Make storyboard run over ssl
We're doing auth now, so we should really do it over SSL. The cert contents are already in hiera. Change-Id: Ia939e228785168705840acd6d377e6c25ba3370d
This commit is contained in:
parent
339d73ac34
commit
fa3b8f4869
@ -458,9 +458,9 @@ node 'storyboard.openstack.org' {
|
||||
mysql_host => hiera('storyboard_db_host'),
|
||||
mysql_user => hiera('storyboard_db_user'),
|
||||
mysql_password => hiera('storyboard_db_password'),
|
||||
# ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
|
||||
# ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
|
||||
# ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
|
||||
ssl_cert_file_contents => hiera('storyboard_ssl_cert_file_contents'),
|
||||
ssl_key_file_contents => hiera('storyboard_ssl_key_file_contents'),
|
||||
ssl_chain_file_contents => hiera('storyboard_ssl_chain_file_contents'),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -5,10 +5,13 @@ class openstack_project::storyboard(
|
||||
$mysql_password = '',
|
||||
$mysql_user = '',
|
||||
$sysadmins = [],
|
||||
$ssl_cert_file_contents = '',
|
||||
$ssl_key_file_contents = '',
|
||||
$ssl_chain_file_contents = '',
|
||||
) {
|
||||
class { 'openstack_project::server':
|
||||
sysadmins => $sysadmins,
|
||||
iptables_public_tcp_ports => [80],
|
||||
iptables_public_tcp_ports => [80, 443],
|
||||
}
|
||||
|
||||
class { '::storyboard':
|
||||
@ -17,6 +20,14 @@ class openstack_project::storyboard(
|
||||
mysql_user => $mysql_user,
|
||||
projects_file =>
|
||||
'puppet:///modules/openstack_project/review.projects.yaml',
|
||||
ssl_cert_file =>
|
||||
'/etc/ssl/certs/storyboard.openstack.org.pem',
|
||||
ssl_key_file =>
|
||||
'/etc/ssl/private/storyboard.openstack.org.key',
|
||||
ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
|
||||
ssl_cert_file_contents => $ssl_cert_file_contents,
|
||||
ssl_key_file_contents => $ssl_key_file_contents,
|
||||
ssl_chain_file_contents => $ssl_chain_file_contents,
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -20,10 +20,16 @@ class storyboard (
|
||||
$mysql_password,
|
||||
$mysql_user,
|
||||
$projects_file,
|
||||
$ssl_cert_file,
|
||||
$ssl_key_file,
|
||||
$ssl_chain_file,
|
||||
$storyboard_git_source_repo = 'https://git.openstack.org/openstack-infra/storyboard/',
|
||||
$storyboard_revision = 'master',
|
||||
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz'
|
||||
|
||||
$storyboard_webclient_url = 'http://tarballs.openstack.org/storyboard-webclient/storyboard-webclient-latest.tar.gz',
|
||||
$serveradmin = "webmaster@${::fqdn}",
|
||||
$ssl_cert_file_contents = '',
|
||||
$ssl_key_file_contents = '',
|
||||
$ssl_chain_file_contents = ''
|
||||
) {
|
||||
include apache
|
||||
include mysql::python
|
||||
@ -162,6 +168,7 @@ class storyboard (
|
||||
priority => '50',
|
||||
template => 'storyboard/storyboard.vhost.erb',
|
||||
require => Package['libapache2-mod-wsgi'],
|
||||
ssl => true,
|
||||
}
|
||||
|
||||
a2mod { 'proxy':
|
||||
@ -177,4 +184,33 @@ class storyboard (
|
||||
require => Package['libapache2-mod-wsgi'],
|
||||
}
|
||||
|
||||
if $ssl_cert_file_contents != '' {
|
||||
file { $ssl_cert_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_cert_file_contents,
|
||||
before => Apache::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_key_file_contents != '' {
|
||||
file { $ssl_key_file:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
content => $ssl_key_file_contents,
|
||||
before => Apache::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
|
||||
if $ssl_chain_file_contents != '' {
|
||||
file { $ssl_chain_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $ssl_chain_file_contents,
|
||||
before => Apache::Vhost[$vhost_name],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,7 +1,49 @@
|
||||
<VirtualHost *:80>
|
||||
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:80>
|
||||
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/storyboard-error.log
|
||||
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/storyboard-access.log combined
|
||||
|
||||
Redirect / https://<%= scope.lookupvar("storyboard::vhost_name") %>/
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost <%= scope.lookupvar("storyboard::vhost_name") %>:443>
|
||||
ServerName <%= scope.lookupvar("storyboard::vhost_name") %>
|
||||
ServerAdmin <%= scope.lookupvar("storyboard::serveradmin") %>
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/storyboard-ssl-error.log
|
||||
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/storyboard-ssl-access.log combined
|
||||
|
||||
SSLEngine on
|
||||
|
||||
SSLCertificateFile <%= scope.lookupvar("storyboard::ssl_cert_file") %>
|
||||
SSLCertificateKeyFile <%= scope.lookupvar("storyboard::ssl_key_file") %>
|
||||
<% if scope.lookupvar("storyboard::ssl_chain_file") != "" %>
|
||||
SSLCertificateChainFile <%= scope.lookupvar("storyboard::ssl_chain_file") %>
|
||||
<% end %>
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
BrowserMatch "MSIE [2-6]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
# MSIE 7 and newer should be able to use keepalive
|
||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||
|
||||
DocumentRoot /var/lib/storyboard/www
|
||||
ErrorLog /var/log/apache2/storyboard-error.log
|
||||
CustomLog /var/log/apache2/storyboard-access.log common
|
||||
|
||||
WSGIDaemonProcess storyboard user=storyboard group=storyboard threads=5 python-path=/usr/local/lib/python2.7/dist-packages
|
||||
WSGIScriptAlias /api /usr/local/lib/python2.7/dist-packages/storyboard/api/app.wsgi
|
||||
@ -15,4 +57,6 @@
|
||||
Order deny,allow
|
||||
Allow from all
|
||||
</Directory>
|
||||
|
||||
</VirtualHost>
|
||||
</IfModule>
|
||||
|
Loading…
Reference in New Issue
Block a user