From 7c994774c3cca552a60f8068a334e9d301245e13 Mon Sep 17 00:00:00 2001
From: Stefano Alberto Russo <stefano.russo@gmail.com>
Date: Thu, 21 May 2020 00:14:05 +0200
Subject: [PATCH] Forces SSL everytwhere except than on localhost. Used rosetta
 certs for default Apache SSL conf.

---
 services/proxy/000-default.conf |  8 ++++----
 services/proxy/001-proxy.conf   | 34 +++++++++++++++++----------------
 services/proxy/default-ssl.conf |  7 +++++--
 3 files changed, 27 insertions(+), 22 deletions(-)

diff --git a/services/proxy/000-default.conf b/services/proxy/000-default.conf
index 2d703eb..2d43f2b 100644
--- a/services/proxy/000-default.conf
+++ b/services/proxy/000-default.conf
@@ -36,10 +36,10 @@
     #  1) dev env is different than staging/production, and
     #  2) other roules in 001-proxy.conf are never reached
 
-    #RewriteEngine On
-    #RewriteCond %{HTTPS} off
-    #RewriteCond %{HTTP_HOST} !=localhost
-    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteCond %{HTTP_HOST} !=localhost
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
     
     ProxyPass / http://webapp:8080/
     ProxyPassReverse / http://webapp:8080/ 
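Review bot: The exemption `RewriteCond %{HTTP_HOST} !=localhost` is evaluated against the Host header, which the client chooses, so a request that names `localhost` there skips the redirect and is proxied to webapp over plain HTTP. The test is also an exact string match, so a developer on a non-default port (Host `localhost:PORT`) fails it and is redirected. The redirect target is built from the same header and the rule carries no flags, which leaves the status code to mod_rewrite's default; I would write it as `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`, or redirect to a fixed name as the removed port-80 vhost in 001-proxy.conf did with `Redirect 301 / https://rosetta.platform/`. If the localhost exception exists only for development, keeping it in a dev-only config rather than the shared vhost would remove the plain-HTTP path in staging and production. The enclosing VirtualHost starts and ends outside this hunk.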
diff --git a/services/proxy/001-proxy.conf b/services/proxy/001-proxy.conf
index 052a1a6..6f02cde 100644
--- a/services/proxy/001-proxy.conf
+++ b/services/proxy/001-proxy.conf
@@ -3,26 +3,28 @@
 #  Rosetta platform 
 #---------------------------
 
+# WARNING: not relevant anymore, see 000-default.conf
+
 # Non-SSL
-<VirtualHost *:80>
-    ServerName rosetta.platform
-    Redirect 301 / https://rosetta.platform/
-</VirtualHost>
+#<VirtualHost *:80>
+#    ServerName rosetta.platform
+#    Redirect 301 / https://rosetta.platform/
+#</VirtualHost>
 
 # SSL
-<VirtualHost *:443>
-    
-    ServerName rosetta.platform
-
-    SSLEngine on
-    SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
-    SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
-    SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
-
-    ProxyPass / http://webapp:8080/
-    ProxyPassReverse / http://webapp:8080/
+#<VirtualHost *:443>
+#    
+#    ServerName rosetta.platform
+#
+#    SSLEngine on
+#    SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
+#    SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
+#    SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
+#
+#    ProxyPass / http://webapp:8080/
+#    ProxyPassReverse / http://webapp:8080/
     
-</VirtualHost>
+#</VirtualHost>
 
 # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
 
diff --git a/services/proxy/default-ssl.conf b/services/proxy/default-ssl.conf
index 6a67b5b..a52f5b0 100644
--- a/services/proxy/default-ssl.conf
+++ b/services/proxy/default-ssl.conf
@@ -30,8 +30,11 @@
         #   /usr/share/doc/apache2/README.Debian.gz for more info.
         #   If both key and certificate are stored in the same file, only the
         #   SSLCertificateFile directive is needed.
-        SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
-        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+        #SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+        #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+        SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
+        SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
+        SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
 
         #   Server Certificate Chain:
         #   Point SSLCertificateChainFile at a file containing the
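Review bot: `SSLCACertificateFile` is documented by mod_ssl as the CA list for verifying client certificates, not as the server's own chain, so pointing it at the `.ca-bundle` relies on a side effect. The context just below already describes `SSLCertificateChainFile`, and on Apache 2.4.8 or later the intermediates can be appended to the file named by `SSLCertificateFile`. The default SSL vhost now also depends on `/root/certificates/rosetta_platform/` being populated, and Apache refuses to start when a configured certificate or key file is missing, so a development container without those files would presumably no longer come up. A comment above the directives saying how the files are provisioned, and that the key must stay readable by root only, would help. With the named 443 vhost in 001-proxy.conf commented out, it is worth confirming that this vhost carries the `ProxyPass`/`ProxyPassReverse` lines, which are not visible in this hunk.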
-- 
GitLab