From: Oliver Böttcher
Date: Fri, 9 Mar 2018 08:19:55 +0000 (+0100)
Subject: MBVD - ODT - new live env / cert location fix
X-Git-Tag: v0.1.0~1497^2~8^2~5
X-Git-Url: https://git.uhu-banane.de/?a=commitdiff_plain;h=b4de6009eb8a1ed991c05625b06d4aff347468cc;p=pixelpark%2Fhiera.git

MBVD - ODT - new live env / cert location fix
---
diff --git a/customer/mbvd-odt/int-tmp-cms-odt-daimler-com.pixelpark.net.yaml b/customer/mbvd-odt/int-tmp-cms-odt-daimler-com.pixelpark.net.yaml
index 9cd994e8..4e55c1b5 100644
--- a/customer/mbvd-odt/int-tmp-cms-odt-daimler-com.pixelpark.net.yaml
+++ b/customer/mbvd-odt/int-tmp-cms-odt-daimler-com.pixelpark.net.yaml
@@ -29,9 +29,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 custom_fragment: |
 ProxyTimeout 3600
 rewrites:
@@ -85,9 +85,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 rewrites_non_ssl:
 - opencms_to_slash:
 comment: '/opencms to /'
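Review bot: In every hunk of this file (-29, -85, -154, -223, -290, -309) the new `ssl_chain` points at the very same file as `ssl_cert`, `/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem`, so unless that .pem already bundles the intermediate CA certificates, clients will be served a leaf-only chain; this was already the case with the old paths, but the relocation is the moment to point `ssl_chain` at a real chain file or drop the key so the module's default applies. The same three paths are now copied verbatim into six vhosts in this file and again in int-tmp-odt, which is how the old and new locations drifted apart in the first place; a single hiera value interpolated via `%{lookup('…')}` (key name to be chosen) would keep them in one place. The cert location change itself is not reviewed here; the tmp-odt file in this commit uses /etc/pki/tls and `systemctl reload httpd`, so if this host is the same distribution it is worth confirming that /etc/apache2/ssl.crt and ssl.key exist there rather than relying on the catalog to fail at apply time.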
@@ -154,9 +154,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 rewrites_non_ssl:
 - opencms_to_slash:
 comment: '/opencms to /'
@@ -223,9 +223,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 rewrites_non_ssl:
 - opencms_to_slash:
 comment: '/opencms to /'
@@ -290,9 +290,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 proxy_preserve_host: true
 rewrites_non_ssl:
 - https:
@@ -309,9 +309,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 rewrites:
 - to_minio:
 comment: 'Forward nonexisting files to Minio'
diff --git a/customer/mbvd-odt/int-tmp-odt-daimler-com.pixelpark.net.yaml b/customer/mbvd-odt/int-tmp-odt-daimler-com.pixelpark.net.yaml
index 044f074d..de90ac20 100644
--- a/customer/mbvd-odt/int-tmp-odt-daimler-com.pixelpark.net.yaml
+++ b/customer/mbvd-odt/int-tmp-odt-daimler-com.pixelpark.net.yaml
@@ -28,9 +28,9 @@ infra::profile::apache::pp_vhosts:
 ssl: true
 cert_servername: 'wildcard.pixelpark.net'
 cert_customer: 'pixelpark'
- ssl_cert: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/ssl/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/ssl/certs/wildcard.pixelpark.net-cert.pem'
+ ssl_cert: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
+ ssl_key: '/etc/apache2/ssl.key/wildcard.pixelpark.net-key.pem'
+ ssl_chain: '/etc/apache2/ssl.crt/wildcard.pixelpark.net-cert.pem'
 ssl_verify_client: require
 ssl_crl: '/etc/ssl/certs/odt-cacrl.pem'
 ssl_ca: '/etc/ssl/certs/odt-root-ca.pem'
diff --git a/customer/mbvd-odt/tmp-cms-odt-daimler-com.pixelpark.net.yaml b/customer/mbvd-odt/tmp-cms-odt-daimler-com.pixelpark.net.yaml
index 371810ed..552792da 100644
--- a/customer/mbvd-odt/tmp-cms-odt-daimler-com.pixelpark.net.yaml
+++ b/customer/mbvd-odt/tmp-cms-odt-daimler-com.pixelpark.net.yaml
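Review bot: In the int-tmp-odt hunk (-28) the server certificate and key move to /etc/apache2/ssl.crt and ssl.key, but the two lines right below them that govern client-certificate authentication, `ssl_crl: '/etc/ssl/certs/odt-cacrl.pem'` and `ssl_ca: '/etc/ssl/certs/odt-root-ca.pem'`, stay on the old layout, while the tmp-odt file added in this same commit places them at `/etc/apache2/ssl.crl/odt-cacrl.pem` and `/etc/apache2/ssl.crt/odt-root-ca.pem`. If the CA and CRL files were moved along with the certificate, this vhost will fail to start or, worse, keep validating `ssl_verify_client: require` against a CRL that is no longer refreshed, so revoked client certificates remain accepted. Either update the two paths to the new layout as done in tmp-odt, or leave a comment stating that the CA material deliberately stays under /etc/ssl/certs on this host; the vhost definition continues outside the hunk.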
@@ -2,4 +2,519 @@ infra::role: base_for_old_systems # because we can't install xymon infra::additional_classes: - accounts + - infra::profile::apache + - apache::mod::proxy_ajp + - apache::mod::headers + - apache::mod::remoteip + +logstash::drop_grokparsefailure: false +logstash::generic_resource: + catalina: + resource: file + order: 10 # Input + parameters: + path: '/var/lib/tomcat/catalina/odt-cms/logs/catalina.out' + type: tomcat + tags: + - "odt-cms" + - "%{customer}" + - "%{environment}" + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{MONTH} %%{ich-trickse}{MONTHDAY}" + negate: true + opencms: + resource: file + order: 10 # Input + parameters: + path: '/var/lib/tomcat/catalina/odt-cms/webapps/ROOT/WEB-INF/logs/opencms.log' + type: opencms + tags: + - "odt-cms" + - "%{customer}" + - "%{environment}" + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{MONTHDAY} %%{ich-trickse}{MONTH}" + negate: true + tomcat_access: + resource: file + order: 10 # Input + parameters: + path: '/var/lib/tomcat/catalina/odt-cms/logs/localhost_access_log.*' + type: tomcat-access + tags: + - "odt-cms" + - "%{customer}" + - "%{environment}" + tomcat_access_filter: + condition: 'if [type] == "tomcat-access"' + resource: grok + order: 40 # Filter + parameters: + match: + - message + - '%%{ich-trickse}{COMMONAPACHELOG}' + +apache::mod:proxy: + proxy_via: 'Off' + +apache::mod::remoteip::proxy_ips: + - '93.188.107.252' + - '93.188.107.253' + +apache::mod::expires::expires_by_type: + - { application/javascript: "access plus 1 year" } + - { application/x-javascript: "access plus 1 year" } + - { text/css: "access plus 1 year" } + - { image/jpeg: "access plus 1 month" } + - { image/png: "access plus 1 month" } + - { image/bmp: "access plus 1 month" } + - { image/gif: "access plus 1 month" } + - { image/vnd.microsoft.icon: "access plus 1 year" } + - { image/x-icon: "access plus 1 year" } + - { application/font-woff: "access plus 1 month" } + - { 
application/vnd.ms-fontobject: "access plus 1 month" } + - { image/svg+xml: "access plus 1 month" } + - { application/font-sfnt: "access plus 1 month" } + - { application/vnd.oasis.opendocument.formula-template: "access plus 1 month" } + - { application/font-woff2: "access plus 1 month" } + - { video/mp4: "access plus 1 month" } + - { video/ogv: "access plus 1 month" } + - { video/webm: "access plus 1 month" } + +infra::profile::apache::pp_vhosts: + cms: + setenvif: + - 'HTTPS on HTTPS=on' + docroot: '/var/lib/tomcat/catalina/odt-cms/webapps/ROOT' + docroot_owner: tomcat + docroot_group: tomcat + servername: emmt-cms.daimler.com + serveraliases: + - odt-cms.daimler.com + - cms-emmt-daimler-com.pixelpark.net + - cms-odt-daimler-com.pixelpark.net + ssl: false + rewrites: + - opencms_to_slash: + comment: '/opencms to /' + rewrite_rule: + - '^/opencms(/)?$ / [R,L]' + - https: + comment: 'all to https' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/system/(.*)$ https://%%{ich-trickse}{SERVER_NAME}/system/$1 [L,R=301]' + - login: + rewrite_rule: + - '^(/)?$ https://%%{ich-trickse}{SERVER_NAME}/system/login [L,R=301]' + - 404handler_non_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8080/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - 404handler_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8081/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - proxy_non_https: + rewrite_cond: + - 
'%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8080/opencms$1 [P,L]' + - proxy_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8081/opencms$1 [P,L]' + - proxy_non_https_fix: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/opencms/(.*)$ http://localhost:8080/opencms/$1 [P,L]' + - proxy_https_fix: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/opencms/(.*)$ http://localhost:8081/opencms/$1 [P,L]' + proxy_preserve_host: true + directories: + - access-control-fonts: + provider: filesmatch + path: '\.(ttf|ttc|otf|eot|woff|svg)$' + headers: + - 'set Access-Control-Allow-Origin "*"' + access_log_format: remote_combined + custom_fragment: | + ProxyTimeout 3600 + mb: + setenvif: + - 'HTTPS on HTTPS=on' + docroot: '/var/lib/tomcat/catalina/odt-cms/webapps/ROOT' + docroot_owner: tomcat + docroot_group: tomcat + servername: newsletter.mercedes-benz.de + serveraliases: + - newsletter-mercedes-benz-de.pixelpark.net + ssl: false + rewrites: + - opencms_to_slash: + comment: '/opencms to /' + rewrite_rule: + - '^/opencms/(.*)$ /$1 [R,L]' + - https_forms: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/(r/|w/|anmeldung|forms_retail|forms_wholesale) [NC]' + rewrite_rule: + - '^(.*)$ https://%%{ich-trickse}{HTTP_HOST}$1 [R=301,L,QSA,NE]' + - 404handler_non_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ 
http://localhost:8082/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - 404handle_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8083/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - jsession_id: + rewrite_rule: + - '^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [L,R=301]' + - rewrite_slash: + rewrite_rule: + - '^(/)?$ http://www.mercedes-benz.de [R=301,L]' + - proxy_openemm: + rewrite_rule: + - '^/content/(r\.html|g\.html|form\.do) http://93.188.107.234:8081/$1 [P,L,QSA,NE]' + - proxy_forms_r_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8082/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/anmeldung/?$ http://localhost:8082/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8082/opencms/forms_wholesale/$1 [P,L]' + - proxy_forms_promo_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/w/abmeldung_promo http://localhost:8082/opencms/forms_wholesale/abmeldung_promo [P,L]' + - proxy_forms_trapo_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/anmeldung-transporter http://localhost:8082/opencms/forms_mbtrapo_wholesale/anmeldung [P,L]' + - proxy_forms_r_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8083/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + 
rewrite_rule: + - '^/anmeldung/?$ http://localhost:8083/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8083/opencms/forms_wholesale/$1 [P,L]' + - proxy_forms_promo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/abmeldung_promo http://localhost:8083/opencms/forms_wholesale/abmeldung_promo [P,L]' + - proxy_forms_trapo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/anmeldung-transporter http://localhost:8083/opencms/forms_mbtrapo_wholesale/anmeldung [P,L]' + - proxy_non_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8082/opencms$1 [P,L]' + - proxy_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8083/opencms$1 [P,L]' + proxy_preserve_host: true + directories: + - access-control-fonts: + provider: filesmatch + path: '\.(ttf|ttc|otf|eot|woff|svg)$' + headers: + - 'set Access-Control-Allow-Origin "*"' + access_log_format: remote_combined + smart: + setenvif: + - 'HTTPS on HTTPS=on' + docroot: '/var/lib/tomcat/catalina/odt-cms/webapps/ROOT' + docroot_owner: tomcat + docroot_group: tomcat + servername: newsletter.smart.de + serveraliases: + - newsletter-smart-de.pixelpark.net + ssl: false + rewrites: + - opencms_to_slash: + comment: '/opencms to /' + rewrite_rule: + - '^/opencms/(.*)$ /$1 [R,L]' + - https_forms: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/(r/|w/|anmeldung|forms_retail|forms_wholesale) [NC]' + rewrite_rule: + - '^(.*)$ https://%%{ich-trickse}{HTTP_HOST}$1 [R=301,L,QSA,NE]' + - 
404handler_non_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8084/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - 404handle_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8085/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - jsession_id: + rewrite_rule: + - '^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [L,R=301]' + - rewrite_slash: + rewrite_rule: + - '^(/)?$ http://www.smart.de [R=301,L]' + - proxy_openemm: + rewrite_rule: + - '^/content/(r\.html|g\.html|form\.do) http://93.188.107.234:8081/$1 [P,L,QSA,NE]' + - proxy_forms_r_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8084/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/anmeldung http://localhost:8084/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8084/opencms/forms_wholesale/$1 [P,L]' + - proxy_forms_r_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8085/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/anmeldung http://localhost:8085/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_ssl: + rewrite_cond: + - 
'%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8085/opencms/forms_wholesale/$1 [P,L]' + - proxy_forms_promo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/abmeldung_promo http://localhost:8085/opencms/forms_wholesale/abmeldung_promo [P,L]' + - proxy_forms_trapo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/anmeldung-transporter http://localhost:8085/opencms/forms_trapo_wholesale/anmeldung [P,L]' + - proxy_non_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8084/opencms$1 [P,L]' + - proxy_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8085/opencms$1 [P,L]' + proxy_preserve_host: true + directories: + - access-control-fonts: + provider: filesmatch + path: '\.(ttf|ttc|otf|eot|woff|svg)$' + headers: + - 'set Access-Control-Allow-Origin "*"' + access_log_format: remote_combined + tw: + setenvif: + - 'HTTPS on HTTPS=on' + docroot: '/var/lib/tomcat/catalina/odt-cms/webapps/ROOT' + docroot_owner: tomcat + docroot_group: tomcat + servername: newsletter.truckworks.de + serveraliases: + - newsletter-truckworks-de.pixelpark.net + ssl: false + rewrites: + - opencms_to_slash: + comment: '/opencms to /' + rewrite_rule: + - '^/opencms/(.*)$ /$1 [R,L]' + - https_forms: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/(r/|w/|anmeldung|forms_retail|forms_wholesale) [NC]' + rewrite_rule: + - '^(.*)$ https://%%{ich-trickse}{HTTP_HOST}$1 [R=301,L,QSA,NE]' + - 404handler_non_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - 
'%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8086/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - 404handle_https: + comment: 'missing export to opencms' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} ^/export/(.*) [NC]' + - '%%{ich-trickse}{DOCUMENT_ROOT}%%{ich-trickse}{REQUEST_FILENAME} !-f' + rewrite_rule: + - '^(.*)$ http://localhost:8087/opencms/handle404?exporturi=%%{ich-trickse}{REQUEST_URI}&%%{ich-trickse}{QUERY_STRING} [P]' + - jsession_id: + rewrite_rule: + - '^(.*);jsessionid=[A-Za-z0-9]+(.*)$ $1$2 [L,R=301]' + - rewrite_slash: + rewrite_rule: + - '^(/)?$ http://www.truckworks.de [R=301,L]' + - proxy_openemm: + rewrite_rule: + - '^/content/(r\.html|g\.html|form\.do) http://93.188.107.234:8081/$1 [P,L,QSA,NE]' + - proxy_forms_r_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8086/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/anmeldung http://localhost:8086/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_nonssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8086/opencms/forms_wholesale/$1 [P,L]' + - proxy_forms_r_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/r/(.*) http://localhost:8087/opencms/forms_retail/$1 [P,L]' + - proxy_forms_anmeldung_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/anmeldung http://localhost:8087/opencms/forms_wholesale/anmeldung [P,L]' + - proxy_forms_w_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/(.*) http://localhost:8087/opencms/forms_wholesale/$1 [P,L]' + 
- proxy_forms_promo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/w/abmeldung_promo http://localhost:8087/opencms/forms_wholesale/abmeldung_promo [P,L]' + - proxy_forms_trapo_ssl: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + rewrite_rule: + - '^/anmeldung-transporter http://localhost:8087/opencms/forms_trapo_wholesale/anmeldung [P,L]' + - proxy_non_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8086/opencms$1 [P,L]' + - proxy_https: + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} =on [NC]' + - '%%{ich-trickse}{REQUEST_URI} !^/(opencms|resources|export|skins|genImages|genImagesTemp|fonts)' + rewrite_rule: + - '^(.*)$ http://localhost:8087/opencms$1 [P,L]' + proxy_preserve_host: true + directories: + - access-control-fonts: + provider: filesmatch + path: '\.(ttf|ttc|otf|eot|woff|svg)$' + headers: + - 'set Access-Control-Allow-Origin "*"' + access_log_format: remote_combined + kampagnen: + setenvif: + - 'HTTPS on HTTPS=on' + servername: kampagnen.mercedes-benz.de + serveraliases: + - kampagnen-mercedes-benz-de.pixelpark.net + docroot: /var/www/html + ssl: false + proxy_preserve_host: true + rewrites: + - fan-klasse-roadshow-redirect: + rewrite_rule: + - '^/2039/fan-klasse_roadshow_2016$ http://www.mercedes-benz.de/content/germany/mpc/mpc_germany_website/de/home_mpc/passengercars/home/mercedes-benz_fan-klasse0.html?CFC_cK=1459929029170 [R=302,L]' + - https: + comment: 'all to https' + rewrite_cond: + - '%%{ich-trickse}{HTTP:HTTPS} !=on [NC]' + rewrite_rule: + - '^(.*)$ https://%%{ich-trickse}{HTTP_HOST}$1 [L,R=301]' + proxy_pass: + - { path: /, url: 'http://localhost:9000/ retry=0' } + access_log_format: remote_combined + bilder: + servername: bilder.mercedes-benz.de + serveraliases: + - bilder-mercedes-benz-de.pixelpark.net + - 
bilder-emmt-mercedes-benz-de.pixelpark.net + docroot: /home/ftp/ftpuser1/docs + ssl: false diff --git a/customer/mbvd-odt/tmp-odt-daimler-com.pixelpark.net.yaml b/customer/mbvd-odt/tmp-odt-daimler-com.pixelpark.net.yaml index 371810ed..679b2c32 100644 --- a/customer/mbvd-odt/tmp-odt-daimler-com.pixelpark.net.yaml +++ b/customer/mbvd-odt/tmp-odt-daimler-com.pixelpark.net.yaml 
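Review bot: The new key `apache::mod:proxy:` has a single colon between `mod` and `proxy`, so it is not the class-parameter key the puppetlabs-apache module looks up and the nested `proxy_via: 'Off'` is silently ignored; the flat form used elsewhere in this hunk is the intended one, `apache::mod::proxy::proxy_via: 'Off'`. Separately, every vhost here sets `ssl: false` and derives its HTTPS state from `setenvif: 'HTTPS on HTTPS=on'`, i.e. from a request header, and the `%{HTTP:HTTPS}` rewrite conditions then decide both the https redirect and which backend port (8080 vs 8081 and so on) a request is proxied to; this is only safe while the vhost is reachable solely through the two `apache::mod::remoteip::proxy_ips` hosts, so a comment stating that assumption next to the `setenvif` entry, or a check that the header is stripped for other sources, would be worth adding. Minor: the rule names alternate between `404handler_https` and `404handle_https` across the vhosts, which makes grepping harder.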
@@ -2,4 +2,185 @@ infra::role: base_for_old_systems # because we can't install xymon infra::additional_classes: - accounts + - infra::profile::apache + - apache::mod::proxy_ajp + - apache::mod::remoteip + - apache::mod::headers + - infra::profile::cron +accounts::users: + christian.heggemann: + apply: true + sudo: true + sudo_cmds: + - ODTNLS + - ODTTN + annika.wenzel: + apply: true + sudo: true + sudo_cmds: + - ODTNLS + - ODTTN + dirk-peter.krause: + apply: true + sudo: true + sudo_cmds: + - ODTNLS + - ODTTN + +sudo::configs: + cmd_alias: + priority: "05" + content: | + Cmnd_Alias ODTNLS = /bin/journalctl -u odt-newsletter-service.service + Cmnd_Alias ODTTN = /bin/journalctl -u mbvd-teilenews-service.service + +apache::mod::remoteip::proxy_ips: + - '93.188.107.252' + - '93.188.107.253' + +infra::profile::apache::pp_vhosts: + odt: + docroot: '/var/www' + servername: odt.daimler.com + serveraliases: + - odt-daimler-com-temp.pixelpark.net + - odt-daimler-com.pixelpark.net + ssl: true + cert_servername: 'odt.daimler.com' + cert_customer: 'daimler' + ssl_cert: '/etc/apache2/ssl.crt/odt.daimler.com-cert.pem' + ssl_key: '/etc/apache2/ssl.key/private/odt.daimler.com-key.pem' + ssl_chain: '/etc/apache2/ssl.crt/odt.daimler.com-cert.pem' + ssl_verify_client: require + ssl_crl: '/etc/apache2/ssl.crl/odt-cacrl.pem' + ssl_ca: '/etc/apache2/ssl.crt/odt-root-ca.pem' + access_log_format: remote_combined + rewrites_non_ssl: + - https: + comment: 'almost all to https' + rewrite_cond: + - "expr \"! -R '77.74.234.0/25'\"" + - "expr \"! 
-R '93.188.107.192/26'\"" + rewrite_rule: + - '^(.*)$ https://odt.daimler.com$1 [L,R=301]' + rewrites_ssl: + - logon: + comment: 'redirect to logon.do' + rewrite_rule: + - '^(/?)$ https://odt.daimler.com/logon.do [L,R=301]' + proxy_preserve_host: true + proxy_pass: + - { path: /teilenews-service, url: 'http://localhost:8083/teilenews-service' } + - { path: /newsletterservice, url: 'http://localhost:8082/newsletterservice' } + - { path: /, url: 'ajp://localhost:8009/' } + directories_ssl: + - slash: + provider: location + path: '/' + custom_fragment: | + # enabled until merge of 71e4c530d286b8f11863d16ee94bc2f28f800cce + SSLRequire %%{ich-trickse}{SSL_CLIENT_I_DN_O} eq "ODT" + SSLVerifyClient require + #- webservice: + # provider: location + # path: '/emm_webservice' + # require: + # - 'ip 93.188.107.192/26' + # - 'ip 217.66.50.0/24' + # - 'ip 217.66.51.0/24' + #- newsletterservice: + # provider: location + # path: '/newsletterservice' + # require: + # - ip 217.66.51.0/24 + # - ip 217.66.50.0/24 + # - ip 217.66.56.0/24 + # - ip 213.61.96.226 + # - ip 176.28.25.242 + # - ip 100.97.70.141 + # - ip 37.120.57.39 + # - ip 46.30.59.148 + # - ip 82.165.141.125 + # - ip 37.120.103.75 + # - ip 83.125.19.254 + # - ip 192.168.170.49 + # - ip 192.168.170.53 + # - ip 192.168.170.52 + # - ip 54.205.87.231 + # - ip 86.56.52.27 + # - ip 100.97.127.4 + # - ip 37.202.1.232 + +infra::profile::cron::cronjobs: + fetchcrl: + user: root + command: 'scp httpd@odt-tinyca:/www/htdocs/odt-tinyca.pixelpark.net/data/phpki-store/CA/crl/cacrl.pem /etc/pki/tls/certs/odt-cacrl.pem && systemctl reload httpd' + minute: 0 + hour: 5 + description: um 05:00 Uhr wird die Revocationlist vom User openemm geholt. 
somit muss der Webserver restarted werden + +logstash::filter: + - journald + +logstash::generic_resource: + mbvd-teilenews-service: + resource: pipe + order: 10 + parameters: + command: '/bin/journalctl -o cat -fl -u mbvd-teilenews-service.service' + type: webapp + tags: + - 'live' + - "%{customer}" + - "mbvd-teilenews-service" + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{TIMESTAMP_ISO8601}" + negate: true + odt-newsletter-service: + resource: pipe + order: 10 + parameters: + command: '/bin/journalctl -o cat -fl -u odt-newsletter-service.service' + type: webapp + tags: + - 'live' + - "%{customer}" + - "odt-newsletter-service" + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{TIMESTAMP_ISO8601}" + negate: true + openemm-core: + resource: file + order: 10 + parameters: + path: '/home/openemm/logs/openemm/openemm_core.log' + type: 'EMM-Core' + tags: + - 'prod' + - "%{customer}" + - 'odt-core' + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{TIMESTAMP_ISO8601}" + negate: true + openemm-data: + resource: file + order: 10 + parameters: + path: '/home/openemm/logs/openemm/openemm_data.log' + type: 'EMM-Webservice' + tags: + - 'prod' + - "%{customer}" + - 'odt-data' + codec: + type: multiline + what: previous + pattern: "^%%{ich-trickse}{TIMESTAMP_ISO8601}" + negate: true
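Review bot: The `fetchcrl` cron job writes the downloaded CRL to `/etc/pki/tls/certs/odt-cacrl.pem`, but the `odt` vhost above reads `ssl_crl: '/etc/apache2/ssl.crl/odt-cacrl.pem'`, so the nightly refresh and reload never update the CRL mod_ssl actually checks; revocations issued by the tinyca will not take effect on this host, and once the stale CRL passes its next-update time client-certificate verification may start failing outright depending on the revocation-check mode. The fix is to point the copy at the configured path, `command: 'scp httpd@odt-tinyca:/www/htdocs/odt-tinyca.pixelpark.net/data/phpki-store/CA/crl/cacrl.pem /etc/apache2/ssl.crl/odt-cacrl.pem && systemctl reload httpd'`, or to set `ssl_crl` to the cron target, whichever matches the directory the module manages. Also worth confirming: `ssl_key: '/etc/apache2/ssl.key/private/odt.daimler.com-key.pem'` carries an extra `private` segment that the wildcard key paths in the other files of this commit do not have, which looks like a typo. The `description` for the cron job is in German; an English one-liner (CRL is fetched at 05:00 from the tinyca host and httpd reloaded) would match the rest of the repository.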