Commit cc10a28c authored by Łukasz Nowak

Allow configuring an SSL authentication backend.

By configuring ssl-authentication to true in JSON for a backend, it will turn
the listening apache into an SSL-based authorisation system.

SSL authorisation on such an entry point is obligatory.

In order to follow the typical ERP5 configuration, SSL_CLIENT_S_DN_CN will be
passed as REMOTE_USER to the Zope backend.

ERP5 CA is used to validate certificates.
parent 7fd8b983
......@@ -49,6 +49,12 @@ class Recipe(GenericBaseRecipe):
apache_conf['ssl_session_cache'] = self.options['ssl-session-cache']
apache_conf['ssl_snippet'] = pkg_resources.resource_string(__name__,
'template/snippet.ssl.in') % apache_conf
if self.optionIsTrue('ssl-authentication'):
apache_conf['ssl_snippet'] += pkg_resources.resource_string(__name__,
'template/snippet.ssl.ca.in') % dict(
ca_certificate=self.options['ssl-authentication-certificate'],
ca_crl=self.options['ssl-authentication-crl']
)
else:
raise ValueError, "Unsupported scheme %s" % scheme
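Review bot: when `ssl-authentication` is true, `ssl-authentication-certificate` and `ssl-authentication-crl` are read with bare `self.options[...]` lookups, so a missing option surfaces as a KeyError naming only the key rather than a message saying that client-certificate authentication needs a CA certificate and a CRL; an explicit check with a clear error would help operators. Also confirm that `template/snippet.ssl.ca.in` is shipped in the egg's package data, otherwise `pkg_resources.resource_string` fails only at deployment time. Keeping the branch inside the https scheme is right: client-certificate verification cannot apply to a plain-http backend, and the existing `else` still rejects other schemes.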
......
SSLVerifyClient require
RequestHeader set REMOTE_USER %%{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile %(ca_certificate)s
SSLCARevocationPath %(ca_crl)s
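Review bot: `RequestHeader set REMOTE_USER` overwrites rather than merges, so a client-supplied REMOTE_USER header is replaced by the verified certificate CN, which is the correct choice; it only protects this entry point, though, so the Zope backend must not be reachable through any other frontend that passes REMOTE_USER through unfiltered, or the certificate check is bypassed. `SSLCARevocationPath` expects a directory of hash-named CRLs (as produced by `c_rehash`), not a single CRL file; if `ca-crl` is a single file, `SSLCARevocationFile` is the right directive, and on Apache 2.4 CRL checking stays off unless `SSLCARevocationCheck chain` (or `leaf`) is also set. `SSLVerifyDepth` is left at its default of 1, which is fine for certificates issued directly by the ERP5 CA.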
......@@ -168,7 +168,9 @@ class Recipe(GenericSlapRecipe):
access_control_string=backend_configuration['access-control-string'],
maxconn=backend_configuration['maxconn'],
server_check_path='/%s/getId' % site_id,
haproxy_backend_list=' '.join(haproxy_backend_list)
haproxy_backend_list=' '.join(haproxy_backend_list),
ssl_authentication=backend_configuration.get('ssl-authentication',
False)
)
current_apache_port += 1
output += snippet_backend % backend_dict
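Review bot: `backend_configuration.get('ssl-authentication', False)` is interpolated into the buildout profile as `%(ssl_authentication)s`, so the JSON value reaches the recipe as its string form (`True`/`False`) and is only parsed later by `optionIsTrue`; a JSON string such as `"yes"` would pass through the same way and may be accepted. Consider normalising with `bool(...)` here, or validating the JSON type, so that only a real boolean enables client-certificate authentication. The default of False is the safe one, and the trailing comma added to the `haproxy_backend_list` line is the only change to that line.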
......
......@@ -30,6 +30,10 @@ ssl-session-cache = $${basedirectory:log}/apache-ssl-session-cache
error-log = $${basedirectory:log}/apache-%(backend_name)s-error.log
access-log = $${basedirectory:log}/apache-%(backend_name)s-access.log
apache-binary = ${apache:location}/bin/httpd
ssl-authentication = %(ssl_authentication)s
# Note: Without erp5-certificate-authority main certificate have to be hardcoded
ssl-authentication-certificate = $${erp5-certificate-authority:ca-dir}/cacert.pem
ssl-authentication-crl = $${erp5-certificate-authority:ca-crl}
[ca-apache-%(backend_name)s]
<= certificate-authority
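Review bot: `ssl-authentication-certificate` and `ssl-authentication-crl` reference `$${erp5-certificate-authority:ca-dir}` and `$${erp5-certificate-authority:ca-crl}` unconditionally, so this apache part now depends on the erp5-certificate-authority part even when `ssl-authentication = False`; make sure that part is built first (and that `ca-crl` is a hashed CRL directory if it is fed to `SSLCARevocationPath`), otherwise the generated configuration points at files that do not exist yet. The comment reads "main certificate have to be hardcoded"; "has to be" is meant, and it would help to state what exactly must be hardcoded when the CA part is absent.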
......
......@@ -136,7 +136,7 @@ mode = 0644
[template-snippet-backend]
recipe = slapos.recipe.template
url = ${:_profile_base_location_}/snippet-backend.cfg
md5sum = 7285e671bfb6d905f859d0787ac931c4
md5sum = 30c59038d504addaf9dfb276b84004a9
output = ${buildout:directory}/template-snippet-backend.cfg
mode = 0644
......@@ -227,4 +227,4 @@ signature-certificate-list =
YLEZJbofF7gSrRIcrlUJYXfTfw1QUBOKkGFFDsiJpEg4y5pUk1s5Jq9K3SDzNq/W
it1oYjOhuGg3al8OOeKFrU6nvNTF1BAvJCl0tr3POai5yXyN5jlK/zPfypmQYxE+
TaqQSGBJPVXYt6lrq/PRD9ciZgKLOwEqK8w=
-----END CERTIFICATE-----
\ No newline at end of file
-----END CERTIFICATE-----
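Review bot: this hunk only adds the missing trailing newline after the final `-----END CERTIFICATE-----` in `signature-certificate-list`; it is harmless but unrelated to SSL client authentication and would be clearer as its own commit.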