From 32f959fb8362e394456b3103940e382dcfdc0f81 Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Apr 17 2020 07:35:47 +0000
Subject: copr-fe: style cleanup for coprs.conf
- some documentation for things I think I know why we did them
- drop duplicated statements
- white-space lint
- dev: drop enforced redirect to https, we don't do that in production so it is weird to do that on stage (and Let's Encrypt doesn't insist on that rule anyways as I initially thought)
---
diff --git a/roles/copr/frontend-cloud/templates/httpd/coprs.conf b/roles/copr/frontend-cloud/templates/httpd/coprs.conf
index 11679fe..6911d51 100644
--- a/roles/copr/frontend-cloud/templates/httpd/coprs.conf
+++ b/roles/copr/frontend-cloud/templates/httpd/coprs.conf
@@ -9,33 +9,38 @@ WSGIDaemonProcess stats user=copr-fe group=copr-fe threads=15 display-name=stats WSGIDaemonProcess tmp user=copr-fe group=copr-fe threads=15 display-name=tmp maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess repo user=copr-fe group=copr-fe threads=15 display-name=repo maximum-requests=8000 graceful-timeout=20 WSGIDaemonProcess packages user=copr-fe group=copr-fe processes=1 threads=6 maximum-requests=100 display-name=packages graceful-timeout=20 -WSGIScriptAlias / /usr/share/copr/coprs_frontend/application + +WSGIApplicationGroup %{GLOBAL} - ServerName copr.fedorainfracloud.org - ServerAlias copr-fe.cloud.fedoraproject.org - WSGIPassAuthorization On + ServerName {{ copr_frontend_public_hostname }} + ServerAlias copr-fe{% if devel %}-dev{% endif %}.cloud.fedoraproject.org + # We don't strictly enforce https (only HSTS) for python-processed content. + # This is still useful at least for *.repo URLs. But, that's why we still + # configure port 80 here. + WSGIPassAuthorization On WSGIProcessGroup 127.0.0.1 - - #ErrorLog logs/error_coprs - #CustomLog logs/access_coprs common - - WSGIApplicationGroup %{GLOBAL} - Require all granted + Require all granted {% if letsencrypt is defined %} + # For ansible.git roles/copr/certbot role. Needs to run on port 80. RewriteEngine on RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L] - RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE] {% endif %} + ServerName {{ copr_frontend_public_hostname }} +{% if not devel %} + ServerAlias copr.fedoraproject.org + Redirect 302 / https://copr.fedorainfracloud.org/ +{% endif %} + SSLEngine on SSLProtocol {{ ssl_protocols }} # Use secure TLSv1.1 and TLSv1.2 ciphers 
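Review bot: With the https redirect removed from the letsencrypt block, the :80 vhost still carries `WSGIPassAuthorization On`, so API tokens and Basic credentials sent to an http:// URL are accepted and handed to the application in cleartext; the Strict-Transport-Security header (emitted only by the :443 vhost in the next hunk) does nothing for a first-time or non-browser client, and a header carrying `preload` is only accepted by the preload list when port 80 redirects to https in the first place. If the intent is only to keep `*.repo` and `/.well-known/` reachable over plain http, exempting those paths where the old rule stood is enough: `RewriteCond %{REQUEST_URI} !^/\.well-known/` / `RewriteCond %{REQUEST_URI} !\.repo$` / `RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L,R=301,NE]`. Separately, this hunk removes the top-level `WSGIScriptAlias` and the next hunk removes the one inside the :443 vhost; unless another copy survives in the lines between the hunks (old 68–86 are not shown), neither vhost mounts the application any more, which does not look like the "drop duplicated statements" intent. Both VirtualHost containers are cut by this hunk (their open/close lines are not visible here), the :443 one continuing into the next hunk.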
@@ -43,25 +48,17 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application SSLHonorCipherOrder on Header always add Strict-Transport-Security "max-age=31536000; preload" - {% if not devel %} - SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt - SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key +{% if not devel %} + SSLCertificateFile /etc/pki/tls/certs/copr.fedorainfracloud.org.crt + SSLCertificateKeyFile /etc/pki/tls/private/copr.fedorainfracloud.org.key SSLCertificateChainFile /etc/pki/tls/certs/copr.fedorainfracloud.org.intermediate.crt - {% else %} - SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem - SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem +{% else %} + SSLCertificateFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/{{ copr_frontend_public_hostname }}/fullchain.pem - {% endif %} - - ServerName {{ copr_frontend_public_hostname }} - - {% if not devel %} - ServerAlias copr.fedoraproject.org - Redirect 302 / https://copr.fedorainfracloud.org/ - {% endif %} +{% endif %} WSGIPassAuthorization On - WSGIScriptAlias / /usr/share/copr/coprs_frontend/application WSGIProcessGroup 127.0.0.1 @@ -87,11 +84,7 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application - #ErrorLog logs/error_coprs - #CustomLog logs/access_coprs common - - WSGIApplicationGroup %{GLOBAL} Require all granted 
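Review bot: The certificate selection here is keyed on `not devel` while the ACME challenge rewrite in the :80 vhost is keyed on `letsencrypt is defined`, so a devel host that does not define `letsencrypt` is pointed at `/etc/letsencrypt/live/...` without the `/.well-known/` rule the certbot role needs; a comment above `{% if not devel %}` should at least record that both variables are expected to agree, e.g. `# devel hosts are expected to set 'letsencrypt' (see the :80 vhost); production uses the infra-issued certificate.`. The two `SSLCertificateChainFile` context lines keep the old indentation that the lint fixed elsewhere, and that directive is deprecated in favour of `SSLCertificateFile` carrying the full chain, so the letsencrypt branch could point `SSLCertificateFile` at `fullchain.pem` and drop the chain line. The :443 VirtualHost starts before this hunk and ends after it.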
@@ -105,19 +98,20 @@ WSGIScriptAlias / /usr/share/copr/coprs_frontend/application -ExtendedStatus On - - - SetHandler server-status - Require all denied - Require host localhost .redhat.com - + ExtendedStatus On + + SetHandler server-status + Require all denied + Require host localhost .redhat.com + StartServers 8 MinSpareServers 8 - MaxSpareServers 20 - MaxClients 50 + MaxSpareServers 20 + MaxClients 50 MaxRequestsPerChild 10000 + +# vim: ft=apache
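Review bot: Inside the server-status block, `Require all denied` followed by `Require host localhost .redhat.com` sits in no RequireAll/RequireAny container, so Apache treats them as an implicit RequireAny and the denied line is a no-op; the effective rule is the host match alone, which relies on a reverse DNS lookup of the client rather than its address. Since `/server-status` exposes client addresses and in-flight request URIs, prefer an address match for the local case and drop the dead line: `Require ip 127.0.0.1 ::1` (keeping `Require host .redhat.com` only if remote access is really wanted). The enclosing IfModule/Location lines are not visible in this view, so the container structure is inferred from the re-indentation.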