Commit 9e128673 authored by Alain Takoudjou's avatar Alain Takoudjou

Merge branch 'alain'

Conflicts:
	stack/certificate-authority/buildout.cfg
	stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
	stack/certificate-authority/template/ca-nginx.conf.in
parents 0619e1bc 75e2d291
[buildout] [buildout]
extends = extends =
buildout.hash.cfg
../../component/apache/buildout.cfg ../../component/apache/buildout.cfg
../../component/nginx/buildout.cfg ../../component/nginx/buildout.cfg
../../component/curl/buildout.cfg ../../component/curl/buildout.cfg
...@@ -36,20 +37,14 @@ mode = 0644 ...@@ -36,20 +37,14 @@ mode = 0644
[template-httpd-auth-conf] [template-httpd-auth-conf]
<= template-ca-download-base <= template-ca-download-base
md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf] [template-nginx-ca-conf]
<= template-ca-download-base <= template-ca-download-base
md5sum = 97d8dbcdfcca92a3c2b70634f0dee8d9
filename = ca-nginx.conf.in
[template-authenticated-server] [template-authenticated-server]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
filename = template-authenticated-server.cfg
template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
rendered = ${buildout:directory}/template-authenticated-server.cfg rendered = ${buildout:directory}/template-authenticated-server.cfg
md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
context = context =
key apache_location apache:location key apache_location apache:location
key gzip_location gzip:location key gzip_location gzip:location
...@@ -65,15 +60,14 @@ context = ...@@ -65,15 +60,14 @@ context =
[template-certificate-authority] [template-certificate-authority]
recipe = slapos.recipe.template:jinja2 recipe = slapos.recipe.template:jinja2
filename = template-certificate-authority.cfg
template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
rendered = ${buildout:directory}/template-certificate-authority.cfg rendered = ${buildout:directory}/template-certificate-authority.cfg
md5sum = d5139f650388256776f43b9026617564
context = context =
key ngix_location nginx:location key ngix_location nginx:location
key template_logrotate_base template-logrotate-base:rendered key template_logrotate_base template-logrotate-base:rendered
raw curl_executable_location ${curl:location}/bin/curl raw curl_executable_location ${curl:location}/bin/curl
raw certificate_authority_bin ${buildout:directory}/bin/ca-bin raw certificate_authority_bin ${buildout:directory}/bin/ca-bin
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename} raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw dash_executable_location ${dash:location}/bin/dash raw dash_executable_location ${dash:location}/bin/dash
raw gunicorn_bin ${buildout:directory}/bin/gunicorn raw gunicorn_bin ${buildout:directory}/bin/gunicorn
......
# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
# The only allowed lines here are (regexes):
# - "^#" comments, copied verbatim
# - "^[" section beginings, copied verbatim
# - lines containing an "=" sign which must fit in the following categorie.
# - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
# But avoid directories, they are not portable.
# Copied verbatim.
# - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
# by the re-generation script.
# Re-generated.
# - other lines are copied verbatim
# Substitution (${...:...}), extension ([buildout] extends = ...) and
# section inheritance (< = ...) are NOT supported (but you should really
# not need these here).
[template-httpd-auth-conf]
md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
md5sum = 608b221009981fddfd9bb6cc6c5d465c
filename = ca-nginx.conf.in
[template-authenticated-server]
filename = template-authenticated-server.cfg
md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
[template-certificate-authority]
filename = template-certificate-authority.cfg
md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
...@@ -9,8 +9,10 @@ parts = ...@@ -9,8 +9,10 @@ parts =
[certificate-authority-parameters] [certificate-authority-parameters]
server-port = 8009 server-port = 8009
# Overrite this to set frontend URL server-https-port = 8010
external-url = https://[${slap-configuration:ipv6-random}]:${:server-port} # Overrite this to set frontend URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory] [directory]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
...@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs} ...@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs}
ca-newcerts = ${ca-directory:newcerts} ca-newcerts = ${ca-directory:newcerts}
ca-crl = ${ca-directory:crl} ca-crl = ${ca-directory:crl}
[ca-nginx-ssl] [nginx-certificate-request-base]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:bin}/request-base-certificate
cert-file = ${ca-nginx-ssl-config:cert}
key-file = ${ca-nginx-ssl-config:key}
ca-cert = ${directory:ssl}/cacert.pem
parameters-extra = true
command-line = {{ certificate_request_bin }}
--crt-file ${:cert-file}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:scripts}/request-server-certificate
command-line =
${nginx-certificate-request-base:wrapper-path}
--cn nginx@certificate.authority
--request
[ca-nginx-ssl-config]
recipe = plone.recipe.command recipe = plone.recipe.command
# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files command =
command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}" if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
else:
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
fi
key = ${directory:ssl}/ca-cert.key key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt cert = ${directory:ssl}/ca-cert.crt
update-command = update-command = ${:command}
output = ${directory:etc}/ca-nginx-ssl.cfg
stop-on-error = true stop-on-error = true
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
[ca-nginx-conf-parameter] [ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random} ip = ${slap-configuration:ipv6-random}
port = ${certificate-authority-parameters:server-port} port = ${certificate-authority-parameters:server-port}
https-port = ${certificate-authority-parameters:server-https-port}
pid-file = ${directory:run}/nginx-ca.pid pid-file = ${directory:run}/nginx-ca.pid
access-log = ${directory:log}/nginx-ca-access.log access-log = ${directory:log}/nginx-ca-access.log
error-log = ${directory:log}/nginx-ca-error.log error-log = ${directory:log}/nginx-ca-error.log
...@@ -102,6 +136,8 @@ input = inline: ...@@ -102,6 +136,8 @@ input = inline:
crl-life-period 0.02 crl-life-period 0.02
# ca-life-time = ca-life-period * crt-life-time # ca-life-time = ca-life-period * crt-life-time
ca-life-period 10 ca-life-period 10
# time before clean certificate on CA: 60*24*60*60
crt-keep-time 5184000
output = ${directory:etc}/ca.conf output = ${directory:etc}/ca.conf
mode = 700 mode = 700
...@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn ...@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered} command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server wrapper-path = ${directory:services}/ca-server
wait-for-files = #wait-for-files =
${ca-nginx-ssl:cert} # ${ca-nginx-ssl:cert}
${ca-nginx-ssl:key} # ${ca-nginx-ssl:key}
#environment =
# CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
url = ${certificate-authority-parameters:external-url} url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
depends = depends =
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename} ${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output} ${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
[ca-server-certificate-renew]
recipe = collective.recipe.template
input = inline:
#!{{ dash_executable_location }}
d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
cert_time=$(date -d "$d" +"%s")
now=$(date +"%s")
thresold=2592000 # 30*24*60*60 equivalent to one month in seconds
remind=$(($cert_time - $now))
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
fi
output = ${directory:bin}/server-certificate-renew
mode = 700
[certificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
command = ${ca-server-certificate-renew:output}
[certificate-authority-server-promise] [certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename} path = ${directory:promises}/${:filename}
filename = certificate-authority-server-listening-on-tcp filename = certificate-authority-server-listening-on-tcp
url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port} url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
[certificate-authority-https-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
check-secure = 1 check-secure = 1
dash_path = {{ dash_executable_location }} dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }} curl_path = {{ curl_executable_location }}
......
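Review bot: The `else:` in the shell snippet under `[ca-nginx-ssl-config]` `command =` is not the shell keyword — with the trailing colon it is parsed as an ordinary command name inside the `then` branch, so when key and cert exist the first `echo` writes them and the unconditional second `echo` immediately overwrites the output with empty `key=` / `cert=`, and `stop-on-error = true` does not catch it because the compound's exit status is that of the last echo. The line should read plain `else`. Separately, `echo -e` is not portable: if the command runs under dash, its builtin echo prints `-e` literally, turning the header into `-e [ca-nginx-ssl]` so the `zero-knowledge.read` section would not find `key`/`cert`; `printf '[ca-nginx-ssl]\nkey=%s\ncert=%s\n' "${:key}" "${:cert}" > ${:output}` avoids both problems. In the `[ca-server-certificate-renew]` script, `date -d` is GNU-specific and `thresold` is misspelled (`threshold`); worth a comment above the `input = inline:` line stating the script assumes GNU coreutils.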
...@@ -26,36 +26,70 @@ http { ...@@ -26,36 +26,70 @@ http {
server unix:{{ parameter_dict['socket'] }} fail_timeout=0; server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
} }
server { {% if parameter_dict['cert-file'] and parameter_dict['key-file'] -%}
listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl; server {
server_name _; listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }} ssl;
ssl_certificate {{ parameter_dict['cert-file'] }}; server_name _;
ssl_certificate_key {{ parameter_dict['key-file'] }}; ssl_certificate {{ parameter_dict['cert-file'] }};
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_certificate_key {{ parameter_dict['key-file'] }};
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5;
keepalive_timeout 90s; ssl_prefer_server_ciphers on;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }}; keepalive_timeout 90s;
proxy_temp_path {{ parameter_dict['proxy-temp-path'] }}; client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }}; proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }}; fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }}; uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location / {
proxy_redirect off; location / {
proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Authorization $http_authorization; proxy_set_header Host $http_host;
proxy_pass_header Authorization; proxy_set_header Authorization $http_authorization;
proxy_connect_timeout 90; proxy_pass_header Authorization;
proxy_send_timeout 90; proxy_connect_timeout 90;
proxy_read_timeout 90; proxy_send_timeout 90;
send_timeout 90; proxy_read_timeout 90;
send_timeout 90;
proxy_pass http://app_server;
} proxy_pass http://app_server;
}
}
{% endif -%}
server {
listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
server_name _;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location ~ ^(/admin|/user) {
# http is not used for /admin and /user
}
location / {
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
send_timeout 90;
proxy_pass http://app_server;
}
} }
} }
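Review bot: The plain-HTTP `server` block added after `{% endif -%}` has `listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;` — the port expression is outside `{{ }}` so it is emitted literally, and `ssl` is set on a block with no `ssl_certificate`, so nginx will reject the rendered config; when no certificate exists yet the HTTPS block is skipped as well, leaving no working listener. It should be `listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }};`. The `location ~ ^(/admin|/user) { }` block is empty: the comment says HTTP is not used for those paths, but an empty location neither denies nor redirects (nginx would attempt to serve from its default root), so put `return 403;` (or a redirect to the HTTPS listener) inside it so those paths are explicitly refused over plaintext.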