rudder-apache-common.conf
# Prevent Chrome's reload-loop detection from blocking the page after too
# many page reloads.
# Scope: LocationMatch takes an unanchored regex, so this section applies to
# every URL path that contains "/rudder", not only paths that start with it.
<LocationMatch "/rudder">
# "Header add" appends the header even if the response already carries one
# with the same name.
Header add X-Chrome-Exponential-Throttling "disable"
</LocationMatch>
# Document root for requests that none of the Alias directives in this file
# map elsewhere.
DocumentRoot /var/www
# Nice loading page if the Java server is not ready.
# The three aliases publish the page and its assets; ErrorDocument returns
# the page as the body of any 503 response.
Alias /images /opt/rudder/share/load-page/images
Alias /files /opt/rudder/share/load-page/files
Alias /rudder-loading.html /opt/rudder/share/load-page/rudder-loading.html
ErrorDocument 503 /rudder-loading.html
# Enforce permissive access to the load page directory.
# The grant is unauthenticated and covers the whole directory tree, so only
# static, non-sensitive assets belong under it.
# Order/Allow are Apache 2.2 access-control directives; httpd 2.4 honours
# them only through mod_access_compat.
<Directory /opt/rudder/share/load-page>
Order deny,allow
Allow From all
</Directory>
# Expose the server UUID through http (no authentication, any client).
# NOTE(review): the Alias publishes a single file, but the <Directory> grant
# below allows every client on all of /opt/rudder/etc. The htpasswd files
# used by the WebDAV shares in this file are stored in that same directory.
# No other directive visible here maps a URL into it, but any later Alias or
# symlink pointing there would inherit the grant. Consider limiting the grant
# to the one file (a <Files "uuid.hive"> section) - to be confirmed against
# the virtual hosts that include this file.
# NOTE(review): confirm the UUID is not relied on as a secret anywhere, since
# it is readable by anyone who can reach this server.
Alias /uuid /opt/rudder/etc/uuid.hive
<Directory /opt/rudder/etc>
Order deny,allow
Allow from all
</Directory>
# WebDAV share to receive inventories
Alias /inventories /var/rudder/inventories/incoming
<Directory /var/rudder/inventories/incoming>
DAV on
# HTTP Basic authentication against a local htpasswd file; any user listed in
# that file is accepted.
# NOTE(review): Basic credentials are only base64-encoded on the wire.
# Confirm this file is included solely by TLS virtual hosts.
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav-initial
Require valid-user
# NOTE(review): with "Order deny,allow" a client that matches no Deny line is
# allowed by default. The host restriction therefore only takes effect if the
# included file carries a "Deny from all" (or equivalent) next to its Allow
# lines - verify the generated content.
# Under the default "Satisfy All" both the host check and the login must
# pass; presumably no "Satisfy Any" is inherited from the including virtual
# host - confirm.
Order deny,allow
# This file is automatically generated according to
# the hosts allowed by rudder.
Include /opt/rudder/etc/rudder-networks.conf
# Every method other than PUT is refused for all clients, so the share only
# accepts uploads: reading, listing and deleting through it are denied.
<LimitExcept PUT>
Order allow,deny
Deny from all
</LimitExcept>
</Directory>
# WebDAV share to receive inventory updates (target directory:
# accepted-nodes-updates). It uses a different password file from the
# /inventories share above (htpasswd-webdav, not htpasswd-webdav-initial).
Alias /inventory-updates /var/rudder/inventories/accepted-nodes-updates
<Directory /var/rudder/inventories/accepted-nodes-updates>
DAV on
# HTTP Basic authentication against a local htpasswd file; any user listed in
# that file is accepted.
# NOTE(review): Basic credentials are only base64-encoded on the wire.
# Confirm this file is included solely by TLS virtual hosts.
AuthName "WebDAV Storage"
AuthType Basic
AuthUserFile /opt/rudder/etc/htpasswd-webdav
Require valid-user
# NOTE(review): with "Order deny,allow" a client that matches no Deny line is
# allowed by default. The host restriction therefore only takes effect if the
# included file carries a "Deny from all" (or equivalent) next to its Allow
# lines - verify the generated content.
Order deny,allow
# This file is automatically generated according to
# the hosts allowed by rudder.
Include /opt/rudder/etc/rudder-networks.conf
# Every method other than PUT is refused for all clients, so the share only
# accepts uploads: reading, listing and deleting through it are denied.
<LimitExcept PUT>
Order allow,deny
Deny from all
</LimitExcept>
</Directory>
# Deny the use of legacy API if using X-API-Version which is not '1'
# The regex "[^1]" is unanchored: api_deny is set when the header value
# contains at least one character other than "1". A request without the
# header leaves api_deny unset, and so does a value made only of "1"
# characters (for example "11"), which is looser than the comment above
# suggests.
SetEnvIf X-API-Version "[^1]" api_deny
# NO access to the status and archiving API unless you are localhost
# With "Order allow,deny" the default is deny and a matching Deny overrides a
# matching Allow: only requests from localhost without api_deny get through.
# NOTE(review): "Allow from localhost" is a host-name match, so the decision
# depends on DNS lookups for the client address; the literal loopback
# addresses would not depend on name resolution.
# NOTE(review): the pattern is anchored at both ends and covers these exact
# paths only. Confirm the application does not serve the same endpoints under
# longer paths (trailing slash, sub-resources), which this rule would not
# match.
<LocationMatch "^/rudder/api/(status|archives)$">
Order allow,deny
Allow from localhost
Deny from env=api_deny
</LocationMatch>
# NO access to the reloading API either unless you are localhost
# Same evaluation as the section above: default deny, localhost allowed
# unless api_deny is set. The same two review notes (host-name match, exact
# path anchoring) apply here.
<LocationMatch "^/rudder/api/(techniqueLibrary|dyngroup|deploy)/reload$">
Order allow,deny
Allow from localhost
Deny from env=api_deny
</LocationMatch>
# Note: The preceding statements are here for compatibility purposes and will
# be removed in a future version of Rudder, which will enforce authenticated
# calls to every API part.
# Link to Rudder documentation
# Served to every client without authentication. DirectoryIndex makes
# rudder-doc.html the page returned for a request on the directory itself.
Alias /rudder-doc /usr/share/doc/rudder/html
<Directory /usr/share/doc/rudder/html>
DirectoryIndex rudder-doc.html
Order deny,allow
Allow from all
</Directory>