Commit e35f6236 authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.

parent dfde2c8e
...@@ -23,15 +23,6 @@ ...@@ -23,15 +23,6 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)" # # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>", # "ssl-session-cache": "<folder_path>",
# #
# # The path given to "SSLCACertificateFile" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>",
#
# # The path given to "SSLCARevocationFile" (used if ca-cert is not
# # empty)
# "crl": "<file_path>",
#
# # The path given to "SSLCACertificatePath" (can be empty) # # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check. # # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require") # # (Enabling "SSLVerifyClient require")
...@@ -78,7 +69,7 @@ ...@@ -78,7 +69,7 @@
# From to `backend-list`: # From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and # - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001 # - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`. # only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003 # - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003 # - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client. # accepting requests from any client.
...@@ -92,9 +83,7 @@ ...@@ -92,9 +83,7 @@
# For more details, refer to # For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together # https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#} -#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%} {% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%} {% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so LoadModule access_compat_module modules/mod_access_compat.so
...@@ -146,26 +135,16 @@ SSLProxyEngine On ...@@ -146,26 +135,16 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always # As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User RequestHeader unset Remote-User
{% if ca_cert or ca_cert_dir -%} {% if ca_cert_dir -%}
SSLVerifyClient optional SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'" RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if ca_cert -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }} SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
{% if crl -%}
SSLCARevocationFile {{ crl }}
{% endif -%}
{% if crl_dir -%} {% if crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationPath {{ crl_dir }} SSLCARevocationPath {{ crl_dir }}
{% endif -%} {% endif -%}
{% endif -%} {% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}" ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end # Default apache log format with request time in microsecond at the end
...@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }} ...@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
{% endfor -%} {% endfor -%}
<VirtualHost *:{{ port }}> <VirtualHost *:{{ port }}>
SSLEngine on SSLEngine on
{% if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%} {% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }} ...@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}> <VirtualHost {{ ip }}:{{ port }}>
SSLEngine on SSLEngine on
Timeout 3600 Timeout 3600
{% if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%} {% if enable_authentication and ca_cert_dir -%}
SSLVerifyClient require SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
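Review bot: The new guards on the two `SSLVerifyClient require` lines (this hunk and the one above it at "@@ -185,7 +164,7 @@") drop the CRL half of the old condition, so `enable_authentication` now enforces client certificates with no revocation source at all, whereas the old side refused to enforce unless `crl` or `crl-dir` was also set; if that is intended, say so in the header comment, otherwise keep the pairing with `{% if enable_authentication and ca_cert_dir and crl_dir -%}`. In the "@@ -92,9 +83,7 @@" hunk the template simply stops reading `ca-cert` and `crl`, so a caller that still passes only those keys gets no `SSLVerifyClient` directive at all (Apache's default is `none`) and `Remote-User` is never set — the "deprecation" fails open rather than loudly. At minimum the header comment should record the removal, e.g. `# # "ca-cert" and "crl" are no longer honoured; pass "ca-cert-dir" / "crl-dir" (c_rehash'ed directories) instead.`, and ideally rendering should fail when the old keys are present, using whatever assertion facility the template environment offers (not visible here). The enclosing `<VirtualHost>` blocks of both hunks continue outside the hunk.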
...@@ -14,5 +14,5 @@ ...@@ -14,5 +14,5 @@
# not need these here). # not need these here).
[template-apache-backend-conf] [template-apache-backend-conf]
filename = apache-backend.conf.in filename = apache-backend.conf.in
md5sum = 4a13ad45e38e14ca7027c17192c90205 md5sum = a169c1d6b0f2636f21f180e8a0b52137
...@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0 ...@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
[template-cloudooo-instance] [template-cloudooo-instance]
filename = instance-cloudooo.cfg.in filename = instance-cloudooo.cfg.in
md5sum = e01ee969a45d44d386653a9eb699cc59 md5sum = 971bf5ab61012a5e227d3208f1717d3b
...@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert} ...@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key} key = ${apache-ssl:key}
cipher = cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if ssl_parameter_dict.get('ca-cert') -%}
# Client x509 auth # Client x509 auth
ca-cert = ${apache-ssl-client:cert} ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl = ${apache-ssl-client:crl} crl-dir = ${apache-conf-ssl:crl-dir}
{% endif -%}
[apache-promise] [apache-promise]
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently # Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
...@@ -127,8 +129,15 @@ config-http_code = 400 ...@@ -127,8 +129,15 @@ config-http_code = 400
[apache-conf-ssl] [apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem key = ${directory:apache-conf}/apache.pem
ca-cert = ${directory:apache-conf}/ca.crt {% if ssl_parameter_dict.get('ca-cert') -%}
crl = ${directory:apache-conf}/crl.pem ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
{{ simplefile('apache-ssl-ca', '${:ca-cert-dir}/ca.crt', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${:crl-dir}/crl.pem', ssl_parameter_dict['crl']) }}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:ca-cert-dir}"; "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:crl-dir}"
update-command = ${:command}
{%- endif %}
[apache-ssl] [apache-ssl]
{% if ssl_parameter_dict.get('key') -%} {% if ssl_parameter_dict.get('key') -%}
...@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key} ...@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert} cert = ${apache-conf-ssl:cert}
{%- endif %} {%- endif %}
[apache-ssl-client]
{% if ssl_parameter_dict.get('ca-cert') -%}
cert = ${apache-ssl-ca:rendered}
crl = ${apache-ssl-crl:rendered}
{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
{% else %}
cert =
crl =
{%- endif %}
[apache-logrotate] [apache-logrotate]
< = logrotate-entry-base < = logrotate-entry-base
name = apache name = apache
...@@ -268,6 +266,8 @@ link-binary = ...@@ -268,6 +266,8 @@ link-binary =
[directory] [directory]
recipe = slapos.cookbook:mkdirectory recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache apache-conf = ${:etc}/apache
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
bin = ${buildout:directory}/bin bin = ${buildout:directory}/bin
ca-dir = ${buildout:directory}/srv/ssl ca-dir = ${buildout:directory}/srv/ssl
certs = ${:ca-dir}/certs certs = ${:ca-dir}/certs
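Review bot: The `c_rehash` part added in the "@@ -127,8 +129,15 @@" hunk (`recipe = plone.recipe.command` … `update-command = ${:command}`) declares no dependency on the parts that write `ca.crt` and `crl.pem`, so buildout may run it before those files exist and the hash links Apache needs under `SSLCACertificatePath`/`SSLCARevocationPath` are then missing until a later update. The removed `[apache-ssl-client]` section referenced `${apache-ssl-ca:rendered}`, which shows `simplefile(...)` emits its own `[apache-ssl-ca]`/`[apache-ssl-crl]` sections; if so, the two calls placed in the middle of `[apache-conf-ssl]` mean `${:ca-cert-dir}` in the file path and the trailing `recipe`/`command`/`update-command` lines most likely land in the macro's section rather than in `[apache-conf-ssl]` (confirm against the macro definition, which is not in this diff). A safer shape keeps `[apache-conf-ssl]` to plain options, moves the `simplefile` calls after it, and runs `c_rehash` from a section that references both rendered files so ordering is explicit; consumers such as `ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}` in the earlier hunk then pull the rehash step in transitively.
```jinja
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
{% if ssl_parameter_dict.get('ca-cert') -%}
ca-cert-dir = ${apache-ssl-rehash:ca-cert-dir}
crl-dir = ${apache-ssl-rehash:crl-dir}

{{ simplefile('apache-ssl-ca', '${directory:apache-ca-cert-dir}/ca.crt', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${directory:apache-crl-dir}/crl.pem', ssl_parameter_dict['crl']) }}

# (section name constructed for this proposal) runs only after both files are rendered
[apache-ssl-rehash]
recipe = plone.recipe.command
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
ca-cert = ${apache-ssl-ca:rendered}
crl = ${apache-ssl-crl:rendered}
command = "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${:ca-cert-dir}"; "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${:crl-dir}"
update-command = ${:command}
{%- endif %}
```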