Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Leo Le Bouter
slapos
Commits
e35f6236
Commit
e35f6236
authored
Jun 15, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.
parent
dfde2c8e
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
22 additions
and
43 deletions
+22
-43
component/apache/apache-backend.conf.in
component/apache/apache-backend.conf.in
+5
-26
component/apache/buildout.hash.cfg
component/apache/buildout.hash.cfg
+1
-1
software/cloudooo/buildout.hash.cfg
software/cloudooo/buildout.hash.cfg
+1
-1
software/cloudooo/instance-cloudooo.cfg.in
software/cloudooo/instance-cloudooo.cfg.in
+15
-15
No files found.
component/apache/apache-backend.conf.in
View file @
e35f6236
...
@@ -23,15 +23,6 @@
...
@@ -23,15 +23,6 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>",
# "ssl-session-cache": "<folder_path>",
#
#
# # The path given to "SSLCACertificateFile" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>",
#
# # The path given to "SSLCARevocationFile" (used if ca-cert is not
# # empty)
# "crl": "<file_path>",
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# # (Enabling "SSLVerifyClient require")
...
@@ -78,7 +69,7 @@
...
@@ -78,7 +69,7 @@
# From to `backend-list`:
# From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert
-dir
`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client.
# accepting requests from any client.
...
@@ -92,9 +83,7 @@
...
@@ -92,9 +83,7 @@
# For more details, refer to
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule access_compat_module modules/mod_access_compat.so
...
@@ -146,26 +135,16 @@ SSLProxyEngine On
...
@@ -146,26 +135,16 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
RequestHeader unset Remote-User
{% if ca_cert
or ca_cert
_dir -%}
{% if ca_cert_dir -%}
SSLVerifyClient optional
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if ca_cert -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
{% if crl -%}
SSLCARevocationFile {{ crl }}
{% endif -%}
{% if crl_dir -%}
{% if crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationPath {{ crl_dir }}
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
{% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}"
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
# Default apache log format with request time in microsecond at the end
...
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
...
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
{% endfor -%}
<VirtualHost *:{{ port }}>
<VirtualHost *:{{ port }}>
SSLEngine on
SSLEngine on
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
...
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
SSLEngine on
Timeout 3600
Timeout 3600
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
component/apache/buildout.hash.cfg
View file @
e35f6236
...
@@ -14,5 +14,5 @@
...
@@ -14,5 +14,5 @@
# not need these here).
# not need these here).
[template-apache-backend-conf]
[template-apache-backend-conf]
filename = apache-backend.conf.in
filename = apache-backend.conf.in
md5sum =
4a13ad45e38e14ca7027c17192c90205
md5sum =
a169c1d6b0f2636f21f180e8a0b52137
software/cloudooo/buildout.hash.cfg
View file @
e35f6236
...
@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
...
@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
[template-cloudooo-instance]
[template-cloudooo-instance]
filename = instance-cloudooo.cfg.in
filename = instance-cloudooo.cfg.in
md5sum =
e01ee969a45d44d386653a9eb699cc59
md5sum =
971bf5ab61012a5e227d3208f1717d3b
software/cloudooo/instance-cloudooo.cfg.in
View file @
e35f6236
...
@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert}
...
@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
key = ${apache-ssl:key}
cipher =
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if ssl_parameter_dict.get('ca-cert') -%}
# Client x509 auth
# Client x509 auth
ca-cert = ${apache-ssl-client:cert}
ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl = ${apache-ssl-client:crl}
crl-dir = ${apache-conf-ssl:crl-dir}
{% endif -%}
[apache-promise]
[apache-promise]
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
...
@@ -127,8 +129,15 @@ config-http_code = 400
...
@@ -127,8 +129,15 @@ config-http_code = 400
[apache-conf-ssl]
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
key = ${directory:apache-conf}/apache.pem
ca-cert = ${directory:apache-conf}/ca.crt
{% if ssl_parameter_dict.get('ca-cert') -%}
crl = ${directory:apache-conf}/crl.pem
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
{{ simplefile('apache-ssl-ca', '${:ca-cert-dir}/ca.crt', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${:crl-dir}/crl.pem', ssl_parameter_dict['crl']) }}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:ca-cert-dir}"; "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:crl-dir}"
update-command = ${:command}
{%- endif %}
[apache-ssl]
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
{% if ssl_parameter_dict.get('key') -%}
...
@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key}
...
@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
cert = ${apache-conf-ssl:cert}
{%- endif %}
{%- endif %}
[apache-ssl-client]
{% if ssl_parameter_dict.get('ca-cert') -%}
cert = ${apache-ssl-ca:rendered}
crl = ${apache-ssl-crl:rendered}
{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
{% else %}
cert =
crl =
{%- endif %}
[apache-logrotate]
[apache-logrotate]
< = logrotate-entry-base
< = logrotate-entry-base
name = apache
name = apache
...
@@ -268,6 +266,8 @@ link-binary =
...
@@ -268,6 +266,8 @@ link-binary =
[directory]
[directory]
recipe = slapos.cookbook:mkdirectory
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
apache-conf = ${:etc}/apache
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
bin = ${buildout:directory}/bin
bin = ${buildout:directory}/bin
ca-dir = ${buildout:directory}/srv/ssl
ca-dir = ${buildout:directory}/srv/ssl
certs = ${:ca-dir}/certs
certs = ${:ca-dir}/certs
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment