Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Sebastien Robin
slapos
Commits
524c2b7f
Commit
524c2b7f
authored
Apr 02, 2013
by
Cédric de Saint Martin
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add https-only support.
parent
253b111d
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
56 additions
and
16 deletions
+56
-16
slapos/recipe/apache_frontend/__init__.py
slapos/recipe/apache_frontend/__init__.py
+39
-15
slapos/recipe/apache_frontend/template/apache.conf.in
slapos/recipe/apache_frontend/template/apache.conf.in
+10
-1
software/apache-frontend/README.apache_frontend.txt
software/apache-frontend/README.apache_frontend.txt
+7
-0
No files found.
slapos/recipe/apache_frontend/__init__.py
View file @
524c2b7f
...
...
@@ -73,6 +73,7 @@ class Recipe(BaseSlapRecipe):
self
.
path_list
.
append
(
self
.
killpidfromfile
)
rewrite_rule_list
=
[]
rewrite_rule_https_only_list
=
[]
rewrite_rule_zope_list
=
[]
rewrite_rule_zope_path_list
=
[]
slave_dict
=
{}
...
...
@@ -92,8 +93,12 @@ class Recipe(BaseSlapRecipe):
enable_cache
=
slave_instance
.
get
(
'enable_cache'
,
''
).
lower
()
in
TRUE_VALUES
slave_type
=
slave_instance
.
get
(
'type'
,
''
).
lower
()
or
None
https_only
=
slave_instance
.
get
(
'https-only'
,
''
).
lower
()
in
TRUE_VALUES
# Set scheme (http? https?)
# Future work may allow to choose between http and https (or both?)
if
https_only
:
scheme
=
'https://'
else
:
scheme
=
'http://'
self
.
logger
.
info
(
'Processing slave instance: %s'
%
reference
)
...
...
@@ -136,6 +141,10 @@ class Recipe(BaseSlapRecipe):
rewrite_rule
=
"%s %s"
%
(
domain
,
backend_url
)
# Finally, if successful, we add the rewrite rule to our list of rules
# We have 4 RewriteMaps:
# - One for generic (non-zope) websites, accepting both HTTP and HTTPS
# - One for generic websites that only accept HTTPS
# - Two for Zope-based websites
if
rewrite_rule
:
# We check if we have a zope slave. It requires different rewrite
# rule structure.
...
...
@@ -146,6 +155,9 @@ class Recipe(BaseSlapRecipe):
# For Zope, we have another dict containing the path e.g '/erp5/...
rewrite_rule_path
=
"%s %s"
%
(
domain
,
slave_instance
.
get
(
'path'
,
''
))
rewrite_rule_zope_path_list
.
append
(
rewrite_rule_path
)
else
:
if
https_only
:
rewrite_rule_https_only_list
.
append
(
rewrite_rule
)
else
:
rewrite_rule_list
.
append
(
rewrite_rule
)
...
...
@@ -179,6 +191,7 @@ class Recipe(BaseSlapRecipe):
plain_http_port
=
frontend_plain_http_port_number
,
name
=
frontend_domain_name
,
rewrite_rule_list
=
rewrite_rule_list
,
rewrite_rule_https_only_list
=
rewrite_rule_https_only_list
,
rewrite_rule_zope_list
=
rewrite_rule_zope_list
,
rewrite_rule_zope_path_list
=
rewrite_rule_zope_path_list
,
key
=
key
,
certificate
=
certificate
)
...
...
@@ -510,10 +523,13 @@ class Recipe(BaseSlapRecipe):
port
=
4443
,
plain_http_port
=
8080
,
rewrite_rule_list
=
None
,
rewrite_rule_zope_list
=
None
,
rewrite_rule_https_only_list
=
None
,
rewrite_rule_zope_path_list
=
None
,
access_control_string
=
None
):
if
rewrite_rule_list
is
None
:
rewrite_rule_list
=
[]
if
rewrite_rule_https_only_list
is
None
:
rewrite_rule_zope_path_list
=
[]
if
rewrite_rule_zope_list
is
None
:
rewrite_rule_zope_list
=
[]
if
rewrite_rule_zope_path_list
is
None
:
...
...
@@ -564,15 +580,22 @@ class Recipe(BaseSlapRecipe):
self
.
path_list
.
append
(
backup_cron
)
# Create configuration file and rewritemaps
apachemap_name
=
"apachemap.txt"
apachemapzope_name
=
"apachemapzope.txt"
apachemapzopepath_name
=
"apachemapzopepath.txt"
self
.
createConfigurationFile
(
apachemap_name
,
"
\
n
"
.
join
(
rewrite_rule_list
))
self
.
createConfigurationFile
(
apachemapzope_name
,
"
\
n
"
.
join
(
rewrite_rule_zope_list
))
self
.
createConfigurationFile
(
apachemapzopepath_name
,
"
\
n
"
.
join
(
rewrite_rule_zope_path_list
))
apachemap_path
=
self
.
createConfigurationFile
(
"apache_rewritemap_generic.txt"
,
"
\
n
"
.
join
(
rewrite_rule_list
)
)
apachemap_httpsonly_path
=
self
.
createConfigurationFile
(
"apache_rewritemap_httpsonly.txt"
,
"
\
n
"
.
join
(
rewrite_rule_https_only_list
)
)
apachemap_zope_path
=
self
.
createConfigurationFile
(
"apache_rewritemap_zope.txt"
,
"
\
n
"
.
join
(
rewrite_rule_zope_list
)
)
apachemap_zopepath_path
=
self
.
createConfigurationFile
(
"apache_rewritemap_zopepath.txt"
,
"
\
n
"
.
join
(
rewrite_rule_zope_path_list
)
)
apache_conf
=
self
.
_getApacheConfigurationDict
(
name
,
ip_list
,
port
)
apache_conf
[
'ssl_snippet'
]
=
self
.
substituteTemplate
(
...
...
@@ -599,9 +622,10 @@ class Recipe(BaseSlapRecipe):
apache_conf
.
update
(
**
dict
(
path_enable
=
path
,
apachemap_path
=
os
.
path
.
join
(
self
.
etc_directory
,
apachemap_name
),
apachemapzope_path
=
os
.
path
.
join
(
self
.
etc_directory
,
apachemapzope_name
),
apachemapzopepath_path
=
os
.
path
.
join
(
self
.
etc_directory
,
apachemapzopepath_name
),
apachemap_path
=
apachemap_path
,
apachemap_httpsonly_path
=
apachemap_httpsonly_path
,
apachemapzope_path
=
apachemap_zope_path
,
apachemapzopepath_path
=
apachemap_zopepath_path
,
apache_domain
=
name
,
https_port
=
port
,
plain_http_port
=
plain_http_port
,
...
...
slapos/recipe/apache_frontend/template/apache.conf.in
View file @
524c2b7f
...
...
@@ -104,10 +104,12 @@ Header append Vary User-Agent
# or changed when slapgrid is ran. It can be freely customized by node admin.
Include %(custom_apache_virtualhost_conf)s
# Define the two RewriteMaps (key -> value store): one for Zope, one generic
# Define the 3 RewriteMaps (key -> value store): one for Zope, one generic,
# one generic https only,
# containing: rewritten URL -> original URL (a.k.a VirtualHostBase in Zope)
RewriteMap apachemapzope txt:%(apachemapzope_path)s
RewriteMap apachemapgeneric txt:%(apachemap_path)s
RewriteMap apachemapgenerichttpsonly txt:%(apachemap_httpsonly_path)s
# Define another RewriteMap for Zope, containing:
# rewritten URL -> VirtualHostRoot
...
...
@@ -123,6 +125,10 @@ Header append Vary User-Agent
RewriteCond ${apachemapgeneric:%%{SERVER_NAME}} >""
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ ${apachemapgeneric:%%{SERVER_NAME}}/$1 [L,P]
# Same for https only server
RewriteCond ${apachemapgenerichttpsonly:%%{SERVER_NAME}} >""
# We suppose that Apache listens to 443 (even indirectly thanks to things like iptables)
RewriteRule ^/(.*)$ ${apachemapgenerichttpsonly:%%{SERVER_NAME}}/$1 [L,P]
# If nothing exist : put a nice error
ErrorDocument 404 /notfound.html
...
...
@@ -138,6 +144,9 @@ Header append Vary User-Agent
ProxyTimeout 600
RewriteEngine On
# Remove "Secure" from cookies, as backend may be https
Header edit Set-Cookie "(?i)^(.+);secure$" "$1"
# Include configuration file not operated by slapos. This file won't be erased
# or changed when slapgrid is ran. It can be freely customized by node admin.
Include %(custom_apache_virtualhost_conf)s
...
...
software/apache-frontend/README.apache_frontend.txt
View file @
524c2b7f
...
...
@@ -118,6 +118,13 @@ Domain name to use as frontend. The frontend will be accessible from this domain
[instancereference].[masterdomain].
Example: www.mycustomdomain.com
https-only
~~~~~~~~~~
Specify if website should be accessed using https only. If so, the frontend
will redirect the user to https if accessed from http.
Possible values: "true", "false".
This is an optional parameter. Defaults to false.
path
~~~~
Only used if type is "zope".
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment