# ************************************
# Vhost template in module puppetlabs-apache
# Managed by Puppet
# ************************************
# 
<VirtualHost *:443>
  ServerName foremanserver.com

  ## Vhost docroot
  DocumentRoot "/usr/share/foreman/public"

  ## Directories, there should at least be a declaration for /usr/share/foreman/public

  <Directory "/usr/share/foreman/public">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Load additional static includes
  IncludeOptional "/etc/httpd/conf.d/05-foreman-ssl.d/*.conf"

  ## Logging
  ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined 

  ## Request header rules
  ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
  RequestHeader set X_FORWARDED_PROTO "https"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
  RequestHeader unset REMOTE_USER
  RequestHeader unset REMOTE_USER_EMAIL
  RequestHeader unset REMOTE_USER_FIRSTNAME
  RequestHeader unset REMOTE_USER_LASTNAME
  RequestHeader unset REMOTE_USER_GROUPS

  # SSL Proxy directives
  SSLProxyEngine On

  <Location "/pulpcore_registry/v2/">
    RequestHeader unset REMOTE_USER
    RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
    ProxyPass unix:///run/pulpcore-api.sock|http://foremanserver.com/v2/
    ProxyPassReverse unix:///run/pulpcore-api.sock|http://foremanserver.com/v2/
  </Location>

  ProxyPass /pulp/container/ unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/container/
  ProxyPassReverse /pulp/container/ unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/container/

  <Location "/pulp/deb">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
  </Location>

  <Location "/pulp/isos">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
  </Location>

  <Location "/pulp/repos">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
  </Location>

  <Location "/pulp/content">
    RequestHeader unset X-CLIENT-CERT
    RequestHeader set X-CLIENT-CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT
    ProxyPass unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
    ProxyPassReverse unix:///run/pulpcore-content.sock|http://foremanserver.com/pulp/content
  </Location>

  <Location "/pulp/api/v3">
    RequestHeader unset REMOTE_USER
    RequestHeader set REMOTE_USER "%{SSL_CLIENT_S_DN_CN}s" env=SSL_CLIENT_S_DN_CN
    ProxyPass unix:///run/pulpcore-api.sock|http://foremanserver.com/pulp/api/v3
    ProxyPassReverse unix:///run/pulpcore-api.sock|http://foremanserver.com/pulp/api/v3
  </Location>

  ProxyPass /pulp/assets/ unix:///run/pulpcore-api.sock|http://foremanserver.com/pulp/assets/
  ProxyPassReverse /pulp/assets/ unix:///run/pulpcore-api.sock|http://foremanserver.com/pulp/assets/

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyAddHeaders On
  ProxyPass /pulp !
  ProxyPass /pulp2 !
  ProxyPass /streamer !
  ProxyPass /pub !
  ProxyPass /icons !
  ProxyPass / http://127.0.0.1:3000/ retry=0 timeout=900
  ProxyPassReverse / http://127.0.0.1:3000/
  ## Rewrite rules
  RewriteEngine On

  #Upgrade Websocket connections
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]


  ## Server aliases
  ServerAlias foreman

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-apache.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-apache.key"
  SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
  SSLVerifyClient         optional
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars +ExportCertData

  ## Custom fragment
  # Return compressed assets if they are precompiled
<IfModule mod_rewrite.c>
  RewriteEngine on
  # Make sure the browser supports gzip encoding and file with .gz added
  # does exist on disc before we rewrite with the extension
  RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
  RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
  RewriteCond %{REQUEST_FILENAME}.gz -s
  RewriteRule ^(.+) $1.gz [L]

  # Set headers for all possible assets which are compressed
  <FilesMatch \.css\.gz$>
    ForceType text/css
    Header set Content-Encoding gzip
    SetEnv no-gzip
  </FilesMatch>
  <FilesMatch \.js\.gz$>
    ForceType text/javascript
    Header set Content-Encoding gzip
    SetEnv no-gzip
  </FilesMatch>
  <FilesMatch \.svg\.gz$>
    ForceType image/svg+xml
    Header set Content-Encoding gzip
    SetEnv no-gzip
  </FilesMatch>
</IfModule>

<LocationMatch "^/(assets|webpack)">
  Options SymLinksIfOwnerMatch
  AllowOverride None
  Require all granted

  # Use standard http expire header for assets instead of ETag
  <IfModule mod_expires.c>
    Header unset ETag
    FileETag None
    ExpiresActive On
    ExpiresDefault "access plus 1 year"
  </IfModule>
</LocationMatch>


  AddDefaultCharset UTF-8
</VirtualHost>