Add HTTPS vhosts to mailman servers
Add secondary vhosts for HTTPS to each mailman site, but don't remove the plain HTTP ones for now. Before switching to Mailman 3 we'll replace the current HTTP vhosts with blanket redirects to HTTPS. Add tests to make sure this is working, and also add a command-line test for the lists.openinfra.dev site now that it's got a first non-default list of its own. Also collect Apache logs from the test nodes so we can see for sure what might break. Change-Id: I4d93d643381f17c9a968595587909f0ba3dd6f92
This commit is contained in:
parent
17e3977eaf
commit
81f8cdfb7b
inventory/service/group_vars
playbooks/roles
testinfra
zuul.d
@ -5,4 +5,5 @@ exim_smtp_accept_max_per_host: '10'
|
||||
iptables_extra_public_tcp_ports:
|
||||
- 25
|
||||
- 80
|
||||
- 443
|
||||
- 465
|
||||
|
@ -12,6 +12,7 @@
|
||||
DocumentRoot /var/www
|
||||
|
||||
RewriteEngine on
|
||||
# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready
|
||||
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
|
||||
|
||||
# We can find mailman here:
|
||||
@ -60,3 +61,51 @@ Alias /images/mailman/ /usr/share/images/mailman/
|
||||
</Directory>
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName {{ mailman_site.listdomain }}
|
||||
ServerAdmin webmaster@openstack.org
|
||||
ErrorLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-ssl-error.log
|
||||
LogLevel warn
|
||||
CustomLog ${APACHE_LOG_DIR}/{{ mailman_site.listdomain }}-ssl-access.log combined
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
# Note: this list should ensure ciphers that provide forward secrecy
|
||||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
|
||||
SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
|
||||
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
|
||||
SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
|
||||
|
||||
RewriteEngine on
|
||||
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
|
||||
|
||||
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
|
||||
Alias /pipermail/ /srv/mailman/{{ mailman_site.name }}/archives/public/
|
||||
Alias /images/mailman/ /usr/share/images/mailman/
|
||||
|
||||
<Directory /usr/lib/cgi-bin/mailman/>
|
||||
AllowOverride None
|
||||
Options ExecCGI
|
||||
AddHandler cgi-script .cgi
|
||||
SetEnv HOST {{ mailman_site.listdomain }}
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
<Directory /srv/mailman/{{ mailman_site.name }}/archives/public/>
|
||||
Options FollowSymlinks
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
<Directory /usr/share/images/mailman/>
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
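Review bot: The `!AES256` element in the new `SSLCipherSuite` line permanently removes every AES256 cipher from the list, so the `ECDH+AES256:DH+AES256` entries written just before it contribute nothing and the vhost effectively negotiates only AES128 GCM/CBC with ECDHE/DHE; either drop `!AES256` or drop the AES256 entries so the directive reads the way it is meant. `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled on a brand-new vhost; unless a known client still needs them, `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` is the safer starting point. The `<Directory>` blocks mix Apache 2.2 access control (`Order allow,deny` / `Allow from all`) with the 2.4 `Require all granted`, which only works while mod_access_compat is loaded — presumably copied from the HTTP vhost above, but the new vhost could carry just the `Require` form. The identical cipher/protocol block appears in the second template hunk (the `mailman_listdomain` variant further down), so whatever is decided should be applied to both, or the two lines moved into a shared variable so they cannot drift.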
@ -12,6 +12,7 @@
|
||||
DocumentRoot /var/www
|
||||
|
||||
RewriteEngine on
|
||||
# TODO(fungi): convert this vhost into a blanket redirect to HTTPS when ready
|
||||
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
|
||||
|
||||
# We can find mailman here:
|
||||
@ -59,3 +60,50 @@ Alias /images/mailman/ /usr/share/images/mailman/
|
||||
</Directory>
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
ServerName {{ mailman_listdomain }}
|
||||
ServerAdmin webmaster@openstack.org
|
||||
ErrorLog ${APACHE_LOG_DIR}/{{ mailman_listdomain }}-ssl-error.log
|
||||
LogLevel warn
|
||||
CustomLog ${APACHE_LOG_DIR}/{{ mailman_listdomain }}-ssl-access.log combined
|
||||
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
# Note: this list should ensure ciphers that provide forward secrecy
|
||||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
|
||||
SSLCertificateFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.cer
|
||||
SSLCertificateKeyFile /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
|
||||
SSLCertificateChainFile /etc/letsencrypt-certs/{{ inventory_hostname }}/ca.cer
|
||||
|
||||
RewriteEngine on
|
||||
RewriteRule ^/$ /cgi-bin/mailman/listinfo [R]
|
||||
|
||||
ScriptAlias /cgi-bin/mailman/ /usr/lib/cgi-bin/mailman/
|
||||
Alias /pipermail/ /var/lib/mailman/archives/public/
|
||||
Alias /images/mailman/ /usr/share/images/mailman/
|
||||
|
||||
<Directory /usr/lib/cgi-bin/mailman/>
|
||||
AllowOverride None
|
||||
Options ExecCGI
|
||||
AddHandler cgi-script .cgi
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
<Directory /var/lib/mailman/archives/public/>
|
||||
Options FollowSymlinks
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
<Directory /usr/share/images/mailman/>
|
||||
AllowOverride None
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
Require all granted
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
@ -15,3 +15,13 @@ testinfra_hosts = ['lists.katacontainers.io']
|
||||
def test_mm_list_is_present(host):
|
||||
cmd = host.run('list_lists --bare')
|
||||
assert 'kata-dev' in cmd.stdout
|
||||
|
||||
def test_mm_list_site(host):
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.katacontainers.io:80:127.0.0.1 '
|
||||
'http://lists.katacontainers.io/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.katacontainers.io Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.katacontainers.io:443:127.0.0.1 '
|
||||
'https://lists.katacontainers.io/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.katacontainers.io Mailing Lists</TITLE>' in cmd.stdout
|
||||
|
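Review bot: The new HTTPS assertion in test_mm_list_site fetches `/cgi-bin/mailman/listinfo` directly, so the `RewriteRule ^/$ ... [R]` that the new :443 vhost adds is never exercised and a redirect that resolved to an `http://` Location would pass unnoticed. A third request against the site root would pin that down, e.g. `cmd = host.run('curl --insecure --silent --output /dev/null --write-out "%{redirect_url}" ' '--resolve lists.katacontainers.io:443:127.0.0.1 https://lists.katacontainers.io/')` followed by `assert cmd.stdout.startswith('https://lists.katacontainers.io/cgi-bin/mailman/listinfo')`. `--insecure` is understandable for the test-node certificate, but it also means the test says nothing about which certificate the vhost serves; a comment such as `# --insecure: test nodes carry a non-public CA cert` would make that trade-off explicit. The same two points apply to the lists.openstack.org test module below.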
@ -19,6 +19,9 @@ def test_mm_list_is_present(host):
|
||||
cmd = host.run('HOST=lists.opendev.org list_lists --bare')
|
||||
assert 'service-discuss' in cmd.stdout
|
||||
|
||||
cmd = host.run('HOST=lists.openinfra.dev list_lists --bare')
|
||||
assert 'staff' in cmd.stdout
|
||||
|
||||
cmd = host.run('HOST=lists.openstack.org list_lists --bare')
|
||||
assert 'openstack-discuss' in cmd.stdout
|
||||
|
||||
@ -28,8 +31,57 @@ def test_mm_list_is_present(host):
|
||||
cmd = host.run('HOST=lists.zuul-ci.org list_lists --bare')
|
||||
assert 'zuul-discuss' in cmd.stdout
|
||||
|
||||
def test_mm_list_site(host):
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.airshipit.org:80:127.0.0.1 '
|
||||
'http://lists.airshipit.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.airshipit.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.airshipit.org:443:127.0.0.1 '
|
||||
'https://lists.airshipit.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.airshipit.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.opendev.org:80:127.0.0.1 '
|
||||
'http://lists.opendev.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.opendev.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.opendev.org:443:127.0.0.1 '
|
||||
'https://lists.opendev.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.opendev.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.openinfra.dev:80:127.0.0.1 '
|
||||
'http://lists.openinfra.dev/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.openinfra.dev Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.openinfra.dev:443:127.0.0.1 '
|
||||
'https://lists.openinfra.dev/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.openinfra.dev Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.openstack.org:80:127.0.0.1 '
|
||||
'http://lists.openstack.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.openstack.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.openstack.org:443:127.0.0.1 '
|
||||
'https://lists.openstack.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.openstack.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.starlingx.io:80:127.0.0.1 '
|
||||
'http://lists.starlingx.io/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.starlingx.io Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.starlingx.io:443:127.0.0.1 '
|
||||
'https://lists.starlingx.io/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.starlingx.io Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl '
|
||||
'--resolve lists.zuul-ci.org:80:127.0.0.1 '
|
||||
'http://lists.zuul-ci.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.zuul-ci.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
cmd = host.run('curl --insecure '
|
||||
'--resolve lists.zuul-ci.org:443:127.0.0.1 '
|
||||
'https://lists.zuul-ci.org/cgi-bin/mailman/listinfo')
|
||||
assert '<TITLE>lists.zuul-ci.org Mailing Lists</TITLE>' in cmd.stdout
|
||||
|
||||
def test_domain_aliases(host):
|
||||
domain_aliases = host.file('/etc/aliases.domain')
|
||||
assert domain_aliases.exists
|
||||
assert domain_aliases.contains('staff@lists.openstack.org: staff@lists.openinfra.dev')
|
||||
|
||||
|
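Review bot: test_mm_list_site repeats the same pair of curl calls and assertions verbatim for six domains, which makes the function long and means the next site added will need another twelve copied lines; a loop over the domain list with the title derived from the domain keeps the behaviour identical and makes a failure report the offending domain. The HTTPS request still needs `--insecure` on the test nodes, so that flag stays. The preceding hunk's function, test_mm_list_is_present, starts outside the hunk and is only extended here.
```python
def test_mm_list_site(host):
    for domain in ('lists.airshipit.org', 'lists.opendev.org',
                   'lists.openinfra.dev', 'lists.openstack.org',
                   'lists.starlingx.io', 'lists.zuul-ci.org'):
        title = '<TITLE>%s Mailing Lists</TITLE>' % domain
        cmd = host.run('curl --resolve %s:80:127.0.0.1 '
                       'http://%s/cgi-bin/mailman/listinfo' % (domain, domain))
        assert title in cmd.stdout, domain
        # --insecure: test nodes do not carry a publicly trusted certificate
        cmd = host.run('curl --insecure --resolve %s:443:127.0.0.1 '
                       'https://%s/cgi-bin/mailman/listinfo' % (domain, domain))
        assert title in cmd.stdout, domain
# … unchanged: test_domain_aliases …
```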
@ -269,11 +269,13 @@
|
||||
lists.katacontainers.io:
|
||||
host_copy_output:
|
||||
'/var/log/acme.sh': logs
|
||||
'/var/log/apache2': logs
|
||||
'/var/log/mailman': logs
|
||||
lists.openstack.org:
|
||||
host_copy_output:
|
||||
'/etc/aliases.domain': logs_txt
|
||||
'/var/log/acme.sh': logs
|
||||
'/var/log/apache2': logs
|
||||
'/var/log/mailman': logs
|
||||
|
||||
- job:
|
||||
|