confdroid_nagios/templates/httpd/nagios_ssl_vhost.erb

###############################################################################
#####  virtual_host file created by puppet, changes will be overwritten  ######
###############################################################################

<VirtualHost *:<%= @ng_https_port %>>

    ServerAdmin root@localhost
    DocumentRoot /var/www/html
    ServerName <%= @ng_webserver_name %>
    ServerAlias <%= @ng_webserver_name %>
    ErrorLog /var/log/httpd/nagios_ssl_error_log
#    ErrorLog syslog:local1
    TransferLog /var/log/httpd/nagios_ssl_transfer_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

<% if @ng_enable_certbot == true -%>
    SSLCertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
    SSLCertificateKeyFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
    SSLCACertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
<% elsif @ng_enable_certbot != true -%>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
<% end -%>
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>

ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"

<Directory "/usr/lib64/nagios/cgi-bin/">
<% if @ng_use_https == true -%>
   SSLRequireSSL
<% else -%>
#  SSLRequireSSL
<% end -%>
   Options ExecCGI
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
<% unless @ng_required_hosts.empty? -%>
    Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
         Require ip <%= @source_range %>
<% end -%>
         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /etc/nagios/passwd
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
<% unless @ng_required_hosts.empty? -%>
      Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
         Allow from <%= @source_range %>
<% end -%>
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /etc/nagios/passwd
      Require valid-user
   </IfVersion>
</Directory>

Alias /nagios "/usr/share/nagios/html"

<Directory "/usr/share/nagios/html">
<% if @ng_use_https == true -%>
   SSLRequireSSL
<% else -%>
#  SSLRequireSSL
<% end -%>
   Options None
   AllowOverride None
   <IfVersion >= 2.3>
      <RequireAll>
         Require all granted
<% unless @ng_required_hosts.empty? -%>
    Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
         Require ip <%= @source_range %>
<% end -%>
         AuthName "Nagios Access"
         AuthType Basic
         AuthUserFile /etc/nagios/passwd
         Require valid-user
      </RequireAll>
   </IfVersion>
   <IfVersion < 2.3>
      Order allow,deny
<% unless @ng_required_hosts.empty? -%>
      Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
         Allow from <%= @source_range %>
<% end -%>
      AuthName "Nagios Access"
      AuthType Basic
      AuthUserFile /etc/nagios/passwd
      Require valid-user
   </IfVersion>
</Directory>

RedirectMatch ^/$ https://<%= @ng_webserver_name %>/nagios

    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


     CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>