From 2be925f8e946de94f9241f107f2d9f6641788963 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Tue, 24 Jan 2017 22:54:32 +0000 Subject: [PATCH] Add HTTPS to developer and docs.openstack.org Add X.509 certificates, certificate chains and private keys for https://developer.openstack.org/ and https://docs.openstack.org/ separately using SNI (as the list grows we can consider condensing these into a single cert using ServerAltNames later). Change-Id: Ia365be3363b611e5ee3b6dceb38ec311456466ec --- manifests/site.pp | 11 ++- .../files/puppetmaster/groups.txt | 1 + .../files/ssl_cert_check/ssldomains | 2 + modules/openstack_project/manifests/files.pp | 78 ++++++++++++++++++- .../templates/developer.vhost.erb | 68 ++++++++++++++++ .../templates/docs.vhost.erb | 42 +++++++++- 6 files changed, 195 insertions(+), 7 deletions(-) create mode 100644 modules/openstack_project/templates/developer.vhost.erb diff --git a/manifests/site.pp b/manifests/site.pp index cdc4f51ade..1b9973a37b 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -667,6 +667,7 @@ node 'design-summit-prep.openstack.org' { # Serve static AFS content for docs and other sites. # Node-OS: trusty node 'files01.openstack.org' { + $group = "files" class { 'openstack_project::server': iptables_public_tcp_ports => [22, 80], sysadmins => hiera('sysadmins', []), 
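Review bot: The firewall list on the context line `iptables_public_tcp_ports => [22, 80],` is left untouched while the rest of the change moves both vhosts to port 443, so the new TLS listeners on files01 will be unreachable through the host iptables rules unless 443 is opened elsewhere; the line should become `iptables_public_tcp_ports => [22, 80, 443],`. As a style point, `$group = "files"` uses double quotes for a string with no interpolation, where the surrounding manifest uses single quotes. The `node 'files01.openstack.org'` block continues past the end of this hunk.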
@@ -675,8 +676,14 @@ node 'files01.openstack.org' { } class { 'openstack_project::files': - vhost_name => 'files.openstack.org', - require => Class['Openstack_project::Server'], + vhost_name => 'files.openstack.org', + developer_cert_file_contents => hiera('developer_ssl_cert_file_contents'), + developer_key_file_contents => hiera('developer_ssl_key_file_contents'), + developer_chain_file_contents => hiera('developer_ssl_chain_file_contents'), + docs_cert_file_contents => hiera('docs_ssl_cert_file_contents'), + docs_key_file_contents => hiera('docs_ssl_key_file_contents'), + docs_chain_file_contents => hiera('docs_ssl_chain_file_contents'), + require => Class['Openstack_project::Server'], } } diff --git a/modules/openstack_project/files/puppetmaster/groups.txt b/modules/openstack_project/files/puppetmaster/groups.txt index fcc8e1f063..166f4d550b 100644 --- a/modules/openstack_project/files/puppetmaster/groups.txt +++ b/modules/openstack_project/files/puppetmaster/groups.txt @@ -6,6 +6,7 @@ ci-backup ci-backup-*.openstack.org disabled ci-backup-rs-ord.openstack.org:db368fcd-e61a-4294-a5cb-851c16650f7a:wiki.openstack.org elasticsearch ~elasticsearch0[1-7]\.openstack\.org ethercalc ~ethercalc\d+\.openstack\.org +files ~files\d+\.openstack\.org git-loadbalancer ~git(-fe\d+)?\.openstack\.org git-server ~git\d+\.openstack\.org logstash-worker ~logstash-worker\d+\.openstack\.org diff --git a/modules/openstack_project/files/ssl_cert_check/ssldomains b/modules/openstack_project/files/ssl_cert_check/ssldomains index 13482654ca..5b8134ca69 100644 --- a/modules/openstack_project/files/ssl_cert_check/ssldomains +++ b/modules/openstack_project/files/ssl_cert_check/ssldomains @@ -1,4 +1,6 @@ ask.openstack.org 443 +developer.openstack.org 443 +docs.openstack.org 443 ethercalc.openstack.org 443 etherpad.openstack.org 443 git.openstack.org 443 diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp index 013f3a2360..06362eaf3f 100644 
--- a/modules/openstack_project/manifests/files.pp +++ b/modules/openstack_project/manifests/files.pp @@ -2,6 +2,12 @@ # class openstack_project::files ( $vhost_name = $::fqdn, + $developer_cert_file_contents, + $developer_key_file_contents, + $developer_chain_file_contents, + $docs_cert_file_contents, + $docs_key_file_contents, + $docs_chain_file_contents, ) { $afs_root = '/afs/openstack.org/' @@ -24,6 +30,22 @@ class openstack_project::files ( require => File["${www_base}"], } + ##################################################### + # Set up directories needed by HTTPS certs/keys + file { '/etc/ssl/certs': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } + + file { '/etc/ssl/private': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0700', + } + ##################################################### # Build VHost include ::httpd 
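Review bot: The six new parameters are mandatory and undocumented; the class header comment just above the hunk should say that each is expected to hold PEM text and that the `*_key_file_contents` values are secrets that end up in the catalog, e.g. `# $docs_key_file_contents: PEM private key for docs.openstack.org (sensitive; sourced from hiera)`. The `/etc/ssl/private` resource forces `root:root` `0700`; on Debian-family hosts the ssl-cert package ships that directory as root:ssl-cert 0710, so this silently overrides the distro layout — harmless for Apache, which reads the key before dropping privileges, but worth a one-line comment such as `# Tightened from the ssl-cert package default; only root needs to read keys here.` Declaring `File['/etc/ssl/certs']` here will also clash with any other class on the same node that manages that path, which cannot be confirmed from this hunk. The `openstack_project::files` class body continues outside the hunk.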
@@ -59,19 +81,69 @@ class openstack_project::files ( # docs.openstack.org ::httpd::vhost { 'docs.openstack.org': - port => 80, + port => 443, # Is required despite not being used. docroot => "${afs_root}docs", priority => '50', template => 'openstack_project/docs.vhost.erb', } + file { '/etc/ssl/certs/docs.openstack.org.pem': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $docs_cert_file_contents, + require => File['/etc/ssl/certs'], + } + file { '/etc/ssl/private/docs.openstack.org.key': + ensure => present, + owner => 'root', + group => 'root', + mode => '0600', + content => $docs_key_file_contents, + require => File['/etc/ssl/private'], + } + file { '/etc/ssl/certs/docs.openstack.org_intermediate.pem': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $docs_chain_file_contents, + require => File['/etc/ssl/certs'], + before => File['/etc/ssl/certs/docs.openstack.org.pem'], + } ########################################################### # developer.openstack.org ::httpd::vhost { 'developer.openstack.org': - port => 80, + port => 443, # Is required despite not being used. 
docroot => "${afs_root}developer-docs", priority => '50', - template => 'openstack_project/docs.vhost.erb', + template => 'openstack_project/developer.vhost.erb', + } + file { '/etc/ssl/certs/developer.openstack.org.pem': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $developer_cert_file_contents, + require => File['/etc/ssl/certs'], + } + file { '/etc/ssl/private/developer.openstack.org.key': + ensure => present, + owner => 'root', + group => 'root', + mode => '0600', + content => $developer_key_file_contents, + require => File['/etc/ssl/private'], + } + file { '/etc/ssl/certs/developer.openstack.org_intermediate.pem': + ensure => present, + owner => 'root', + group => 'root', + mode => '0644', + content => $developer_chain_file_contents, + require => File['/etc/ssl/certs'], + before => File['/etc/ssl/certs/developer.openstack.org.pem'], } } diff --git a/modules/openstack_project/templates/developer.vhost.erb b/modules/openstack_project/templates/developer.vhost.erb new file mode 100644 index 0000000000..fd322c8be8 --- /dev/null +++ b/modules/openstack_project/templates/developer.vhost.erb 
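Review bot: Nothing in the new `file` resources for the certificate, key and chain notifies the web server, so a renewed certificate written by Puppet will not be served until Apache is restarted by hand, unless the `::httpd::vhost` define or the httpd class already subscribes to these paths (not visible here); adding `notify => Service['httpd'],` to each of the six resources, assuming that is the module's service resource name, closes the gap. The two private-key resources (`/etc/ssl/private/docs.openstack.org.key` and its developer counterpart) should also carry `show_diff => false,` so that an agent running with `show_diff` enabled never writes key material into reports or logs on a content change. Minor: `ensure => present` on a resource with `content` is conventionally written `ensure => file`. The same applies to the three developer.openstack.org resources in this hunk.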
@@ -0,0 +1,68 @@ +# ************************************ +# Managed by Puppet +# ************************************ + + + ServerName <%= @srvname %> + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}" -%> + <% end -%> + + RewriteEngine on + + DocumentRoot <%= @docroot %> + > + Options Indexes FollowSymLinks MultiViews + Satisfy any + Require all granted + # Allow mod_rewrite rules + AllowOverride FileInfo + ErrorDocument 404 /errorpage.html + + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined + ServerSignature Off + + + + + ServerName <%= @srvname %> + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}" -%> + <% end -%> + + RewriteEngine on + + SSLEngine on + SSLProtocol All -SSLv2 -SSLv3 + # Once the machine is using something to terminate TLS that supports ECDHE + # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS + # only is guarenteed. 
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + SSLCertificateFile /etc/ssl/certs/developer.openstack.org.pem + SSLCertificateKeyFile /etc/ssl/private/developer.openstack.org.key + SSLCertificateChainFile /etc/ssl/certs/developer.openstack.org_intermediate.pem + + DocumentRoot <%= @docroot %> + > + Options Indexes FollowSymLinks MultiViews + Satisfy any + Require all granted + # Allow mod_rewrite rules + AllowOverride FileInfo + ErrorDocument 404 /errorpage.html + + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined + ServerSignature Off + + diff --git a/modules/openstack_project/templates/docs.vhost.erb b/modules/openstack_project/templates/docs.vhost.erb index 1dc78bb37b..7c40781347 100644 --- a/modules/openstack_project/templates/docs.vhost.erb +++ b/modules/openstack_project/templates/docs.vhost.erb @@ -2,8 +2,7 @@ # Managed by Puppet # ************************************ -NameVirtualHost <%= @vhost_name %>:<%= @port %> -:<%= @port %>> + ServerName <%= @srvname %> <% if @serveraliases.is_a? Array -%> <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> 
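Review bot: The first VirtualHost block of the new developer.vhost.erb (its opening tag is blank in this rendering, but it carries `RewriteEngine on` and the same DocumentRoot as the TLS block) serves the full site over plain HTTP with no redirect and no HSTS, so adding the certificate does not stop clients from fetching the docs in the clear. If the goal is HTTPS by default, the `:80` block only needs `RewriteCond %{HTTPS} !=on` and `RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R=301,L]` under the existing `RewriteEngine on`; if plain HTTP is deliberately kept for now, a comment saying so would stop the next reader from "fixing" it. The same applies to the second hunk of docs.vhost.erb. The cipher comment also misspells "guaranteed" as "guarenteed".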
@@ -28,3 +27,42 @@ NameVirtualHost <%= @vhost_name %>:<%= @port %> CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined ServerSignature Off + + + + ServerName <%= @srvname %> + <% if @serveraliases.is_a? Array -%> + <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%> + <% elsif @serveraliases != nil -%> + <%= " ServerAlias #{@serveraliases}" -%> + <% end -%> + + RewriteEngine on + + SSLEngine on + SSLProtocol All -SSLv2 -SSLv3 + # Once the machine is using something to terminate TLS that supports ECDHE + # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS + # only is guarenteed. + SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP + SSLHonorCipherOrder on + SSLCertificateFile /etc/ssl/certs/docs.openstack.org.pem + SSLCertificateKeyFile /etc/ssl/private/docs.openstack.org.key + SSLCertificateChainFile /etc/ssl/certs/docs.openstack.org_intermediate.pem + + DocumentRoot <%= @docroot %> + > + Options Indexes FollowSymLinks MultiViews + Satisfy any + Require all granted + # Allow mod_rewrite rules + AllowOverride FileInfo + ErrorDocument 404 /errorpage.html + + + ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log + LogLevel warn + CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined + ServerSignature Off + +
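Review bot: The 443 block added here is a verbatim copy of the one in developer.vhost.erb, differing only in the three certificate paths, and the files.pp hunk names every certificate after the vhost title; if `@srvname` is that title, as the `ServerName <%= @srvname %>` lines suggest, the paths can be written once as `SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem`, `SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key` and `SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem`, making the separate developer template unnecessary and keeping one place to maintain the `SSLProtocol`/`SSLCipherSuite` policy. `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 negotiable; whether those can be dropped depends on the client population, so a comment recording that decision would help the next revision. This hunk starts after the `:80` VirtualHost block that is not shown here.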