From f3726080234c97b026fb8d1ad46b522bd99359f3 Mon Sep 17 00:00:00 2001
From: Julien Muchembled <jm@nexedi.com>
Date: Sun, 21 Mar 2021 04:53:21 +0100
Subject: [PATCH] re6stnet: remove SSL support for registry

The re6st registry is designed to work with plain HTTP because it does authentication & encryption internally.
---
 software/re6stnet/apache.conf.in | 17 --------
 software/re6stnet/buildout.hash.cfg | 4 +-
 software/re6stnet/instance-re6stnet.cfg.in | 51 +---------------------
 software/re6stnet/test/test.py | 33 --------------
 4 files changed, 4 insertions(+), 101 deletions(-)

diff --git a/software/re6stnet/apache.conf.in b/software/re6stnet/apache.conf.in
index e72c46f70..424b236f8 100644
--- a/software/re6stnet/apache.conf.in
+++ b/software/re6stnet/apache.conf.in
@@ -8,7 +8,6 @@ LoadModule version_module modules/mod_version.so
 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-LoadModule ssl_module modules/mod_ssl.so
 LoadModule mime_module modules/mod_mime.so
 #LoadModule dav_module modules/mod_dav.so
 #LoadModule dav_fs_module modules/mod_dav_fs.so
@@ -31,17 +30,6 @@ ErrorLog "{{ error_log }}"
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
 CustomLog "{{ access_log }}" combined
-{% if uri_scheme == 'https' -%}
-# SSL Configuration
-SSLCertificateFile {{ certificate }}
-SSLCertificateKeyFile {{ key }}
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-SSLHonorCipherOrder on
-{% endif -%}
-
 <Directory />
 Options FollowSymLinks
 AllowOverride None
@@ -50,10 +38,5 @@ SSLHonorCipherOrder on
 Listen {{ ipv6 }}:{{ apache_port }}
 <VirtualHost *:{{ apache_port }}>
-{% if uri_scheme == 'https' -%}
- SSLEngine On
- SSLProxyEngine On
-{% endif -%}
-
 ProxyPass / http://{{ re6st_ipv4 }}:{{ re6st_port }}/
 </VirtualHost>
diff --git a/software/re6stnet/buildout.hash.cfg b/software/re6stnet/buildout.hash.cfg
index bf71d0e20..9deda93d7 100644
--- a/software/re6stnet/buildout.hash.cfg
+++ b/software/re6stnet/buildout.hash.cfg
@@ -18,11 +18,11 @@ md5sum = eea691b0919812b9717f17005f06681d
 [template-re6stnet]
 filename = instance-re6stnet.cfg.in
-md5sum = 7074948c958220e39a44f2c6cb56a0bb
+md5sum = 066c1e4e0b97a39bd40da56622921791
 [template-apache-conf]
 filename = apache.conf.in
-md5sum = 2ed3c4e9b9d58d2e57cda227bdd454d2
+md5sum = 3d55f7c9c4fc7279f06bfe6313a78a4b
 [template-re6st-registry-conf]
 filename = re6st-registry.conf.in
diff --git a/software/re6stnet/instance-re6stnet.cfg.in b/software/re6stnet/instance-re6stnet.cfg.in
index 950d901b2..a1ef0e2ba 100644
--- a/software/re6stnet/instance-re6stnet.cfg.in
+++ b/software/re6stnet/instance-re6stnet.cfg.in
@@ -1,11 +1,8 @@
 {% set bin_directory = parameter_dict['bin-directory'] -%}
 {% set python_bin = parameter_dict['python-executable'] -%}
 {% set publish_dict = {} -%}
-{% set part_list = [] -%}
 {% set ipv6 = (ipv6_set | list)[0] -%}
 {% set ipv4 = (ipv4_set | list)[0] -%}
-{% set uri_scheme = slapparameter_dict.get('uri-scheme', 'http') -%}
-{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -17,12 +14,6 @@ log = ${:var}/log
 services = ${:etc}/service
 script = ${:etc}/run
 run = ${:var}/run
-ca-dir = ${:etc}/ssl
-requests = ${:ca-dir}/requests
-private = ${:ca-dir}/private
-certs = ${:ca-dir}/certs
-newcerts = ${:ca-dir}/newcerts
-crl = ${:ca-dir}/crl
 re6st = ${:srv}/res6stnet
 [re6stnet-dirs]
@@ -34,18 +25,6 @@ ssl = ${:conf}/ssl
 token = ${:conf}/token
 run = ${directory:run}/re6stnet
-[certificate-authority]
-recipe = slapos.cookbook:certificate_authority
-openssl-binary = {{ openssl_bin }}/openssl
-ca-dir = ${directory:ca-dir}
-requests-directory = ${directory:requests}
-wrapper = ${directory:services}/certificate_authority
-ca-private = ${directory:private}
-ca-certs = ${directory:certs}
-ca-newcerts = ${directory:newcerts}
-ca-crl = ${directory:crl}
-
-
 [apache-conf]
 recipe = slapos.recipe.template:jinja2
 template = {{ parameter_dict['template-apache-conf'] }}
@@ -62,35 +41,12 @@ context =
 key access_log :access-log
 key error_log :error-log
 key pid_file :pid-file
- raw certificate ${directory:certs}/apache.crt
- raw key ${directory:private}/apache.key
 raw ipv6 {{ ipv6 }}
- raw uri_scheme {{ uri_scheme }}
-{% set apache_wrapper = '${directory:services}/httpd' -%}
-{% if uri_scheme == 'https' -%}
-{% set apache_wrapper = '${directory:bin}/httpd_raw' -%}
-{% endif -%}
 [apache-httpd]
 recipe = slapos.cookbook:wrapper
-wrapper-path = {{ apache_wrapper }}
-command-line = "{{ parameter_dict['apache-location'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND
-
-{% if uri_scheme == 'https' %}
-[apache-ca]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-executable = ${apache-httpd:wrapper-path}
-wrapper = ${directory:bin}/httpd
-key-file = ${certificate-authority:ca-private}/apache.key
-cert-file = ${certificate-authority:ca-certs}/apache.crt
-
-[{{ section('apache-ca-service') }}]
-recipe = slapos.cookbook:wrapper
-command-line = ${apache-ca:wrapper}
 wrapper-path = ${directory:services}/httpd
-hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
-{% endif %}
+command-line = "{{ parameter_dict['apache-location'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND
 [apache-httpd-graceful]
 recipe = slapos.recipe.template:jinja2
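Review bot: `[apache-httpd]` ends up without `hash-existing-files` in the `-62,35 +41,12` hunk of instance-re6stnet.cfg.in: the option is deleted along with `[apache-ca-service]` and is not moved to the section that now owns `${directory:services}/httpd`. If that option is what ties the supervisor process name to the software release (the test removed by this patch expected `httpd-{hash}-on-watch`), the public-facing httpd would no longer be restarted when the release is rebuilt, for example after an Apache security update. That matches the old `http` mode, but it is now the only mode, so consider adding `hash-existing-files = ${buildout:directory}/software_release/buildout.cfg` under `[apache-httpd]` and keeping a hash test for the default parameters.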
@@ -209,7 +165,7 @@ name = apache-re6st-registry.py
 config-hostname = ${apache-conf:ipv6}
 config-port = ${apache-conf:port}
-{% do publish_dict.__setitem__('re6stry-url', uri_scheme ~ '://[${apache-conf:ipv6}]:${apache-conf:port}') -%}
+{% do publish_dict.__setitem__('re6stry-url', 'http://[${apache-conf:ipv6}]:${apache-conf:port}') -%}
 {% do publish_dict.__setitem__('re6stry-local-url', 'http://${re6st-registry:ipv4}:${re6st-registry:port}/') -%}
 {% do publish_dict.__setitem__('slave-amount', '${re6st-registry:slave-amount}') -%}
 [publish]
@@ -225,7 +181,6 @@ extends = {{ logrotate_cfg }}
 parts =
- certificate-authority
 logrotate-apache
 logrotate-entry-re6stnet
 re6stnet-manage
@@ -239,8 +194,6 @@ parts =
 re6st-registry-promise
 apache-registry-promise
 monitor-base
-# Complete parts with sections
- {{ part_list | join('\n ') }}
 eggs-directory = {{ eggs_directory }}
 develop-eggs-directory = {{ develop_eggs_directory }}
diff --git a/software/re6stnet/test/test.py b/software/re6stnet/test/test.py
index 54fadd1bb..ccdc8a654 100644
--- a/software/re6stnet/test/test.py
+++ b/software/re6stnet/test/test.py
@@ -29,7 +29,6 @@ import os
 import requests
 import json
-from slapos.recipe.librecipe import generateHashFromFiles
 from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
 setUpModule, Re6stnetTestCase = makeModuleSetUpAndTestCaseClass(
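Review bot: An instance that was requested with `uri-scheme: https` is silently downgraded by the `re6stry-url` line in the `-209,7 +165,7` hunk of instance-re6stnet.cfg.in, which now hard-codes `http://` while `uri-scheme` is no longer read anywhere. On its next reprocessing such an instance publishes a plain-HTTP URL, with nothing telling the operator that the parameter is ignored. Consider making a leftover `uri-scheme` value other than `http` visible, for instance through a failing promise or a published notice, rather than dropping it quietly. The reason for plaintext is only in the commit message, so a comment above the line would help, e.g. `# plain HTTP on purpose: the re6st registry authenticates and encrypts its own protocol`. It is also worth confirming that every request Apache forwards through this vhost is covered by that internal protection, since the proxy no longer adds any.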
@@ -57,35 +56,3 @@ class TestPortRedirection(Re6stnetTestCase):
 'srcPort': 9201,
 'destPort': 9201,
 }, portredir_config[0])
-
-
-
-class ServicesTestCase(Re6stnetTestCase):
-
- @classmethod
- def getInstanceParameterDict(cls):
- return {'uri-scheme': 'https'}
-
- def test_hashes(self):
- hash_files = [
- 'software_release/buildout.cfg',
- ]
- expected_process_names = [
- 'httpd-{hash}-on-watch',
- ]
-
- with self.slap.instance_supervisor_rpc as supervisor:
- process_names = [
- process['name'] for process in supervisor.getAllProcessInfo()
- ]
-
- hash_files = [
- os.path.join(self.computer_partition_root_path, path)
- for path in hash_files
- ]
-
- for name in expected_process_names:
- h = generateHashFromFiles(hash_files)
- expected_process_name = name.format(hash=h)
-
- self.assertIn(expected_process_name, process_names)
-- 
2.30.9