X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Froles%2Ftemplates%2Fstatic-mirroring%2Fvhost%2Fstatic-vhosts-simple.erb;h=329b1cc1f44dd57a074590864d04365b06fbcd8f;hb=0342a12549f2af9adbbfd033087fa1a34019d91e;hp=834c5d99211225c7f92aecacd24ed8cfb3ce3486;hpb=1914af73e5e8f62c3058ac19135802a7777acbb6;p=mirror%2Fdsa-puppet.git

diff --git a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
index 834c5d992..329b1cc1f 100644
--- a/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
+++ b/modules/roles/templates/static-mirroring/vhost/static-vhosts-simple.erb
@@ -3,138 +3,74 @@
 ######################
 # deb.debian.org
 <% if scope.function_has_static_component(['deb.debian.org']) -%>
-<Macro vhost-deb.debian.org-extra>
+<Macro vstatic-vhost-extra-deb.debian.org>
+	ServerAlias httpredir.debian.org
+	ServerAlias cdn.debian.net
+	ServerAlias http.debian.net
+
 	Redirect /debian/           http://cdn-fastly.deb.debian.org/debian/
 	Redirect /debian-debug/     http://cdn-fastly.deb.debian.org/debian-debug/
 	Redirect /debian-ports/     http://cdn-fastly.deb.debian.org/debian-ports/
 	Redirect /debian-security/  http://cdn-fastly.deb.debian.org/debian-security/
 </Macro>
-<% end -%>
 
-<Macro vhost-network-test.debian.org-extra>
-	ServerAlias network-test-backend.debian.org
-</Macro>
+<VirtualHost <%= @vhost_listen_443 %> >
+	ServerName deb.debian.org
 
-<%=
+	ErrorLog /var/log/apache2/deb.debian.org-error.log
+	CustomLog /var/log/apache2/deb.debian.org-access.log privacyssl
 
-def vhost(lines, sn, type=nil)
-  if scope.function_has_static_component([sn])
-    t = 'common-static-vhost'
-    if type then t += "-#{type}"; end
-
-    onion = scope.function_onion_global_service_hostname([sn])
-    onion = "unavailable-onion.invalid" if onion.nil?
-
-    lines << "Use #{t} #{sn} #{onion}"
-  end
-end
+	Use common-debian-service-ssl deb.debian.org
+	Use common-ssl-HSTS
 
-lines = []
-vhost(lines, "mozilla.debian.net")
-vhost(lines, "backports.debian.org", "ssl")
-vhost(lines, "incoming.debian.org")
-vhost(lines, "incoming.ports.debian.org")
-vhost(lines, "debdeltas.debian.net")
-vhost(lines, "news.debian.net"         , "ssl")
-vhost(lines, "debaday.debian.net"      , "ssl")
-vhost(lines, "timeline.debian.net"     , "ssl")
-vhost(lines, "network-test.debian.org" , "with-extra")
-vhost(lines, "blends.debian.org"       , "ssl")
-vhost(lines, "wnpp-by-tags.debian.net" , "ssl")
-vhost(lines, "security-team.debian.org", "ssl")
-vhost(lines, "d-i.debian.org"      , "ssl")
-vhost(lines, "appstream.debian.org", "ssl")
-vhost(lines, "dsa.debian.org"      , "ssl")
-vhost(lines, "rtc.debian.org"      , "ssl")
-
-vhost(lines, "10years.debconf.org" , "ssl")
-vhost(lines, "debconf0.debconf.org", "ssl")
-vhost(lines, "debconf1.debconf.org", "ssl")
-vhost(lines, "debconf2.debconf.org", "ssl")
-vhost(lines, "debconf3.debconf.org", "ssl")
-vhost(lines, "debconf4.debconf.org", "ssl")
-vhost(lines, "debconf5.debconf.org", "ssl")
-vhost(lines, "debconf6.debconf.org", "ssl")
-vhost(lines, "debconf7.debconf.org", "ssl")
-vhost(lines, "es.debconf.org"      , "ssl")
-vhost(lines, "fr.debconf.org"      , "ssl")
-vhost(lines, "miniconf10.debconf.org" , "ssl")
-
-vhost(lines, "deb.debian.org", "with-extra")
+	ServerAdmin debian-admin@lists.debian.org
+	<IfModule mod_userdir.c>
+		UserDir disabled
+	</IfModule>
+	ServerSignature On
 
-lines.join("\n")
--%>
+	DocumentRoot /srv/static.debian.org/mirrors/deb.debian.org/cur
+	<Directory /srv/static.debian.org/mirrors/deb.debian.org/cur>
+		AllowOverride FileInfo Indexes Options=Multiviews
+		Options Indexes SymLinksIfOwnerMatch
+		Require all granted
+	</Directory>
 
-######################
-# metadata.ftp-master.debian.org
-<% if scope.function_has_static_component(['metadata.ftp-master.debian.org']) -%>
-<VirtualHost <%= vhost_listen %> >
-	ServerName metadata.ftp-master.debian.org
-	ServerAdmin debian-admin@lists.debian.org
+	Header set Surrogate-Key <%= @hostname %>
 
-	ErrorLog /var/log/apache2/metadata.ftp-master.debian.org-error.log
-	CustomLog /var/log/apache2/metadata.ftp-master.debian.org-access.log privacy
+	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
 
-	Use common-static-base metadata.ftp-master.debian.org
-	AddDefaultCharset utf-8
-	<LocationMatch "/changelogs/(main|contrib|non-free)">
-		ForceType text/plain
-	</LocationMatch>
+	Redirect /debian/           https://cdn-aws.deb.debian.org/debian/
+	Redirect /debian-debug/     https://cdn-aws.deb.debian.org/debian-debug/
+	Redirect /debian-ports/     https://cdn-aws.deb.debian.org/debian-ports/
+	Redirect /debian-security/  https://cdn-aws.deb.debian.org/debian-security/
 </VirtualHost>
 <% end -%>
 
-######################
-# bits.debian.org
-<% if scope.function_has_static_component(['bits.debian.org']) -%>
-<Macro static-bits.debian.org-base>
-	ServerName bits.debian.org
-	ServerAdmin debian-admin@lists.debian.org
+<Macro vstatic-vhost-extra-network-test.debian.org>
+	ServerAlias network-test-backend.debian.org
+</Macro>
 
-	ErrorLog /var/log/apache2/bits.debian.org-error.log
+<Macro vstatic-vhost-extra-bits.debian.org>
 	<IfModule mod_geoip.c>
 		CustomLog /var/log/apache2/bits.debian.org-public-access.log privacy+geo
 	</IfModule>
-
-	Use common-static-base bits.debian.org
 </Macro>
 
-<Virtualhost <%= vhost_listen %> >
-	RewriteEngine on
-
-	RewriteEngine On
-	RewriteCond %{REQUEST_URI} !^/feeds/
-	RewriteRule ^/(.*)$ https://bits.debian.org/$1 [R,L]
-	#RewriteRule ^/(.*)$ https://bits.debian.org/$1 [R=301,L]
-
-	Use static-bits.debian.org-base
-	CustomLog /var/log/apache2/bits.debian.org-access.log privacy
-</VirtualHost>
-
-<Virtualhost <%= vhost_listen_443 %> >
-	Use static-bits.debian.org-base
-	CustomLog /var/log/apache2/bits.debian.org-access.log privacyssl
-
-	Use common-debian-service-ssl bits.debian.org
-	Use common-ssl-HSTS
-</VirtualHost>
-<% end -%>
-
-######################
-# release.debian.org
-<% if scope.function_has_static_component(['release.debian.org']) -%>
-Use common-dsa-vhost-https-redirect release.debian.org
-<VirtualHost <%= vhost_listen_443 %> >
-	ServerName release.debian.org
-	ServerAdmin debian-admin@debian.org
-
-	ErrorLog /var/log/apache2/release.debian.org-error.log
-	CustomLog /var/log/apache2/release.debian.org-access.log privacy
+<Macro vstatic-vhost-extra-metadata.ftp-master.debian.org>
+	AddDefaultCharset utf-8
 
-	Use common-debian-service-ssl release.debian.org
-	Use common-ssl-HSTS
+	# Rewrite away double slashes
+	RewriteEngine on
+	RewriteCond %{REQUEST_URI} ^(.*)//(.*)$ [NC]
+	RewriteRule . %1/%2 [R=301,L,NE]
 
-	Use common-static-base release.debian.org
+	<LocationMatch "/changelogs/(main|contrib|non-free)">
+		ForceType text/plain
+	</LocationMatch>
+</Macro>
 
+<Macro vstatic-vhost-extra-release.debian.org>
 	RewriteEngine	on
 	RewriteRule		^/migration/$			/migration/testing.pl
 	RewriteRule		^/migration/search/(.+)/$	/migration/testing.pl?package=$1
@@ -146,7 +82,6 @@ Use common-dsa-vhost-https-redirect release.debian.org
 	<Directory /srv/static.debian.org/mirrors/release.debian.org-pu/cur>
 		Require all granted
 		Options Indexes SymLinksIfOwnerMatch MultiViews
-		IndexOptions FancyIndexing NameWidth=*
 
 		AddEncoding gzip .gz
 		FilterDeclare gzip CONTENT_SET
@@ -154,89 +89,186 @@ Use common-dsa-vhost-https-redirect release.debian.org
 		FilterChain gzip
 		<Files *.debdiff.gz>
 			ForceType text/plain
+			AddDefaultCharset utf-8
+		</Files>
+		<Files *.debdiff.html.gz>
+			ForceType text/html
+			AddDefaultCharset utf-8
 		</Files>
 	</Directory>
-</VirtualHost>
-<% end -%>
-
-# www.backports.org
-###################
-# www.backports.org is the historical place for the backports
-# website and archive.  It is now a CNAME to backports.debian.org:
-# redirect http requests.
-<VirtualHost <%= vhost_listen %> >
-	ServerName www.backports.org
-	ServerAlias lists.backports.org
-	ServerAdmin debian-admin@debian.org
-	RedirectPermanent / http://backports.debian.org/
-</VirtualHost>
+</Macro>
 
-######################
-# www.ports.debian.org
-<% if scope.function_has_static_component(['www.ports.debian.org']) -%>
+<Macro vstatic-vhost-extra-www.ports.debian.org>
+	<Directory /srv/static.debian.org/mirrors/www.ports.debian.org/cur>
+		AllowOverride FileInfo Indexes Options=Multiviews
+		Options Multiviews Indexes FollowSymLinks Includes
+		Require all granted
+	</Directory>
 
-Use common-dsa-vhost-https-redirect www.ports.debian.org
+	AddOutputFilter INCLUDES .xhtml
+</Macro>
 
-<Macro vhost-inner-www.ports.debian.org>
-	ServerAdmin debian-admin@lists.debian.org
 
-	ErrorLog /var/log/apache2/www.ports.debian.org-error.log
-	CustomLog /var/log/apache2/www.ports.debian.org-access.log privacy
+<Macro vstatic-vhost-extra-lintian.debian.org>
+	AddDefaultCharset utf-8
 
+	<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur>
+		Require all granted
 
-	<IfModule mod_userdir.c>
-		UserDir disabled
-	</IfModule>
-	ServerSignature On
+		# These three lines makes apache serve
+		# "lintian.log.gz" as a text/plain with encoding gzip
+		# making it easier to view the log in the browser.
+		RemoveType .gz
+		AddEncoding x-gzip .gz
+		AddType text/plain .log
+
+		<IfModule mod_userdir.c>
+			AddOutputFilterByType DEFLATE image/svg+xml
+			AddOutputFilterByType DEFLATE text/plain
+		</IfModule>
+	</Directory>
 
-	DocumentRoot /srv/static.debian.org/mirrors/www.ports.debian.org/cur
-	<Directory /srv/static.debian.org/mirrors/www.ports.debian.org/cur>
-		AllowOverride FileInfo Indexes Options=Multiviews
-		Options Multiviews Indexes FollowSymLinks Includes
-		IndexOptions FancyIndexing NameWidth=*
-		Require all granted
+	<Directory /srv/static.debian.org/mirrors/lintian.debian.org/cur/resources>
+		# Cache these for a year (3600 * 24 * 365.25)
+		# Files in here will change name if their content change
+		Header set Cache-Control "max-age=31557600, public"
 	</Directory>
 
-	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
-	AddOutputFilter INCLUDES .xhtml
+	RewriteEngine on
+	RewriteMap source-map txt:/srv/static.debian.org/mirrors/lintian.debian.org/cur/lookup-tables/source-packages
+
+	# Re-direct from the "old" locations to the new ones
+	RewriteRule ^/reports/T(.*)\.html$ /tags/$1.html [L,R=permanent]
+	RewriteRule ^/reports/(.*)$ /$1 [L,R=permanent]
+
+	# Map source packages to reports (this mapping is re-written once per lintian run,
+	# serve it as a 302 rather than a permanent redirect)
+	# Version-less request
+	RewriteRule ^/source/([a-z0-9-]+)/?$ /${source-map:$1} [L,R,NE]
+	# Versioned request
+	RewriteRule ^/source/([a-z0-9-]+)/([a-zA-Z0-9.+:~-]+)$ /${source-map:$1/$2} [L,R,NE]
+
+	Header always set Content-Security-Policy "default-src 'self'; media-src 'none'; object-src 'none';"
+	<FilesMatch "\.(svg)$">
+		Header always set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline';"
+	</FilesMatch>
 </Macro>
 
-<Virtualhost <%= vhost_listen_443 %> >
-	ServerName www.ports.debian.org
-	ServerAlias www.ports-backend.debian.org
-	Use common-debian-service-ssl www.ports.debian.org
-	Use common-ssl-HSTS
-	Use vhost-inner-www.ports.debian.org
-</VirtualHost>
-<% if scope.function_onion_global_service_hostname(['www.ports.debian.org']) -%>
-<Virtualhost <%= vhost_listen %> >
-	ServerName <%= scope.function_onion_global_service_hostname(['www.ports.debian.org']) %>
-	Use vhost-inner-www.ports.debian.org
+<%=
+
+def vhost(lines, sn, kwargs={})
+	if scope.function_has_static_component([sn])
+		if not kwargs[:extra]
+				lines << "<Macro vstatic-vhost-extra-#{sn}>"
+				lines << "  # mod macro does not like empty macros, so here's some content:"
+				lines << "  <Directory /non-existant>"
+				lines << "  </Directory>"
+				lines << "</Macro>"
+		end
+
+		lines << "Use prepare-static-vhost #{sn}"
+
+		if kwargs[:ssl] and kwargs[:ssl_optional]
+			lines << "Use static-vhost-plain-#{sn}"
+			lines << "Use static-vhost-ssl-#{sn}"
+		elsif kwargs[:ssl]
+			lines << "Use common-dsa-vhost-https-redirect #{sn}"
+			lines << "Use static-vhost-ssl-#{sn}"
+		else
+			lines << "Use static-vhost-plain-#{sn}"
+		end
+
+		onion = scope.function_onion_global_service_hostname([sn])
+		lines << "Use static-vhost-onion-#{sn} #{onion}" if onion
+
+		lines << ""
+	end
+end
+
+lines = []
+vhost(lines, "mozilla.debian.net"            , :ssl => true, :ssl_optional => true)
+vhost(lines, "backports.debian.org"          , :ssl => true)
+vhost(lines, "incoming.debian.org"           , :ssl => true, :ssl_optional => true)
+vhost(lines, "incoming.ports.debian.org"     , :ssl => true, :ssl_optional => true)
+vhost(lines, "debdeltas.debian.net"          , :ssl => true, :ssl_optional => true)
+vhost(lines, "news.debian.net"               , :ssl => true)
+vhost(lines, "bootstrap.debian.net"          , :ssl => true)
+vhost(lines, "debaday.debian.net"            , :ssl => true)
+vhost(lines, "timeline.debian.net"           , :ssl => true)
+vhost(lines, "network-test.debian.org"       , :extra => true)
+vhost(lines, "blends.debian.org"             , :ssl => true)
+vhost(lines, "wnpp-by-tags.debian.net"       , :ssl => true)
+vhost(lines, "security-team.debian.org"      , :ssl => true)
+vhost(lines, "d-i.debian.org"                , :ssl => true)
+vhost(lines, "appstream.debian.org"          , :ssl => true)
+vhost(lines, "apt.buildd.debian.org"         , :ssl => true)
+vhost(lines, "dpl.debian.org"                , :ssl => true)
+vhost(lines, "dsa.debian.org"                , :ssl => true)
+vhost(lines, "rtc.debian.org"                , :ssl => true)
+vhost(lines, "mirror-master.debian.org"      , :ssl => true)
+vhost(lines, "onion.debian.org"              , :ssl => true)
+vhost(lines, "manpages.debian.org"           , :ssl => true, :extra => true)
+
+vhost(lines, "bits.debian.org"               , :ssl => true, :extra => true)
+vhost(lines, "micronews.debian.org"          , :ssl => true)
+vhost(lines, "metadata.ftp-master.debian.org", :extra => true)
+
+vhost(lines, "10years.debconf.org"           , :ssl => true)
+vhost(lines, "debconf0.debconf.org"          , :ssl => true)
+vhost(lines, "debconf1.debconf.org"          , :ssl => true)
+vhost(lines, "debconf2.debconf.org"          , :ssl => true)
+vhost(lines, "debconf3.debconf.org"          , :ssl => true)
+vhost(lines, "debconf4.debconf.org"          , :ssl => true)
+vhost(lines, "debconf5.debconf.org"          , :ssl => true)
+vhost(lines, "debconf6.debconf.org"          , :ssl => true)
+vhost(lines, "debconf7.debconf.org"          , :ssl => true)
+vhost(lines, "debconf16.debconf.org"         , :ssl => true)
+vhost(lines, "es.debconf.org"                , :ssl => true)
+vhost(lines, "fr.debconf.org"                , :ssl => true)
+vhost(lines, "miniconf10.debconf.org"        , :ssl => true)
+
+vhost(lines, "deb.debian.org"                , :extra => true)
+vhost(lines, "release.debian.org"            , :ssl => true, :extra => true)
+vhost(lines, "www.ports.debian.org"          , :ssl => true, :extra => true)
+vhost(lines, "lintian.debian.org"            , :ssl => true, :extra => true)
+
+lines.join("\n")
+-%>
+
+# www.backports.org
+###################
+# www.backports.org is the historical place for the backports
+# website and archive.  It is now a CNAME to backports.debian.org:
+# redirect http requests.
+<VirtualHost <%= @vhost_listen %> >
+	ServerName www.backports.org
+	ServerAlias lists.backports.org
+	ServerAdmin debian-admin@debian.org
+	RedirectPermanent / http://backports.debian.org/
 </VirtualHost>
-<% end -%>
-<% end -%>
 
-<VirtualHost <%= vhost_listen %> >
+######################
+<VirtualHost <%= @vhost_listen %> >
 	ServerName www.debian-ports.org
 	ServerAlias debian-ports.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / https://www.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ports.debian.org
 	ServerAlias ports.debian.net
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / https://www.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName incoming.debian-ports.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / http://incoming.ports.debian.org/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ftp.debian-ports.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent /archive http://www.ports.debian.org
@@ -245,19 +277,16 @@ Use common-dsa-vhost-https-redirect www.ports.debian.org
 	RedirectPermanent / http://ftp.ports.debian.org/
 </VirtualHost>
 
-# video.debian.net
-###################
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName video.debian.net
 	ServerAdmin debian-admin@debian.org
-
 	Redirect / http://meetings-archive.debian.net/pub/debian-meetings/
 </VirtualHost>
 
 # historical sites
 ##################
 # now only redirects remain
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName women.debian.org
 	ServerAdmin debian-admin@debian.org
 
@@ -274,17 +303,60 @@ Use common-dsa-vhost-https-redirect www.ports.debian.org
 	RedirectPermanent /profiles/ http://www.debian.org/women/profiles/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName volatile.debian.org
 	ServerAlias volatile-master.debian.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / http://www.debian.org/volatile/
 </VirtualHost>
 
-<VirtualHost <%= vhost_listen %> >
+<VirtualHost <%= @vhost_listen %> >
 	ServerName ftp-master.metadata.debian.org
 	ServerAdmin debian-admin@debian.org
 	RedirectPermanent / http://metadata.ftp-master.debian.org/
 </VirtualHost>
 
+<VirtualHost <%= @vhost_listen %> >
+	ServerName backports-master.debian.org
+	ServerAdmin debian-admin@debian.org
+	RedirectPermanent / https://backports.debian.org/
+</VirtualHost>
+
+<VirtualHost <%= @vhost_listen %> >
+	ServerName manpages.debian.net
+	ServerAdmin debian-admin@debian.org
+	Redirect / https://manpages.debian.org/
+</VirtualHost>
+
+# error pages
+#############
+
+Use common-dsa-vhost-https-redirect archive.debian.net
+<VirtualHost <%= @vhost_listen %> >
+	ServerName archive.debian.net
+	ServerAdmin debian-admin@debian.org
+	ErrorLog /var/log/apache2/archive.debian.net-error.log
+	CustomLog /var/log/apache2/archive.debian.net-access.log privacyssl
+
+	Use common-debian-service-ssl archive.debian.net
+	Use common-ssl-HSTS
+
+	<IfModule mod_userdir.c>
+		UserDir disabled
+	</IfModule>
+	ServerSignature On
+
+	DocumentRoot /srv/static.debian.org/puppet/archive.debian.net
+	<Directory /srv/static.debian.org/puppet/archive.debian.net>
+		AllowOverride FileInfo Indexes Options=Multiviews
+		Options Indexes SymLinksIfOwnerMatch
+		Require all granted
+	</Directory>
+
+	RedirectMatch 503 ^/(?!503\.html)
+	ErrorDocument 503 /503.html
+	Header always set Retry-After "18000"
+</VirtualHost>
+
+
 # vim:ft=apache: