Commit 9c691cc0 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Generate self-signed certificates for ip access

Caddy since 0.11.1 requires that the certificate match the exposed site, so in
order to be able to serve IP access sites each frontend node needs
to generate a certificate with its IP in the subjectAltName.
parent e7555f4f
......@@ -22,7 +22,7 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
[template-apache-frontend]
filename = instance-apache-frontend.cfg.in
md5sum = a9be268aa485aa464cec25fea962faba
md5sum = 395ea5b3389e26a57dad0f91cd458630
[template-apache-replicate]
filename = instance-apache-replicate.cfg.in
......@@ -30,7 +30,7 @@ md5sum = 6a86edb96b171fbd0a59d0adc9cc906b
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
md5sum = b30bcd11c545d86c30d05db9cecb4f80
md5sum = 434e00cbfee2f9c002b2a83084a48b4a
[template-slave-configuration]
filename = templates/custom-virtualhost.conf.in
......@@ -42,11 +42,11 @@ md5sum = 01efde8febafcff6dde2ebb43e75a9e4
[template-caddy-frontend-configuration]
filename = templates/Caddyfile.in
md5sum = 7c987ad75fcce6f5b925c7696ff41971
md5sum = 0134a1586f15cd5665069d6d81a505be
[template-custom-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
md5sum = b30bcd11c545d86c30d05db9cecb4f80
md5sum = 434e00cbfee2f9c002b2a83084a48b4a
[caddy-backend-url-validator]
filename = templates/caddy-backend-url-validator.in
......@@ -70,7 +70,7 @@ md5sum = 7cbcadc295860821ac9d3aaa3cca72c5
[template-log-access]
filename = templates/template-log-access.conf.in
md5sum = f2a74f88c7248f199011fa9ec6182f73
md5sum = 122b05829ecc4c0ad4e47e7d1c21166b
[template-empty]
filename = templates/empty.in
......
......@@ -97,10 +97,36 @@ single-custom-personal = ${dynamic-custom-personal-template-slave-list:rendered}
[frontend-configuration]
template-log-access = {{ parameter_dict['template_log_access'] }}
log-access-configuration = ${directory:etc}/log-access.conf
ip-access-certificate = ${self-signed-ip-access:certificate}
ip-access-key = ${self-signed-ip-access:key}
caddy-directory = {{ parameter_dict['caddy_location'] }}
caddy-ipv6 = {{ instance_parameter['ipv6-random'] }}
caddy-https-port = ${configuration:port}
[self-signed-ip-access]
# Self Signed certificate for HTTPS IP accesses to the frontend
recipe = plone.recipe.command
update-command = ${:command}
ipv6 = ${slap-network-information:global-ipv6}
ipv4 = {{instance_parameter['ipv4-random']}}
key = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.key
certificate = ${caddy-directory:vh-ssl}/ip-access-${:ipv6}-${:ipv4}.crt
stop-on-error = True
command =
[ -f ${:key} ] && [ -f ${:certificate} ] && exit 0
rm -f ${:key} ${:certificate}
/bin/bash -c ' \
{{ parameter_dict['openssl'] }}/bin/openssl req \
-new -newkey rsa:2048 -sha256 \
-nodes -x509 -days 36500 \
-keyout ${:key} \
-subj "/CN=Self Signed IP Access" \
-reqexts SAN \
-extensions SAN \
-config <(cat {{ parameter_dict['openssl'] }}/etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=IP:${:ipv6},IP:${:ipv4}")) \
-out ${:certificate}'
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
rendered = ${buildout:directory}/${:filename}
......
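Review bot: The `command` of the new `[self-signed-ip-access]` section writes an unencrypted private key (`-nodes`, which Caddy needs) to `${caddy-directory:vh-ssl}` without restricting its mode, so the resulting file permissions depend entirely on the umask of the process running buildout; add `umask 077` as the first line of the command, or `chmod 600 ${:key}` right after the openssl invocation. Note also that `-days 36500` combined with the `[ -f ${:key} ] && [ -f ${:certificate} ] && exit 0` short-circuit means the key pair is generated once and never rotated unless both files are removed by hand; if that is intended, a comment saying so above `command =` would help the next maintainer, e.g. `# Generated once per (ipv6, ipv4) pair; delete both files to force regeneration`. The `[jinja2-template-base]` section at the end of the hunk continues outside it.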
......@@ -30,7 +30,7 @@ import {{ slave_with_cache_configuration_directory }}/*.conf
# Access to server-status Caddy-style
https://[{{ global_ipv6 }}]:{{ https_port }}/server-status, https://{{ local_ipv4 }}:{{ https_port }}/server-status {
tls {{ login_certificate }} {{ login_key }}
tls {{ frontend_configuration['ip-access-certificate'] }} {{ frontend_configuration['ip-access-key'] }}
# Compress the output
gzip
bind {{ local_ipv4 }}
......
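Review bot: The replacement `tls` line reads `frontend_configuration['ip-access-certificate']`, but nothing in this commit shows `frontend_configuration` being added to the render context of Caddyfile.in; if the template already received that section before this change it is fine, otherwise rendering will fail on the undefined name, so this is worth confirming against the template's `extra-context`. After this change `login_certificate` and `login_key` may no longer be referenced by this template; if so they can be dropped from its context in a follow-up. The server-status block that this line belongs to starts and ends outside the hunk.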
......@@ -379,8 +379,8 @@ local_ipv4 = {{ dumps(local_ipv4) }}
global_ipv6 = {{ dumps(global_ipv6) }}
https_port = {{ dumps(https_port) }}
http_port = {{ dumps(http_port) }}
login_certificate = {{ dumps(login_certificate) }}
login_key = {{ dumps(login_key) }}
ip_access_certificate = {{ frontend_configuration.get('ip-access-certificate') }}
ip_access_key = {{ frontend_configuration.get('ip-access-key') }}
access_log = {{ dumps(access_log) }}
error_log = {{ dumps(error_log) }}
not_found_file = {{ dumps(not_found_file) }}
......@@ -394,6 +394,7 @@ extra-context =
section slave_password slave-password
section parameter_dict caddy-log-access-parameters
{# Publish information for the instance #}
[publish-caddy-information]
recipe = slapos.cookbook:publish.serialised
......
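Review bot: The two new keys in the first hunk drop the `dumps()` wrapper that the neighbouring `login_certificate` / `login_key` lines use and read the value with `.get()`, so a missing `ip-access-certificate` or `ip-access-key` key silently renders the literal `None` into the section and, via `parameter_dict`, into the `tls` line of template-log-access.conf.in, where Caddy fails at startup with a path error instead of buildout failing at render time. The Caddyfile.in hunk of this commit indexes the same keys with `[...]`, which fails loudly; aligning on that and on `dumps()` (assuming it quotes a path string the way the other keys expect) gives `ip_access_certificate = {{ dumps(frontend_configuration['ip-access-certificate']) }}` and `ip_access_key = {{ dumps(frontend_configuration['ip-access-key']) }}`. The section these keys belong to starts before the hunk, and the second hunk (`extra-context`) is shown without markers, so which of its lines is the added one cannot be told from here.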
......@@ -3,7 +3,7 @@ https://[{{ parameter_dict['global_ipv6'] }}]:{{ parameter_dict['https_port'] }}
bind {{ parameter_dict['local_ipv4'] }}
root {{ directory }}/
browse
tls {{ parameter_dict['login_certificate'] }} {{ parameter_dict['login_key'] }}
tls {{ parameter_dict['ip_access_certificate'] }} {{ parameter_dict['ip_access_key'] }}
basicauth "{{ slave }}" {{ slave_password[slave] | trim }} {
"Log Access {{ slave }}"
/
......