bobmaerten · April 29, 2014 08:00
diff --git a/default b/default
 <Macro RedirSSL ${domain}>
    <VirtualHost *:80>
        ServerName ${domain}.domain.com

        RewriteEngine On
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>
 </Macro>
 #-------
 <Macro ConfSSL>
        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/wildcard.pem
        SSLCertificateKeyFile   /etc/apache2/ssl/wildcard.key
        SSLCertificateChainFile /etc/apache2/ssl/ssl-chain.pem
        SSLProtocol             all -SSLv2
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
        SSLHonorCipherOrder     on
        SSLCompression          off

        # OCSP Stapling, only in httpd 2.3.3 and later
        #SSLUseStapling          on
        #SSLStaplingResponderTimeout 5
        #SSLStaplingReturnResponderErrors off
        #SSLStaplingCache        shmcb:/var/run/ocsp(128000)

        # Enable this if your want HSTS (recommended, but be careful)
        # HTTP Strict Transport Security: HSTS is a HTTP header that tells clients to connect to the site using HTTPS only. It enforces security, by telling clients that any HTTP URL to a given site should be ignored. The directive is cached on the client size for the duration of max-age.
        #Header add Strict-Transport-Security "max-age=15768000"
 </Macro>
 #-------
 <Macro Confvhost ${domain}>
        ServerAdmin [email protected]
        ServerName ${domain}.domain.com

        ErrorLog ${APACHE_LOG_DIR}/${domain}-error.log
        LogLevel warn
        SetEnvIf Request_URI "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf|txt|cur)$" dontlog
        SetEnvIf Request_URI "^_" dontlog
        SetEnvIf Request_URI "^/_" dontlog
        CustomLog ${APACHE_LOG_DIR}/${domain}-access.log combined env=!dontlog
        ServerSignature Off

        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresByType text/css "access plus 3 hours"
            ExpiresByType text/javascript "access plus 3 hours"
            ExpiresByType image/gif "access plus 1 day"
            ExpiresByType image/png "access plus 1 day"
            ExpiresByType image/jpg "access plus 1 day"
            ExpiresByType application/x-shockwave-flash "access plus 1 day"
            ExpiresByType image/x-icon  "access plus 1 day"
        </IfModule>

        <IfModule mod_deflate.c>
            AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript
        </IfModule>
 </Macro>
 #-------
 <Macro RPSimple ${target} ${allowfrom}>
    ProxyPreserveHost On
    ProxyRequests     Off
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from ${allowfrom}
    </Proxy>
    ProxyPass        / ${target}
    ProxyPassReverse / ${target}
 </Macro>
 #-------
 <Macro RPLB2 ${domain} ${target1} ${target2} ${allowfrom}>
        ProxyPass /balancer-manager !
        ProxyPass / balancer://${domain}servers/
        SetEnvIf Request_URI "^/balancer-manager" dontlog

        <Proxy balancer://${domain}servers>
                Order Deny,Allow
                Deny from all
                Allow from ${allowfrom}
                BalancerMember ${target1} route=${domain} timeout=60 retry=1 loadfactor=100
                BalancerMember ${target2} route=${domain} timeout=60 retry=1 loadfactor=100
                ProxySet stickysession=${domain}_STICKY nofailover=On
        </Proxy>

        Header add Set-Cookie "${domain}_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;" env=BALANCER_ROUTE_CHANGED

        <Location /balancer-manager>
                SetHandler balancer-manager
                Order Deny,Allow
                Deny from all
                Allow from 127.0.0.1 192.168.1.0/24
        </Location>
 </Macro>
 #-------
 #///////////////////////////////#
 # Macros définissant les vhosts #
 #///////////////////////////////#
 <Macro vhost ${type} ${domain} ${target} ${allowfrom}>
    <VirtualHost *:80>
        Use Confvhost ${domain}
        Use ${type} ${target} "${allowfrom}"
    </VirtualHost>
 </Macro>
 #-------
 <Macro SSLvhost ${type} ${domain} ${target} ${allowfrom}>
    Use RedirSSL ${domain}
    <VirtualHost *:443>
        Use Confvhost ${domain}
        Use ConfSSL
        Use ${type} ${target} "${allowfrom}"
    </VirtualHost>
 </Macro>
 #-------
 <Macro SSLvhostLB2 ${type} ${domain} ${target1} ${target2} ${allowfrom}>
    Use RedirSSL ${domain}
    <VirtualHost *:443>
        Use Confvhost ${domain}
        Use ConfSSL
        Use ${type} ${domain} ${target1} ${target2} "${allowfrom}"
    </VirtualHost>
 </Macro>
 #-------

 ######################
 # Definition des RPs #
 ######################
 Use vhost RPSimple app-php http://appserver-php.domain.com/ "all"
 Use SSLvhost RPSimple ssl-app-java ajp://appserver-java.domain.com:8009/ "all"
 Use SSLvhostLB2 RPLB2 ssl-app-java-lb ajp://appserver-java1.domain.com:8009 ajp://appserver-java2.domain.com:8009 "192.168.1.0/24 "
	<Macro RedirSSL ${domain}>
	<VirtualHost *:80>
	ServerName ${domain}.domain.com

	RewriteEngine On
	RewriteCond %{SERVER_PORT} !^443$
	RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
	</VirtualHost>
	</Macro>
	#-------
	<Macro ConfSSL>
	SSLEngine on
	SSLCertificateFile /etc/apache2/ssl/wildcard.pem
	SSLCertificateKeyFile /etc/apache2/ssl/wildcard.key
	SSLCertificateChainFile /etc/apache2/ssl/ssl-chain.pem
	SSLProtocol all -SSLv2
	SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
	SSLHonorCipherOrder on
	SSLCompression off

	# OCSP Stapling, only in httpd 2.3.3 and later
	#SSLUseStapling on
	#SSLStaplingResponderTimeout 5
	#SSLStaplingReturnResponderErrors off
	#SSLStaplingCache shmcb:/var/run/ocsp(128000)

	# Enable this if your want HSTS (recommended, but be careful)
	# HTTP Strict Transport Security: HSTS is a HTTP header that tells clients to connect to the site using HTTPS only. It enforces security, by telling clients that any HTTP URL to a given site should be ignored. The directive is cached on the client size for the duration of max-age.
	#Header add Strict-Transport-Security "max-age=15768000"
	</Macro>
	#-------
	<Macro Confvhost ${domain}>
	ServerAdmin [email protected]
	ServerName ${domain}.domain.com

	ErrorLog ${APACHE_LOG_DIR}/${domain}-error.log
	LogLevel warn
	SetEnvIf Request_URI "\.(ico\|pdf\|flv\|jpg\|jpeg\|png\|gif\|js\|css\|swf\|txt\|cur)$" dontlog
	SetEnvIf Request_URI "^_" dontlog
	SetEnvIf Request_URI "^/_" dontlog
	CustomLog ${APACHE_LOG_DIR}/${domain}-access.log combined env=!dontlog
	ServerSignature Off

	<IfModule mod_expires.c>
	ExpiresActive On
	ExpiresByType text/css "access plus 3 hours"
	ExpiresByType text/javascript "access plus 3 hours"
	ExpiresByType image/gif "access plus 1 day"
	ExpiresByType image/png "access plus 1 day"
	ExpiresByType image/jpg "access plus 1 day"
	ExpiresByType application/x-shockwave-flash "access plus 1 day"
	ExpiresByType image/x-icon "access plus 1 day"
	</IfModule>

	<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript
	</IfModule>
	</Macro>
	#-------
	<Macro RPSimple ${target} ${allowfrom}>
	ProxyPreserveHost On
	ProxyRequests Off
	<Proxy *>
	Order deny,allow
	Deny from all
	Allow from ${allowfrom}
	</Proxy>
	ProxyPass / ${target}
	ProxyPassReverse / ${target}
	</Macro>
	#-------
	<Macro RPLB2 ${domain} ${target1} ${target2} ${allowfrom}>
	ProxyPass /balancer-manager !
	ProxyPass / balancer://${domain}servers/
	SetEnvIf Request_URI "^/balancer-manager" dontlog

	<Proxy balancer://${domain}servers>
	Order Deny,Allow
	Deny from all
	Allow from ${allowfrom}
	BalancerMember ${target1} route=${domain} timeout=60 retry=1 loadfactor=100
	BalancerMember ${target2} route=${domain} timeout=60 retry=1 loadfactor=100
	ProxySet stickysession=${domain}_STICKY nofailover=On
	</Proxy>

	Header add Set-Cookie "${domain}_STICKY=sticky.%{BALANCER_WORKER_ROUTE}e;path=/;" env=BALANCER_ROUTE_CHANGED

	<Location /balancer-manager>
	SetHandler balancer-manager
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1 192.168.1.0/24
	</Location>
	</Macro>
	#-------
	#///////////////////////////////#
	# Macros définissant les vhosts #
	#///////////////////////////////#
	<Macro vhost ${type} ${domain} ${target} ${allowfrom}>
	<VirtualHost *:80>
	Use Confvhost ${domain}
	Use ${type} ${target} "${allowfrom}"
	</VirtualHost>
	</Macro>
	#-------
	<Macro SSLvhost ${type} ${domain} ${target} ${allowfrom}>
	Use RedirSSL ${domain}
	<VirtualHost *:443>
	Use Confvhost ${domain}
	Use ConfSSL
	Use ${type} ${target} "${allowfrom}"
	</VirtualHost>
	</Macro>
	#-------
	<Macro SSLvhostLB2 ${type} ${domain} ${target1} ${target2} ${allowfrom}>
	Use RedirSSL ${domain}
	<VirtualHost *:443>
	Use Confvhost ${domain}
	Use ConfSSL
	Use ${type} ${domain} ${target1} ${target2} "${allowfrom}"
	</VirtualHost>
	</Macro>
	#-------

	######################
	# Definition des RPs #
	######################
	Use vhost RPSimple app-php http://appserver-php.domain.com/ "all"
	Use SSLvhost RPSimple ssl-app-java ajp://appserver-java.domain.com:8009/ "all"
	Use SSLvhostLB2 RPLB2 ssl-app-java-lb ajp://appserver-java1.domain.com:8009 ajp://appserver-java2.domain.com:8009 "192.168.1.0/24 "