Merge "Move security.openstack.org to HTTPS"

This commit is contained in:
Jenkins 2015-05-14 00:57:39 +00:00 committed by Gerrit Code Review
commit 9844824dcd
3 changed files with 103 additions and 12 deletions

View File

@ -456,14 +456,17 @@ node 'storyboard.openstack.org' {
# Node-OS: precise
node 'static.openstack.org' {
class { 'openstack_project::static':
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
swift_user => 'infra-files-ro',
swift_key => hiera('infra_files_ro_password', 'XXX'),
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
swift_region_name => 'DFW',
swift_default_container => 'infra-files',
project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
sysadmins => hiera('sysadmins', []),
swift_authurl => 'https://identity.api.rackspacecloud.com/v2.0/',
swift_user => 'infra-files-ro',
swift_key => hiera('infra_files_ro_password', 'XXX'),
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
swift_region_name => 'DFW',
swift_default_container => 'infra-files',
security_ssl_cert_file_contents => hiera('security_ssl_cert_file_contents', 'XXX'),
security_ssl_key_file_contents => hiera('security_ssl_key_file_contents', 'XXX'),
security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'),
}
}

View File

@ -9,6 +9,9 @@ class openstack_project::static (
$swift_region_name = '',
$swift_default_container = '',
$project_config_repo = '',
$security_ssl_cert_file_contents = '',
$security_ssl_key_file_contents = '',
$security_ssl_chain_file_contents = '',
$jenkins_gitfullname = 'OpenStack Jenkins',
$jenkins_gitemail = 'jenkins@openstack.org',
) {
@ -118,10 +121,13 @@ class openstack_project::static (
# Security
apache::vhost { 'security.openstack.org':
port => 80,
priority => '50',
docroot => '/srv/static/security',
require => File['/srv/static/security'],
port => 443, # Is required despite not being used.
docroot => '/srv/static/security',
priority => '50',
ssl => true,
template => 'openstack_project/security.vhost.erb',
vhost_name => 'security.openstack.org',
require => File['/srv/static/security'],
}
file { '/srv/static/security':
@ -131,6 +137,50 @@ class openstack_project::static (
require => User['jenkins'],
}
file { '/etc/ssl/certs':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
file { '/etc/ssl/private':
ensure => directory,
owner => 'root',
group => 'root',
mode => '0700',
}
file { '/etc/ssl/certs/security.openstack.org.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $security_ssl_cert_file_contents,
require => File['/etc/ssl/certs'],
before => Apache::Vhost['security.openstack.org'],
}
file { '/etc/ssl/private/security.openstack.org.key':
ensure => present,
owner => 'root',
group => 'root',
mode => '0600',
content => $security_ssl_key_file_contents,
require => File['/etc/ssl/private'],
before => Apache::Vhost['security.openstack.org'],
}
file { '/etc/ssl/certs/security.openstack.org_intermediate.pem':
ensure => present,
owner => 'root',
group => 'root',
mode => '0644',
content => $security_ssl_chain_file_contents,
require => File['/etc/ssl/certs'],
before => Apache::Vhost['security.openstack.org'],
}
###########################################################
# Governance

View File

@ -0,0 +1,38 @@
# ************************************
# Managed by Puppet
# ************************************
<VirtualHost *:80>
ServerName <%= @vhost_name %>
RewriteEngine On
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName <%= @vhost_name %>
DocumentRoot <%= @docroot %>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# Once the machine is using something to terminate TLS that supports ECDHE
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
# only is guarenteed.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
SSLHonorCipherOrder on
SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
<Directory <%= @docroot %>>
Allow from all
Satisfy Any
</Directory>
LogLevel warn
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
ServerSignature Off
</VirtualHost>
</IfModule>