# lib/tls
# Functions to control the configuration and operation of the TLS proxy service
# !! source _before_ any services that use ``SERVICE_HOST``
# Dependencies:
# - ``functions`` file
# - ``DEST``, ``DATA_DIR`` must be defined
# - ``KEYSTONE_TOKEN_FORMAT`` must be defined
# Entry points:
# - configure_CA
# - init_CA
# - configure_proxy
# - start_tls_proxy
# - stop_tls_proxy
# - cleanup_CA
# - make_root_CA
# - make_int_CA
# - make_cert ca-dir cert-name "common-name" ["alt-name" ...]
# - start_tls_proxy HOST_IP 5000 localhost 5000
# - ensure_certificates
# - is_ssl_enabled_service
# - enable_mod_ssl
# Defaults
# --------
# Proxy address defaults; only evaluated when the tls-proxy service is
# enabled. NOTE(review): the ``fi`` closing this ``if`` is not visible in
# this view.
if is_service_enabled tls-proxy; then
    # TODO(dtroyer): revisit this below after the search for HOST_IP has been done
    # Address the proxy presents: an explicit TLS_IP wins, otherwise it is
    # derived from SERVICE_HOST (ipv6_unquote presumably normalizes a
    # bracketed IPv6 literal -- see the ``functions`` file)
    TLS_IP=${TLS_IP:-$(ipv6_unquote $SERVICE_HOST)}
# Fully-qualified name of this host, as reported by ``hostname -f``
DEVSTACK_HOSTNAME=$(hostname -f)
# CA configuration
# Stud configuration
# CA Functions
# ============
# There may be more than one, get specific
# Do primary CA configuration
# configure_CA
#
# Re-derives ``TLS_IP`` from ``SERVICE_HOST`` when the two disagree (the host
# address may have been auto-discovered after the defaults above ran).
# Globals: SERVICE_HOST (read), TLS_IP (written)
# NOTE(review): the ``fi`` and closing ``}`` of this function are not visible
# in this view.
function configure_CA {
    # build common config file
    # Verify ``TLS_IP`` is good
    if [[ -n "$SERVICE_HOST" && "$(ipv6_unquote $SERVICE_HOST)" != "$TLS_IP" ]]; then
        # auto-discover has changed the IP
        TLS_IP=$(ipv6_unquote $SERVICE_HOST)
# Creates a new CA directory structure
# create_CA_base ca-dir
#
# Arguments: $1 - directory in which to create the ``certs``, ``crl``,
#                 ``newcerts`` and ``private`` subdirectories plus the
#                 ``openssl ca`` bookkeeping files (``serial``, ``index.txt``)
# Returns:   0; an already existing ``ca-dir`` is left untouched
# NOTE(review): the ``fi``, ``done`` and closing ``}`` are not visible in this
# view.
function create_CA_base {
    local ca_dir=$1
    if [[ -d $ca_dir ]]; then
        # Bail out it exists
        # NOTE(review): nothing below is re-applied to an existing directory,
        # so the ``private`` permissions are only set on first creation
        return 0
    local i
    for i in certs crl newcerts private; do
        mkdir -p $ca_dir/$i
    # Private keys live here: owner only, group may traverse, others nothing
    chmod 710 $ca_dir/private
    # First serial number ``openssl ca`` hands out, and an empty cert index
    echo "01" >$ca_dir/serial
    cp /dev/null $ca_dir/index.txt
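# Create a new CA configuration file
# create_CA_config ca-dir common-name
#
# Writes ``<ca-dir>/ca.conf`` for ``openssl req``/``openssl ca``:
# - [CA_default]: index, serial, cert dirs and the CA cert/key under ``dir``
# - [req]: 2048-bit keys, sha256, no prompting, DN built from ORG_NAME,
#   ORG_UNIT_NAME and the given common name
# - [ca_extensions]: CA:true with keyCertSign/cRLSign, i.e. a CA certificate
# Arguments: $1 - CA directory (becomes ``dir`` in the config)
#            $2 - commonName for the CA certificate
# Globals:   ORG_NAME, ORG_UNIT_NAME (read)
function create_CA_config {
    local ca_dir=$1
    local common_name=$2
    # ``\$dir`` is escaped so OpenSSL, not the shell, expands it. The output
    # path is quoted: an unquoted ``$ca_dir`` containing whitespace turned
    # this into an ambiguous redirect and no config file was written.
    echo "
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
policy = policy_match
database = \$dir/index.txt
serial = \$dir/serial
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cacert.key
RANDFILE = \$dir/private/.rand
default_md = sha256
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
organizationName = $ORG_NAME
organizationalUnitName = $ORG_UNIT_NAME Certificate Authority
commonName = $common_name
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ ca_extensions ]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage = cRLSign, keyCertSign
" >"$ca_dir/ca.conf"
}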
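# Create a new signing configuration file
# create_signing_config ca-dir
#
# Writes ``<ca-dir>/signing.conf``, used by make_cert to issue end-entity
# (server) certificates:
# - [CA_default]: same layout as ca.conf; ``default_md = default`` leaves the
#   signing digest to OpenSSL's per-key default
# - [req]: 2048-bit keys (was 1024, now consistent with create_CA_config and
#   current key-size minimums), sha256, no prompting
# - [req_extensions]: CA:false, server/client auth, SAN taken from the
#   ``SUBJECT_ALT_NAME`` environment variable at signing time
# Arguments: $1 - CA directory (becomes ``dir`` in the config)
# Globals:   ORG_NAME, ORG_UNIT_NAME (read)
function create_signing_config {
    local ca_dir=$1
    # ``\$dir`` and ``\$ENV::`` are escaped so OpenSSL expands them. The
    # output path is quoted so a directory with whitespace is not an
    # ambiguous redirect.
    echo "
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
policy = policy_match
database = \$dir/index.txt
serial = \$dir/serial
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cacert.key
RANDFILE = \$dir/private/.rand
default_md = default
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions
[ req_distinguished_name ]
organizationName = $ORG_NAME
organizationalUnitName = $ORG_UNIT_NAME Server Farm
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
keyUsage = digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = \$ENV::SUBJECT_ALT_NAME
" >"$ca_dir/signing.conf"
}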
# Create root and intermediate CAs
# init_CA
#
# Builds the CAs, writes the root+intermediate chain to
# ``$INT_CA_DIR/ca-chain.pem``, appends it to ``SSL_BUNDLE_FILE`` and installs
# it as a trust anchor in the distro's certificate store.
# Globals: ROOT_CA_DIR, INT_CA_DIR, SSL_BUNDLE_FILE (read)
# NOTE(review): the intermediate CA creation step and the closing
# ``fi``/``}`` are not visible in this view.
function init_CA {
    # Ensure CAs are built
    make_root_CA $ROOT_CA_DIR
    # Create the CA bundle
    # NOTE(review): ``>>`` appends, so re-running against an existing
    # ca-chain.pem adds a second copy of both certificates to the chain
    cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
    cat $INT_CA_DIR/ca-chain.pem >> $SSL_BUNDLE_FILE
    # Make the DevStack chain trusted system-wide; anchor directory and
    # refresh command are distro specific
    if is_fedora; then
        sudo cp $INT_CA_DIR/ca-chain.pem /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
        sudo update-ca-trust
    elif is_suse; then
        sudo cp $INT_CA_DIR/ca-chain.pem /usr/share/pki/trust/anchors/devstack-chain.pem
        sudo update-ca-certificates
    elif is_ubuntu; then
        sudo cp $INT_CA_DIR/ca-chain.pem /usr/local/share/ca-certificates/devstack-int.crt
        sudo cp $ROOT_CA_DIR/cacert.pem /usr/local/share/ca-certificates/devstack-root.crt
        sudo update-ca-certificates
# Create an initial server cert
# init_cert
#
# Only acts when ``DEVSTACK_CERT`` is not yet readable. The ``TLS_IP`` and
# ``HOST_IPV6`` checks presumably feed the certificate's alternative names --
# verify against the full source.
# NOTE(review): most of this function's body (the alt-name assembly, the
# make_cert call and the closing ``fi``s/``}``) is not visible in this view.
function init_cert {
    if [[ ! -r $DEVSTACK_CERT ]]; then
        if [[ -n "$TLS_IP" ]]; then
            if [[ -n "$HOST_IPV6" ]]; then
# Create a cert bundle
# make_cert creates and signs a new certificate with the given commonName and CA
# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
#
# Arguments: $1 - CA directory holding ``signing.conf`` (see create_signing_config)
#            $2 - base name for ``<ca-dir>/<name>.csr``, ``<ca-dir>/<name>.crt``
#                 and ``<ca-dir>/private/<name>.key``
#            $3 - certificate commonName
#            $4 - subjectAltName value; only ``$4`` is read, so the "..." in
#                 the usage line above is not honoured by this code
# Globals:   OPENSSL, ORG_NAME, ORG_UNIT_NAME, SERVICE_HOST (read)
# NOTE(review): several lines of this function (the SERVICE_HOST alt-name
# handling, the closing ``fi``s and ``}``) are not visible in this view.
function make_cert {
    local ca_dir=$1
    local cert_name=$2
    local common_name=$3
    local alt_names=$4
    # Presumably adds SERVICE_HOST as an alt name when it differs from the
    # CN, treating an IPv4 literal differently -- the branch bodies are not
    # visible here
    if [ "$common_name" != "$SERVICE_HOST" ]; then
        if is_ipv4_address "$SERVICE_HOST" ; then
            if [[ -z "$alt_names" ]]; then
    # Only generate the certificate if it doesn't exist yet on the disk
    if [ ! -r "$ca_dir/$cert_name.crt" ]; then
        # Generate a signing request
        # No ``-config`` here, so the RSA key size comes from the system
        # OpenSSL defaults, not from signing.conf's [req] section.
        # ``-nodes``: the private key is written unencrypted; its only
        # protection is the mode of the ``private`` directory.
        $OPENSSL req \
            -sha256 \
            -newkey rsa \
            -nodes \
            -keyout $ca_dir/private/$cert_name.key \
            -out $ca_dir/$cert_name.csr \
            -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
        if [[ -z "$alt_names" ]]; then
        # Sign the request valid for 1 year
        # SUBJECT_ALT_NAME is consumed by signing.conf through
        # ``$ENV::SUBJECT_ALT_NAME``; req_extensions makes this a CA:false
        # serverAuth/clientAuth certificate
        SUBJECT_ALT_NAME="$alt_names" \
        $OPENSSL ca -config $ca_dir/signing.conf \
            -extensions req_extensions \
            -days 365 \
            -notext \
            -in $ca_dir/$cert_name.csr \
            -out $ca_dir/$cert_name.crt \
            -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
# Make an intermediate CA to sign everything else
# make_int_CA ca-dir signing-ca-dir
#
# Arguments: $1 - directory for the new intermediate CA
#            $2 - directory of the (root) CA whose ``ca.conf`` signs it
# Globals:   OPENSSL (read)
# NOTE(review): the closing ``fi`` and ``}`` (and any trailing ``openssl ca``
# options after the line continuation) are not visible in this view.
function make_int_CA {
    local ca_dir=$1
    local signing_ca_dir=$2
    # Lay out the intermediate CA directory, its own CA config and the
    # signing config that make_cert uses later
    create_CA_base $ca_dir
    create_CA_config $ca_dir 'Intermediate CA'
    create_signing_config $ca_dir
    if [ ! -r "$ca_dir/cacert.pem" ]; then
        # Create a signing certificate request
        # (``-nodes``: the CA private key is stored unencrypted)
        $OPENSSL req -config $ca_dir/ca.conf \
            -sha256 \
            -newkey rsa \
            -nodes \
            -keyout $ca_dir/private/cacert.key \
            -out $ca_dir/cacert.csr \
            -outform PEM
        # Sign the intermediate request valid for 1 year
        # (ca_extensions from the root's ca.conf: CA:true, keyCertSign/cRLSign)
        $OPENSSL ca -config $signing_ca_dir/ca.conf \
            -extensions ca_extensions \
            -days 365 \
            -notext \
            -in $ca_dir/cacert.csr \
            -out $ca_dir/cacert.pem \
# Make a root CA to sign other CAs
# make_root_CA ca-dir
#
# Arguments: $1 - directory for the root CA
# Globals:   OPENSSL (read)
# NOTE(review): the closing ``fi`` and ``}`` are not visible in this view.
function make_root_CA {
    local ca_dir=$1
    # Create the root CA
    create_CA_base $ca_dir
    create_CA_config $ca_dir 'Root CA'
    if [ ! -r "$ca_dir/cacert.pem" ]; then
        # Create a self-signed certificate. NOTE: ``-days 21360`` is roughly
        # 58 years, not the 5 years the old comment claimed; the private key
        # is written unencrypted (``-nodes``)
        $OPENSSL req -config $ca_dir/ca.conf \
            -x509 \
            -nodes \
            -newkey rsa \
            -days 21360 \
            -keyout $ca_dir/private/cacert.key \
            -out $ca_dir/cacert.pem \
            -outform PEM
# Deploy the service cert & key to a service specific
# location
# Arguments: $1 - destination path for the certificate
#            $2 - destination path for the private key
# Globals:   INT_CA_DIR, DEVSTACK_CERT_NAME (read)
function deploy_int_cert {
    local cert_dest=$1 key_dest=$2
    local cert_src="$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
    local key_src="$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
    sudo cp "$cert_src" "$cert_dest"
    sudo cp "$key_src" "$key_dest"
}
# Deploy the intermediate CA cert bundle file to a service
# specific location
# Arguments: $1 - destination path for the CA chain
# Globals:   INT_CA_DIR (read)
function deploy_int_CA {
    local chain_dest=$1
    local chain_src="$INT_CA_DIR/ca-chain.pem"
    sudo cp "$chain_src" "$chain_dest"
}
# If a non-system python-requests is installed then it will use the
# built-in CA certificate store rather than the distro-specific
# CA certificate store. Detect this and symlink to the correct
# one. If the value for the CA is not rooted in /etc then we know
# we need to change it.
#
# Without this, requests would presumably not trust the DevStack CA chain
# that init_CA installs into the distro store.
# NOTE(review): the ``else`` before the final echo and the closing
# ``fi``s/``}`` are not visible in this view.
function fix_system_ca_bundle_path {
    if is_service_enabled tls-proxy; then
        local capath
        # Path of the bundle requests would use; empty when requests is not
        # importable (the ImportError is swallowed on purpose)
        capath=$(python3 -c $'try:\n from requests import certs\n print (certs.where())\nexcept ImportError: pass')
        # Only rewrite a real file outside /etc; an existing symlink (e.g.
        # from an earlier run) is left alone
        if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then
            # Replace the bundled file with a link to the distro trust store
            if is_fedora; then
                sudo rm -f $capath
                sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath
            elif is_ubuntu; then
                sudo rm -f $capath
                sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath
            elif is_suse; then
                sudo rm -f $capath
                sudo ln -s /etc/ssl/ca-bundle.pem $capath
            echo "Don't know how to set the CA bundle, expect the install to fail."
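# Only for compatibility: succeeds when the tls-proxy service is enabled.
# Returns: the exit status of ``is_service_enabled tls-proxy`` (0 = enabled)
function is_ssl_enabled_service {
    # ``return`` only accepts a numeric status, so the previous
    # ``return is_service_enabled tls-proxy`` never ran the check and always
    # failed with "numeric argument required". Making the call the last
    # command propagates its status instead.
    is_service_enabled tls-proxy
}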
# Certificate Input Configuration
# ===============================
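# Ensure that the certificates for a service are in place. This function does
# not check that a service is SSL enabled, this should already have been
# completed.
#
# The function expects to find a certificate, key and CA certificate in the
# variables ``{service}_SSL_CERT``, ``{service}_SSL_KEY`` and ``{service}_SSL_CA``. For
# example for keystone this would be ``KEYSTONE_SSL_CERT``, ``KEYSTONE_SSL_KEY`` and
# ``KEYSTONE_SSL_CA``.
#
# If it does not find these certificates then the DevStack-issued server
# certificate, key and CA certificate will be associated with the service.
# If only some of the variables are provided then the function will quit.
#
# Arguments: $1 - service name, i.e. the prefix of the ``*_SSL_*`` variables
# Globals:   INT_CA_DIR, DEVSTACK_CERT_NAME, SSL_BUNDLE_FILE (read);
#            ``{service}_SSL_CERT``/``_SSL_KEY``/``_SSL_CA`` (written when all unset)
# Outputs:   appends an operator-supplied CA certificate to ``SSL_BUNDLE_FILE``
# Returns:   0; dies when only some of the three variables are set
function ensure_certificates {
    local service=$1
    local cert_var="${service}_SSL_CERT"
    local key_var="${service}_SSL_KEY"
    local ca_var="${service}_SSL_CA"
    # Indirect lookup; ``:-`` keeps this safe when the variables are unset
    # and ``set -u`` is in effect
    local cert=${!cert_var:-}
    local key=${!key_var:-}
    local ca=${!ca_var:-}

    if [[ -z "$cert" && -z "$key" && -z "$ca" ]]; then
        # Nothing supplied: fall back to the DevStack-issued server cert
        cert="$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
        key="$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
        ca="$INT_CA_DIR/ca-chain.pem"
        # printf -v assigns through the computed name without ``eval``, so
        # the service name and paths are never re-parsed by the shell
        printf -v "$cert_var" '%s' "$cert"
        printf -v "$key_var" '%s' "$key"
        printf -v "$ca_var" '%s' "$ca"
        return # the CA certificate is already in the bundle
    elif [[ -z "$cert" || -z "$key" || -z "$ca" ]]; then
        die $LINENO "Missing either the ${cert_var} ${key_var} or ${ca_var}" \
            "variable to enable SSL for ${service}"
    fi

    # Operator-supplied CA: add it to the bundle so clients trust the service
    cat "$ca" >> "$SSL_BUNDLE_FILE"
}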
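# Enable the mod_ssl plugin in Apache
# Globals: none read; runs the distro's module-enabling tool via sudo
# Returns: 0 when mod_ssl is (or already was) enabled; dies on Fedora when
#          httpd/apache2ctl does not list ssl_module
function enable_mod_ssl {
    echo "Enabling mod_ssl"
    if is_ubuntu; then
        sudo a2enmod ssl
    elif is_suse; then
        sudo a2enmod ssl
        sudo a2enflag SSL
    elif is_fedora; then
        # Fedora enables mod_ssl by default, so only verify it is loaded.
        # ``command -v`` replaces ``which`` inside backticks; ``|| true``
        # keeps a missing binary on the die path below instead of tripping
        # errexit on the assignment.
        local httpd_bin
        httpd_bin=$(command -v httpd || command -v apache2ctl) || true
        if ! sudo "$httpd_bin" -M | grep -w -q ssl_module; then
            die $LINENO "mod_ssl is not enabled in apache2/httpd, please check for it manually and run stack.sh again"
        fi
    fi
}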
# Proxy Functions
# ===============
# Write a memory-thrifty MPM tuning file for Apache (256 total connections)
# unless one already exists.
# Globals: APACHE_SETTINGS_DIR (read)
# NOTE(review): the closing ``</IfModule>`` lines, the heredoc terminator and
# the ``fi``/``}`` are not visible in this view.
function tune_apache_connections {
    local tuning_file=$APACHE_SETTINGS_DIR/connection-tuning.conf
    # An existing file is never overwritten, so local edits survive re-runs
    if ! [ -f $tuning_file ] ; then
        # The settings directory is root-owned, hence ``sudo bash -c``
        sudo bash -c "cat > $tuning_file" << EOF
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxClients: maximum number of simultaneous client connections
# MaxRequestsPerChild: maximum number of requests a server process serves
# We want to be memory thrifty so tune down apache to allow 256 total
# connections. This should still be plenty for a dev env yet lighter than
# apache defaults.
<IfModule mpm_worker_module>
# Note that the next three conf values must be changed together.
# MaxClients = ServerLimit * ThreadsPerChild
ServerLimit 8
ThreadsPerChild 32
MaxClients 256
StartServers 2
MinSpareThreads 32
MaxSpareThreads 96
ThreadLimit 64
MaxRequestsPerChild 0
<IfModule mpm_event_module>
# Note that the next three conf values must be changed together.
# MaxClients = ServerLimit * ThreadsPerChild
ServerLimit 8
ThreadsPerChild 32
MaxClients 256
StartServers 2
MinSpareThreads 32
MaxSpareThreads 96
ThreadLimit 64
MaxRequestsPerChild 0
# Starts the TLS proxy for the given IP/ports
# start_tls_proxy service-name front-host front-port back-host back-port
#
# Writes an Apache VirtualHost that terminates TLS on front-host:front-port
# and reverse-proxies to http://back-host:back-port, then enables the needed
# modules and the site.
# Arguments: $1 - service name; the site is called ``<name>-tls-proxy``
#            $2 - frontend host (``*`` for all addresses)
#            $3 - frontend port
#            $4 - backend host
#            $5 - backend port
#            $6 - LimitRequestFieldSize (default 8190)
# Globals:   APACHE_LOG_DIR (read)
# NOTE(review): this view drops lines. The ``listen_string`` branch bodies,
# ``</Location>``/``</VirtualHost>``, the heredoc terminator and the closing
# ``fi``/``done``/``}`` are missing, and no SSLCertificateFile /
# SSLCertificateKeyFile directive is visible although ``SSLEngine On`` is set
# -- verify against the full source.
function start_tls_proxy {
    local b_service="$1-tls-proxy"
    local f_host=$2
    local f_port=$3
    local b_host=$4
    local b_port=$5
    # 8190 is the default apache size.
    local f_header_size=${6:-8190}
    local config_file
    config_file=$(apache_site_config_for $b_service)
    local listen_string
    # Default apache configs on ubuntu and centos listen on 80 and 443
    # newer apache seems fine with duplicate listen directive but older
    # apache does not so special case 80 and 443.
    if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
    elif [[ "$f_host" == '*' ]] ; then
    listen_string="Listen $f_port"
    listen_string="Listen $f_host:$f_port"
    # Site config is root-owned, hence ``sudo bash -c``; the heredoc is
    # unquoted so the shell variables above are expanded into it
    sudo bash -c "cat >$config_file" << EOF
<VirtualHost $f_host:$f_port>
SSLEngine On
# Disable KeepAlive to fix bug #1630664 a.k.a the
# ('Connection aborted.', BadStatusLine("''",)) error
KeepAlive Off
# This increase in allowed request header sizes is required
# for swift functional testing to work with tls enabled. It is 2 bytes
# larger than the apache default of 8190.
LimitRequestFieldSize $f_header_size
RequestHeader set X-Forwarded-Proto "https"
# Avoid races (at the cost of performance) to re-use a pooled connection
# where the connection is closed (bug 1807518).
SetEnv proxy-initial-not-pooled
<Location />
ProxyPass http://$b_host:$b_port/ retry=0 nocanon
ProxyPassReverse http://$b_host:$b_port/
ErrorLog $APACHE_LOG_DIR/tls-proxy_error.log
ErrorLogFormat "%{cu}t [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [frontend\ %A] %M% ,\ referer\ %{Referer}i"
LogLevel info
CustomLog $APACHE_LOG_DIR/tls-proxy_access.log combined
    # SUSE needs the SSL flag in addition to the module
    if is_suse ; then
        sudo a2enflag SSL
    # ``headers`` is required for the RequestHeader directive written above
    for mod in headers ssl proxy proxy_http; do
        enable_apache_mod $mod
    enable_apache_site $b_service
# Cleanup Functions
# =================
# Stops the apache service. This should be done only after all services
# using tls configuration are down.
#
# Globals: APACHE_CONF_DIR (read)
# NOTE(review): the ``else`` introducing the non-Ubuntu branch, ``done`` and
# the closing ``fi``/``}`` are not visible in this view.
function stop_tls_proxy {
    # NOTE(jh): Removing all tls-proxy configs is a bit of a hack, but
    # necessary so that we can restart after an unstack. A better
    # solution would be to ensure that each service calling
    # start_tls_proxy will call stop_tls_proxy with the same
    # parameters on shutdown so we can use the disable_apache_site
    # function and remove individual files there.
    if is_ubuntu; then
        # Ubuntu: dropping the sites-enabled links is enough
        sudo rm -f /etc/apache2/sites-enabled/*-tls-proxy.conf
    # Presumably the non-Ubuntu path: rename each generated config out of
    # the way. NOTE(review): without nullglob an unmatched pattern is passed
    # to ``mv`` literally and fails.
    for i in $APACHE_CONF_DIR/*-tls-proxy.conf; do
        sudo mv $i $i.disabled
# Clean up the CA files
# cleanup_CA
#
# Removes the trust-store anchors that init_CA installed and refreshes the
# distro bundle.
# NOTE(review): the closing ``fi``/``}`` are not visible in this view, and no
# SUSE branch is visible although init_CA installs an anchor there too.
function cleanup_CA {
    if is_fedora; then
        sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
        sudo update-ca-trust
    elif is_ubuntu; then
        sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
        sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
        sudo update-ca-certificates
# Tell emacs to use shell-script-mode
## Local variables:
## mode: shell-script
## End: