X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ftemplates%2Fstatic-mirroring%2Fvhost%2Fstatic-vhosts-simple.erb;h=2107a36bd15141725c7ea793ae32b39fcefb8992;hb=f6a4eb4d0eb7078ffb261191abab23801e12db17;hp=d01dc636765d0458d2089015e5b65c4cde09a0c4;hpb=f2b38e8aba64eea463246187ee44ec71bb0d204d;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
index d01dc6367..2107a36bd 100644
--- a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
+++ b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
@@ -3,253 +3,530 @@
 ######################
 # deb.debian.org
 <% if scope.function_has_static_component(['deb.debian.org']) -%>
-<Macro vhost-deb.debian.org-extra>
-	Redirect /debian/           http://cdn-fastly.deb.debian.org/debian/
-	Redirect /debian-debug/     http://cdn-fastly.deb.debian.org/debian-debug/
-	Redirect /debian-ports/     http://cdn-fastly.deb.debian.org/debian-ports/
-	Redirect /debian-security/  http://cdn-fastly.deb.debian.org/debian-security/
+<Macro vstatic-vhost-extra-deb.debian.org>
+	ServerAlias httpredir.debian.org
+	ServerAlias cdn.debian.net
+	ServerAlias http.debian.net
+
+	Redirect /debian            http://cdn-fastly.deb.debian.org/debian
+	Redirect /debian-debug      http://cdn-fastly.deb.debian.org/debian-debug
+	Redirect /debian-ports      http://cdn-fastly.deb.debian.org/debian-ports
+	Redirect /debian-security   http://cdn-fastly.deb.debian.org/debian-security
 </Macro>
-<% end -%>
 
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName deb.debian.org
 
-<%=
+	ErrorLog /var/log/apache2/deb.debian.org-error.log
+	CustomLog /var/log/apache2/deb.debian.org-access.log privacyssl
 
-def vhost(lines, sn, type=nil, extra=nil)
-  if scope.function_has_static_component([sn])
-    t = 'common-static-vhost'
-    if type then t += "-#{type}"; end
+	Use common-debian-service-ssl deb.debian.org
+	Use common-ssl-HSTS
 
-    e = ''
-    if extra then e += " #{extra}"; end
+	ServerAdmin debian-admin@lists.debian.org
+	<IfModule mod_userdir.c>
+		UserDir disabled
+	</IfModule>
+	ServerSignature On
 
-    lines << "Use #{t} #{sn}#{e}"
-  end
-end
+	DocumentRoot /srv/static.debian.org/mirrors/deb.debian.org/cur
+	<Directory /srv/static.debian.org/mirrors/deb.debian.org/cur>
+		AllowOverride FileInfo Indexes Options=Multiviews
+		Options Indexes SymLinksIfOwnerMatch
+		Require all granted
+	</Directory>
 
-lines = []
-vhost(lines, "mozilla.debian.net")
-vhost(lines, "backports.debian.org", "ssl")
-vhost(lines, "incoming.debian.org")
-vhost(lines, "incoming.ports.debian.org")
-vhost(lines, "debdeltas.debian.net")
-vhost(lines, "news.debian.net"         , "ssl")
-vhost(lines, "debaday.debian.net"      , "ssl")
-vhost(lines, "timeline.debian.net"     , "ssl")
-vhost(lines, "network-test.debian.org" , "with-extra", '"ServerAlias network-test-backend.debian.org"')
-vhost(lines, "blends.debian.org"       , "ssl")
-vhost(lines, "wnpp-by-tags.debian.net" , "ssl")
-vhost(lines, "security-team.debian.org", "ssl")
-vhost(lines, "d-i.debian.org"      , "ssl")
-vhost(lines, "appstream.debian.org", "ssl")
-vhost(lines, "dsa.debian.org"      , "ssl")
-vhost(lines, "rtc.debian.org"      , "ssl")
-
-vhost(lines, "10years.debconf.org" , "ssl")
-vhost(lines, "debconf0.debconf.org", "ssl")
-vhost(lines, "debconf1.debconf.org", "ssl")
-vhost(lines, "debconf2.debconf.org", "ssl")
-vhost(lines, "debconf3.debconf.org", "ssl")
-vhost(lines, "debconf4.debconf.org", "ssl")
-vhost(lines, "debconf5.debconf.org", "ssl")
-vhost(lines, "debconf6.debconf.org", "ssl")
-vhost(lines, "debconf7.debconf.org", "ssl")
-vhost(lines, "es.debconf.org"      , "ssl")
-vhost(lines, "fr.debconf.org"      , "ssl")
-vhost(lines, "miniconf10.debconf.org" , "ssl")
-
-vhost(lines, "deb.debian.org", "with-extra", '"Use vhost-deb.debian.org-extra"')
+	Header set Surrogate-Key <%= @hostname %>
 
-lines.join("\n")
--%>
+	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
 
-######################
-# metadata.ftp-master.debian.org
-<% if scope.function_has_static_component(['metadata.ftp-master.debian.org']) -%>
-<VirtualHost <%= vhost_listen %> >
-	ServerName metadata.ftp-master.debian.org
-	ServerAdmin debian-admin@lists.debian.org
+	Redirect /debian            https://cdn-aws.deb.debian.org/debian
+	Redirect /debian-debug      https://cdn-aws.deb.debian.org/debian-debug
+	Redirect /debian-ports      https://cdn-aws.deb.debian.org/debian-ports
+	Redirect /debian-security   https://cdn-aws.deb.debian.org/debian-security
+</VirtualHost>
+<% end -%>
 
-	ErrorLog /var/log/apache2/metadata.ftp-master.debian.org-error.log
-	CustomLog /var/log/apache2/metadata.ftp-master.debian.org-access.log privacy
+<Macro vstatic-vhost-extra-network-test.debian.org>
+	ServerAlias network-test-backend.debian.org
+	<Location /nm>
+		Header set Cache-Control "must-revalidate, max-age=0"
+	</Location>
+</Macro>
+
+<Macro vstatic-vhost-extra-bits.debian.org>
+	<IfModule mod_geoip.c>
+		CustomLog /var/log/apache2/bits.debian.org-public-access.log privacy+geo
+	</IfModule>
+</Macro>
 
-	Use common-static-base metadata.ftp-master.debian.org
+<Macro vstatic-vhost-extra-metadata.ftp-master.debian.org>
 	AddDefaultCharset utf-8
+
+	# Rewrite away double slashes
+	RewriteEngine on
+	RewriteCond %{REQUEST_URI} ^(.*)//(.*)$ [NC]
+	RewriteRule . %1/%2 [R=301,L,NE]
+
 	<LocationMatch "/changelogs/(main|contrib|non-free)">
 		ForceType text/plain
 	</LocationMatch>
-</VirtualHost>
-<% end -%>
+</Macro>
 
-######################
-# bits.debian.org
-<% if scope.function_has_static_component(['bits.debian.org']) -%>
-<Macro static-bits.debian.org-base>
-	ServerName bits.debian.org
-	ServerAdmin debian-admin@lists.debian.org
+<Macro vstatic-vhost-extra-release.debian.org>
+	RewriteEngine	on
+	RewriteRule		^/migration/$			/migration/testing.pl
+	RewriteRule		^/migration/search/(.+)/$	/migration/testing.pl?package=$1
+	RewriteCond		%{QUERY_STRING} package=((.)(.*))
+	RewriteRule		^/migration/testing.pl		/migration/cache/%2/%1.html [PT,L]
+	RewriteRule		^/migration/testing.pl		/migration/cache/_index.html
+
+	Alias /oldstable-proposed-updates/ /srv/static.debian.org/mirrors/release.debian.org-pu/cur/
+	Alias /proposed-updates/ /srv/static.debian.org/mirrors/release.debian.org-pu/cur/
+	<Directory /srv/static.debian.org/mirrors/release.debian.org-pu/cur>
+		Require all granted
+		Options Indexes SymLinksIfOwnerMatch MultiViews
+
+		AddEncoding gzip .gz
+		FilterDeclare gzip CONTENT_SET
+		FilterProvider gzip inflate "%{req:Accept-Encoding} !~ /gzip/"
+		FilterChain gzip
+		<Files *.debdiff.gz>
+			ForceType text/plain
+			AddDefaultCharset utf-8
+		</Files>
+		<Files *.debdiff.html.gz>
+			ForceType text/html
+			AddDefaultCharset utf-8
+		</Files>
+		AddType text/plain .wml
+	</Directory>
+</Macro>
 
-	ErrorLog /var/log/apache2/bits.debian.org-error.log
-	<IfModule mod_geoip.c>
-		CustomLog /var/log/apache2/bits.debian.org-public-access.log privacy+geo
-	</IfModule>
+<Macro vstatic-vhost-extra-www.ports.debian.org>
+	<Directory /srv/static.debian.org/mirrors/www.ports.debian.org/cur>
+		AllowOverride FileInfo Indexes Options=Multiviews
+		Options Multiviews Indexes FollowSymLinks Includes
+		Require all granted
+	</Directory>
 
-	Use common-static-base bits.debian.org
+	AddOutputFilter INCLUDES .xhtml
 </Macro>
 
-<Virtualhost <%= vhost_listen %> >
+
+<Macro vstatic-vhost-extra-lintian.debian.org>
+	AddDefaultCharset utf-8
+
+	<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur>
+		Require all granted
+
+		# These three lines makes apache serve
+		# "lintian.log.gz" as a text/plain with encoding gzip
+		# making it easier to view the log in the browser.
+		RemoveType .gz
+		AddEncoding x-gzip .gz
+		AddType text/plain .log
+
+		AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css image/svg+xml
+	</Directory>
+
+	<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur/resources>
+		# Cache these for a year (3600 * 24 * 365.25)
+		# Files in here will change name if their content change
+		Header set Cache-Control "max-age=31557600, public"
+	</Directory>
+
 	RewriteEngine on
+	RewriteMap source-map txt:/srv/static.debian.org/mirrors/lintian.debian.org/cur/lookup-tables/source-packages
+
+	# Re-direct from the "old" locations to the new ones
+	RewriteRule ^/reports/T(.*)\.html$ /tags/$1.html [L,R=permanent]
+	RewriteRule ^/reports/(.*)$ /$1 [L,R=permanent]
+
+	# Map source packages to reports (this mapping is re-written once per lintian run,
+	# serve it as a 302 rather than a permanent redirect)
+	# Version-less request
+	RewriteRule ^/source/([a-z0-9-]+)/?$ /${source-map:$1} [L,R,NE]
+	# Versioned request
+	RewriteRule ^/source/([a-z0-9-]+)/([a-zA-Z0-9.+:~-]+)$ /${source-map:$1/$2} [L,R,NE]
+
+	Header always set Content-Security-Policy "default-src 'self'; media-src 'none'; object-src 'none';"
+	<FilesMatch "\.(svg)$">
+		Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline';"
+	</FilesMatch>
+</Macro>
 
-	RewriteEngine On
-	RewriteCond %{REQUEST_URI} !^/feeds/
-	RewriteRule ^/(.*)$ https://bits.debian.org/$1 [R,L]
-	#RewriteRule ^/(.*)$ https://bits.debian.org/$1 [R=301,L]
+<Macro vstatic-vhost-extra-wiki.debconf.org>
+	<Location /wiki/>
+		ForceType text/html
+	</Location>
+	<Location /action/>
+		ForceType text/html
+	</Location>
 
-	Use static-bits.debian.org-base
-	CustomLog /var/log/apache2/bits.debian.org-access.log privacy
-</VirtualHost>
+	RewriteEngine on
+	RewriteRule ^/$ /wiki/Main_Page [L,R=permanent]
+	RewriteRule ^/wiki/$ /wiki/Main_Page [L,R=permanent]
 
-<Virtualhost <%= vhost_listen_443 %> >
-	Use static-bits.debian.org-base
-	CustomLog /var/log/apache2/bits.debian.org-access.log privacyssl
+	RewriteCond %{QUERY_STRING} (^|&)modules=mediawiki.legacy.commonPrint,shared|skins.monobook(&|$)
+	RewriteCond %{QUERY_STRING} (^|&)only=styles(&|$)
+	RewriteRule ^/load.php$ /load-monobook-styles.css [L,QSD]
 
-	Use common-debian-service-ssl bits.debian.org
-	Use common-ssl-HSTS
-</VirtualHost>
-<% end -%>
+	RewriteCond %{QUERY_STRING} (^|&)modules=site(&|$)
+	RewriteCond %{QUERY_STRING} (^|&)only=styles(&|$)
+	RewriteRule ^/load.php$ /load-site-styles.css [L,QSD]
 
-######################
-# release.debian.org
-<% if scope.function_has_static_component(['release.debian.org']) -%>
-Use common-dsa-vhost-https-redirect release.debian.org
-<VirtualHost <%= vhost_listen_443 %> >
-	ServerName release.debian.org
-	ServerAdmin debian-admin@debian.org
+	RewriteCond %{QUERY_STRING} (^|&)modules=startup(&|$)
+	RewriteCond %{QUERY_STRING} (^|&)only=scripts(&|$)
+	RewriteRule ^/load.php$ /load-startup-scripts.js [L,QSD]
 
-	ErrorLog /var/log/apache2/release.debian.org-error.log
-	CustomLog /var/log/apache2/release.debian.org-access.log privacy
+	RewriteCond %{QUERY_STRING} (^|&)modules=site(&|$)
+	RewriteCond %{QUERY_STRING} (^|&)only=scripts(&|$)
+	RewriteRule ^/load.php$ /load-site-scripts.js [L,QSD]
 
-	Use common-debian-service-ssl release.debian.org
-	Use common-ssl-HSTS
+	RewriteCond %{QUERY_STRING} (^|&)modules=jquery%2Cmediawiki(&|$)
+	RewriteCond %{QUERY_STRING} (^|&)only=scripts(&|$)
+	RewriteRule ^/load.php$ /load-jquery-scripts.js [L,QSD]
 
-	Use common-static-base release.debian.org
-</VirtualHost>
-<% end -%>
+	RewriteCond %{QUERY_STRING} (^|&)modules=jquery.client%2Ccookie%2CmessageBox%2CmwExtension|mediawiki.legacy.ajax%2Cwikibits|mediawiki.page.startup|mediawiki.util(&|$)
+	RewriteRule ^/load.php$ /load-jquery.client.js [L,QSD]
+
+	RewriteCond %{QUERY_STRING} (^|&)modules=jquery.checkboxShiftClick%2CmakeCollapsible%2Cmw-jump%2Cplaceholder%7Cmediawiki.page.ready%7Cmediawiki.user(&|$)
+	RewriteRule ^/load.php$ /load-jquery.checkbox.js [L,QSD]
+</Macro>
+
+<Macro vstatic-vhost-extra-www.debconf.org>
+	ServerAlias www-test.debconf.org
+
+	<Directory /srv/static.debian.org/mirrors/www.debconf.org/cur>
+		Options +IncludesNOEXEC
+		SSILegacyExprParser on
+		DirectoryIndex index.shtml
+	</Directory>
+
+	AddOutputFilter INCLUDES .shtml
+
+	RewriteEngine On
+	# A few redirects for older debconf sites, so old links work
+	RewriteRule ^/gallery/(.*)$ https://gallery.debconf.org/v/$1 [R=permanent,L]
+	RewriteRule ^/.*years$ https://10years.debconf.org/ [R=permanent,L]
+	RewriteRule ^/debconf2$ https://debconf2.debconf.org/ [R=permanent,L]
+	RewriteRule ^/debconf3$ https://debconf3.debconf.org/ [R=permanent,L]
+	RewriteRule ^/debconf4$ https://debconf4.debconf.org/ [R=permanent,L]
+	RewriteRule ^/debconf5$ https://debconf5.debconf.org/ [R=permanent,L]
+	RewriteRule ^/10years/(.*)$ https://10years.debconf.org/$1 [R=permanent,L]
+	RewriteRule ^/debconf2/(.*)$ https://debconf2.debconf.org/$1 [R=permanent,L]
+	RewriteRule ^/debconf3/(.*)$ https://debconf3.debconf.org/$1 [R=permanent,L]
+	RewriteRule ^/debconf4/(.*)$ https://debconf4.debconf.org/$1 [R=permanent,L]
+	RewriteRule ^/debconf5/(.*)$ https://debconf5.debconf.org/$1 [R=permanent,L]
+</Macro>
+
+<%=
+
+def vhost(lines, sn, kwargs={})
+	if scope.function_has_static_component([sn])
+		if not kwargs[:extra]
+				lines << "<Macro vstatic-vhost-extra-#{sn}>"
+				lines << "  # mod macro does not like empty macros, so here's some content:"
+				lines << "  <Directory /non-existant>"
+				lines << "  </Directory>"
+				lines << "</Macro>"
+		end
+
+		lines << "Use prepare-static-vhost #{sn}"
+
+		if kwargs[:ssl] and kwargs[:ssl_optional]
+			lines << "Use static-vhost-plain-#{sn}"
+			lines << "Use static-vhost-ssl-#{sn}"
+		elsif kwargs[:ssl]
+			lines << "Use common-dsa-vhost-https-redirect #{sn}"
+			lines << "Use static-vhost-ssl-#{sn}"
+		else
+			lines << "Use static-vhost-plain-#{sn}"
+		end
+
+		onion = scope.function_onion_global_service_hostname([sn])
+		lines << "Use static-vhost-onion-#{sn} #{onion}" if onion
+
+		lines << ""
+	end
+end
+
+lines = []
+vhost(lines, "mozilla.debian.net"            , :ssl => true, :ssl_optional => true)
+vhost(lines, "backports.debian.org"          , :ssl => true)
+vhost(lines, "incoming.debian.org"           , :ssl => true, :ssl_optional => true)
+vhost(lines, "incoming.ports.debian.org"     , :ssl => true, :ssl_optional => true)
+vhost(lines, "debdeltas.debian.net"          , :ssl => true, :ssl_optional => true)
+vhost(lines, "news.debian.net"               , :ssl => true)
+vhost(lines, "bootstrap.debian.net"          , :ssl => true)
+vhost(lines, "debaday.debian.net"            , :ssl => true)
+vhost(lines, "timeline.debian.net"           , :ssl => true)
+vhost(lines, "network-test.debian.org"       , :extra => true)
+vhost(lines, "blends.debian.org"             , :ssl => true)
+vhost(lines, "wnpp-by-tags.debian.net"       , :ssl => true)
+vhost(lines, "security-team.debian.org"      , :ssl => true)
+vhost(lines, "d-i.debian.org"                , :ssl => true)
+vhost(lines, "appstream.debian.org"          , :ssl => true)
+vhost(lines, "dpl.debian.org"                , :ssl => true)
+vhost(lines, "dsa.debian.org"                , :ssl => true)
+vhost(lines, "rtc.debian.org"                , :ssl => true)
+vhost(lines, "mirror-master.debian.org"      , :ssl => true)
+vhost(lines, "onion.debian.org"              , :ssl => true)
+vhost(lines, "manpages.debian.org"           , :ssl => true, :extra => true)
+vhost(lines, "cdbuilder-logs.debian.org"     , :ssl => true)
+
+vhost(lines, "bits.debian.org"               , :ssl => true, :extra => true)
+vhost(lines, "micronews.debian.org"          , :ssl => true)
+vhost(lines, "metadata.ftp-master.debian.org", :extra => true)
+
+vhost(lines, "10years.debconf.org"           , :ssl => true)
+vhost(lines, "debconf0.debconf.org"          , :ssl => true)
+vhost(lines, "debconf1.debconf.org"          , :ssl => true)
+vhost(lines, "debconf2.debconf.org"          , :ssl => true)
+vhost(lines, "debconf3.debconf.org"          , :ssl => true)
+vhost(lines, "debconf4.debconf.org"          , :ssl => true)
+vhost(lines, "debconf5.debconf.org"          , :ssl => true)
+vhost(lines, "debconf6.debconf.org"          , :ssl => true)
+vhost(lines, "debconf7.debconf.org"          , :ssl => true)
+vhost(lines, "debconf16.debconf.org"         , :ssl => true)
+vhost(lines, "debconf17.debconf.org"         , :ssl => true)
+vhost(lines, "debconf18.debconf.org"         , :ssl => true)
+vhost(lines, "debconf19.debconf.org"         , :ssl => true)
+vhost(lines, "es.debconf.org"                , :ssl => true)
+vhost(lines, "fr.debconf.org"                , :ssl => true)
+vhost(lines, "miniconf10.debconf.org"        , :ssl => true)
+vhost(lines, "wiki.debconf.org"              , :ssl => true, :extra => true)
+vhost(lines, "www.debconf.org"               , :ssl => true, :extra => true)
+
+vhost(lines, "deb.debian.org"                , :extra => true)
+vhost(lines, "release.debian.org"            , :ssl => true, :extra => true)
+vhost(lines, "www.ports.debian.org"          , :ssl => true, :extra => true)
+vhost(lines, "lintian.debian.org"            , :ssl => true, :extra => true)
+
+lines.join("\n")
+-%>
 
