Commit 9e128673 authored by Alain Takoudjou's avatar Alain Takoudjou

Merge branch 'alain'

Conflicts:
	stack/certificate-authority/buildout.cfg
	stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
	stack/certificate-authority/template/ca-nginx.conf.in
parents 0619e1bc 75e2d291
[buildout]
extends =
buildout.hash.cfg
../../component/apache/buildout.cfg
../../component/nginx/buildout.cfg
../../component/curl/buildout.cfg
......@@ -36,20 +37,14 @@ mode = 0644
[template-httpd-auth-conf]
<= template-ca-download-base
md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
<= template-ca-download-base
md5sum = 97d8dbcdfcca92a3c2b70634f0dee8d9
filename = ca-nginx.conf.in
[template-authenticated-server]
recipe = slapos.recipe.template:jinja2
filename = template-authenticated-server.cfg
template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
rendered = ${buildout:directory}/template-authenticated-server.cfg
md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
context =
key apache_location apache:location
key gzip_location gzip:location
......@@ -65,15 +60,14 @@ context =
[template-certificate-authority]
recipe = slapos.recipe.template:jinja2
filename = template-certificate-authority.cfg
template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
rendered = ${buildout:directory}/template-certificate-authority.cfg
md5sum = d5139f650388256776f43b9026617564
context =
key ngix_location nginx:location
key template_logrotate_base template-logrotate-base:rendered
raw curl_executable_location ${curl:location}/bin/curl
raw certificate_authority_bin ${buildout:directory}/bin/ca-bin
raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
raw dash_executable_location ${dash:location}/bin/dash
raw gunicorn_bin ${buildout:directory}/bin/gunicorn
......
# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
# The only allowed lines here are (regexes):
# - "^#" comments, copied verbatim
# - "^[" section beginings, copied verbatim
# - lines containing an "=" sign which must fit in the following categorie.
# - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
# But avoid directories, they are not portable.
# Copied verbatim.
# - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
# by the re-generation script.
# Re-generated.
# - other lines are copied verbatim
# Substitution (${...:...}), extension ([buildout] extends = ...) and
# section inheritance (< = ...) are NOT supported (but you should really
# not need these here).
[template-httpd-auth-conf]
md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-nginx-ca-conf]
md5sum = 608b221009981fddfd9bb6cc6c5d465c
filename = ca-nginx.conf.in
[template-authenticated-server]
filename = template-authenticated-server.cfg
md5sum = 39c1494b45dcbd5388b0d1c1d9b27ffb
[template-certificate-authority]
filename = template-certificate-authority.cfg
md5sum = 50d678bfc056489fd9817e4da6599e8f
\ No newline at end of file
......@@ -9,8 +9,10 @@ parts =
[certificate-authority-parameters]
server-port = 8009
# Overrite this to set frontend URL
external-url = https://[${slap-configuration:ipv6-random}]:${:server-port}
server-https-port = 8010
# Overrite this to set frontend URL (URL is used as CRL distribution point)
# Please set http not HTTPS scheme
external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
[directory]
recipe = slapos.cookbook:mkdirectory
......@@ -52,18 +54,50 @@ ca-certs = ${ca-directory:certs}
ca-newcerts = ${ca-directory:newcerts}
ca-crl = ${ca-directory:crl}
[ca-nginx-ssl]
[nginx-certificate-request-base]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:bin}/request-base-certificate
cert-file = ${ca-nginx-ssl-config:cert}
key-file = ${ca-nginx-ssl-config:key}
ca-cert = ${directory:ssl}/cacert.pem
parameters-extra = true
command-line = {{ certificate_request_bin }}
--crt-file ${:cert-file}
--key-file ${:key-file}
--ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
--ca-crt-file ${:ca-cert}
--no-check-certificate
[nginx-certificate-request]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:scripts}/request-server-certificate
command-line =
${nginx-certificate-request-base:wrapper-path}
--cn nginx@certificate.authority
--request
[ca-nginx-ssl-config]
recipe = plone.recipe.command
# XXX - For now, generate ca httpd certificate here, because it's not possible to start CA without this files
command = "{{ openssl_executable_location }}" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
command =
if [ -s "${:key}" ] && [ -s "${:cert}" ]; then
echo -e "[ca-nginx-ssl]\nkey=${:key}\ncert=${:cert}" > ${:output}
else:
echo -e "[ca-nginx-ssl]\nkey=\ncert=" > ${:output}
fi
key = ${directory:ssl}/ca-cert.key
cert = ${directory:ssl}/ca-cert.crt
update-command =
update-command = ${:command}
output = ${directory:etc}/ca-nginx-ssl.cfg
stop-on-error = true
[ca-nginx-ssl]
recipe = slapos.cookbook:zero-knowledge.read
file-path = ${ca-nginx-ssl-config:output}
[ca-nginx-conf-parameter]
ip = ${slap-configuration:ipv6-random}
port = ${certificate-authority-parameters:server-port}
https-port = ${certificate-authority-parameters:server-https-port}
pid-file = ${directory:run}/nginx-ca.pid
access-log = ${directory:log}/nginx-ca-access.log
error-log = ${directory:log}/nginx-ca-error.log
......@@ -102,6 +136,8 @@ input = inline:
crl-life-period 0.02
# ca-life-time = ca-life-period * crt-life-time
ca-life-period 10
# time before clean certificate on CA: 60*24*60*60
crt-keep-time 5184000
output = ${directory:etc}/ca.conf
mode = 700
......@@ -129,21 +165,56 @@ wrapper-path = ${directory:services}/ca-gunicorn
recipe = slapos.cookbook:wrapper
command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
wrapper-path = ${directory:services}/ca-server
wait-for-files =
${ca-nginx-ssl:cert}
${ca-nginx-ssl:key}
#environment =
# CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
#wait-for-files =
# ${ca-nginx-ssl:cert}
# ${ca-nginx-ssl:key}
url = ${certificate-authority-parameters:external-url}
secure-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
depends =
${nginx-certificate-request:wrapper-path}
${certificate-authority-server-promise:filename}
${certificate-authority-https-server-promise:filename}
${ca-nginx-graceful:output}
${certificate-renew-cron-entry:name}
[ca-server-certificate-renew]
recipe = collective.recipe.template
input = inline:
#!{{ dash_executable_location }}
d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
cert_time=$(date -d "$d" +"%s")
now=$(date +"%s")
thresold=2592000 # 30*24*60*60 equivalent to one month in seconds
remind=$(($cert_time - $now))
if [ $remind -lt $thresold ]; then
exec ${nginx-certificate-request-base:wrapper-path} --renew
fi
output = ${directory:bin}/server-certificate-renew
mode = 700
[certificate-renew-cron-entry]
recipe = slapos.cookbook:cron.d
cron-entries = ${cron:cron-entries}
name = ca-server-certificate-auto-renew
frequency = 0 */2 * * *
command = ${ca-server-certificate-renew:output}
[certificate-authority-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = certificate-authority-server-listening-on-tcp
url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
[certificate-authority-https-server-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
check-secure = 1
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
......
......@@ -26,8 +26,9 @@ http {
server unix:{{ parameter_dict['socket'] }} fail_timeout=0;
}
{% if parameter_dict['cert-file'] and parameter_dict['key-file'] -%}
server {
listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }} ssl;
listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['https-port'] }} ssl;
server_name _;
ssl_certificate {{ parameter_dict['cert-file'] }};
ssl_certificate_key {{ parameter_dict['key-file'] }};
......@@ -41,6 +42,39 @@ http {
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location / {
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
send_timeout 90;
proxy_pass http://app_server;
}
}
{% endif -%}
server {
listen [{{ parameter_dict['ip'] }}]:parameter_dict['port'] ssl;
server_name _;
keepalive_timeout 90s;
client_body_temp_path {{ parameter_dict['client-body-temp-path'] }};
proxy_temp_path {{ parameter_dict['proxy-temp-path'] }};
fastcgi_temp_path {{ parameter_dict['fastcgi-temp-path'] }};
uwsgi_temp_path {{ parameter_dict['uwsgi-temp-path'] }};
scgi_temp_path {{ parameter_dict['scgi-temp-path'] }};
location ~ ^(/admin|/user) {
# http is not used for /admin and /user
}
location / {
proxy_redirect off;
proxy_set_header X-Forwarded-Proto $scheme;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment