caddy-frontend: Generate self-signed certificates for ip access

Caddy since 0.11.1 requires that certificate match the exposed site, so in order to being able to serve ip access sites each frontend node needs to generate certificate with its IP in the subjectAltName.

caddy-frontend: Generate self-signed certificates for ip access
Caddy since 0.11.1 requires that certificate match the exposed site, so in order to being able to serve ip access sites each frontend node needs to generate certificate with its IP in the subjectAltName.
9c691cc0 · Łukasz Nowak · Łukasz Nowak · e7555f4f · 9c691cc0 · 9c691cc0
Commit 9c691cc0 authored Nov 28, 2018 by Łukasz Nowak Committed by Łukasz Nowak Dec 05, 2018
5 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b

 [template-apache-frontend]
 filename = instance-apache-frontend.cfg.in
-md5sum = a9be268aa485aa464cec25fea962faba
+md5sum = 395ea5b3389e26a57dad0f91cd458630

 [template-apache-replicate]
 filename = instance-apache-replicate.cfg.in
@@ -30,7 +30,7 @@ md5sum = 6a86edb96b171fbd0a59d0adc9cc906b

 [template-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = b30bcd11c545d86c30d05db9cecb4f80
+md5sum = 434e00cbfee2f9c002b2a83084a48b4a

 [template-slave-configuration]
 filename = templates/custom-virtualhost.conf.in
@@ -42,11 +42,11 @@ md5sum = 01efde8febafcff6dde2ebb43e75a9e4

 [template-caddy-frontend-configuration]
 filename = templates/Caddyfile.in
-md5sum = 7c987ad75fcce6f5b925c7696ff41971
+md5sum = 0134a1586f15cd5665069d6d81a505be

 [template-custom-slave-list]
 filename = templates/apache-custom-slave-list.cfg.in
-md5sum = b30bcd11c545d86c30d05db9cecb4f80
+md5sum = 434e00cbfee2f9c002b2a83084a48b4a

 [caddy-backend-url-validator]
 filename = templates/caddy-backend-url-validator.in
@@ -70,7 +70,7 @@ md5sum = 7cbcadc295860821ac9d3aaa3cca72c5

 [template-log-access]
 filename = templates/template-log-access.conf.in
-md5sum = f2a74f88c7248f199011fa9ec6182f73
+md5sum = 122b05829ecc4c0ad4e47e7d1c21166b

 [template-empty]
 filename = templates/empty.in

--- a/software/caddy-frontend/instance-apache-frontend.cfg.in
+++ b/software/caddy-frontend/instance-apache-frontend.cfg.in
@@ -97,10 +97,36 @@ single-custom-personal = ${dynamic-custom-personal-template-slave-list:rendered}
 [frontend-configuration]
 template-log-access = {{ parameter_dict['template_log_access'] }}
 log-access-configuration = ${directory:etc}/log-access.conf
+ip-access-certificate = ${self-signed-ip-access:certificate}
+ip-access-key = ${self-signed-ip-access:key}
 caddy-directory = {{ parameter_dict['caddy_location'] }}
 caddy-ipv6 = {{ instance_parameter['ipv6-random'] }}
 caddy-https-port = ${configuration:port}

+[self-signed-ip-access]
+# Self Signed certificate for HTTPS IP accesses to the frontend
+recipe = plone.recipe.command
+update-command = ${:command}
+ipv6 = ${slap-network-information:global-ipv6}
+ipv4 = {{instance_parameter['ipv4-random']}}
+key = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.key
+certificate = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.crt
+stop-on-error = True
+command =
+  [ -f ${:key} ] && [ -f ${:certificate} ] && exit 0
+  rm -f ${:key} ${:certificate}
+  /bin/bash -c ' \
+  {{ parameter_dict['openssl'] }}/bin/openssl req \
+     -new -newkey rsa:2048 -sha256 \
+     -nodes -x509 -days 36500 \
+     -keyout ${:key} \
+     -subj "/CN=Self Signed IP Access" \
+     -reqexts SAN \
+     -extensions SAN \
+     -config <(cat {{ parameter_dict['openssl'] }}/etc/ssl/openssl.cnf \
+         <(printf "\n[SAN]\nsubjectAltName=IP:${:ipv6},IP:${:ipv4}")) \
+     -out ${:certificate}'
+
 [jinja2-template-base]
 recipe = slapos.recipe.template:jinja2
 rendered = ${buildout:directory}/${:filename}

--- a/software/caddy-frontend/templates/Caddyfile.in
+++ b/software/caddy-frontend/templates/Caddyfile.in
@@ -30,7 +30,7 @@ import {{ slave_with_cache_configuration_directory }}/*.conf

 # Access to server-status Caddy-style
 https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
-  tls {{ login_certificate }} {{ login_key }}
+  tls {{ frontend_configuration['ip-access-certificate'] }} {{ frontend_configuration['ip-access-key'] }}
  # Compress the output
  gzip
  bind {{ local_ipv4 }}

--- a/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
+++ b/software/caddy-frontend/templates/apache-custom-slave-list.cfg.in
@@ -379,8 +379,8 @@ local_ipv4 = {{ dumps(local_ipv4) }}
 global_ipv6 = {{ dumps(global_ipv6) }}
 https_port = {{ dumps(https_port) }}
 http_port = {{ dumps(http_port) }}
-login_certificate = {{ dumps(login_certificate) }}
-login_key = {{ dumps(login_key) }}
+ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
+ip_access_key = {{ frontend_configuration.get('ip-access-key') }}
 access_log = {{ dumps(access_log) }}
 error_log = {{ dumps(error_log) }}
 not_found_file = {{ dumps(not_found_file) }}
@@ -394,6 +394,7 @@ extra-context =
    section slave_password slave-password
    section parameter_dict caddy-log-access-parameters

+
 {# Publish information for the instance #}
 [publish-caddy-information]
 recipe = slapos.cookbook:publish.serialised

--- a/software/caddy-frontend/templates/template-log-access.conf.in
+++ b/software/caddy-frontend/templates/template-log-access.conf.in
@@ -3,7 +3,7 @@ https://[{{ parameter_dict['global_ipv6'] }}]:{{ parameter_dict['https_port'] }}
  bind {{ parameter_dict['local_ipv4'] }}
  root {{ directory }}/
  browse
-  tls {{ parameter_dict['login_certificate'] }} {{ parameter_dict['login_key'] }}
+  tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_key'] }}
  basicauth "{{ slave }}" {{ slave_password[slave] | trim }} {
    "Log Access {{ slave }}"
    /