Frontend: Use VirtualHost to separate from custom config, listens to plain...

Frontend: Use VirtualHost to separate from custom config, listens to plain http port as well to redirect to https

Frontend: Use VirtualHost to separate from custom config, listens to plain...
Frontend: Use VirtualHost to separate from custom config, listens to plain http port as well to redirect to https
7c5b5688 · Cédric de Saint Martin · e7f107c1 · 7c5b5688 · 7c5b5688 · 7c5b5688
Commit 7c5b5688 authored May 11, 2012 by Cédric de Saint Martin
4 changed files
--- a/slapos/recipe/apache_frontend/__init__.py
+++ b/slapos/recipe/apache_frontend/__init__.py
@@ -50,6 +50,8 @@ class Recipe(BaseSlapRecipe):

    # Define optional arguments
    frontend_port_number = self.parameter_dict.get("port", 4443)
+    frontend_plain_http_port_number = self.parameter_dict.get(
+        "plain_http_port", 8080)
    base_varnish_port = 26009
    slave_instance_list = self.parameter_dict.get("slave_instance_list", [])

@@ -143,6 +145,7 @@ class Recipe(BaseSlapRecipe):
        ip_list=["[%s]" % self.getGlobalIPv6Address(),
                 self.getLocalIPv4Address()],
        port=frontend_port_number,
+        plain_http_port=frontend_plain_http_port_number,
        name=frontend_domain_name,
        rewrite_rule_list=rewrite_rule_list,
        rewrite_rule_zope_list=rewrite_rule_zope_list,
@@ -451,7 +454,8 @@ class Recipe(BaseSlapRecipe):
    self.path_list.append(wrapper)
    return stunnel_conf

-  def installFrontendApache(self, ip_list, port, key, certificate, name,
+  def installFrontendApache(self, ip_list, key, certificate, name,
+                            port, plain_http_port=8080, 
                            rewrite_rule_list=[], rewrite_rule_zope_list=[],
                            access_control_string=None):
    # Create htdocs, populate it with default 404 document
@@ -506,7 +510,11 @@ class Recipe(BaseSlapRecipe):
        )
    )

-    apache_conf["listen"] = "\n".join(["Listen %s:%s" % (ip, port) for ip in ip_list])
+    apache_conf["listen"] = "\n".join([
+        "Listen %s:%s" % (ip, port)
+        for port in (plain_http_port, port)
+        for ip in ip_list
+    ])

    path = self.substituteTemplate(
        self.getTemplateFilename('apache.conf.path-protected.in'),
@@ -517,7 +525,8 @@ class Recipe(BaseSlapRecipe):
      apachemap_path=os.path.join(self.etc_directory, apachemap_name),
      apachemapzope_path=os.path.join(self.etc_directory, apachemapzope_name),
      apache_domain=name,
-      port=port,
+      https_port=port,
+      plain_http_port=plain_http_port,
      custom_apache_conf=custom_apache_configuration_file_location,
    ))


--- a/slapos/recipe/apache_frontend/template/apache.conf.in
+++ b/slapos/recipe/apache_frontend/template/apache.conf.in
@@ -19,9 +19,6 @@ RequestHeader unset REMOTE_USER

 ServerTokens Prod

-# SSL Configuration
-%(ssl_snippet)s
-
 # Log configuration
 ErrorLog "%(error_log)s"
 LogLevel warn
@@ -31,27 +28,6 @@ CustomLog "%(access_log)s" common

 %(path_enable)s

-# Rewrite part
-ProxyVia On
-ProxyTimeout 600
-RewriteEngine On
-
-# Define the two rewritemaps : one for zope, one generic
-RewriteMap apachemapzope txt:%(apachemapzope_path)s
-RewriteMap apachemapgeneric txt:%(apachemap_path)s
-
-# First, we check if we have a zope backend server
-# If so, let's use Virtual Host Daemon rewrite
-RewriteCond ${apachemapzope:%%{SERVER_NAME}} >""
-RewriteRule ^/(.*)$ ${apachemapzope:%%{SERVER_NAME}}/VirtualHostBase/https/%%{SERVER_NAME}:%%{SERVER_PORT}/VirtualHostRoot/$1 [L,P]
-
-# If we have generic backend server, let's rewrite without virtual host daemon
-RewriteCond ${apachemapgeneric:%%{SERVER_NAME}} >""
-RewriteRule ^/(.*)$ ${apachemapgeneric:%%{SERVER_NAME}}/$1 [L,P]
-
-# If nothing exist : put a nice error
-ErrorDocument 404 /notfound.html
-
 # List of modules
 #LoadModule unixd_module modules/mod_unixd.so
 #LoadModule access_compat_module modules/mod_access_compat.so
@@ -73,8 +49,6 @@ LoadModule cache_module modules/mod_cache.so
 LoadModule mem_cache_module modules/mod_mem_cache.so
 LoadModule antiloris_module modules/mod_antiloris.so

-CacheDefaultExpire 3600
-
 # The following directives modify normal HTTP response behavior to
 # handle known problems with browser implementations.
 BrowserMatch "Mozilla/2" nokeepalive
@@ -98,6 +72,7 @@ BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

 # Cache directives
 CacheEnable mem /
+CacheDefaultExpire 3600
 MCacheSize 8192
 MCacheMaxObjectCount 1000
 MCacheMaxObjectSize 8192
@@ -111,6 +86,42 @@ BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 # Make sure proxies don't deliver the wrong content
 Header append Vary User-Agent

+# SSL Configuration
+%(ssl_snippet)s
+
+# Dummy virtualhost redirecting to https. Note: will work only if https listens
+# on standard port (443)
+<VirtualHost *:%(plain_http_port)s>
+  RewriteEngine On
+  # Not using HTTPS? Ask that guy over there.
+  RewriteRule ^/(.*)$ https://%%{SERVER_NAME}%%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:%(https_port)s>
+  SSLEngine on
+  SSLProxyEngine on
+  # Rewrite part
+  ProxyVia On
+  ProxyTimeout 600
+  RewriteEngine On
+
+  # Define the two rewritemaps : one for zope, one generic
+  RewriteMap apachemapzope txt:%(apachemapzope_path)s
+  RewriteMap apachemapgeneric txt:%(apachemap_path)s
+
+  # First, we check if we have a zope backend server
+  # If so, let's use Virtual Host Daemon rewrite
+  RewriteCond ${apachemapzope:%%{SERVER_NAME}} >""
+  RewriteRule ^/(.*)$ ${apachemapzope:%%{SERVER_NAME}}/VirtualHostBase/https/%%{SERVER_NAME}:%%{SERVER_PORT}/VirtualHostRoot/$1 [L,P]
+
+  # If we have generic backend server, let's rewrite without virtual host daemon
+  RewriteCond ${apachemapgeneric:%%{SERVER_NAME}} >""
+  RewriteRule ^/(.*)$ ${apachemapgeneric:%%{SERVER_NAME}}/$1 [L,P]
+
+  # If nothing exist : put a nice error
+  ErrorDocument 404 /notfound.html
+</VirtualHost>
+
 # Include configuration file not operated by slapos. This file won't be erased
 # or changed when slapgrid is ran. It can be freely customized by node admin.
 Include %(custom_apache_conf)s
--- a/slapos/recipe/apache_frontend/template/apache.ssl-snippet.conf.in
+++ b/slapos/recipe/apache_frontend/template/apache.ssl-snippet.conf.in
-SSLEngine on
-SSLProxyEngine on
 SSLCertificateFile %(login_certificate)s
 SSLCertificateKeyFile %(login_key)s
 SSLRandomSeed startup builtin

--- a/software/apache-frontend/README.apache_frontend.txt
+++ b/software/apache-frontend/README.apache_frontend.txt
@@ -54,8 +54,11 @@ Using the IP given by the Master Instance.

 port
 ~~~~
-Port used by Apache. Optional parameter, defaults to 443.
+Port used by Apache. Optional parameter, defaults to 4443.

+plain_http_port
+Port used by apache to serve plain http (only used to redirect to https).
+Optional parameter, defaults to 8080.

 Slave Instance Parameters
 -------------------------
@@ -105,3 +108,12 @@ listening to a custom domain::
        "custom_domain":"mycustomdomain.com",
    }
  )
+
+Notes
+=====
+
+It is not possible with slapos to listen to port <= 1024, because process are
+not run as root. It is a good idea then to go on the node where the instance is
+and set some iptables rules like (if using default ports)::
+  iptables -t nat -A PREROUTING -p tcp -d {public ip} --dport 443 -j DNAT --to-destination {listening ip}:4443
+  iptables -t nat -A PREROUTING -p tcp -d {public_ip} --dport 80 -j DNAT --to-destination {listening ip}:8080