Merge "Enable ssl on all mirror vhosts"

This commit is contained in:
Zuul 2020-05-19 21:38:12 +00:00 committed by Gerrit Code Review
commit 728f8a9ee5
3 changed files with 150 additions and 42 deletions

View File

@ -4,15 +4,23 @@ NameVirtualHost *:443
# Dedicated port for proxy caching, as not to affect afs mirrors. # Dedicated port for proxy caching, as not to affect afs mirrors.
Listen 8080 Listen 8080
NameVirtualHost *:8080 NameVirtualHost *:8080
Listen 4443
NameVirtualHost *:4443
Listen 8081 Listen 8081
NameVirtualHost *:8081 NameVirtualHost *:8081
Listen 4444
NameVirtualHost *:4444
Listen 8082 Listen 8082
NameVirtualHost *:8082 NameVirtualHost *:8082
Listen 4445
NameVirtualHost *:4445
Listen 8083 Listen 8083
NameVirtualHost *:8083 NameVirtualHost *:8083
Listen 4446
NameVirtualHost *:4446
{% raw %} {% raw %}
LogFormat "%h %l %u [%{%F %T}t.%{msec_frac}t] \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-agent}i\"" combined-cache LogFormat "%h %l %u [%{%F %T}t.%{msec_frac}t] \"%r\" %>s %b %{cache-status}e \"%{Referer}i\" \"%{User-agent}i\"" combined-cache
@ -116,6 +124,17 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
</Macro> </Macro>
<Macro SSLConfig>
SSLEngine On
SSLCertificateFile /etc/letsencrypt-certs/{{ apache_server_name }}/{{ apache_server_name }}.cer
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ apache_server_name }}/{{ apache_server_name }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ apache_server_name }}/ca.cer
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
</Macro>
<VirtualHost *:80> <VirtualHost *:80>
ServerName {{ apache_server_name }} ServerName {{ apache_server_name }}
ServerAlias {{ apache_server_alias }} ServerAlias {{ apache_server_alias }}
@ -127,21 +146,11 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
ServerName {{ apache_server_name }} ServerName {{ apache_server_name }}
ServerAlias {{ apache_server_alias }} ServerAlias {{ apache_server_alias }}
SSLCertificateFile /etc/letsencrypt-certs/{{ apache_server_name }}/{{ apache_server_name }}.cer Use SSLConfig
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ apache_server_name }}/{{ apache_server_name }}.key
SSLCertificateChainFile /etc/letsencrypt-certs/{{ apache_server_name }}/ca.cer
SSLProtocol All -SSLv2 -SSLv3
# Note: this list should ensure ciphers that provide forward secrecy
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
Use BaseMirror 443 Use BaseMirror 443
</VirtualHost> </VirtualHost>
<VirtualHost *:8080> <Macro ProxyMirror $port>
ServerName {{ apache_server_name }}:8080
ServerAlias {{ apache_server_alias }}:8080
# Disable directory listing by default. # Disable directory listing by default.
<Directory /> <Directory />
Order Deny,Allow Order Deny,Allow
@ -150,9 +159,9 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
AllowOverride None AllowOverride None
</Directory> </Directory>
ErrorLog /var/log/apache2/proxy_8080_error.log ErrorLog /var/log/apache2/proxy_$port_error.log
LogLevel warn LogLevel warn
CustomLog /var/log/apache2/proxy_8080_access.log combined-cache CustomLog /var/log/apache2/proxy_$port_access.log combined-cache
ServerSignature Off ServerSignature Off
# Let upstreams decide on encoded slash handling. # Let upstreams decide on encoded slash handling.
@ -294,14 +303,25 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
CacheEnable disk "/copr-lxc2" CacheEnable disk "/copr-lxc2"
ProxyPass "/copr-lxc2/" "https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/" ttl=120 keepalive=On retry=0 ProxyPass "/copr-lxc2/" "https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/" ttl=120 keepalive=On retry=0
ProxyPassReverse "/copr-lxc2/" "https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/" ProxyPassReverse "/copr-lxc2/" "https://copr-be.cloud.fedoraproject.org/results/thm/lxc2.0/"
</Macro>
<VirtualHost *:8080>
ServerName {{ apache_server_name }}:8080
ServerAlias {{ apache_server_alias }}:8080
Use ProxyMirror 8080
</VirtualHost>
<VirtualHost *:4443>
ServerName {{ apache_server_name }}:4443
ServerAlias {{ apache_server_alias }}:4443
Use SSLConfig
Use ProxyMirror 4443
</VirtualHost> </VirtualHost>
# Docker registry v1 proxy. # Docker registry v1 proxy.
<VirtualHost *:8081> <Macro Dockerv1Mirror $port>
ServerName {{ apache_server_name }}:8081
ServerAlias {{ apache_server_alias }}:8081
# Disable directory listing by default. # Disable directory listing by default.
<Directory /> <Directory />
Order Deny,Allow Order Deny,Allow
@ -310,9 +330,9 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
AllowOverride None AllowOverride None
</Directory> </Directory>
ErrorLog /var/log/apache2/proxy_8081_error.log ErrorLog /var/log/apache2/proxy_$port_error.log
LogLevel warn LogLevel warn
CustomLog /var/log/apache2/proxy_8081_access.log combined-cache CustomLog /var/log/apache2/proxy_$port_access.log combined-cache
ServerSignature Off ServerSignature Off
# Caching reverse proxy for things that don't make sense in AFS # Caching reverse proxy for things that don't make sense in AFS
@ -351,14 +371,25 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
CacheEnable disk "/cloudflare" CacheEnable disk "/cloudflare"
ProxyPass "/cloudflare/" "https://production.cloudflare.docker.com/" ttl=120 keepalive=On retry=0 ProxyPass "/cloudflare/" "https://production.cloudflare.docker.com/" ttl=120 keepalive=On retry=0
ProxyPassReverse "/cloudflare/" "https://production.cloudflare.docker.com/" ProxyPassReverse "/cloudflare/" "https://production.cloudflare.docker.com/"
</Macro>
<VirtualHost *:8081>
ServerName {{ apache_server_name }}:8081
ServerAlias {{ apache_server_alias }}:8081
Use Dockerv1Mirror 8081
</VirtualHost>
<VirtualHost *:4444>
ServerName {{ apache_server_name }}:4444
ServerAlias {{ apache_server_alias }}:4444
Use SSLConfig
Use Dockerv1Mirror 4444
</VirtualHost> </VirtualHost>
# Docker registry v2 proxy. # Docker registry v2 proxy.
<VirtualHost *:8082> <Macro Dockerv2Mirror $port>
ServerName {{ apache_server_name }}:8082
ServerAlias {{ apache_server_alias }}:8082
# Disable directory listing by default. # Disable directory listing by default.
<Directory /> <Directory />
Order Deny,Allow Order Deny,Allow
@ -367,9 +398,9 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
AllowOverride None AllowOverride None
</Directory> </Directory>
ErrorLog /var/log/apache2/proxy_8082_error.log ErrorLog /var/log/apache2/proxy_$port_error.log
LogLevel warn LogLevel warn
CustomLog /var/log/apache2/proxy_8082_access.log combined-cache CustomLog /var/log/apache2/proxy_$port_access.log combined-cache
ServerSignature Off ServerSignature Off
# Caching reverse proxy for things that don't make sense in AFS # Caching reverse proxy for things that don't make sense in AFS
@ -409,13 +440,25 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
CacheEnable disk "/" CacheEnable disk "/"
ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0 ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0
ProxyPassReverse "/" "https://registry-1.docker.io/" ProxyPassReverse "/" "https://registry-1.docker.io/"
</Macro>
<VirtualHost *:8082>
ServerName {{ apache_server_name }}:8082
ServerAlias {{ apache_server_alias }}:8082
Use Dockerv2Mirror 8082
</VirtualHost>
<VirtualHost *:4445>
ServerName {{ apache_server_name }}:4445
ServerAlias {{ apache_server_alias }}:4445
Use SSLConfig
Use Dockerv2Mirror 4445
</VirtualHost> </VirtualHost>
# Redhat registry proxy. # Redhat registry proxy.
<VirtualHost *:8083> <Macro RHRegistryMirror $port>
ServerName {{ apache_server_name }}:8083
ServerAlias {{ apache_server_alias }}:8083
# Disable directory listing by default. # Disable directory listing by default.
<Directory /> <Directory />
Order Deny,Allow Order Deny,Allow
@ -424,9 +467,9 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
AllowOverride None AllowOverride None
</Directory> </Directory>
ErrorLog /var/log/apache2/proxy_8083_error.log ErrorLog /var/log/apache2/proxy_$port_error.log
LogLevel warn LogLevel warn
CustomLog /var/log/apache2/proxy_8083_access.log combined-cache CustomLog /var/log/apache2/proxy_$port_access.log combined-cache
ServerSignature Off ServerSignature Off
# Caching reverse proxy for things that don't make sense in AFS # Caching reverse proxy for things that don't make sense in AFS
@ -462,12 +505,25 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
CacheEnable disk "/" CacheEnable disk "/"
ProxyPass "/" "https://registry.access.redhat.com/" ttl=120 keepalive=On retry=0 ProxyPass "/" "https://registry.access.redhat.com/" ttl=120 keepalive=On retry=0
ProxyPassReverse "/" "https://registry.access.redhat.com/" ProxyPassReverse "/" "https://registry.access.redhat.com/"
</Macro>
<VirtualHost *:8083>
ServerName {{ apache_server_name }}:8083
ServerAlias {{ apache_server_alias }}:8083
Use RHRegistryMirror 8083
</VirtualHost>
<VirtualHost *:4446>
ServerName {{ apache_server_name }}:4446
ServerAlias {{ apache_server_alias }}:4446
Use SSLConfig
Use RHRegistryMirror 4446
</VirtualHost> </VirtualHost>
# Quay registry proxy. # Quay registry proxy.
<VirtualHost *:8084> <Macro QuayRegistryMirror $port>
ServerName {{ apache_server_name }}:8084
ServerAlias {{ apache_server_alias }}:8084
# Disable directory listing by default. # Disable directory listing by default.
<Directory /> <Directory />
@ -477,9 +533,9 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
AllowOverride None AllowOverride None
</Directory> </Directory>
ErrorLog /var/log/apache2/proxy_8083_error.log ErrorLog /var/log/apache2/proxy_$port_error.log
LogLevel warn LogLevel warn
CustomLog /var/log/apache2/proxy_8083_access.log combined-cache CustomLog /var/log/apache2/proxy_$port_access.log combined-cache
ServerSignature Off ServerSignature Off
# Caching reverse proxy for things that don't make sense in AFS # Caching reverse proxy for things that don't make sense in AFS
@ -510,4 +566,19 @@ ErrorLogFormat "[%{cu}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% , \
CacheEnable disk "/" CacheEnable disk "/"
ProxyPass "/" "https://quay.io/" ttl=120 keepalive=On retry=0 ProxyPass "/" "https://quay.io/" ttl=120 keepalive=On retry=0
ProxyPassReverse "/" "https://quay.io/" ProxyPassReverse "/" "https://quay.io/"
</Macro>
<VirtualHost *:8084>
ServerName {{ apache_server_name }}:8084
ServerAlias {{ apache_server_alias }}:8084
Use QuayRegistryMirror 8084
</VirtualHost>
<VirtualHost *:4447>
ServerName {{ apache_server_name }}:4447
ServerAlias {{ apache_server_alias }}:4447
Use SSLConfig
Use QuayRegistryMirror 4447
</VirtualHost> </VirtualHost>

View File

@ -13,21 +13,52 @@
# under the License. # under the License.
testinfra_hosts = ['mirror01.region.provider.opendev.org', testinfra_hosts = ['mirror01.openafs.provider.opendev.org',
'mirror02.region.provider.opendev.org'] 'mirror02.openafs.provider.opendev.org']
def test_apache(host): def test_apache(host):
apache = host.service('apache2') apache = host.service('apache2')
assert apache.is_running assert apache.is_running
def test_mirror_indexes(host): def test_base_mirror(host):
# BaseMirror
cmd = host.run("wget --no-check-certificate -qO- https://localhost/") cmd = host.run("wget --no-check-certificate -qO- https://localhost/")
assert '<a href="debian/">' in cmd.stdout assert '<a href="debian/">' in cmd.stdout
cmd = host.run("wget -qO- http://localhost/") cmd = host.run("wget -qO- http://localhost/")
assert '<a href="debian/">' in cmd.stdout assert '<a href="debian/">' in cmd.stdout
def test_proxy_mirror(host):
# ProxyMirror
cmd = host.run("wget --no-check-certificate -qO- "
"https://localhost:4443/pypi/simple/setuptools")
assert 'setuptools' in cmd.stdout
cmd = host.run("wget -qO- http://localhost:8080/pypi/simple/setuptools")
assert 'setuptools' in cmd.stdout
def test_dockerv1_mirror(host):
# Dockerv1Mirror
cmd = host.run("wget --no-check-certificate -O- "
"https://localhost:4444/registry-1.docker")
# TODO assert that this proxy cache is working more properly
assert '403 Forbidden' in cmd.stderr
cmd = host.run("wget -O- http://localhost:8081/registry-1.docker")
# TODO assert that this proxy cache is working more properly
assert '403 Forbidden' in cmd.stderr
def test_dockerv2_mirror(host):
# Dockerv2Mirror
cmd = host.run("wget --no-check-certificate -O- "
"https://localhost:4445/v2/")
assert '401 Unauthorized' in cmd.stderr
cmd = host.run("wget -O- http://localhost:8082/v2/")
assert '401 Unauthorized' in cmd.stderr
# TODO test RHRegistryMirror and QuayMirror
# NOTE(ianw): further testing idea for anyone interested; get the # NOTE(ianw): further testing idea for anyone interested; get the
# actual IP address of the mirror node and connect via that, and then # actual IP address of the mirror node and connect via that
# also poke at the other proxy ports

View File

@ -347,6 +347,12 @@
host_copy_output: host_copy_output:
'/var/log/apache2/': logs '/var/log/apache2/': logs
'/var/log/acme.sh': logs '/var/log/acme.sh': logs
'/etc/apache2/sites-available/mirror.conf': logs
mirror02.openafs.provider.opendev.org:
host_copy_output:
'/var/log/apache2/': logs
'/var/log/acme.sh': logs
'/etc/apache2/sites-available/mirror.conf': logs
files: files:
- playbooks/install-ansible.yaml - playbooks/install-ansible.yaml
- roles/ - roles/