Commit 322181fc authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

software/slapos-master: follow up changes on ERP5 stack.

parent e35f6236
...@@ -23,14 +23,14 @@ ...@@ -23,14 +23,14 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)" # # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>", # "ssl-session-cache": "<folder_path>",
# #
# # The path given to "SSLCACertificateFile" (can be empty) # # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check. # # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require") # # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>", # "ca-cert-dir": "<directory_path>",
# #
# # The path given to "SSLCARevocationFile" (used if ca-cert is not # # The path given to "SSLCARevocationPath" (used if ca-cert-dir is not
# # empty) # # empty)
# "crl": "<file_path>", # "crl-dir": "<directory_path>",
# #
# # The path given to "ErrorLog" # # The path given to "ErrorLog"
# "error-log": "<file_path>", # "error-log": "<file_path>",
...@@ -69,7 +69,7 @@ ...@@ -69,7 +69,7 @@
# From to `backend-list`: # From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and # - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001 # - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`. # only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003 # - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003 # - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client. # accepting requests from any client.
...@@ -83,6 +83,8 @@ ...@@ -83,6 +83,8 @@
# For more details, refer to # For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together # https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#} -#}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_core_module modules/mod_authz_core.so
...@@ -103,7 +105,7 @@ LoadModule headers_module modules/mod_headers.so ...@@ -103,7 +105,7 @@ LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so LoadModule deflate_module modules/mod_deflate.so
LoadModule filter_module modules/mod_filter.so LoadModule filter_module modules/mod_filter.so
AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm AddOutputFilterByType DEFLATE text/cache-manifest text/html text/plain text/css application/hal+json application/json application/x-javascript text/xml application/xml application/rss+xml text/javascript application/javascript image/svg+xml application/x-font-ttf application/font-woff application/font-woff2 application/x-font-opentype application/wasm
PidFile "{{ parameter_dict['pid-file'] }}" PidFile "{{ parameter_dict['pid-file'] }}"
ServerAdmin admin@ ServerAdmin admin@
...@@ -133,17 +135,16 @@ SSLProxyEngine On ...@@ -133,17 +135,16 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always # As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User RequestHeader unset Remote-User
{% if parameter_dict['ca-cert'] -%} {% if ca_cert_dir -%}
SSLVerifyClient optional SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile {{ parameter_dict['ca-cert'] }} RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if not parameter_dict['shared-ca-cert'] %} SSLCACertificatePath {{ ca_cert_dir }}
{% if parameter_dict['crl'] -%} {% if crl_dir -%}
SSLCARevocationCheck chain SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }} SSLCARevocationPath {{ crl_dir }}
{%- endif %} {% endif -%}
{%- endif %} {% endif -%}
{%- endif %}
ErrorLog "{{ parameter_dict['error-log'] }}" ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end # Default apache log format with request time in microsecond at the end
...@@ -163,12 +164,8 @@ Listen {{ ip }}:{{ port }} ...@@ -163,12 +164,8 @@ Listen {{ ip }}:{{ port }}
{% endfor -%} {% endfor -%}
<VirtualHost *:{{ port }}> <VirtualHost *:{{ port }}>
SSLEngine on SSLEngine on
{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%} {% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require SSLVerifyClient require
# Custom block we use for now different parameters.
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...@@ -186,11 +183,8 @@ Listen {{ ip }}:{{ port }} ...@@ -186,11 +183,8 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}> <VirtualHost {{ ip }}:{{ port }}>
SSLEngine on SSLEngine on
Timeout 3600 Timeout 3600
{% if enable_authentication and parameter_dict['ca-cert'] and parameter_dict['crl'] -%} {% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require SSLVerifyClient require
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...@@ -204,4 +198,4 @@ Listen {{ ip }}:{{ port }} ...@@ -204,4 +198,4 @@ Listen {{ ip }}:{{ port }}
RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P] RewriteRule ^/{{path}}(.*) {{ backend }}/VirtualHostBase/https/{{ ip }}:{{ port }}/VirtualHostRoot/_vh_{{ path }}$1 [L,P]
{% endfor -%} {% endfor -%}
</VirtualHost> </VirtualHost>
{% endfor -%} {% endfor -%}
\ No newline at end of file
...@@ -18,8 +18,8 @@ md5sum = 2ef0ddc206c6b0982a37cfc21f23e423 ...@@ -18,8 +18,8 @@ md5sum = 2ef0ddc206c6b0982a37cfc21f23e423
[template-balancer] [template-balancer]
filename = instance-balancer.cfg.in filename = instance-balancer.cfg.in
md5sum = ef86e09e44ac67a9b15939df0ab4a466 md5sum = d10a5ddfffa67b8ca01b3e38315bae2f
[template-apache-backend-conf] [template-apache-backend-conf]
filename = apache-backend.conf.in filename = apache-backend.conf.in
md5sum = 48f086ce1acffca7bab942b43d856fb7 md5sum = a169c1d6b0f2636f21f180e8a0b52137
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
{% set part_list = [] -%} {% set part_list = [] -%}
{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%} {% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
{% set ssl_parameter_dict = slapparameter_dict['ssl'] -%} {% set ssl_parameter_dict = slapparameter_dict['ssl'] -%}
{% set frontend_caucase_url_list = ssl_parameter_dict.get('frontend_caucase_url_list', []) -%}
{% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%} {% set shared_ca_path = slapparameter_dict.get('shared-certificate-authority-path') -%}
{# {#
XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6 XXX: This template only supports exactly one IPv4 and (if ipv6 is used) one IPv6
...@@ -28,8 +29,8 @@ mode = 644 ...@@ -28,8 +29,8 @@ mode = 644
url=ssl_parameter_dict['caucase-url'], url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater', data_dir='${directory:srv}/caucase-updater',
crt_path='${apache-conf-ssl:caucase-cert}', crt_path='${apache-conf-ssl:caucase-cert}',
ca_path='${apache-conf-ssl:ca-cert}', ca_path='${directory:srv}/caucase-updater/ca.crt',
crl_path='${apache-conf-ssl:crl}', crl_path='${directory:srv}/caucase-updater/crl.pem',
key_path='${apache-conf-ssl:caucase-key}', key_path='${apache-conf-ssl:caucase-key}',
on_renew='${apache-graceful:output}', on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0), max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
...@@ -37,6 +38,69 @@ mode = 644 ...@@ -37,6 +38,69 @@ mode = 644
openssl=parameter_dict['openssl'] ~ '/bin/openssl', openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}} )}}
{% do section('caucase-updater') -%} {% do section('caucase-updater') -%}
{% do section('caucase-updater-promise') -%}
{% set frontend_caucase_url_hash_list = [] -%}
{% for frontend_caucase_url in frontend_caucase_url_list -%}
{% set hash = hashlib.md5(frontend_caucase_url).hexdigest() -%}
{% do frontend_caucase_url_hash_list.append(hash) -%}
{% set data_dir = '${directory:srv}/client-cert-ca/%s' % hash -%}
{{ caucase.updater(
prefix='caucase-updater-%s' % hash,
buildout_bin_directory=parameter_dict['bin-directory'],
updater_path='${directory:services-on-watch}/caucase-updater-%s' % hash,
url=frontend_caucase_url,
data_dir=data_dir,
ca_path='%s/ca.crt' % data_dir,
crl_path='%s/crl.pem' % data_dir,
on_renew='${caucase-updater-housekeeper:output}; ${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
openssl=parameter_dict['openssl'] ~ '/bin/openssl',
)}}
{% do section('caucase-updater-%s' % hash) -%}
{% endfor -%}
{% if frontend_caucase_url_hash_list -%}
[caucase-updater-housekeeper]
recipe = collective.recipe.template
output = ${directory:bin}/caucase-updater-housekeeper
mode = 700
input =
inline:
#!${buildout:executable}
import glob
import os
import subprocess
hash_list = {{ repr(frontend_caucase_url_hash_list) }}
crt_list = ['%s.crt' % e for e in hash_list]
crl_list = ['%s.crl' % e for e in hash_list]
{% if shared_ca_path -%}
crt_list.append('{{ shared_ca_path }}/cacert.pem')
crl_list.append('{{ shared_ca_path }}/crl')
{% endif -%}
for path in glob.glob('${apache-conf-ssl:ca-cert-dir}/*.crt'):
if os.path.basename(path) not in crt_list:
os.unlink(path)
for path in glob.glob('${apache-conf-ssl:crl-dir}/*.crl'):
if os.path.basename(path) not in crl_list:
os.unlink(path)
for hash in hash_list:
crt = '${directory:srv}/client-cert-ca/%s/ca.crt' % hash
crt_link = '${apache-conf-ssl:ca-cert-dir}/%s.crt' % hash
crl = '${directory:srv}/client-cert-ca/%s/crl.pem' % hash
crl_link = '${apache-conf-ssl:crl-dir}/%s.crl' % hash
if os.path.isfile(crt) and not os.path.islink(crt_link):
os.symlink(crt, crt_link)
if os.path.isfile(crl) and not os.path.islink(crl_link):
os.symlink(crl, crl_link)
subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:ca-cert-dir}'])
subprocess.check_call(['{{ parameter_dict["openssl"] }}/bin/c_rehash', '${apache-conf-ssl:crl-dir}'])
[caucase-updater-housekeeper-run]
recipe = plone.recipe.command
command = ${caucase-updater-housekeeper:output}
update-command = ${:command}
{% endif -%}
{% set haproxy_dict = {} -%} {% set haproxy_dict = {} -%}
{% set apache_dict = {} -%} {% set apache_dict = {} -%}
...@@ -123,8 +187,27 @@ key = ${directory:apache-conf}/apache.pem ...@@ -123,8 +187,27 @@ key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now # XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem caucase-key = ${directory:apache-conf}/apache-caucase.pem
ca-cert = ${directory:apache-conf}/ca.crt {% if frontend_caucase_url_list -%}
crl = ${directory:apache-conf}/crl.pem depends = ${caucase-updater-housekeeper-run:recipe}
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
{%- endif %}
[simplefile]
< = jinja2-template-base
template = inline:{{ '{{ content }}' }}
{% macro simplefile(section_name, file_path, content, mode='') -%}
{% set content_section_name = section_name ~ '-content' -%}
[{{ content_section_name }}]
content = {{ dumps(content) }}
[{{ section(section_name) }}]
< = simplefile
rendered = {{ file_path }}
context = key content {{content_section_name}}:content
mode = {{ mode }}
{%- endmacro %}
[apache-ssl] [apache-ssl]
{% if ssl_parameter_dict.get('key') -%} {% if ssl_parameter_dict.get('key') -%}
...@@ -154,13 +237,10 @@ cert = ${apache-ssl:cert} ...@@ -154,13 +237,10 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key} key = ${apache-ssl:key}
cipher = cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if frontend_caucase_url_list -%}
# Client x509 auth # Client x509 auth
ca-cert = ${apache-conf-ssl:ca-cert} ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl = ${apache-conf-ssl:crl} crl-dir = ${apache-conf-ssl:crl-dir}
{% if shared_ca_path -%}
shared-ca-cert = {{ shared_ca_path }}/cacert.pem
shared-crl = {{ shared_ca_path }}/crl
{%- endif %} {%- endif %}
[apache-conf] [apache-conf]
...@@ -186,8 +266,8 @@ input = inline: ...@@ -186,8 +266,8 @@ input = inline:
kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')" kill -USR1 "$(cat '${apache-conf-parameter-dict:pid-file}')"
[{{ section('apache-promise') }}] [{{ section('apache-promise') }}]
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
<= monitor-promise-base <= monitor-promise-base
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
module = check_port_listening module = check_port_listening
name = apache.py name = apache.py
config-hostname = {{ ipv4 }} config-hostname = {{ ipv4 }}
...@@ -228,6 +308,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi ...@@ -228,6 +308,10 @@ post = test ! -s ${apache-conf-parameter-dict:pid-file} || {{ parameter_dict['bi
[directory] [directory]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache apache-conf = ${:etc}/apache
{% if frontend_caucase_url_list -%}
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
{% endif -%}
bin = ${buildout:directory}/bin bin = ${buildout:directory}/bin
etc = ${buildout:directory}/etc etc = ${buildout:directory}/etc
services = ${:etc}/run services = ${:etc}/run
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment