Commit 428b69b7 authored by Alain Takoudjou's avatar Alain Takoudjou

add new stack certificate authority with support for CA web mode

Auth server is an apache httpd which validate client certificate for authentification.
It autmatically request certificate to CA web (required to this work on SlapOS)
parent a9fbc474
[buildout]
extends =
../../component/apache/buildout.cfg
../../component/curl/buildout.cfg
../../component/dash/buildout.cfg
../../component/dcron/buildout.cfg
../../component/openssl/buildout.cfg
../../component/gzip/buildout.cfg
../../component/lxml-python/buildout.cfg
../../component/pycurl/buildout.cfg
../../component/python-cryptography/buildout.cfg
../../stack/logrotate/buildout.cfg
parts =
template-logrotate-base
[extra-eggs]
recipe = zc.recipe.egg
eggs =
slapos.toolbox
plone.recipe.command
collective.recipe.template
[template-ca-download-base]
recipe = hexagonit.recipe.download
ignore-existing = true
download-only = true
url = ${:_profile_base_location_}/template/${:filename}
mode = 0644
[template-httpd-auth-conf]
<= template-ca-download-base
md5sum = ea445b0a9b143d12b5700a71ac06293c
filename = template-httpd-auth.conf.in
[template-openssl-cnf]
<= template-ca-download-base
md5sum = ddbff3b56db7e0f9e88c8905e9c3678b
filename = openssl.cnf.in
[template-authenticated-server]
recipe = slapos.recipe.template:jinja2
filename = template-authenticated-server.cfg
template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
rendered = ${buildout:directory}/template-authenticated-server.cfg
md5sum = 7677333023b89dc345c18eace252e34a
context =
key apache_location apache:location
key gzip_location gzip:location
key template_logrotate_base template-logrotate-base:rendered
raw certificate_request_bin ${buildout:directory}/bin/ca-web-request
raw curl_executable_location ${curl:location}/bin/curl
raw dash_executable_location ${dash:location}/bin/dash
raw dcron_executable_location ${dcron:location}/sbin/crond
raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
raw template_httpd_auth_template ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
raw openssl_executable_location ${openssl:location}/bin/openssl
raw python_executable ${buildout:executable}
depends =
${extra-eggs:eggs}
[template-certificate-authority]
recipe = slapos.recipe.template:jinja2
filename = template-certificate-authority.cfg
template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
rendered = ${buildout:directory}/template-certificate-authority.cfg
md5sum = 6403eec50f70a1a989480052df42d025
context =
key template_logrotate_base template-logrotate-base:rendered
raw curl_executable_location ${curl:location}/bin/curl
raw certificate_authority_bin ${buildout:directory}/bin/certificate_authority
raw dash_executable_location ${dash:location}/bin/dash
raw openssl_executable_location ${openssl:location}/bin/openssl
raw template_openssl_conf ${template-openssl-cnf:location}/${template-openssl-cnf:filename}
depends =
${extra-eggs:eggs}
[buildout]
extends =
{{ template_logrotate_base }}
parts =
authenticated-httpd-server
[authenticated-server-parameters]
ca-url =
common-name = instance@${slap-configuration:instance-title}
server-port = 8286
custom-httpd-file =
web-directory = ${directory:document-root}
[directory]
recipe = slapos.cookbook:mkdirectory
etc = ${buildout:directory}/etc
bin = ${buildout:directory}/bin
srv = ${buildout:directory}/srv
var = ${buildout:directory}/var
ssl = ${:etc}/ssl
run = ${:var}/run
log = ${:var}/log
scripts = ${:etc}/run
services = ${:etc}/service
promises = ${:etc}/promise
document-root = ${:srv}/private
[server-certificate-request]
recipe = slapos.cookbook:wrapper
wrapper-path = ${directory:scripts}/request-instance-certificate
cert-file = ${directory:ssl}/instance.cert.pem
key-file = ${directory:ssl}/instance.key.pem
ca-cert = ${directory:ssl}/cacert.pem
command-line = {{ certificate_request_bin }}
--cert_file ${:cert-file}
--key_file ${:key-file}
--cn ${authenticated-server-parameters:common-name}
--ca_url ${authenticated-server-parameters:ca-url}
--ca_cert_file ${:ca-cert}
[authenticated-httpd-conf-parameter]
ip = ${slap-configuration:ipv6-random}
port = ${authenticated-server-parameters:server-port}
pid-file = ${directory:run}/httpd-auth.pid
dav-lock = ${directory:var}/DavLockdb
access-log = ${directory:log}/httpd-auth-access.log
error-log = ${directory:log}/httpd-auth-error.log
cert-file = ${server-certificate-request:cert-file}
key-file = ${server-certificate-request:key-file}
ca-cert = ${server-certificate-request:ca-cert}
url = https://[${:ip}]:${:port}
private = ${authenticated-server-parameters:web-directory}
httpd-include-file = ${authenticated-server-parameters:custom-httpd-file}
crl =
[authenticated-httpd-conf]
recipe = slapos.recipe.template:jinja2
template = {{ template_httpd_auth_template }}
rendered = ${directory:etc}/httpd-auth.conf
mode = 0744
context =
section parameter_dict authenticated-httpd-conf-parameter
[authenticated-httpd-graceful]
recipe = collective.recipe.template
input = inline:
#!{{ dash_executable_location }}
kill -USR1 $(cat ${authenticated-httpd-conf-parameter:pid-file})
output = ${directory:scripts}/authenticated-httpd-graceful
mode = 700
[authenticated-httpd-server]
recipe = slapos.cookbook:wrapper
command-line = {{ apache_location }}/bin/httpd -f ${authenticated-httpd-conf:rendered} -DFOREGROUND
wrapper-path = ${directory:services}/authenticated-httpd-server
wait-for-files =
${server-certificate-request:cert-file}
${server-certificate-request:key-file}
${server-certificate-request:ca-cert}
url = ${authenticated-httpd-conf-parameter:url}
depends =
${authenticated-httpd-promise:filename}
${authenticated-httpd-graceful:output}
${logrotate-authenticated-httpd:name}
[logrotate-authenticated-httpd]
< = logrotate-entry-base
name = authenticated-httpd-server
log = ${authenticated-httpd-conf-parameter:access-log} ${authenticated-httpd-conf-parameter:access-log}
post = {{ slapos_kill_bin }} --pidfile ${authenticated-httpd-conf-parameter:pid-file} -s USR1
[authenticated-httpd-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = authenticated-httpd-is-available
url = ${authenticated-httpd-conf-parameter:url}
check-secure = 1
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
cert-file = ${server-certificate-request:cert-file}
key-file = ${server-certificate-request:key-file}
ca-cert-file = ${server-certificate-request:ca-cert}
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration.serialised
computer = ${slap-connection:computer-id}
partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
[buildout]
extends =
{{ template_logrotate_base }}
parts =
certificate-authority
certificate-authority-web
[certificate-authority-parameters]
server-port = 8009
crl-url = http://[${slap-configuration:ipv6-random}]:${:server-port}/cacrl.pem
[directory]
recipe = slapos.cookbook:mkdirectory
etc = ${buildout:directory}/etc
bin = ${buildout:directory}/bin
srv = ${buildout:directory}/srv
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
scripts = ${:etc}/run
services = ${:etc}/service
promises = ${:etc}/promise
[ca-directory]
recipe = slapos.cookbook:mkdirectory
root = ${directory:srv}/ssl
ca-web = ${directory:srv}/ca
requests = ${:root}/requests
private = ${:root}/private
certs = ${:root}/certs
newcerts = ${:root}/newcerts
crl = ${:root}/crl
[certificate-authority]
recipe = slapos.cookbook:certificate_authority
openssl-binary = {{ openssl_executable_location }}
ca-dir = ${ca-directory:root}
requests-directory = ${ca-directory:requests}
wrapper = ${directory:services}/certificate_authority
ca-private = ${ca-directory:private}
ca-certs = ${ca-directory:certs}
ca-newcerts = ${ca-directory:newcerts}
ca-crl = ${ca-directory:crl}
[openssl-parameter-dict]
ca-dir = ${ca-directory:ca-web}
cert-days = 3650
country-code = XX
state = ('State',)
city = City
compagny = Company
# common-name = XXX
email = xx@example.com
crl-url = ${certificate-authority-parameters:crl-url}
[openssl-conf]
recipe = slapos.recipe.template:jinja2
template = {{ template_openssl_conf }}
rendered = ${ca-directory:ca-web}/openssl.cnf
mode = 700
context =
section parameter_dict openssl-parameter-dict
[certificate-authority-web]
recipe = slapos.cookbook:wrapper
host = ${slap-configuration:ipv6-random}
port = ${certificate-authority-parameters:server-port}
wrapper-path = ${directory:services}/certificate-authority-web
command-line = {{ certificate_authority_bin }}
--ca_dir ${ca-directory:ca-web}
--openssl_bin "{{ openssl_executable_location }}"
--config_file "${openssl-conf:rendered}"
--host "${:host}"
--port "${:port}"
--log_file "${directory:log}/ca-web.log"
--trusted_host ${:host}
url = http://[${:host}]:${:port}
depends =
${certificate-authority-web-promise:filename}
[certificate-authority-web-promise]
recipe = slapos.cookbook:check_url_available
path = ${directory:promises}/${:filename}
filename = certificate-authority-web-listening-on-tcp
url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
check-secure = 1
dash_path = {{ dash_executable_location }}
curl_path = {{ curl_executable_location }}
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration.serialised
computer = ${slap-connection:computer-id}
partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
This diff is collapsed.
Listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule alias_module modules/mod_alias.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so
LoadModule env_module modules/mod_env.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
ServerAdmin admin@
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
ServerTokens Prod
ServerSignature Off
TraceEnable Off
PidFile "{{ parameter_dict['pid-file'] }}"
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ parameter_dict['access-log'] }}" combined
# SSL Configuration
Define SSLConfigured
SSLCertificateFile {{ parameter_dict['cert-file'] }}
SSLCertificateKeyFile {{ parameter_dict['key-file'] }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLEngine On
<Directory />
Options FollowSymLinks
AllowOverride None
Allow from all
</Directory>
<VirtualHost *:{{ parameter_dict['port'] }}>
DavLockDB {{ parameter_dict['dav-lock'] }}
SSLVerifyClient require
RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if parameter_dict['crl'] -%}
SSLCARevocationCheck chain
SSLCARevocationFile {{ parameter_dict['crl'] }}
{%- endif %}
Alias / {{ parameter_dict['private'] }}/
<Directory {{ parameter_dict['private'] }}>
DirectoryIndex disabled
DAV On
Options Indexes FollowSymLinks
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
{% if parameter_dict.get('httpd-include-file', '') -%}
# Custom apache configuration here
Include {{ parameter_dict['httpd-include-file'] }}
{% endif -%}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment