Add https-only support.

parent 253b111d
...@@ -73,6 +73,7 @@ class Recipe(BaseSlapRecipe): ...@@ -73,6 +73,7 @@ class Recipe(BaseSlapRecipe):
self.path_list.append(self.killpidfromfile) self.path_list.append(self.killpidfromfile)
rewrite_rule_list = [] rewrite_rule_list = []
rewrite_rule_https_only_list = []
rewrite_rule_zope_list = [] rewrite_rule_zope_list = []
rewrite_rule_zope_path_list = [] rewrite_rule_zope_path_list = []
slave_dict = {} slave_dict = {}
...@@ -92,9 +93,13 @@ class Recipe(BaseSlapRecipe): ...@@ -92,9 +93,13 @@ class Recipe(BaseSlapRecipe):
enable_cache = slave_instance.get('enable_cache', '').lower() in TRUE_VALUES enable_cache = slave_instance.get('enable_cache', '').lower() in TRUE_VALUES
slave_type = slave_instance.get('type', '').lower() or None slave_type = slave_instance.get('type', '').lower() or None
https_only = slave_instance.get('https-only', '').lower() in TRUE_VALUES
# Set scheme (http? https?) # Set scheme (http? https?)
# Future work may allow to choose between http and https (or both?) if https_only:
scheme = 'http://' scheme = 'https://'
else:
scheme = 'http://'
self.logger.info('Processing slave instance: %s' % reference) self.logger.info('Processing slave instance: %s' % reference)
...@@ -136,6 +141,10 @@ class Recipe(BaseSlapRecipe): ...@@ -136,6 +141,10 @@ class Recipe(BaseSlapRecipe):
rewrite_rule = "%s %s" % (domain, backend_url) rewrite_rule = "%s %s" % (domain, backend_url)
# Finally, if successful, we add the rewrite rule to our list of rules # Finally, if successful, we add the rewrite rule to our list of rules
# We have 4 RewriteMaps:
# - One for generic (non-zope) websites, accepting both HTTP and HTTPS
# - One for generic websites that only accept HTTPS
# - Two for Zope-based websites
if rewrite_rule: if rewrite_rule:
# We check if we have a zope slave. It requires different rewrite # We check if we have a zope slave. It requires different rewrite
# rule structure. # rule structure.
...@@ -147,7 +156,10 @@ class Recipe(BaseSlapRecipe): ...@@ -147,7 +156,10 @@ class Recipe(BaseSlapRecipe):
rewrite_rule_path = "%s %s" % (domain, slave_instance.get('path', '')) rewrite_rule_path = "%s %s" % (domain, slave_instance.get('path', ''))
rewrite_rule_zope_path_list.append(rewrite_rule_path) rewrite_rule_zope_path_list.append(rewrite_rule_path)
else: else:
rewrite_rule_list.append(rewrite_rule) if https_only:
rewrite_rule_https_only_list.append(rewrite_rule)
else:
rewrite_rule_list.append(rewrite_rule)
# Certificate stuff # Certificate stuff
valid_certificate_str = self.parameter_dict.get("domain_ssl_ca_cert") valid_certificate_str = self.parameter_dict.get("domain_ssl_ca_cert")
...@@ -179,6 +191,7 @@ class Recipe(BaseSlapRecipe): ...@@ -179,6 +191,7 @@ class Recipe(BaseSlapRecipe):
plain_http_port=frontend_plain_http_port_number, plain_http_port=frontend_plain_http_port_number,
name=frontend_domain_name, name=frontend_domain_name,
rewrite_rule_list=rewrite_rule_list, rewrite_rule_list=rewrite_rule_list,
rewrite_rule_https_only_list=rewrite_rule_https_only_list,
rewrite_rule_zope_list=rewrite_rule_zope_list, rewrite_rule_zope_list=rewrite_rule_zope_list,
rewrite_rule_zope_path_list=rewrite_rule_zope_path_list, rewrite_rule_zope_path_list=rewrite_rule_zope_path_list,
key=key, certificate=certificate) key=key, certificate=certificate)
...@@ -510,10 +523,13 @@ class Recipe(BaseSlapRecipe): ...@@ -510,10 +523,13 @@ class Recipe(BaseSlapRecipe):
port=4443, plain_http_port=8080, port=4443, plain_http_port=8080,
rewrite_rule_list=None, rewrite_rule_list=None,
rewrite_rule_zope_list=None, rewrite_rule_zope_list=None,
rewrite_rule_https_only_list=None,
rewrite_rule_zope_path_list=None, rewrite_rule_zope_path_list=None,
access_control_string=None): access_control_string=None):
if rewrite_rule_list is None: if rewrite_rule_list is None:
rewrite_rule_list = [] rewrite_rule_list = []
if rewrite_rule_https_only_list is None:
rewrite_rule_zope_path_list = []
if rewrite_rule_zope_list is None: if rewrite_rule_zope_list is None:
rewrite_rule_zope_list = [] rewrite_rule_zope_list = []
if rewrite_rule_zope_path_list is None: if rewrite_rule_zope_path_list is None:
...@@ -564,15 +580,22 @@ class Recipe(BaseSlapRecipe): ...@@ -564,15 +580,22 @@ class Recipe(BaseSlapRecipe):
self.path_list.append(backup_cron) self.path_list.append(backup_cron)
# Create configuration file and rewritemaps # Create configuration file and rewritemaps
apachemap_name = "apachemap.txt" apachemap_path = self.createConfigurationFile(
apachemapzope_name = "apachemapzope.txt" "apache_rewritemap_generic.txt",
apachemapzopepath_name = "apachemapzopepath.txt" "\n".join(rewrite_rule_list)
)
self.createConfigurationFile(apachemap_name, "\n".join(rewrite_rule_list)) apachemap_httpsonly_path = self.createConfigurationFile(
self.createConfigurationFile(apachemapzope_name, "apache_rewritemap_httpsonly.txt",
"\n".join(rewrite_rule_zope_list)) "\n".join(rewrite_rule_https_only_list)
self.createConfigurationFile(apachemapzopepath_name, )
"\n".join(rewrite_rule_zope_path_list)) apachemap_zope_path = self.createConfigurationFile(
"apache_rewritemap_zope.txt",
"\n".join(rewrite_rule_zope_list)
)
apachemap_zopepath_path = self.createConfigurationFile(
"apache_rewritemap_zopepath.txt",
"\n".join(rewrite_rule_zope_path_list)
)
apache_conf = self._getApacheConfigurationDict(name, ip_list, port) apache_conf = self._getApacheConfigurationDict(name, ip_list, port)
apache_conf['ssl_snippet'] = self.substituteTemplate( apache_conf['ssl_snippet'] = self.substituteTemplate(
...@@ -599,9 +622,10 @@ class Recipe(BaseSlapRecipe): ...@@ -599,9 +622,10 @@ class Recipe(BaseSlapRecipe):
apache_conf.update(**dict( apache_conf.update(**dict(
path_enable=path, path_enable=path,
apachemap_path=os.path.join(self.etc_directory, apachemap_name), apachemap_path=apachemap_path,
apachemapzope_path=os.path.join(self.etc_directory, apachemapzope_name), apachemap_httpsonly_path=apachemap_httpsonly_path,
apachemapzopepath_path=os.path.join(self.etc_directory, apachemapzopepath_name), apachemapzope_path=apachemap_zope_path,
apachemapzopepath_path=apachemap_zopepath_path,
apache_domain=name, apache_domain=name,
https_port=port, https_port=port,
plain_http_port=plain_http_port, plain_http_port=plain_http_port,
......
...@@ -104,10 +104,12 @@ Header append Vary User-Agent ...@@ -104,10 +104,12 @@ Header append Vary User-Agent
# or changed when slapgrid is ran. It can be freely customized by node admin. # or changed when slapgrid is ran. It can be freely customized by node admin.
Include %(custom_apache_virtualhost_conf)s Include %(custom_apache_virtualhost_conf)s
# Define the two RewriteMaps (key -> value store): one for Zope, one generic # Define the 3 RewriteMaps (key -> value store): one for Zope, one generic,
# one generic https only,
# containing: rewritten URL -> original URL (a.k.a VirtualHostBase in Zope) # containing: rewritten URL -> original URL (a.k.a VirtualHostBase in Zope)
RewriteMap apachemapzope txt:%(apachemapzope_path)s RewriteMap apachemapzope txt:%(apachemapzope_path)s
RewriteMap apachemapgeneric txt:%(apachemap_path)s RewriteMap apachemapgeneric txt:%(apachemap_path)s
RewriteMap apachemapgenerichttpsonly txt:%(apachemap_httpsonly_path)s
# Define another RewriteMap for Zope, containing: # Define another RewriteMap for Zope, containing:
# rewritten URL -> VirtualHostRoot # rewritten URL -> VirtualHostRoot
...@@ -123,6 +125,10 @@ Header append Vary User-Agent ...@@ -123,6 +125,10 @@ Header append Vary User-Agent
RewriteCond ${apachemapgeneric:%%{SERVER_NAME}} >"" RewriteCond ${apachemapgeneric:%%{SERVER_NAME}} >""
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables) # We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ ${apachemapgeneric:%%{SERVER_NAME}}/$1 [L,P] RewriteRule ^/(.*)$ ${apachemapgeneric:%%{SERVER_NAME}}/$1 [L,P]
# Same for https only server
RewriteCond ${apachemapgenerichttpsonly:%%{SERVER_NAME}} >""
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ ${apachemapgenerichttpsonly:%%{SERVER_NAME}}/$1 [L,P]
# If nothing exist : put a nice error # If nothing exist : put a nice error
ErrorDocument 404 /notfound.html ErrorDocument 404 /notfound.html
...@@ -138,6 +144,9 @@ Header append Vary User-Agent ...@@ -138,6 +144,9 @@ Header append Vary User-Agent
ProxyTimeout 600 ProxyTimeout 600
RewriteEngine On RewriteEngine On
# Remove "Secure" from cookies, as backend may be https
Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
# Include configuration file not operated by slapos. This file won't be erased # Include configuration file not operated by slapos. This file won't be erased
# or changed when slapgrid is ran. It can be freely customized by node admin. # or changed when slapgrid is ran. It can be freely customized by node admin.
Include %(custom_apache_virtualhost_conf)s Include %(custom_apache_virtualhost_conf)s
......
...@@ -118,6 +118,13 @@ Domain name to use as frontend. The frontend will be accessible from this domain ...@@ -118,6 +118,13 @@ Domain name to use as frontend. The frontend will be accessible from this domain
[instancereference].[masterdomain]. [instancereference].[masterdomain].
Example: www.mycustomdomain.com Example: www.mycustomdomain.com
https-only
~~~~~~~~~~
Specify if website should be accessed using https only. If so, the frontend
will redirect the user to https if accessed from http.
Possible values: "true", "false".
This is an optional parameter. Defaults to false.
path path
~~~~ ~~~~
Only used if type is "zope". Only used if type is "zope".
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment