From be91b9bc1a545d7a683b2b3447c4c393efeec283 Mon Sep 17 00:00:00 2001 From: Thomas Dalichow Date: Mon, 31 Jul 2017 18:34:07 +0200 Subject: [PATCH] pfizer - WAF/LB Change, vgl. PFIZ-5190 --- .../pfizer/web01-pfizer-de.pixelpark.net.yaml | 63 ++++++++++++++----- .../pfizer/web02-pfizer-de.pixelpark.net.yaml | 2 +- 2 files changed, 49 insertions(+), 16 deletions(-) diff --git a/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml b/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml index 69945188..47955144 100644 --- a/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml +++ b/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml @@ -4,6 +4,7 @@ infra::additional_classes: - infra::profile::drupal - infra::profile::typo3 - infra::profile::mysql_server + - apache::mod::remoteip apache::default_vhost: false @@ -41,6 +42,10 @@ php::extensions: pecl-apcu: {} pecl-xslcache: {} +apache::mod::remoteip::proxy_ips: + - '217.66.55.124' + - '217.66.55.125' + mysql::server::remove_default_accounts: true mysql::server::backup::backupuser: backup mysql::server::backup::backuppassword: ENC[PKCS7,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] @@ -96,7 +101,7 @@ infra::profile::drupal::projects: # www.pfizer.de infra::profile::typo3::projects: www.pfizer.de: - ip: 217.66.55.99 + ip: 217.66.55.110 site_path: /srv/www/www.pfizer.de use_symlink: true #################################################################################################### @@ -107,6 +112,7 @@ infra::profile::typo3::projects: db_pass: ENC[PKCS7,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] db_user: typo3 db_name: typo3_live + access_log_format: remote_combined servername: www.pfizer.de serveraliases: - pfizer.de @@ -145,6 +151,7 @@ infra::profile::typo3::projects: - www02-sab-simplex-de.pixelpark.net - www02-lyrica-de.pixelpark.net ssl: true + ssl_real: false cert_servername: 'www.pfizer.de' cert_customer: 'pfizer' ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem 
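Review bot: The two addresses added under `apache::mod::remoteip::proxy_ips` become the trust anchor for client identity on this host, but nothing in the hunk says what they are or which header they are trusted for. Once the module is loaded, the client address in the access logs and in any address-based access rule is taken from a header those peers supply, so a stale or wrong entry lets that peer choose the recorded client address. I would add a comment above the list, for example `# WAF/LB nodes trusted to supply the client address (PFIZ-5190)`, and pin the header with `apache::mod::remoteip::header: 'X-Forwarded-For'` instead of relying on the module default. The `remote_combined` log format used in the later hunks is not defined in this patch, so it is worth confirming that it still records the connecting peer address alongside the forwarded client address.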
@@ -181,6 +188,8 @@ infra::profile::typo3::projects: settypo3_context: false setenvif: - 'Origin "http(s)?://(www\.)?(countering-cancer.tumblr.com|countering-cancer-test.tumblr.com|ichbeimarzt.de|test-ich-beim-arzt-de.pixelpark.net|wegweiser-psoriasis.de|test-www-wegweiser-psoriasis-de.pixelpark.net|wegweiser-rheuma.de|test-www-wegweiser-rheuma-de.pixelpark.net|wegweiser-rheuma-psoriasis.de|test-www-wegweiser-rheuma-psoriasis-de.pixelpark.net|lungenkrebs-testen.de|test-www-lungenkrebs-testen-de.pixelpark.net|lungenkrebs-testen.at|test-www-lungenkrebs-testen-at.pixelpark.net|local-onkologie-akademie-pfizer-de.pixelpark.net|dev-redaktion-onkologie-akademie-pfizer-de.pixelpark.net|dev-www-onkologie-akademie-pfizer-de.pixelpark.net|test-www-onkologie-akademie-pfizer-de.pixelpark.net|redaktion-onkologie-akademie-pfizer-de.pixelpark.net|www-onkologie-akademie-pfizer-de.pixelpark.net|oncoacademy.de|localhost:3000)$" AccessControlAllowOrigin=$0$1' + setenvif_ssl + - 'HTTPS on X-Forwarded-Proto=https' headers: - 'add Access-Control-Allow-Origin %%{ich-trickse}{AccessControlAllowOrigin}e env=AccessControlAllowOrigin' setenv: @@ -539,7 +548,7 @@ infra::profile::typo3::projects: - PFIZ-1837: comment: https://jira.pixelpark.com/jira/browse/PFIZ-1837 rewrite_cond: - - '%%{ich-trickse}{HTTPS} !=on' + - '%%{ich-trickse}{HTTP:X-Forwarded-Proto} !=https' rewrite_rule: - ^(.*)$ https://%%{ich-trickse}{HTTP_HOST}$1 [R=301,L] - PFIZ-2445: @@ -1151,7 +1160,7 @@ infra::profile::apache::pp_vhosts: pfizer-berlin: servername: pfizer.berlin docroot: '/srv/www/mspfizerberlin' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false ssl: false docroot_owner: apache @@ -1162,6 +1171,7 @@ infra::profile::apache::pp_vhosts: - www-pfizer-berlin.pixelpark.net # Upgrade - www02-pfizer-berlin.pixelpark.net + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' 
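Review bot: The added key `setenvif_ssl` in the `www.pfizer.de` project (hunk -181,6 +188,8) has no trailing colon, unlike every other `setenvif_ssl:` entry this patch adds further down. As shown, the line is not a mapping key, so the file would either fail to parse or the list item below it would not be attached to this setting; it should read `setenvif_ssl:`. Because the same project is switched to `ssl_real: false` in this commit, a dropped entry here would presumably leave the vhost without the HTTPS-related environment the entry is meant to provide. The project mapping starts and ends outside the hunk.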
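Review bot: The new condition `'%%{ich-trickse}{HTTP:X-Forwarded-Proto} !=https'` in the PFIZ-1837 redirect (hunk -539,7 +548,7) bases the HTTPS decision on a request header that any client able to reach this vhost can set. `apache::mod::remoteip::proxy_ips` limits who may supply the client address, but it does not cover `X-Forwarded-Proto`, so a request that reaches 217.66.55.110 without passing the WAF/LB can claim `https` and skip the redirect. The `setenvif_ssl` entries added in the other hunks rest on the same assumption. The header should only be honoured from the WAF/LB: restrict inbound access to these vhosts to the two proxy addresses and have the WAF/LB overwrite any client-supplied `X-Forwarded-Proto`. A comment next to the rule stating that dependency, for example `# relies on WAF/LB setting X-Forwarded-Proto; backend must not be reachable directly`, would keep it visible to the next editor.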
@@ -1179,7 +1189,7 @@ infra::profile::apache::pp_vhosts: ich-beim-arzt: servername: www.ich-beim-arzt.de docroot: '/srv/www/www.ich-beim-arzt.de' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false ssl: false docroot_owner: apache @@ -1193,6 +1203,7 @@ infra::profile::apache::pp_vhosts: - ich-beim-arzt.de - ich-beim-arzt-de.pixelpark.net - www-ich-beim-arzt-de.pixelpark.net + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1218,7 +1229,7 @@ infra::profile::apache::pp_vhosts: lungenkrebs-testen-at: servername: www.lungenkrebs-testen.at docroot: '/srv/www/www.lungenkrebs-testen.at' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false ssl: false docroot_owner: apache @@ -1230,6 +1241,7 @@ infra::profile::apache::pp_vhosts: - www-lungenkrebs-testen-at.pixelpark.net # Upgrade - www02-lungenkrebs-testen-at.pixelpark.net + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1248,7 +1260,7 @@ infra::profile::apache::pp_vhosts: lungenkrebs-testen-de: servername: www.lungenkrebs-testen.de docroot: '/srv/www/www.lungenkrebs-testen.de' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot_owner: apache docroot_group: apache @@ -1264,6 +1276,7 @@ infra::profile::apache::pp_vhosts: - www-lungenkrebs-testen-de.pixelpark.net # Upgrade - www02-lungenkrebs-testen-de.pixelpark.net + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1279,7 +1292,7 @@ infra::profile::apache::pp_vhosts: impf2ab60: servername: www.impf2ab60.de docroot: '/srv/www/www.impf2ab60.de' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false ssl: false docroot_owner: apache 
@@ -1305,6 +1318,7 @@ infra::profile::apache::pp_vhosts: - impf2-ab-60-de.pixelpark.net # Upgrade - www02-impf2ab60-de.pixelpark.net + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1344,12 +1358,13 @@ infra::profile::apache::pp_vhosts: servername: www.wegweiser-psoriasis.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot_owner: apache docroot_group: apache docroot_mode: '0770' ssl: true + ssl_real: false cert_servername: 'www.pfizer.de' cert_customer: 'pfizer' ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem @@ -1359,6 +1374,9 @@ infra::profile::apache::pp_vhosts: - wegweiser-psoriasis.de # Upgrade - www02-wegweiser-psoriasis-de.pixelpark.net + access_log_format: remote_combined + setenvif_ssl: + - 'HTTPS on X-Forwarded-Proto=https' headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1389,12 +1407,13 @@ infra::profile::apache::pp_vhosts: servername: www.wegweiser-rheuma.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot_owner: apache docroot_group: apache docroot_mode: '0770' ssl: true + ssl_real: false cert_servername: 'www.pfizer.de' cert_customer: 'pfizer' ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem @@ -1404,6 +1423,9 @@ infra::profile::apache::pp_vhosts: - wegweiser-rheuma.de # Upgrade - www02-wegweiser-rheuma-de.pixelpark.net + access_log_format: remote_combined + setenvif_ssl: + - 'HTTPS on X-Forwarded-Proto=https' headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' 
@@ -1434,12 +1456,13 @@ infra::profile::apache::pp_vhosts: servername: www.wegweiser-rheuma-psoriasis.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot_owner: apache docroot_group: apache docroot_mode: '0770' ssl: true + ssl_real: false cert_servername: 'www.pfizer.de' cert_customer: 'pfizer' ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem @@ -1449,6 +1472,9 @@ infra::profile::apache::pp_vhosts: - wegweiser-rheuma-psoriasis.de # Upgrade - www02-wegweiser-rheuma-psoriasis-de.pixelpark.net + access_log_format: remote_combined + setenvif_ssl: + - 'HTTPS on X-Forwarded-Proto=https' headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1483,7 +1509,7 @@ infra::profile::apache::pp_vhosts: static.pfizer: servername: static.pfizer.de docroot: '/srv/www/static.pfizer.de' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false ssl: false docroot_owner: apache @@ -1492,6 +1518,7 @@ infra::profile::apache::pp_vhosts: serveraliases: - static-pfizer-de.pixelpark.net - www02-static-pfizer-de.pixelpark.net + access_log_format: remote_combined directories: - directory_root: provider: directory @@ -1504,6 +1531,7 @@ infra::profile::apache::pp_vhosts: dialogrunde-blutkrebs: servername: www.dialogrunde-brustkrebs.de ssl: true + ssl_real: false cert_servername: 'www.pfizer.de' cert_customer: 'pfizer' ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem @@ -1513,6 +1541,9 @@ infra::profile::apache::pp_vhosts: serveraliases: - dialogrunde-brustkrebs.de - www-dialogrunde-brustkrebs-de.pixelpark.net # Pixelpark-Domain + access_log_format: remote_combined + setenvif_ssl: + - 'HTTPS on X-Forwarded-Proto=https' headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' 
@@ -1521,7 +1552,7 @@ infra::profile::apache::pp_vhosts: docroot_owner: apache docroot_group: apache docroot_mode: '0770' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false directories: - directory_root: @@ -1547,7 +1578,7 @@ infra::profile::apache::pp_vhosts: docroot_owner: apache docroot_group: apache docroot_mode: '0770' - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false headers: - 'always unset "X-Powered-By"' @@ -1557,6 +1588,7 @@ infra::profile::apache::pp_vhosts: serveraliases: - neue-niere.de - www-neue-niere-de.pixelpark.net # Pixelpark-Domain + access_log_format: remote_combined directories: - directory_root: provider: directory @@ -1577,7 +1609,7 @@ infra::profile::apache::pp_vhosts: mit-euch-teil-ich-alles: servername: www.mit-euch-teil-ich-alles.de ssl: false - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot: '/srv/www/mit-euch-teil-ich-alles' serveraliases: @@ -1585,6 +1617,7 @@ infra::profile::apache::pp_vhosts: - www.wirteilenalles.de wirteilenalles.de - www.wir-teilen-alles.de wir-teilen-alles.de - www-mit-euch-teil-ich-alles-de.pixelpark.net # Pixelpark-Domain + access_log_format: remote_combined headers: - 'always unset "X-Powered-By"' - 'set X-Content-Type-Options: nosniff' @@ -1610,7 +1643,7 @@ infra::profile::apache::pp_vhosts: our_default: servername: default ssl: false - ip: 217.66.55.99 + ip: 217.66.55.110 add_listen: false docroot: '/srv/www/default' default_vhost: true diff --git a/customer/pfizer/web02-pfizer-de.pixelpark.net.yaml b/customer/pfizer/web02-pfizer-de.pixelpark.net.yaml index 21fdc7c3..920df103 100644 --- a/customer/pfizer/web02-pfizer-de.pixelpark.net.yaml +++ b/customer/pfizer/web02-pfizer-de.pixelpark.net.yaml 
@@ -126,7 +126,7 @@ infra::profile::typo3::projects: provider: location path: '/protected/' require: - - ip 217.66.55.99 217.66.55.105 217.66.55.100 # IPs des Auslieferungssystems + - ip 217.66.55.99 217.66.55.110 217.66.55.105 217.66.55.100 # IPs des Auslieferungssystems - 'all denied' user: apache mode: '2770' -- 2.39.5
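Review bot: The `require` list for `/protected/` gains 217.66.55.110 but keeps 217.66.55.99, the address every vhost on web01 is moved away from in this same commit. If that address is released or reassigned after the cut-over, whoever holds it next still passes this allowlist, so it should be removed once the migration is complete or carry a comment such as `# 217.66.55.99: previous web01 address, remove after PFIZ-5190 cut-over`. The hunk does not show whether requests to this location now arrive through the WAF/LB; if they do, the peer address evaluated here would be the proxy's rather than 217.66.55.110, which is worth confirming. The location block starts outside the hunk.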