diff --git a/defaults/main/ood_portal.yml b/defaults/main/ood_portal.yml index e42402c..39eb865 100644 --- a/defaults/main/ood_portal.yml +++ b/defaults/main/ood_portal.yml @@ -67,6 +67,9 @@ pun_stage_cmd: "sudo {{ ood_base_dir }}/nginx_stage/sbin/nginx_stage" # node_uri: '/node' # rnode_uri: '/rnode' +# secure_node_uri: '/secure-node' +# secure_rnode_uri: '/secure-rnode' +# ssl_proxy: [] host_regex: '[^/]+' pun_uri: "/pun" diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 index 07a775a..41ed403 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 
@@ -278,6 +278,37 @@ node_uri: /custom-node-path # Default: null (disable this feature) rnode_uri: /custom-rnode-path +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +secure_node_uri: /custom-secure-node + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +secure_rnode_uri: /custom-secure-rnode + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +ssl_proxy: + - 'SSLProxyCheckPeerCN Off' + - 'SSLProxyCheckPeerName Off' + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd index 1677636..1cded5d 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd 
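Review bot: The comment block above `ssl_proxy` ends with a stray `# to.` line, and its only example turns off `SSLProxyCheckPeerCN` and `SSLProxyCheckPeerName` without saying what that costs. With both checks off, Apache no longer matches the backend certificate against the host it is proxying to, so the forced HTTPS/WSS hop on the `secure_[r]node_uri` paths is encrypted but not tied to the intended node. I would drop the `# to.` line and add a caveat such as `# NOTE: disabling the peer name checks means the upstream certificate is not matched to the node's hostname; where backends have certificates from a site CA, prefer SSLProxyCACertificateFile`. The same text is repeated in the other five fixture hunks and in templates/ood_portal.yml.j2, which is presumably where the wording originates and should be changed.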
@@ -278,6 +278,37 @@ node_uri: /custom-node-path # Default: null (disable this feature) rnode_uri: /custom-rnode-path +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +secure_node_uri: /custom-secure-node + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +secure_rnode_uri: /custom-secure-rnode + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +ssl_proxy: + - 'SSLProxyCheckPeerCN Off' + - 'SSLProxyCheckPeerName Off' + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 index ed2c90c..5d13fb9 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 
@@ -269,6 +269,35 @@ host_regex: '[^/]+' # Default: null (disable this feature) #rnode_uri: null +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +#secure_node_uri: null + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +#secure_rnode_uri: null + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +#ssl_proxy: [] + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd index 9f12d41..951bd0e 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.default.httpd 
@@ -269,6 +269,35 @@ host_regex: '[^/]+' # Default: null (disable this feature) #rnode_uri: null +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +#secure_node_uri: null + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +#secure_rnode_uri: null + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +#ssl_proxy: [] + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 index f1a5a2a..4316a51 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 
@@ -270,6 +270,35 @@ node_uri: /custom-node-path # Default: null (disable this feature) rnode_uri: /custom-rnode-path +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +#secure_node_uri: null + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +#secure_rnode_uri: null + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +#ssl_proxy: [] + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd index 694675d..0b1cfbc 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd 
@@ -270,6 +270,35 @@ node_uri: /custom-node-path # Default: null (disable this feature) rnode_uri: /custom-rnode-path +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +#secure_node_uri: null + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +#secure_rnode_uri: null + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +#ssl_proxy: [] + # # Per-user NGINX Passenger apps # diff --git a/molecule/default/vars/portal.yml b/molecule/default/vars/portal.yml index 5358082..17683f5 100644 --- a/molecule/default/vars/portal.yml +++ b/molecule/default/vars/portal.yml @@ -6,6 +6,11 @@ user_map_match: '^([^@]+)@.*$' rnode_uri: '/custom-rnode-path' node_uri: '/custom-node-path' oidc_uri: '/custom-oidc-path' +secure_node_uri: '/custom-secure-node' +secure_rnode_uri: '/custom-secure-rnode' +ssl_proxy: + - 'SSLProxyCheckPeerCN Off' + - 'SSLProxyCheckPeerName Off' httpd_error_log: 'custom_defined_error.log' httpd_access_log: 'custom_defined_access.log' httpd_logformat: '"%O %h \"%{Referer}i\" \"%r\" %v \"%{User-Agent}i\" %{SSL_PROTOCOL}e %T %>s"' diff --git a/templates/ood_portal.yml.j2 b/templates/ood_portal.yml.j2 index 818baf1..6dfef3b 100644 
--- a/templates/ood_portal.yml.j2 +++ b/templates/ood_portal.yml.j2 @@ -344,6 +344,46 @@ host_regex: '{{ host_regex }}' {% else %}#rnode_uri: null {% endif %} +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that knows +# the full URI path +# Example: +# secure_node_uri: '/secure-node' +# Default: null (disable this feature) +{% if secure_node_uri is defined %}secure_node_uri: {{ secure_node_uri }} +{% else %}#secure_node_uri: null +{% endif %} + +# This path will force the upstream connection to use HTTPS or WSS, used for +# backend applications that are running their own SSL termination +# Sub-uri used to reverse proxy to backend web server running on node that +# ONLY uses *relative* URI paths +# Example: +# secure_rnode_uri: '/secure-rnode' +# Default: null (disable this feature) +{% if secure_rnode_uri is defined %}secure_rnode_uri: {{ secure_rnode_uri }} +{% else %}#secure_rnode_uri: null +{% endif %} + +# List of SSL Proxy Apache directives +# These settings control SSL validation for the upstream connection and require +# a secure_[r]node_uri to be defined +# to. +# Example: +# ssl_proxy: +# - 'SSLProxyCheckPeerCN Off' +# - 'SSLProxyCheckPeerName Off' +# Default: [] (no additional SSL proxy settings) +{% if ssl_proxy is defined %} +ssl_proxy: +{% for directive in ssl_proxy %} + - '{{ directive }}' +{% endfor %} +{% else %} +#ssl_proxy: [] +{% endif %} + # # Per-user NGINX Passenger apps #
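Review bot: The loop line `- '{{ directive }}'` wraps each `ssl_proxy` entry in single quotes without escaping, so a directive that contains a `'` renders as broken or altered YAML; `- '{{ directive | replace("'", "''") }}'` keeps the existing fixture output byte-identical while making the quoting safe. The two URI lines are guarded only by `is defined`, which is also true for a variable set to null or an empty string, so `secure_node_uri: {{ secure_node_uri }}` would then presumably render something other than the documented disabled state. Using `{% if secure_node_uri is defined and secure_node_uri %}` (and the same for `secure_rnode_uri`) avoids that. The template continues outside this hunk, so I cannot see whether the `node_uri`/`rnode_uri` blocks above use the same guard and would need the same change.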