-redirect lists.alioth.debian.org
<VirtualHost <%= @vhost_listen_443 %> >
        ServerName lists.alioth.debian.org
        ServerAdmin debian-admin@debian.org
        Use common-debian-service-ssl lists.alioth.debian.org
        Use common-ssl-HSTS
        Redirect / https://alioth-lists.debian.net/
</VirtualHost>

Use common-dsa-vhost-https-redirect pkg-ruby-extras.alioth.debian.org
<VirtualHost <%= @vhost_listen_443 %> >
        ServerName pkg-ruby-extras.alioth.debian.org
        ServerAdmin debian-admin@debian.org
        Use common-debian-service-ssl pkg-ruby-extras.alioth.debian.org
        Use common-ssl-HSTS
        Redirect / https://gemwatch.debian.net/
</VirtualHost>

Use common-dsa-vhost-https-redirect video.debconf.org
<VirtualHost <%= @vhost_listen_443 %> >
        ServerName video.debconf.org
        ServerAdmin debian-admin@debian.org
        Use common-debian-service-ssl video.debconf.org
        Use common-ssl-HSTS
        Redirect / https://debconf-video-team.pages.debian.net/docs/
</VirtualHost>

# historical sites
##################
# now only redirects remain
<VirtualHost <%= @vhost_listen %> >
        ServerName women.debian.org
        ServerAdmin debian-admin@debian.org

        RedirectPermanent / https://www.debian.org/women/

        RedirectPermanent /about/ https://www.debian.org/women/about
        RedirectPermanent /contact/ https://www.debian.org/women/contact
        RedirectPermanent /faqs/ https://www.debian.org/women/faq
        RedirectPermanent /home/ https://www.debian.org/women/
        RedirectPermanent /images/dw.png https://www.debian.org/women/dw.png
        RedirectPermanent /involvement/ https://www.debian.org/women/participate
        RedirectPermanent /mentoring/ https://www.debian.org/women/mentoring
        RedirectPermanent /press/ https://wiki.debian.org/DebianWomen/Press
        RedirectPermanent /profiles/ https://www.debian.org/women/profiles/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName volatile.debian.org
        ServerAlias volatile-master.debian.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / https://www.debian.org/volatile/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName ftp-master.metadata.debian.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / http://metadata.ftp-master.debian.org/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName backports-master.debian.org
        ServerAdmin debian-admin@debian.org
        RedirectPermanent / https://backports.debian.org/
</VirtualHost>

<VirtualHost <%= @vhost_listen %> >
        ServerName manpages.debian.net
        ServerAdmin debian-admin@debian.org
        Redirect / https://manpages.debian.org/
</VirtualHost>

Use common-dsa-vhost-https-redirect sources.debian.net
<VirtualHost <%= @vhost_listen_443 %> >
        ServerName sources.debian.net
        ServerAdmin debian-admin@debian.org
        Use common-debian-service-ssl sources.debian.net
        Use common-ssl-HSTS
        Redirect permanent / https://sources.debian.org/
</VirtualHost>

# error pages
#############

Use common-dsa-vhost-https-redirect archive.debian.net
<VirtualHost <%= @vhost_listen_443 %> >
        ServerName archive.debian.net
        ServerAdmin debian-admin@debian.org
        ErrorLog /var/log/apache2/archive.debian.net-error.log
        CustomLog /var/log/apache2/archive.debian.net-access.log privacyssl
        Use common-debian-service-ssl archive.debian.net
        Use common-ssl-HSTS
        Use common-disabled-service
</VirtualHost>


# vim:ft=apache: