puppet/modules/railsapp/templates/passenger-app.erb
<%- if @use_ssl -%>
<VirtualHost *:80>
ServerName <%= @server_url %>
Redirect permanent / https://<%= @server_url %>/
</VirtualHost>
Listen 443
<VirtualHost *:443>
DocumentRoot <%= @path %>
SSLEngine on
SSLOptions +StrictRequire
<Directory />
SSLRequireSSL
</Directory>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
# Prevent CRIME/BREACH compression attacks
SSLCompression Off
SSLCertificateFile <%= File.expand_path(File.join(@path, '..', '..', 'shared', 'certs', 'server.crt')) %>
SSLCertificateKeyFile <%= File.expand_path(File.join(@path, '..', '..', 'shared', 'certs', 'server_key.pem')) %>
<%- intermediate_cert_path = File.expand_path(File.join(@path, '..', '..', 'shared', 'certs', 'intermediate.crt')) -%>
<%- if File.exists?(intermediate_cert_path) -%>
SSLCertificateChainFile <%= intermediate_cert_path %>
<%- end -%>
SSLVerifyClient none
SSLProxyEngine off
<IfModule mime.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
</IfModule>
</VirtualHost>
<%- else -%>
<VirtualHost *:80>
ServerName <%= @server_url %>
DocumentRoot <%= @path %>
<Directory <%= @path %>>
Allow from all
Options -MultiViews
</Directory>
</VirtualHost>
<%- end -%>