Enable SSL for user sites on the dev server

diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 5186e1109934d65bbf01c835d961d81603e4d46c..35efa45f71ded8c9694aedb998dbbc0050c4761d 100644 (file)
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -136,6 +136,11 @@ search(:accounts, "*:*").each do |account|
     notifies :reload, "service[php7.0-fpm]"
   end
 
+  ssl_certificate "#{name}.dev.openstreetmap.org" do
+    domains ["#{name}.dev.openstreetmap.org", "#{name}.dev.osm.org"]
+    notifies :reload, "service[apache2]"
+  end
+
   apache_site "#{name}.dev.openstreetmap.org" do
     template "apache.user.erb"
     directory "#{user_home}/public_html"

diff --git a/cookbooks/dev/templates/default/apache.user.erb b/cookbooks/dev/templates/default/apache.user.erb
index 39f1cd60faa2f40b1c8db8f5e830de0fc8bc6c30..13afb27c2fc9776260562cc51750c104aab1a1e3 100644 (file)
--- a/cookbooks/dev/templates/default/apache.user.erb
+++ b/cookbooks/dev/templates/default/apache.user.erb
@@ -2,11 +2,15 @@
 
 WSGIDaemonProcess <%= @user %>.dev.openstreetmap.org user=<%= @user %> inactivity-timeout=600
 
-<VirtualHost *:80>
+<VirtualHost *:443>
        ServerName <%= @user %>.dev.openstreetmap.org
        ServerAdmin webmaster@openstreetmap.org
        ServerAlias <%= @user %>.dev.osm.org
 
+       SSLEngine on
+       SSLCertificateFile /etc/ssl/certs/<%= @user %>.dev.openstreetmap.org.pem
+       SSLCertificateKeyFile /etc/ssl/private/<%= @user %>.dev.openstreetmap.org.key
+
        # Remove Proxy request header to mitigate https://httpoxy.org/
        RequestHeader unset Proxy early
 
@@ -29,6 +33,35 @@ WSGIDaemonProcess <%= @user %>.dev.openstreetmap.org user=<%= @user %> inactivit
        RewriteRule ^/(.*\.ph(p|ps|p3|tml)(/.*)?)$ fcgi://127.0.0.1:<%= @port %><%= @directory %>/$1 [P]
 </VirtualHost>
 
+<VirtualHost *:80>
+       ServerName <%= @user %>.dev.openstreetmap.org
+       ServerAdmin webmaster@openstreetmap.org
+       ServerAlias <%= @user %>.dev.osm.org
+
+       # Remove Proxy request header to mitigate https://httpoxy.org/
+       RequestHeader unset Proxy early
+
+       UseCanonicalName Off
+       DocumentRoot <%= @directory %>
+       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+
+       RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
+        WSGIProcessGroup <%= @user %>.dev.openstreetmap.org
+
+       RewriteEngine on
+       #LogLevel rewrite:trace2
+
+       CustomLog /var/log/apache2/<%= @user %>.dev.openstreetmap.org-access.log combined
+       ErrorLog /var/log/apache2/<%= @user %>.dev.openstreetmap.org-error.log
+
+       RewriteCond <%= @directory %>%{REQUEST_FILENAME} -f
+       RewriteRule ^/cgi-bin/(.*)$ /~<%= @user %>/cgi-bin/$1 [PT,L]
+
+       RewriteCond <%= @directory %>%{REQUEST_FILENAME} -f
+       RewriteRule ^/(.*\.ph(p|ps|p3|tml)(/.*)?)$ fcgi://127.0.0.1:<%= @port %><%= @directory %>/$1 [P]
+</VirtualHost>
+
 <Directory <%= @directory %>>
        AllowOverride AuthConfig FileInfo Indexes Options=RailsBaseURI
        Options SymLinksIfOwnerMatch Indexes Includes