From e5a7cd29647f6018be57eab1e439a19e346ace3b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Oliver=20B=C3=B6ttcher?=
Date: Mon, 10 Jul 2017 14:02:56 +0200
Subject: [PATCH] ODT - fix new live

---
 .../odt-daimler-com.pixelpark.net.yaml | 45 ++++++++++++-------
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/customer/mbvd-odt/odt-daimler-com.pixelpark.net.yaml b/customer/mbvd-odt/odt-daimler-com.pixelpark.net.yaml
index 0e8ac62f..d3fabba5 100644
--- a/customer/mbvd-odt/odt-daimler-com.pixelpark.net.yaml
+++ b/customer/mbvd-odt/odt-daimler-com.pixelpark.net.yaml
@@ -1,10 +1,12 @@
 ---
 infra::role: base
-#infra::additional_classes:
-# - infra::profile::apache
-# - apache::mod::proxy_ajp
-# - apache::mod::remoteip
-# - apache::mod::headers
+infra::additional_classes:
+ - infra::profile::apache
+ - apache::mod::proxy_ajp
+ - apache::mod::remoteip
+ - apache::mod::headers
+ - infra::profile::cron
+
 infra::profile::apache::pp_vhosts:
 odt:
@@ -14,26 +16,39 @@ infra::profile::apache::pp_vhosts:
 - odt-daimler-com-temp.pixelpark.net
 - odt-daimler-com.pixelpark.net
 ssl: true
- ssl_cert: '/etc/pki/tls/certs/wildcard.pixelpark.net-cert.pem'
- ssl_key: '/etc/pki/tls/private/wildcard.pixelpark.net-key.pem'
- ssl_chain: '/etc/pki/tls/certs/wildcard.pixelpark.net-cert.pem'
+ cert_servername: 'odt.daimler.com'
+ cert_customer: 'daimler'
+ ssl_cert: '/etc/pki/tls/certs/odt.daimler.com-cert.pem'
+ ssl_key: '/etc/pki/tls/private/odt.daimler.com-key.pem'
+ ssl_chain: '/etc/pki/tls/certs/odt.daimler.com-cert.pem'
 ssl_verify_client: require
- #ssl_crl_check: chain
- #ssl_crl: '/etc/pki/tls/certs/odt-cacrl.pem'
+ ssl_crl: '/etc/pki/tls/certs/odt-cacrl.pem'
 ssl_ca: '/etc/pki/tls/certs/odt-root-ca.pem'
+ custom_fragment_ssl: 'SSLRequire %%{ich-trickse}{SSL_CLIENT_S_DN_O} eq "ODT"'
 rewrites_non_ssl:
- - comment: 'almost all to https'
- rewrite_cond:
- - '%{ich-trickse}{REQUEST_URI} !^(/.\.html|/emm_webservice)$'
+ - https:
+ comment: 'almost all to https'
+ rewritecond:
+ - '%%{ich-trickse}{REQUEST_URI} !^/.\.html'
 rewrite_rule:
- - '^(.*)$ https://odt-daimler-com.pixelpark.net$1 [L,R=301]'
+ - '^(.*)$ https://int-odt-daimler-com.pixelpark.net$1 [L,R=301]'
 proxy_preserve_host: true
 proxy_pass:
 - { path: /, url: 'ajp://localhost:8009/' }
 directories:
- - provider: location
+ - webservice:
+ provider: location
 path: '/emm_webservice'
 require:
 - 'ip 93.188.107.192/26'
 - 'ip 217.66.50.0/24'
 - 'ip 217.66.51.0/24'
+ custom_fragment: "SSLVerifyClient none"
+
+infra::profile::cron::cronjobs:
+ fetchcrl:
+ user: root
+ command: 'scp httpd@odt-tinyca:/www/htdocs/odt-tinyca.pixelpark.net/data/phpki-store/CA/crl/cacrl.pem /etc/pki/tls/certs/odt-cacrl.pem && systemctl reload httpd'
+ minute: 0
+ hour: 5
+ description: um 05:00 Uhr wird die Revocationlist vom User openemm geholt. somit muss der Webserver restarted werden
--
2.39.5
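Review bot: `ssl_crl` is now set but `ssl_crl_check: chain` stays removed, so on an Apache 2.4 host (implied by `systemctl reload httpd`) mod_ssl's SSLCARevocationCheck keeps its default of `none` and the CRL that the new fetchcrl cron job copies in every night is never consulted during client-certificate verification; add `ssl_crl_check: chain` next to `ssl_crl`. The https redirect target `https://int-odt-daimler-com.pixelpark.net$1` matches neither this vhost's servernames nor the new odt.daimler.com certificate and looks carried over from an int environment, and since the rewritten condition no longer exempts `/emm_webservice`, plain-http webservice clients would now be sent there too — confirm the target before this goes live. The cron command copies the fetched file straight over `/etc/pki/tls/certs/odt-cacrl.pem` and reloads httpd as root, so a truncated or otherwise unparseable transfer breaks the vhost on reload; fetching to a temporary path, checking it with `openssl crl -noout -in`, and only then moving it into place avoids that. `SSLRequire` in custom_fragment_ssl is deprecated in 2.4 in favour of `Require expr`, and the `%%{ich-trickse}` doubling presumably escapes Hiera interpolation — verify the rendered config actually contains `%{SSL_CLIENT_S_DN_O}` and `%{REQUEST_URI}`.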