Add HTTPS to developer and docs.openstack.org

Add X.509 certificates, certificate chains and private keys for
https://developer.openstack.org/ and https://docs.openstack.org/
separately using SNI (as the list grows we can consider condensing
these into a single cert using ServerAltNames later).

Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec
Jeremy Stanley 2017-01-24 22:54:32 +00:00
parent f6d93be297
commit 2be925f8e9
6 changed files with 195 additions and 7 deletions


@ -667,6 +667,7 @@ node 'design-summit-prep.openstack.org' {
# Serve static AFS content for docs and other sites.
# Node-OS: trusty
node 'files01.openstack.org' {
$group = "files"
class { 'openstack_project::server':
iptables_public_tcp_ports => [22, 80],
sysadmins => hiera('sysadmins', []),
@ -676,6 +677,12 @@ node 'files01.openstack.org' {
class { 'openstack_project::files':
vhost_name => 'files.openstack.org',
developer_cert_file_contents => hiera('developer_ssl_cert_file_contents'),
developer_key_file_contents => hiera('developer_ssl_key_file_contents'),
developer_chain_file_contents => hiera('developer_ssl_chain_file_contents'),
docs_cert_file_contents => hiera('docs_ssl_cert_file_contents'),
docs_key_file_contents => hiera('docs_ssl_key_file_contents'),
docs_chain_file_contents => hiera('docs_ssl_chain_file_contents'),
require => Class['Openstack_project::Server'],
}
}
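Review bot: The files01 node still opens only `iptables_public_tcp_ports => [22, 80]`, while the class it declares now provisions 443 listeners for docs and developer, so HTTPS will be filtered at the host firewall unless 443 is opened somewhere outside this commit; the line should read `iptables_public_tcp_ports => [22, 80, 443],`. The first hunk adds exactly one line and this rendering does not mark which one, but since the hunk shows the new side and 443 is absent from that list, the port was not added here. The `node 'files01.openstack.org'` block continues beyond the hunk.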


@ -6,6 +6,7 @@ ci-backup ci-backup-*.openstack.org
disabled ci-backup-rs-ord.openstack.org:db368fcd-e61a-4294-a5cb-851c16650f7a:wiki.openstack.org
elasticsearch ~elasticsearch0[1-7]\.openstack\.org
ethercalc ~ethercalc\d+\.openstack\.org
files ~files\d+\.openstack\.org
git-loadbalancer ~git(-fe\d+)?\.openstack\.org
git-server ~git\d+\.openstack\.org
logstash-worker ~logstash-worker\d+\.openstack\.org


@ -1,4 +1,6 @@
ask.openstack.org 443
developer.openstack.org 443
docs.openstack.org 443
ethercalc.openstack.org 443
etherpad.openstack.org 443
git.openstack.org 443


@ -2,6 +2,12 @@
#
class openstack_project::files (
$vhost_name = $::fqdn,
$developer_cert_file_contents,
$developer_key_file_contents,
$developer_chain_file_contents,
$docs_cert_file_contents,
$docs_key_file_contents,
$docs_chain_file_contents,
) {
$afs_root = '/afs/openstack.org/'
@ -24,6 +30,22 @@ class openstack_project::files (
require => File["${www_base}"],
}
#####################################################
# Set up directories needed by HTTPS certs/keys
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
#####################################################
# Build VHost
include ::httpd
@ -59,19 +81,69 @@ class openstack_project::files (
# docs.openstack.org
::httpd::vhost { 'docs.openstack.org':
port => 80,
port => 443, # Is required despite not being used.
docroot => "${afs_root}docs",
priority => '50',
template => 'openstack_project/docs.vhost.erb',
}
file { '/etc/ssl/certs/docs.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/docs.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $docs_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $docs_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/docs.openstack.org.pem'],
}
###########################################################
# developer.openstack.org
::httpd::vhost { 'developer.openstack.org':
port => 80,
port => 443, # Is required despite not being used.
docroot => "${afs_root}developer-docs",
priority => '50',
template => 'openstack_project/docs.vhost.erb',
template => 'openstack_project/developer.vhost.erb',
}
file { '/etc/ssl/certs/developer.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_cert_file_contents,
require => File['/etc/ssl/certs'],
}
file { '/etc/ssl/private/developer.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $developer_key_file_contents,
require => File['/etc/ssl/private'],
}
file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $developer_chain_file_contents,
require => File['/etc/ssl/certs'],
before => File['/etc/ssl/certs/developer.openstack.org.pem'],
}
}
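Review bot: None of the six new certificate, key and chain `file` resources notify the Apache service, so a renewed certificate pushed through hiera would be rewritten on disk but not served until something else reloads Apache; add `notify => Service['httpd']` (or whichever service resource the httpd module declares — not visible here) to each of them, or at minimum to the three certificate and chain files. Separately, `$vhost_name = $::fqdn` keeps its default while the six parameters added after it are required; Puppet accepts this, but the style guide puts required parameters first and the current order is easy to misread. The `before => File[...pem]` on each chain file is harmless but redundant once both are ordered behind `/etc/ssl/certs`; a short comment such as `# chain must exist before Apache reads the leaf cert` would explain why it is kept.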


@ -0,0 +1,68 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
# Allow mod_rewrite rules
AllowOverride FileInfo
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem
SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key
SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
# Allow mod_rewrite rules
AllowOverride FileInfo
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>
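Review bot: In the `SSLCipherSuite` string the trailing `!AES256` excludes every AES-256 suite, so the `ECDH+AES256:DH+AES256` entries earlier in the same list can never be selected; either drop those two entries so the list reads as intended, or drop `!AES256` if 256-bit suites were meant to be offered (the same string appears in docs.vhost.erb in this commit). Apart from the three certificate paths this template is identical to docs.vhost.erb, and those paths are `/etc/ssl/certs/<vhost title>.pem` and friends; assuming `@srvname` is the vhost title, as `ServerName <%= @srvname %>` suggests, writing `SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem` (and likewise for the key and chain) would let both vhosts share one template instead of two copies to keep in sync. The comment above the cipher list spells `guarenteed`; `guaranteed`.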


@ -2,8 +2,7 @@
# Managed by Puppet
# ************************************
NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
<VirtualHost *:80>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
@ -28,3 +27,42 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %>
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end -%>
RewriteEngine on
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem
SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key
SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem
DocumentRoot <%= @docroot %>
<Directory <%= @docroot %>>
Options Indexes FollowSymLinks MultiViews
Satisfy any
Require all granted
# Allow mod_rewrite rules
AllowOverride FileInfo
ErrorDocument 404 /errorpage.html
</Directory>
ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
LogLevel warn
CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>
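Review bot: The `*:80` vhost keeps serving the full docroot over plain HTTP with `RewriteEngine on` but no rewrite rule, and the `*:443` vhost sets no `Strict-Transport-Security` header, so clients will still arrive over HTTP by default and nothing steers them to the new listener. If leaving HTTP untouched is deliberate for the rollout, a comment in the 80 block such as `# Plain HTTP intentionally kept until HTTPS is verified; redirect/HSTS to follow` would record that. The first hunk replaces `<VirtualHost <%= @vhost_name %>:<%= @port %>>` with a hardcoded `<VirtualHost *:80>`, so the `port => 443` passed from files.pp is no longer consumed by the template, which matches the `Is required despite not being used.` comment there.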