 # www.backports.org
 ###################
 # www.backports.org is the historical place for the backports
 # website and archive.  It is now a CNAME to backports.debian.org:
 # redirect http requests.
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName www.backports.org
 	ServerAlias lists.backports.org
 	ServerAdmin debian-admin@debian.org
-	RedirectPermanent / http://backports.debian.org/
+	RedirectPermanent / https://backports.debian.org/
 </VirtualHost>
 
 ######################
-# www.ports.debian.org
-<% if scope.function_has_static_component(['www.ports.debian.org']) -%>
-
-Use common-dsa-vhost-https-redirect www.ports.debian.org
-
-<Virtualhost <%= vhost_listen_443 %> >
-	ServerName www.ports.debian.org
-	ServerAlias www.ports-backend.debian.org
-	ServerAdmin debian-admin@lists.debian.org
-
-	ErrorLog /var/log/apache2/www.ports.debian.org-error.log
-	CustomLog /var/log/apache2/www.ports.debian.org-access.log privacy
-
-	Use common-debian-service-ssl www.ports.debian.org
-	Use common-ssl-HSTS
-
-	<IfModule mod_userdir.c>
-		UserDir disabled
-	</IfModule>
-	ServerSignature On
-
-	DocumentRoot /srv/static.debian.org/mirrors/www.ports.debian.org/cur
-	<Directory /srv/static.debian.org/mirrors/www.ports.debian.org/cur>
-		AllowOverride FileInfo Indexes Options=Multiviews
-		Options Multiviews Indexes FollowSymLinks Includes
-		IndexOptions FancyIndexing NameWidth=*
-		Require all granted
-	</Directory>
-
-	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
-	AddOutputFilter INCLUDES .xhtml
-</VirtualHost>
-<% end -%>
-
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName www.debian-ports.org
 	ServerAlias debian-ports.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / https://www.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ports.debian.org
 	ServerAlias ports.debian.net
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / https://www.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName incoming.debian-ports.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / http://incoming.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ftp.debian-ports.org
 	ServerAdmin debian-admin@debian.org
-	RedirectPermanent /archive http://www.ports.debian.org
+	RedirectPermanent /archive https://www.ports.debian.org
 	RedirectPermanent /debian http://ftp.ports.debian.org/debian-ports
-	RedirectPermanent /debian-cd http://ftp.ports.debian.org/debian-ports-cd
+	RedirectPermanent /debian-cd https://cdimage.debian.org/cdimage/ports/
 	RedirectPermanent / http://ftp.ports.debian.org/
 </VirtualHost>
 
-# video.debian.net
-###################
-<VirtualHost <%= vhost_listen %> >
+<Macro vstatic-vhost-video.debian.net>
 	ServerName video.debian.net
 	ServerAdmin debian-admin@debian.org
+	Redirect / https://meetings-archive.debian.net/pub/debian-meetings/
+</Macro>
+
+<VirtualHost <%= @vhost_listen %> >
+	Use vstatic-vhost-video.debian.net
+</VirtualHost>
+
+<VirtualHost <%= @vhost_listen_443 %> >
+	Use vstatic-vhost-video.debian.net
+	Use common-debian-service-ssl video.debian.net
+	Use common-ssl-HSTS
+</VirtualHost>
+
+Use common-dsa-vhost-https-redirect lists.alioth.debian.org
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName lists.alioth.debian.org
+	ServerAdmin debian-admin@debian.org
+	Use common-debian-service-ssl lists.alioth.debian.org
+	Use common-ssl-HSTS
+	Redirect / https://alioth-lists.debian.net/
+</VirtualHost>
 
-	Redirect / http://meetings-archive.debian.net/pub/debian-meetings/
+Use common-dsa-vhost-https-redirect pkg-ruby-extras.alioth.debian.org
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName pkg-ruby-extras.alioth.debian.org
+	ServerAdmin debian-admin@debian.org
+	Use common-debian-service-ssl pkg-ruby-extras.alioth.debian.org
+	Use common-ssl-HSTS
+	Redirect / https://gemwatch.debian.net/
+</VirtualHost>
+
+Use common-dsa-vhost-https-redirect video.debconf.org
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName video.debconf.org
+	ServerAdmin debian-admin@debian.org
+	Use common-debian-service-ssl video.debconf.org
+	Use common-ssl-HSTS
+	Redirect / https://debconf-video-team.pages.debian.net/docs/
+</VirtualHost>
+
+<% if scope.function_has_static_component(['metadata.ftp-master.debian.org']) -%>
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName metadata.ftp-master.debian.org
+	ServerAlias metadata-backend.ftp-master.debian.org
+	# all self-referential URLs should use the public host name
+	UseCanonicalName On
+	Use common-debian-service-ssl metadata-backend.ftp-master.debian.org
+	ErrorLog /var/log/apache2/metadata-backend.ftp-master.debian.org-error.log
+	CustomLog /var/log/apache2/metadata-backend.ftp-master.debian.org-access.log privacy
+
+	Use static-vhost-base-metadata.ftp-master.debian.org
+</VirtualHost>
+<% end -%>
+
+Use common-dsa-vhost-https-redirect debconf.org
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName debconf.org
+	ServerAdmin debian-admin@debian.org
+	Use common-debian-service-ssl debconf.org
+	Use common-ssl-HSTS
+	Redirect / https://www.debconf.org/
 </VirtualHost>
 
 # historical sites
 ##################
 # now only redirects remain
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName women.debian.org
 	ServerAdmin debian-admin@debian.org
 
-	RedirectPermanent / http://www.debian.org/women/
-
-	RedirectPermanent /about/ http://www.debian.org/women/about
-	RedirectPermanent /contact/ http://www.debian.org/women/contact
-	RedirectPermanent /faqs/ http://www.debian.org/women/faq
-	RedirectPermanent /home/ http://www.debian.org/women/
-	RedirectPermanent /images/dw.png http://www.debian.org/women/dw.png
-	RedirectPermanent /involvement/ http://www.debian.org/women/participate
-	RedirectPermanent /mentoring/ http://www.debian.org/women/mentoring
-	RedirectPermanent /press/ http://wiki.debian.org/DebianWomen/Press
-	RedirectPermanent /profiles/ http://www.debian.org/women/profiles/
+	RedirectPermanent / https://www.debian.org/women/
+
+	RedirectPermanent /about/ https://www.debian.org/women/about
+	RedirectPermanent /contact/ https://www.debian.org/women/contact
+	RedirectPermanent /faqs/ https://www.debian.org/women/faq
+	RedirectPermanent /home/ https://www.debian.org/women/
+	RedirectPermanent /images/dw.png https://www.debian.org/women/dw.png
+	RedirectPermanent /involvement/ https://www.debian.org/women/participate
+	RedirectPermanent /mentoring/ https://www.debian.org/women/mentoring
+	RedirectPermanent /press/ https://wiki.debian.org/DebianWomen/Press
+	RedirectPermanent /profiles/ https://www.debian.org/women/profiles/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName volatile.debian.org
 	ServerAlias volatile-master.debian.org
 	ServerAdmin debian-admin@debian.org
-	RedirectPermanent / http://www.debian.org/volatile/
+	RedirectPermanent / https://www.debian.org/volatile/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ftp-master.metadata.debian.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / http://metadata.ftp-master.debian.org/
 </VirtualHost>
 
+<VirtualHost <%= @vhost_listen %> >
+	ServerName backports-master.debian.org
+	ServerAdmin debian-admin@debian.org
+	RedirectPermanent / https://backports.debian.org/
+</VirtualHost>
+
+<VirtualHost <%= @vhost_listen %> >
+	ServerName manpages.debian.net
+	ServerAdmin debian-admin@debian.org
+	Redirect / https://manpages.debian.org/
+</VirtualHost>
+
+Use common-dsa-vhost-https-redirect sources.debian.net
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName sources.debian.net
+	ServerAdmin debian-admin@debian.org
+	Use common-debian-service-ssl sources.debian.net
+	Use common-ssl-HSTS
+	Redirect permanent / https://sources.debian.org/
+</VirtualHost>
+
+# error pages
+#############
+
+Use common-dsa-vhost-https-redirect archive.debian.net
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName archive.debian.net
+	ServerAdmin debian-admin@debian.org
+	ErrorLog /var/log/apache2/archive.debian.net-error.log
+	CustomLog /var/log/apache2/archive.debian.net-access.log privacyssl
+	Use common-debian-service-ssl archive.debian.net
+	Use common-ssl-HSTS
+	Use common-disabled-service
+</VirtualHost>
+
+<VirtualHost <%= @vhost_listen %> >
+	ServerName cdimage.debian.org
+	ServerAlias cloud.debian.org
+	ServerAlias get.debian.org
+	ServerAlias bttracker.debian.org
+	ServerAlias meetings-archive.debian.net
+	ServerAdmin debian-admin@debian.org
+	ErrorLog /var/log/apache2/cdimage.debian.org-error.log
+	CustomLog /var/log/apache2/cdimage.debian.org-access.log privacyssl
+
+	<IfModule mod_userdir.c>
+		UserDir disabled
+	</IfModule>
+	DocumentRoot /srv/static.debian.org/puppet/cdimage.debian.org
+	<Directory /srv/static.debian.org/puppet/cdimage.debian.org>
+		Require all granted
+	</Directory>
+	RewriteEngine On
+	RewriteRule !^/503.html / [R=503]
+	ErrorDocument 503 /503.html
+</VirtualHost>
+
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName cdimage.debian.org
+	ServerAlias cloud.debian.org
+	ServerAlias get.debian.org
+	ServerAlias bttracker.debian.org
+	ServerAlias meetings-archive.debian.net
+	ServerAdmin debian-admin@debian.org
+	ErrorLog /var/log/apache2/cdimage.debian.org-error.log
+	CustomLog /var/log/apache2/cdimage.debian.org-access.log privacyssl
+	Use common-debian-service-ssl cdimage.debian.org
+
+	<IfModule mod_userdir.c>
+		UserDir disabled
+	</IfModule>
+	DocumentRoot /srv/static.debian.org/puppet/cdimage.debian.org
+	<Directory /srv/static.debian.org/puppet/cdimage.debian.org>
+		Require all granted
+	</Directory>
+	RewriteEngine On
+	RewriteRule !^/503.html / [R=503]
+	ErrorDocument 503 /503.html
+</VirtualHost>
+
+
 # vim:ft=apache: