-rw-r--r--config/httpd-force-ssl.conf-example5
-rw-r--r--config/httpd-ssl.conf-example24
-rw-r--r--config/httpd.conf-example222
3 files changed, 172 insertions, 79 deletions
diff --git a/config/httpd-force-ssl.conf-example b/config/httpd-force-ssl.conf-example
new file mode 100644
index 000000000..0e89afe62
--- /dev/null
+++ b/config/httpd-force-ssl.conf-example
@@ -0,0 +1,5 @@
+# Rewrite all proxied HTTP requests to HTTPS.
+# Only include if FORCE_SSL: true is set in general.yml
+# Expected to be found at /etc/apache2/vhost.d/alaveteli
+RewriteCond %{HTTP:X-Forwarded-Proto} !https
+RewriteRule /(.*) https://www.example.com/$1 [L,R=permanent]
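Review bot: The RewriteCond on `%{HTTP:X-Forwarded-Proto}` keys the HTTP→HTTPS redirect on a client-controllable request header, so it only holds if every request reaching the :80 vhost has passed through the TLS vhost that sets it. Proxied traffic is covered (the SSL vhost uses `RequestHeader set`, which overwrites any incoming value), but a request that reaches port 80 directly can carry the header and bypass the redirect. Binding the plain-HTTP listener to loopback (e.g. `Listen 127.0.0.1:80`) or restricting it at the firewall closes that gap; the header comment should state that assumption, e.g. `# Assumes port 80 is reachable only from the local TLS proxy; the header is client-supplied otherwise.` The comment's `/etc/apache2/vhost.d/alaveteli` matches the `Include vhost.d/alaveteli` in httpd.conf-example only when ServerRoot is /etc/apache2, which may be worth saying explicitly.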
diff --git a/config/httpd-ssl.conf-example b/config/httpd-ssl.conf-example
new file mode 100644
index 000000000..8f099b8a6
--- /dev/null
+++ b/config/httpd-ssl.conf-example
@@ -0,0 +1,24 @@
+# VirtualHost for HTTPS requests
+<VirtualHost *:443>
+ ServerName www.example.com
+
+ ErrorLog /var/log/apache2/alaveteli_error.log
+ CustomLog /var/log/apache2/alaveteli_access.log combined
+
+ ProxyRequests Off
+ ProxyPreserveHost On
+ ProxyPass / http://localhost:80/
+ ProxyPassReverse / http://localhost:80/
+ RequestHeader set X-Forwarded-Proto 'https'
+
+ SSLEngine on
+ SSLProtocol all -SSLv2
+ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
+
+ SSLCertificateFile /etc/ssl/certs/www.example.com.cert
+ SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
+ # SSLCertificateChainFile /etc/ssl/sub.class2.server.ca.pem
+ # SSLCACertificateFile /etc/ssl/ca.pem
+
+ SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
+</VirtualHost>
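Review bot: `SSLProtocol all -SSLv2` still enables SSLv3, and `SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM` explicitly promotes RC4 and admits MEDIUM-strength suites; both SSLv3 and RC4 are considered broken, and an example config is what most deployments will copy verbatim. A safer baseline in the same directives is `SSLProtocol all -SSLv2 -SSLv3`, `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4` and `SSLHonorCipherOrder on`, so the server's preference wins over the client's. The `SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown` line is a legacy workaround for old Internet Explorer versions and deserves a comment saying so, since it disables keepalive for anything matching MSIE.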
diff --git a/config/httpd.conf-example b/config/httpd.conf-example
index 8d549d363..9736cafff 100644
--- a/config/httpd.conf-example
+++ b/config/httpd.conf-example
@@ -1,81 +1,145 @@
-# Apache configuration for FOI site.
-#
-# For development ignore this, you can just run ./scripts/server as for any
-# Ruby on Rails application.
-#
-# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
-# Email: hello@mysociety.org; WWW: http://www.mysociety.org
-
-# This is needed for the PHP spell checker
-<Location /fcgi>
- Options +ExecCGI
- SetHandler fastcgi-script
-</Location>
-
-RewriteEngine On
-#RewriteLog /var/log/apache2/rewrite.log
-#RewriteLogLevel 9
-
-# TODO: do we need this now we use Passenger?
-# Pass through the HTTP basic authentication to mongrel. See also
-# admin_http_auth_user in app/controllers/application.rb
-# Note: Apache 2 only. Doesn't work in Apache 1.3, you'll need to live without
-# it.
-RewriteCond %{LA-U:REMOTE_USER} (.+)
-RewriteRule . - [E=RU:%1]
-RequestHeader add X-Forwarded-User %{RU}e
-
-# Old /files URL to new subdomain (as can't use Alias with passenger,
-# so we do it on its own domain). This is for custom admin upload
-# files for archiving.
-RewriteRule /files/(.+) http://files.whatdotheyknow.com/$1
-
-# Serve attachments directly from the cache, if possible.
-#
-# The file names are URL-encoded on disk, and sharded by the first
-# three digits of the request id, which is why this is as complicated
-# as it is. The RewriteMap directive makes the URL-escaping function
-# available to use in the other directives.
-#
-# The condition means that the rule will fire only if the cached
-# file exists.
-RewriteMap escape int:escape
-RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f
-RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L]
-
-
-<IfModule mod_passenger.c>
- # Set this to something like 100 if you have memory leak issues
- PassengerMaxRequests 500
- PassengerResolveSymlinksInDocumentRoot on
- # Recommend setting this to 3 or less on servers with 512MB RAM
- PassengerMaxPoolSize 6
- # The RackEnv variable applies to Rails 3 applications, while
- # the RailsEnv variable applies to applications for earlier
- # versions of Rails. There doesn't seem to be any harm in
- # setting both, however.
- RailsEnv production
- RackEnv production
-</IfModule>
-
-# Gzip font resources
-<IfModule mod_deflate.c>
- <IfModule mod_mime.c>
- Addtype font/opentype .otf
- Addtype font/opentype .woff
- Addtype font/eot .eot
- Addtype font/truetype .ttf
+# Redirect other domains to canonical domain
+<VirtualHost *:80>
+ ServerName example.com
+ ServerAlias example.org
+ ServerAlias www.example.org
+ RedirectPermanent / http://www.example.com/
+</VirtualHost>
+
+# Canonical domain vHost
+<VirtualHost *:80>
+ ServerName www.example.com
+ ServerAdmin webmaster@example.com
+ DocumentRoot /var/www/alaveteli/public
+
+ # TODO: Remove this and use PassengerUser when supported
+ # This is the user that runs the rails application processes
+ SuExecUserGroup alaveteli alaveteli
+ RewriteEngine On
+
+ ErrorLog /var/log/apache2/alaveteli_error.log
+ CustomLog /var/log/apache2/alaveteli_access.log combined
+
+ # App server configuration
+ <IfModule mod_passenger.c>
+ PassengerAppRoot /var/www/alaveteli
+ PassengerResolveSymlinksInDocumentRoot on
+
+ # See http://blog.phusion.nl/2013/03/12/tuning-phusion-passengers-concurrency-settings/
+ # and http://blog.scoutapp.com/articles/2009/12/08/production-rails-tuning-with-passenger-passengermaxprocesses
+ # for more information on tuning Passenger
+
+ # Set this to something like 100 if you have memory leak issues
+ PassengerMaxRequests 2000
+ # Passenger's default MaxPoolSize is 6. At the time of writing
+ # normal instances of Alaveteli seem to take 150-200MB per
+ # process, so we've set this conservatively at 3. Read the guides
+ # above to tune this for your system
+ PassengerMaxPoolSize 3
+
+ # The RAILS_ENV that the app is running in. This can be any of
+ # the environments listed in APP_ROOT/config/environments.
+ RailsEnv production
+ RackEnv production
</IfModule>
- AddOutputFilterByType DEFLATE font/opentype font/truetype font/eot
- AddOutputFilterByType DEFLATE image/svg+xml
-</IFModule>
-
-# Set the Sendfile header and switch sendfile on - Apache will
-# now handle send_file calls from Alaveteli
-<Location />
- <IfModule mod_xsendfile.c>
- RequestHeader Set X-Sendfile-Type X-Sendfile
- XSendFile On
- XSendFileAllowAbove On
+
+ # This is your Rails app's public directory
+ <Directory "/var/www/alaveteli/public">
+ Options +ExecCGI -MultiViews
+ AllowOverride All
+ </Directory>
+
+ # Maintenance Page
+ # Make a file down.html in the DocumentRoot to bring down the whole
+ # site and display itself.
+ RewriteEngine on
+ ErrorDocument 503 /down.html
+ Redirect 503 /down
+
+ # If down.html exists, and that's what's been asked for,
+ # just hand it over
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /down.html /down.html [L]
+
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /(.+).cgi /down [PT]
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /(.+).php /down [PT]
+ # Mainly for Rails/Django type sites - anything without a . can go down
+ # TODO: could we just check that it is an HTML content-type?
+ RewriteCond %{DOCUMENT_ROOT}/down.html -s
+ RewriteRule /([^.]*)$ /down [PT]
+ # END Maintenance Page
+
+ # Set the Sendfile header and switch sendfile on - Apache will
+ # now handle send_file calls from Alaveteli
+ <Location />
+ <IfModule mod_xsendfile.c>
+ RequestHeader Set X-Sendfile-Type X-Sendfile
+ XSendFile On
+ XSendFilePath /var/www/alaveteli/public
+ </IfModule>
+ </Location>
+
+ # Commonlib is typically found in alaveteli/commonlib
+ Alias /jslib/ "/var/www/alaveteli/commonlib/jslib"
+ <Directory "/var/www/alaveteli/commonlib/jslib">
+ Options +ExecCGI
+ AddHandler fastcgi-script .cgi
+ </Directory>
+
+ # Serve attachments directly from the cache, if possible.
+ #
+ # The file names are URL-encoded on disk, and sharded by the first
+ # three digits of the request id, which is why this is as complicated
+ # as it is. The RewriteMap directive makes the URL-escaping function
+ # available to use in the other directives.
+ #
+ # The condition means that the rule will fire only if the cached
+ # file exists.
+ RewriteMap escape int:escape
+ RewriteCond %{DOCUMENT_ROOT}/views_cache/request/$2/$1/${escape:$3} -f
+ RewriteRule ^/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/request/$2/$1/${escape:$3} [L]
+ RewriteCond %{DOCUMENT_ROOT}/views_cache/cy/request/$2/$1/${escape:$3} -f
+ RewriteRule ^/cy/request/((\d{1,3})\d*)/(response/\d+/attach/(html/)?\d+/.+) /views_cache/cy/request/$2/$1/${escape:$3} [L]
+
+ # Compress assets
+ <Location />
+ <IfModule mod_deflate.c>
+ AddOutputFilterByType DEFLATE text/css application/javascript text/plain
+ </IfModule>
+ </Location>
+
+ # Cache assets
+ ExpiresActive On
+ <LocationMatch "^/(assets).*\.(ico|gif|jpe?g|png|js|css|svg|ttf|otf|eot|woff)$">
+ ExpiresDefault "access plus 1 day"
+ </LocationMatch>
+
+ # Compress font resources
+ <IfModule mod_deflate.c>
+ <IfModule mod_mime.c>
+ Addtype font/opentype .otf
+ Addtype font/opentype .woff
+ Addtype font/eot .eot
+ Addtype font/truetype .ttf
+ </IfModule>
+ AddOutputFilterByType DEFLATE font/opentype font/truetype font/eot
+ AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
-</Location>
+
+ # Include optional configuration
+ Include vhost.d/alaveteli
+
+</VirtualHost>
+
+# Large / static files for WhatDoTheyKnow. Used for manual sysadmin uploads.
+# Is on its own files.example.com subdomain (instead of old /files URL)
+# as mod_alias doesn't work with Passenger.
+# <VirtualHost *:80>
+# ServerName files.example.com
+# DocumentRoot /var/www/alaveteli/files
+# <Directory "/var/www/alaveteli/files">
+# Options +Indexes
+# </Directory>
+# </VirtualHost>
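Review bot: The `<Directory "/var/www/alaveteli/public">` block grants `Options +ExecCGI -MultiViews` and `AllowOverride All` across the whole public tree, which makes any `.htaccess` that ends up under DocumentRoot live server configuration and permits CGI execution anywhere beneath it; unless the application needs per-directory overrides, `AllowOverride None` and dropping `+ExecCGI` here (it is already granted separately on the jslib directory, where the `.cgi` handler is) narrows that surface. The maintenance rules `RewriteRule /down.html /down.html [L]`, `RewriteRule /(.+).cgi /down [PT]` and `RewriteRule /(.+).php /down [PT]` use unescaped dots and are unanchored, so `.cgi` also matches e.g. `xcgi`; `RewriteRule ^/down\.html$ - [L]` and `^/(.+)\.cgi$` / `^/(.+)\.php$` express the intent precisely. `Include vhost.d/alaveteli` is unconditional, so Apache will refuse to start when the file is absent even though the force-ssl example describes it as optional; either note that an empty file must exist or use `IncludeOptional vhost.d/alaveteli` if the target Apache version supports it.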