proxy-global.conf

# Note: if setting up Let's Encrypt, use these certificates for the 
# intermediate step, according to the REANDE:
# SSLCertificateFile /root/certificates/selfsigned.crt
# SSLCertificateKeyFile /root/certificates/selfsigned.key
# SSLCACertificateFile /root/certificates/selfsigned.ca-bundle


#------------------------
# Force https
#------------------------
<VirtualHost *:80>

    ServerAdmin admin@rosetta.platform
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    AllowEncodedSlashes NoDecode
       
</VirtualHost>


#------------------------
# Catch-all
#------------------------
<VirtualHost *:443>
    ServerAdmin admin@rosetta.platform
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/__ROSETTA_HOST__/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/fullchain.pem
    DocumentRoot /var/www/html
</VirtualHost>


#------------------------
#  Rosetta Platform
#------------------------
<VirtualHost *:443>
    ServerAdmin admin@rosetta.platform
    ServerName __ROSETTA_HOST__
    ProxyPass / http://webapp:8080/
    ProxyPassReverse / http://webapp:8080/
    AllowEncodedSlashes NoDecode

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/__ROSETTA_HOST__/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/fullchain.pem

    # Browser-specific fixes
    BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Required for the Open ID connect redirects to work properly
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS        

</VirtualHost>


#------------------------
#  Rosetta tasks
#------------------------
# This is actually a placeholder required in order to have Let's Encrypt to get the
# certificates, as Apache conf fot hte tasks is injected by the webapp service.
# If __ROSETTA_TASKS_PROXY_HOST__ is set qual to __ROSETTA_HOST__ as no dual
# configuration is in place, then it simply gets overwritten by the entry above.

<VirtualHost *:443>
    ServerAdmin admin@rosetta.platform
    ServerName __ROSETTA_TASKS_PROXY_HOST__
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/__ROSETTA_TASKS_PROXY_HOST__/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/__ROSETTA_TASKS_PROXY_HOST__/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/__ROSETTA_TASKS_PROXY_HOST__/fullchain.pem
    DocumentRoot /var/www/html
</VirtualHost>


#-------------------------
#  The Docker registry
#-------------------------
Listen 5000
<VirtualHost *:5000>
    ServerAdmin admin@rosetta.platform
    ProxyPass / http://dregistry:5000/
    ProxyPassReverse / http://dregistry:5000/

    SSLEngine on

    SSLCertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/__ROSETTA_HOST__/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/__ROSETTA_HOST__/fullchain.pem

    # Browser-specific fixes
    BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Required for the Open ID connect redirects to work properly
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS        

</VirtualHost>