Merge "Move security.openstack.org to HTTPS"

2015-05-14 00:57:39 +00:00 · 2015-05-14 00:57:39 +00:00 · 9844824dcd
commit 9844824dcd
parent c58f38482c 08dc5c2006
3 changed files with 103 additions and 12 deletions
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -464,6 +464,9 @@ node 'static.openstack.org' {
    swift_tenant_name                => hiera('infra_files_tenant_name', 'tenantname'),
    swift_region_name                => 'DFW',
    swift_default_container          => 'infra-files',
+    security_ssl_cert_file_contents  => hiera('security_ssl_cert_file_contents', 'XXX'),
+    security_ssl_key_file_contents   => hiera('security_ssl_key_file_contents', 'XXX'),
+    security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'),
  }
 }

--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@ -9,6 +9,9 @@ class openstack_project::static (
  $swift_region_name = '',
  $swift_default_container = '',
  $project_config_repo = '',
+  $security_ssl_cert_file_contents = '',
+  $security_ssl_key_file_contents = '',
+  $security_ssl_chain_file_contents = '',
  $jenkins_gitfullname = 'OpenStack Jenkins',
  $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@ -118,9 +121,12 @@ class openstack_project::static (
  # Security

  apache::vhost { 'security.openstack.org':
-    port     => 80,
-    priority => '50',
+    port       => 443, # Is required despite not being used.
    docroot    => '/srv/static/security',
+    priority   => '50',
+    ssl        => true,
+    template   => 'openstack_project/security.vhost.erb',
+    vhost_name => 'security.openstack.org',
    require    => File['/srv/static/security'],
  }

@ -131,6 +137,50 @@ class openstack_project::static (
    require => User['jenkins'],
  }

+  file { '/etc/ssl/certs':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/ssl/private':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0700',
+  }
+
+  file { '/etc/ssl/certs/security.openstack.org.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $security_ssl_cert_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
+  file { '/etc/ssl/private/security.openstack.org.key':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $security_ssl_key_file_contents,
+    require => File['/etc/ssl/private'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
+  file { '/etc/ssl/certs/security.openstack.org_intermediate.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $security_ssl_chain_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
  ###########################################################
  # Governance

--- a/modules/openstack_project/templates/security.vhost.erb
+++ b/modules/openstack_project/templates/security.vhost.erb
@ -0,0 +1,38 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+  ServerName <%= @vhost_name %>
+  RewriteEngine On
+  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+  DocumentRoot <%= @docroot %>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+  SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+  <Directory <%= @docroot %>>
+    Allow from all
+    Satisfy Any
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+</IfModule>