Steve Linabery
2009-Feb-24 16:29 UTC
[Ovirt-devel] [PATCH server] Switch ovirt appliance httpd conf to use ssl, redirect http to https.
---
conf/ovirt-server.conf | 20 +++++++++++++++++++-
installer/modules/ovirt/manifests/ovirt.pp | 15 +++++++++++++++
2 files changed, 34 insertions(+), 1 deletions(-)
diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
index 7ab77b4..1d8cb7a 100644
--- a/conf/ovirt-server.conf
+++ b/conf/ovirt-server.conf
@@ -1,6 +1,24 @@
NameVirtualHost *:80
<VirtualHost *:80>
-ProxyRequests Off
+ RewriteEngine on
+ RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
+</VirtualHost>
+
+NameVirtualHost 192.168.50.2:443
+<VirtualHost 192.168.50.2:443>
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ ErrorLog /etc/httpd/logs/error_log
+ TransferLog /etc/httpd/logs/access_log
+ LogLevel warn
+ NSSEngine on
+ NSSCipherSuite
+rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
+ NSSProtocol SSLv3,TLSv1
+ NSSNickname Server-Cert
+ NSSCertificateDatabase /etc/httpd/alias
+
+ ProxyRequests Off
<ProxyMatch ^.*/ovirt/login.*$>
AuthType Kerberos
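Review bot: The new 443 vhost still negotiates SSLv3 and enables RC4 and MD5-based suites (`NSSProtocol SSLv3,TLSv1` and the `+rsa_rc4_128_md5,+rsa_rc4_128_sha` entries in `NSSCipherSuite`), and it is the vhost that now carries the Kerberos login under `<ProxyMatch ^.*/ovirt/login.*$>`. I would restrict it to `NSSProtocol TLSv1` and flip the two RC4 entries to `-rsa_rc4_128_md5,-rsa_rc4_128_sha`, keeping the AES suites already listed. A short comment above the cipher list saying why each enabled family is kept would make later tightening easier. The `<VirtualHost 192.168.50.2:443>` block and the `<ProxyMatch>` section continue past the end of the hunk, so whether anything later relaxes these settings is not visible here.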
diff --git a/installer/modules/ovirt/manifests/ovirt.pp
b/installer/modules/ovirt/manifests/ovirt.pp
index c81b6f2..c34eae0 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -20,6 +20,21 @@
class ovirt::setup {
+ #until ace offers a global replacement, we need to change each
+ #occurrence of the ip address in the httpd conf file
+ file_replacement{"ovirt_httpd_config_change_1":
+ file => "/etc/httpd/conf.d/ovirt-server.conf",
+ pattern => "192\.168\.50\.2",
+ replacement => "$mgmt_ipaddr",
+ require => Package[ovirt-server]
+ }
+ file_replacement{"ovirt_httpd_config_change_2":
+ file => "/etc/httpd/conf.d/ovirt-server.conf",
+ pattern => "192\.168\.50\.2",
+ replacement => "$mgmt_ipaddr",
+ require => Package[ovirt-server]
+ }
+
package {"ovirt-server":
ensure => installed,
require => Single_exec[set_pw_expiration]
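Review bot: The regex in `pattern => "192\.168\.50\.2"` sits in a double-quoted Puppet string, so the `\.` escapes depend on how the parser treats unknown backslash sequences; single quotes, `pattern => '192\.168\.50\.2'`, keep the regex literal. Separately, `replacement => "$mgmt_ipaddr"` is interpolated with no visible check that the variable is set; if it were empty the rewritten file would carry `<VirtualHost :443>` and the TLS vhost would presumably not bind as intended. Nothing in the hunk notifies the httpd service after the file changes, though `class ovirt::setup` continues outside the hunk and may handle that.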
--
1.6.0.6
Jason Guiditta
2009-Feb-26 15:41 UTC
[Ovirt-devel] [PATCH server] Switch ovirt appliance httpd conf to use ssl, redirect http to https.
On Tue, 2009-02-24 at 10:29 -0600, Steve Linabery wrote:
> ---
> conf/ovirt-server.conf | 20 +++++++++++++++++++-
> installer/modules/ovirt/manifests/ovirt.pp | 15 +++++++++++++++
> 2 files changed, 34 insertions(+), 1 deletions(-)
>
> diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
> index 7ab77b4..1d8cb7a 100644
> --- a/conf/ovirt-server.conf
> +++ b/conf/ovirt-server.conf
> @@ -1,6 +1,24 @@
> NameVirtualHost *:80
> <VirtualHost *:80>
> -ProxyRequests Off
> + RewriteEngine on
> + RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> +</VirtualHost>
> +
> +NameVirtualHost 192.168.50.2:443
> +<VirtualHost 192.168.50.2:443>
> +
> + RequestHeader set X_FORWARDED_PROTO 'https'
> +
> + ErrorLog /etc/httpd/logs/error_log
> + TransferLog /etc/httpd/logs/access_log
> + LogLevel warn
> + NSSEngine on
> + NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
> + NSSProtocol SSLv3,TLSv1
> + NSSNickname Server-Cert
> + NSSCertificateDatabase /etc/httpd/alias
> +
> + ProxyRequests Off
>
> <ProxyMatch ^.*/ovirt/login.*$>
> AuthType Kerberos
> diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
> index c81b6f2..c34eae0 100644
> --- a/installer/modules/ovirt/manifests/ovirt.pp
> +++ b/installer/modules/ovirt/manifests/ovirt.pp
> @@ -20,6 +20,21 @@
>
> class ovirt::setup {
>
> + #until ace offers a global replacement, we need to change each
> + #occurrence of the ip address in the httpd conf file
> + file_replacement{"ovirt_httpd_config_change_1":
> + file => "/etc/httpd/conf.d/ovirt-server.conf",
> + pattern => "192\.168\.50\.2",
> + replacement => "$mgmt_ipaddr",
> + require => Package[ovirt-server]
> + }
> + file_replacement{"ovirt_httpd_config_change_2":
> + file => "/etc/httpd/conf.d/ovirt-server.conf",
> + pattern => "192\.168\.50\.2",
> + replacement => "$mgmt_ipaddr",
> + require => Package[ovirt-server]
> + }
> +
> package {"ovirt-server":
> ensure => installed,
> require => Single_exec[set_pw_expiration]
ACK, provided you remove one of those file_replace blocks above ^^ -j
Ian Main
2009-Mar-12 00:23 UTC
[Ovirt-devel] [PATCH server] Switch ovirt appliance httpd conf to use ssl, redirect http to https.
On Tue, 24 Feb 2009 10:29:03 -0600 Steve Linabery <slinabery at redhat.com> wrote:
> ---
> conf/ovirt-server.conf | 20 +++++++++++++++++++-
> installer/modules/ovirt/manifests/ovirt.pp | 15 +++++++++++++++
> 2 files changed, 34 insertions(+), 1 deletions(-)
>
> diff --git a/conf/ovirt-server.conf b/conf/ovirt-server.conf
> index 7ab77b4..1d8cb7a 100644
> --- a/conf/ovirt-server.conf
> +++ b/conf/ovirt-server.conf
> @@ -1,6 +1,24 @@
> NameVirtualHost *:80
> <VirtualHost *:80>
> -ProxyRequests Off
> + RewriteEngine on
> + RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
> +</VirtualHost>
> +
> +NameVirtualHost 192.168.50.2:443
> +<VirtualHost 192.168.50.2:443>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Doesn't work!! Will only work if you have the appliance-like setup (or randomly get that IP). Ian