Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
103
Merge Requests
103
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
e35f6236
Commit
e35f6236
authored
Jun 15, 2020
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.
parent
dfde2c8e
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
22 additions
and
43 deletions
+22
-43
component/apache/apache-backend.conf.in
component/apache/apache-backend.conf.in
+5
-26
component/apache/buildout.hash.cfg
component/apache/buildout.hash.cfg
+1
-1
software/cloudooo/buildout.hash.cfg
software/cloudooo/buildout.hash.cfg
+1
-1
software/cloudooo/instance-cloudooo.cfg.in
software/cloudooo/instance-cloudooo.cfg.in
+15
-15
No files found.
component/apache/apache-backend.conf.in
View file @
e35f6236
...
...
@@ -23,15 +23,6 @@
# # The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
# "ssl-session-cache": "<folder_path>",
#
# # The path given to "SSLCACertificateFile" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
# "ca-cert": "<file_path>",
#
# # The path given to "SSLCARevocationFile" (used if ca-cert is not
# # empty)
# "crl": "<file_path>",
#
# # The path given to "SSLCACertificatePath" (can be empty)
# # If this value is not empty, it enables client certificate check.
# # (Enabling "SSLVerifyClient require")
...
...
@@ -78,7 +69,7 @@
# From to `backend-list`:
# - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
# - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
# only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert
-dir
`.
# - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
# - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
# accepting requests from any client.
...
...
@@ -92,9 +83,7 @@
# For more details, refer to
# https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
-#}
{% set ca_cert = parameter_dict.get('ca-cert') -%}
{% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
{% set crl = parameter_dict.get('crl') -%}
{% set crl_dir = parameter_dict.get('crl-dir') -%}
LoadModule unixd_module modules/mod_unixd.so
LoadModule access_compat_module modules/mod_access_compat.so
...
...
@@ -146,26 +135,16 @@ SSLProxyEngine On
# As backend is trusting Remote-User header unset it always
RequestHeader unset Remote-User
{% if ca_cert
or ca_cert
_dir -%}
{% if ca_cert_dir -%}
SSLVerifyClient optional
RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
{% if ca_cert -%}
SSLCACertificateFile {{ ca_cert }}
{% endif -%}
{% if ca_cert_dir -%}
SSLCACertificatePath {{ ca_cert_dir }}
{% endif -%}
{% if crl or crl_dir -%}
SSLCARevocationCheck chain
{% if crl -%}
SSLCARevocationFile {{ crl }}
{% endif -%}
{% if crl_dir -%}
SSLCARevocationCheck chain
SSLCARevocationPath {{ crl_dir }}
{% endif -%}
{% endif -%}
{% endif -%}
ErrorLog "{{ parameter_dict['error-log'] }}"
# Default apache log format with request time in microsecond at the end
...
...
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
{% endfor -%}
<VirtualHost *:{{ port }}>
SSLEngine on
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
<VirtualHost {{ ip }}:{{ port }}>
SSLEngine on
Timeout 3600
{% if enable_authentication and
(ca_cert or ca_cert_dir) and (crl or crl_dir)
-%}
{% if enable_authentication and
ca_cert_dir
-%}
SSLVerifyClient require
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
...
...
component/apache/buildout.hash.cfg
View file @
e35f6236
...
...
@@ -14,5 +14,5 @@
# not need these here).
[template-apache-backend-conf]
filename = apache-backend.conf.in
md5sum =
4a13ad45e38e14ca7027c17192c90205
md5sum =
a169c1d6b0f2636f21f180e8a0b52137
software/cloudooo/buildout.hash.cfg
View file @
e35f6236
...
...
@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
[template-cloudooo-instance]
filename = instance-cloudooo.cfg.in
md5sum =
e01ee969a45d44d386653a9eb699cc59
md5sum =
971bf5ab61012a5e227d3208f1717d3b
software/cloudooo/instance-cloudooo.cfg.in
View file @
e35f6236
...
...
@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
{% if ssl_parameter_dict.get('ca-cert') -%}
# Client x509 auth
ca-cert = ${apache-ssl-client:cert}
crl = ${apache-ssl-client:crl}
ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
crl-dir = ${apache-conf-ssl:crl-dir}
{% endif -%}
[apache-promise]
# Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
...
...
@@ -127,8 +129,15 @@ config-http_code = 400
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
ca-cert = ${directory:apache-conf}/ca.crt
crl = ${directory:apache-conf}/crl.pem
{% if ssl_parameter_dict.get('ca-cert') -%}
ca-cert-dir = ${directory:apache-ca-cert-dir}
crl-dir = ${directory:apache-crl-dir}
{{ simplefile('apache-ssl-ca', '${:ca-cert-dir}/ca.crt', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${:crl-dir}/crl.pem', ssl_parameter_dict['crl']) }}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:ca-cert-dir}"; "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:crl-dir}"
update-command = ${:command}
{%- endif %}
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
...
...
@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
{%- endif %}
[apache-ssl-client]
{% if ssl_parameter_dict.get('ca-cert') -%}
cert = ${apache-ssl-ca:rendered}
crl = ${apache-ssl-crl:rendered}
{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
{% else %}
cert =
crl =
{%- endif %}
[apache-logrotate]
< = logrotate-entry-base
name = apache
...
...
@@ -268,6 +266,8 @@ link-binary =
[directory]
recipe = slapos.cookbook:mkdirectory
apache-conf = ${:etc}/apache
apache-ca-cert-dir = ${:apache-conf}/ssl.crt
apache-crl-dir = ${:apache-conf}/ssl.crl
bin = ${buildout:directory}/bin
ca-dir = ${buildout:directory}/srv/ssl
certs = ${:ca-dir}/certs
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment