Commit f3b24072 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Łukasz Nowak

caddy-frontend: Implement ciphers parameter

/reviewed-on !597
parent c794bfd1
......@@ -14,7 +14,7 @@
# not need these here).
[template]
filename = instance.cfg.in
md5sum = fd2ff61d9270109115ced8f56fb0be17
md5sum = 4832bb055d31be6e99e2ef890b2206b0
[template-common]
filename = instance-common.cfg.in
......@@ -22,15 +22,15 @@ md5sum = c801b7f9f11f0965677c22e6bbe9281b
[template-apache-frontend]
filename = instance-apache-frontend.cfg.in
md5sum = 72e8ff0773fd0325dcbe994786156570
md5sum = 74f730a4fb079416118bd412a458cea8
[template-caddy-replicate]
filename = instance-apache-replicate.cfg.in
md5sum = 6ef06ef36dbb0c3ba1ea8841bcd49330
md5sum = 491a19d1747bbf795c27b094cf67114d
[template-slave-list]
filename = templates/apache-custom-slave-list.cfg.in
md5sum = 3faad78c80b0e9235849f0b5346eebbc
md5sum = cee327868f251639883df63923f978b5
[template-slave-configuration]
filename = templates/custom-virtualhost.conf.in
......@@ -54,7 +54,7 @@ md5sum = f20d6c3d2d94fb685f8d26dfca1e822b
[template-default-slave-virtualhost]
filename = templates/default-virtualhost.conf.in
md5sum = 0c5ef7f26a142c3ab53e835d2caa698d
md5sum = 7e21418a03529db22181962ea804da53
[template-cached-slave-virtualhost]
filename = templates/cached-virtualhost.conf.in
......
......@@ -263,6 +263,7 @@ extra-context =
key bin_directory :bin_directory
key enable_http2_by_default configuration:enable-http2-by-default
key global_disable_http2 configuration:global-disable-http2
key ciphers configuration:ciphers
key proxy_try_duration configuration:proxy-try-duration
key proxy_try_interval configuration:proxy-try-interval
key access_log caddy-configuration:access-log
......
{% if slap_software_type in software_type %}
{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] -%}
{%- set GOOD_CIPHER_LIST = ['ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-WITH-CHACHA20-POLY1305', 'ECDHE-RSA-AES256-CBC-SHA', 'ECDHE-RSA-AES128-CBC-SHA', 'ECDHE-ECDSA-AES256-CBC-SHA', 'ECDHE-ECDSA-AES128-CBC-SHA', 'RSA-AES256-CBC-SHA', 'RSA-AES128-CBC-SHA', 'ECDHE-RSA-3DES-EDE-CBC-SHA', 'RSA-3DES-EDE-CBC-SHA'] %}
{% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
......@@ -86,6 +87,15 @@ context =
{% elif slave_type not in [None, '', 'default', 'zope', 'redirect', 'notebook', 'websocket'] %}
{% do slave_error_list.append('type:%s is not supported' % (slave_type,)) %}
{% endif %}
{# Check ciphers #}
{% set slave_cipher_list = slave.get('ciphers', '').strip().split() %}
{% if slave_cipher_list %}
{% for cipher in slave_cipher_list %}
{% if cipher not in GOOD_CIPHER_LIST %}
{% do slave_error_list.append('Cipher %r is not supported.' % (cipher,)) %}
{% endif %}
{% endfor %}
{% endif %}
{# BBB: apache_custom_https AND apache_custom_http #}
{% set custom_domain = slave.get('custom_domain') %}
{% if custom_domain and custom_domain in used_host_list %}
......
......@@ -102,6 +102,11 @@
],
"title": "Automatic Internal KeDiFa's Caucase CSR",
"type": "string"
},
"ciphers": {
"description": "List of ciphers. Empty defaults to Caddy list of ciphers. See https://caddyserver.com/docs/tls for more information.",
"title": "Ordered space separated list of ciphers",
"type": "string"
}
},
"title": "Input Parameters",
......
......@@ -214,6 +214,11 @@
"description": "Port where https requests to frontend will be redirected.",
"title": "type:zope virtualhostroot-https-port",
"type": "integer"
},
"ciphers": {
"description": "List of ciphers. Empty defaults to cluster list of ciphers, which by default are Caddy list of ciphers. See https://caddyserver.com/docs/tls for more information.",
"title": "Ordered space separated list of ciphers",
"type": "string"
}
},
"title": "Input Parameters",
......
......@@ -115,6 +115,7 @@ configuration.trafficserver-mgmt-port = 8084
configuration.re6st-verification-url = http://[2001:67c:1254:4::1]/index.html
configuration.enable-http2-by-default = true
configuration.global-disable-http2 = false
configuration.ciphers =
configuration.enable-quic = false
configuration.mpm-graceful-shutdown-timeout = 5
configuration.monitor-httpd-port = 8072
......
......@@ -55,6 +55,14 @@ output = {{ plugin_directory }}/${:name}
{# Loop thought slave list to set up slaves #}
{% for slave_instance in slave_instance_list %}
{# Manage ciphers #}
{% set slave_ciphers = slave_instance.get('ciphers', '').strip().split() %}
{% if slave_ciphers %}
{% set slave_cipher_list = ' '.join(slave_ciphers) %}
{% else %}
{% set slave_cipher_list = ciphers.strip() %}
{% endif %}
{% do slave_instance.__setitem__('cipher_list', slave_cipher_list) %}
{% set slave_type = slave_instance.get('type', '') %}
{% set enable_cache = (('' ~ slave_instance.get('enable_cache', '')).lower() in TRUE_VALUES and slave_type != 'redirect') %}
{% set slave_reference = slave_instance.get('slave_reference') %}
......
......@@ -13,6 +13,7 @@
{%- set https_only = slave_parameter.get('https-only', '').lower() in TRUE_VALUES %}
{%- set slave_type = slave_parameter.get('type', '') %}
{%- set host_list = server_alias_list %}
{%- set cipher_list = slave_parameter.get('cipher_list', '').strip() %}
{%- if slave_parameter.get('custom_domain') not in host_list %}
{%- do host_list.append(slave_parameter.get('custom_domain')) %}
{%- endif %}
......@@ -53,6 +54,9 @@
gzip
{%- if tls %}
tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} {
{%- if cipher_list %}
ciphers {{ cipher_list }}
{%- endif %}
{%- if enable_h2 %}
# Allow HTTP2
alpn h2 http/1.1
......
......@@ -938,6 +938,25 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
]
)
def assertSlaveBase(self, reference):
parameter_dict = self.parseSlaveParameterDict(reference)
self.assertLogAccessUrlWithPop(parameter_dict)
self.assertKedifaKeysWithPop(parameter_dict, '')
hostname = reference.translate(None, '_-').lower()
self.assertEqual(
{
'domain': '%s.example.com' % (hostname,),
'replication_number': '1',
'url': 'http://%s.example.com' % (hostname, ),
'site_url': 'http://%s.example.com' % (hostname, ),
'secure_access': 'https://%s.example.com' % (hostname, ),
'public-ipv4': SLAPOS_TEST_IPV4,
},
parameter_dict
)
return parameter_dict
class TestSlave(SlaveHttpFrontendTestCase, TestDataMixin):
caddy_custom_https = '''# caddy_custom_https_filled_in_accepted
......@@ -1280,6 +1299,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
},
're6st-optimal-test': {
're6st-optimal-test': 'ipv6,ipv4',
},
'ciphers': {
'ciphers': 'RSA-3DES-EDE-CBC-SHA RSA-AES128-CBC-SHA',
}
}
......@@ -1358,9 +1380,9 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
expected_parameter_dict = {
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '51',
'accepted-slave-amount': '52',
'rejected-slave-amount': '5',
'slave-amount': '56',
'slave-amount': '57',
'rejected-slave-dict': {
"_apache_custom_http_s-rejected": ["slave not authorized"],
"_caddy_custom_http_s": ["slave not authorized"],
......@@ -1407,25 +1429,6 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
got
)
def assertSlaveBase(self, reference):
parameter_dict = self.parseSlaveParameterDict(reference)
self.assertLogAccessUrlWithPop(parameter_dict)
self.assertKedifaKeysWithPop(parameter_dict, '')
hostname = reference.translate(None, '_-').lower()
self.assertEqual(
{
'domain': '%s.example.com' % (hostname,),
'replication_number': '1',
'url': 'http://%s.example.com' % (hostname, ),
'site_url': 'http://%s.example.com' % (hostname, ),
'secure_access': 'https://%s.example.com' % (hostname, ),
'public-ipv4': SLAPOS_TEST_IPV4,
},
parameter_dict
)
return parameter_dict
def test_empty(self):
parameter_dict = self.assertSlaveBase('empty')
result = self.fakeHTTPSResult(
......@@ -2951,6 +2954,31 @@ http://apachecustomhttpsaccepted.example.com:%%(http_port)s {
}
)
def test_ciphers(self):
parameter_dict = self.assertSlaveBase('ciphers')
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(httplib.NOT_FOUND, result.status_code)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(httplib.NOT_FOUND, result_http.status_code)
configuration_file = glob.glob(
os.path.join(
self.instance_path, '*', 'etc', 'caddy-slave-conf.d', '_ciphers.conf'
))[0]
self.assertTrue(
'ciphers RSA-3DES-EDE-CBC-SHA RSA-AES128-CBC-SHA'
in open(configuration_file).read()
)
def test_enable_cache_custom_domain(self):
reference = 'enable_cache_custom_domain'
hostname = 'customdomainenablecache'
......@@ -4303,6 +4331,9 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'monitor-ipv6-test-unsafe': {
'monitor-ipv6-test': '${section:option}\nafternewline ipv6',
},
'bad-ciphers': {
'ciphers': 'bad ECDHE-ECDSA-AES256-GCM-SHA384 again',
}
}
def test_master_partition_state(self):
......@@ -4315,9 +4346,13 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '8',
'rejected-slave-amount': '2',
'slave-amount': '10',
'rejected-slave-amount': '3',
'slave-amount': '11',
'rejected-slave-dict': {
'_bad-ciphers': [
"Cipher 'bad' is not supported.",
"Cipher 'again' is not supported."
],
'_custom_domain-unsafe': [
"custom_domain '${section:option} afterspace\\nafternewline' invalid"
],
......@@ -4457,6 +4492,18 @@ class TestSlaveBadParameters(SlaveHttpFrontendTestCase, TestDataMixin):
parameter_dict
)
def test_bad_ciphers(self):
parameter_dict = self.parseSlaveParameterDict('bad-ciphers')
self.assertEqual(
{
'request-error-list': [
"Cipher 'bad' is not supported.",
"Cipher 'again' is not supported."
]
},
parameter_dict
)
def test_virtualhostroot_http_port_unsafe(self):
parameter_dict = self.parseSlaveParameterDict(
'virtualhostroot-http-port-unsafe')
......@@ -5886,3 +5933,104 @@ class TestSlaveSlapOSMasterCertificateCompatibilityUpdate(
der2pem(result.peercert))
self.assertEqualResultJson(result, 'Path', '/test-path')
class TestSlaveCiphers(SlaveHttpFrontendTestCase, TestDataMixin):
@classmethod
def getInstanceParameterDict(cls):
return {
'domain': 'example.com',
'public-ipv4': SLAPOS_TEST_IPV4,
'-frontend-authorized-slave-string':
'_apache_custom_http_s-accepted _caddy_custom_http_s-accepted',
'port': HTTPS_PORT,
'plain_http_port': HTTP_PORT,
'monitor-httpd-port': MONITOR_HTTPD_PORT,
'-frontend-config-1-monitor-httpd-port': MONITOR_F1_HTTPD_PORT,
'kedifa_port': KEDIFA_PORT,
'caucase_port': CAUCASE_PORT,
'mpm-graceful-shutdown-timeout': 2,
'ciphers': 'ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384'
}
@classmethod
def getSlaveParameterDictDict(cls):
return {
'default_ciphers': {
},
'own_ciphers': {
'ciphers': 'ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256',
},
}
def test_master_partition_state(self):
parameter_dict = self.parseConnectionParameterDict()
self.assertKeyWithPop('monitor-setup-url', parameter_dict)
self.assertKedifaKeysWithPop(parameter_dict, 'master-')
self.assertRejectedSlavePromiseWithPop(parameter_dict)
expected_parameter_dict = {
'monitor-base-url': None,
'domain': 'example.com',
'accepted-slave-amount': '2',
'rejected-slave-amount': '0',
'slave-amount': '2',
'rejected-slave-dict': {}
}
self.assertEqual(
expected_parameter_dict,
parameter_dict
)
def test_default_ciphers(self):
parameter_dict = self.assertSlaveBase('default_ciphers')
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(httplib.NOT_FOUND, result.status_code)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(httplib.NOT_FOUND, result_http.status_code)
configuration_file = glob.glob(
os.path.join(
self.instance_path, '*', 'etc', 'caddy-slave-conf.d',
'_default_ciphers.conf'
))[0]
self.assertTrue(
'ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384'
in open(configuration_file).read()
)
def test_own_ciphers(self):
parameter_dict = self.assertSlaveBase('own_ciphers')
result = self.fakeHTTPSResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(
self.certificate_pem,
der2pem(result.peercert))
self.assertEqual(httplib.NOT_FOUND, result.status_code)
result_http = self.fakeHTTPResult(
parameter_dict['domain'], parameter_dict['public-ipv4'], 'test-path')
self.assertEqual(httplib.NOT_FOUND, result_http.status_code)
configuration_file = glob.glob(
os.path.join(
self.instance_path, '*', 'etc', 'caddy-slave-conf.d',
'_own_ciphers.conf'
))[0]
self.assertTrue(
'ciphers ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256'
in open(configuration_file).read()
)
......@@ -26,6 +26,8 @@ T-2/var/log/httpd/_apache_custom_http_s-accepted_access_log
T-2/var/log/httpd/_apache_custom_http_s-accepted_error_log
T-2/var/log/httpd/_caddy_custom_http_s-accepted_access_log
T-2/var/log/httpd/_caddy_custom_http_s-accepted_error_log
T-2/var/log/httpd/_ciphers_access_log
T-2/var/log/httpd/_ciphers_error_log
T-2/var/log/httpd/_custom_domain_access_log
T-2/var/log/httpd/_custom_domain_error_log
T-2/var/log/httpd/_custom_domain_server_alias_access_log
......
T-0/etc/cron.d/logrotate
T-0/etc/cron.d/monitor-configurator
T-0/etc/cron.d/monitor-globalstate
T-0/etc/cron.d/monitor_collect
T-1/etc/cron.d/logrotate
T-1/etc/cron.d/monitor-configurator
T-1/etc/cron.d/monitor-globalstate
T-1/etc/cron.d/monitor_collect
T-2/etc/cron.d/logrotate
T-2/etc/cron.d/monitor-configurator
T-2/etc/cron.d/monitor-globalstate
T-2/etc/cron.d/monitor_collect
T-2/etc/cron.d/trafficserver-logrotate
\ No newline at end of file
T-0/var/log/monitor-httpd-error.log
T-0/var/log/slapgrid-T-0-error.log
T-1/var/log/expose-csr_id.log
T-2/var/log/frontend-access.log
T-2/var/log/frontend-error.log
T-2/var/log/httpd-csr_id/expose-csr_id.log
T-2/var/log/httpd/_default_ciphers_access_log
T-2/var/log/httpd/_default_ciphers_error_log
T-2/var/log/httpd/_own_ciphers_access_log
T-2/var/log/httpd/_own_ciphers_error_log
T-2/var/log/monitor-httpd-error.log
T-2/var/log/trafficserver/manager.log
T-2/var/log/trafficserver/traffic.out
\ No newline at end of file
T-0/var/run/monitor-httpd.pid
T-0/var/run/monitor/monitor-bootstrap.pid
T-1/var/run/kedifa.pid
T-1/var/run/monitor/monitor-bootstrap.pid
T-2/var/run/caddy_configuration_last_state
T-2/var/run/graceful_configuration_state_signature
T-2/var/run/httpd.pid
T-2/var/run/monitor-httpd.pid
T-2/var/run/monitor/monitor-bootstrap.pid
T-2/var/run/validate_configuration_state_signature
\ No newline at end of file
T-0/etc/plugin/buildout-T-0-status.py: OK
T-0/etc/plugin/check-free-disk-space.py: OK
T-0/etc/plugin/monitor-bootstrap-status.py: OK
T-0/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
T-0/etc/plugin/rejected-slave-publish-ip-port-listening.py: OK
T-0/etc/plugin/rejected-slave.py: OK
T-1/etc/plugin/buildout-T-1-status.py: OK
T-1/etc/plugin/check-free-disk-space.py: OK
T-1/etc/plugin/expose-csr_id-ip-port-listening.py: OK
T-1/etc/plugin/kedifa-http-reply.py: OK
T-1/etc/plugin/monitor-bootstrap-status.py: OK
T-1/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
T-2/etc/plugin/buildout-T-2-status.py: OK
T-2/etc/plugin/caddy_cached.py: ERROR
T-2/etc/plugin/caddy_frontend_ipv4_http.py: OK
T-2/etc/plugin/caddy_frontend_ipv4_https.py: OK
T-2/etc/plugin/caddy_frontend_ipv6_http.py: OK
T-2/etc/plugin/caddy_frontend_ipv6_https.py: OK
T-2/etc/plugin/caddy_ssl_cached.py: ERROR
T-2/etc/plugin/check-free-disk-space.py: OK
T-2/etc/plugin/expose-csr_id-ip-port-listening.py: OK
T-2/etc/plugin/frontend-caddy-configuration-promise.py: OK
T-2/etc/plugin/monitor-bootstrap-status.py: OK
T-2/etc/plugin/monitor-httpd-listening-on-tcp.py: OK
T-2/etc/plugin/re6st-connectivity.py: OK
T-2/etc/plugin/trafficserver-port-listening.py: OK
\ No newline at end of file
T-1/etc/promise/caucased: OK
\ No newline at end of file
T-0:bootstrap-monitor EXITED
T-0:certificate_authority-{hash-generic}-on-watch RUNNING
T-0:crond-{hash-generic}-on-watch RUNNING
T-0:monitor-httpd-{hash-generic}-on-watch RUNNING
T-0:monitor-httpd-graceful EXITED
T-0:rejected-slave-publish-{hash-rejected-slave-publish}-on-watch RUNNING
T-1:bootstrap-monitor EXITED
T-1:caucase-updater-on-watch RUNNING
T-1:caucased-{hash-generic}-on-watch RUNNING
T-1:certificate_authority-{hash-generic}-on-watch RUNNING
T-1:crond-{hash-generic}-on-watch RUNNING
T-1:expose-csr_id-{hash-generic}-on-watch RUNNING
T-1:kedifa-{hash-generic}-on-watch RUNNING
T-1:kedifa-reloader EXITED
T-1:monitor-httpd-{hash-generic}-on-watch EXITED
T-1:monitor-httpd-graceful EXITED
T-2:6tunnel-11080-{hash-generic}-on-watch RUNNING
T-2:6tunnel-11443-{hash-generic}-on-watch RUNNING
T-2:6tunnel-26011-{hash-generic}-on-watch RUNNING
T-2:6tunnel-26012-{hash-generic}-on-watch RUNNING
T-2:bootstrap-monitor EXITED
T-2:certificate_authority-{hash-generic}-on-watch RUNNING
T-2:crond-{hash-generic}-on-watch RUNNING
T-2:expose-csr_id-{hash-generic}-on-watch RUNNING
T-2:frontend-caddy-safe-graceful EXITED
T-2:frontend_caddy-{hash-caddy-T-2}-on-watch RUNNING
T-2:kedifa-login-certificate-caucase-updater-on-watch RUNNING
T-2:kedifa-updater-{hash-generic}-on-watch RUNNING
T-2:monitor-httpd-{hash-generic}-on-watch RUNNING
T-2:monitor-httpd-graceful EXITED
T-2:trafficserver-{hash-generic}-on-watch RUNNING
T-2:trafficserver-reload EXITED
watchdog:watchdog RUNNING
\ No newline at end of file
......@@ -26,6 +26,8 @@ T-2/var/log/httpd/_apache_custom_http_s-accepted_access_log
T-2/var/log/httpd/_apache_custom_http_s-accepted_error_log
T-2/var/log/httpd/_caddy_custom_http_s-accepted_access_log
T-2/var/log/httpd/_caddy_custom_http_s-accepted_error_log
T-2/var/log/httpd/_ciphers_access_log
T-2/var/log/httpd/_ciphers_error_log
T-2/var/log/httpd/_custom_domain_access_log
T-2/var/log/httpd/_custom_domain_error_log
T-2/var/log/httpd/_custom_domain_server_alias_access_log
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment