From 4b49e409f853104dae021dfca1a9342ec9ac4709 Mon Sep 17 00:00:00 2001
From: Gregory Haynes <greg@greghaynes.net>
Date: Wed, 31 Aug 2016 18:19:51 -0700
Subject: [PATCH] Use apache for tls-proxy ssl termination

Stud is now abandonware (see https://github.com/bumptech/stud) and is
not packaged in xenial. Lets use Apache for SSL termination since its
there already.

Change-Id: Ifcba410f5969521e8b3d30f02795541c1661f83a
---
 files/debs/tls-proxy |  2 +-
 functions-common     | 10 ++++++
 lib/apache           | 31 +++++++++++++++---
 lib/cinder           |  4 +--
 lib/glance           |  4 +--
 lib/keystone         |  4 +--
 lib/neutron          |  2 +-
 lib/neutron-legacy   |  2 +-
 lib/nova             |  2 +-
 lib/swift            |  2 +-
 lib/tls              | 76 +++++++++++++++++++++++++++++++-------------
 stack.sh             |  1 +
 12 files changed, 102 insertions(+), 38 deletions(-)

diff --git a/files/debs/tls-proxy b/files/debs/tls-proxy
index dce9c07d3f..5bd8e213a2 100644
--- a/files/debs/tls-proxy
+++ b/files/debs/tls-proxy
@@ -1 +1 @@
-stud
+apache2
diff --git a/functions-common b/functions-common
index 1a4a8f8eea..4716567be3 100644
--- a/functions-common
+++ b/functions-common
@@ -2304,6 +2304,16 @@ function stop_service {
     fi
 }
 
+# Service wrapper to stop services
+# reload_service service-name
+function reload_service {
+    if [ -x /bin/systemctl ]; then
+        sudo /bin/systemctl reload $1
+    else
+        sudo service $1 reload
+    fi
+}
+
 # Test with a finite retry loop.
 #
 function test_with_retry {
diff --git a/lib/apache b/lib/apache
index 2c84c7a481..740f58835e 100644
--- a/lib/apache
+++ b/lib/apache
@@ -42,24 +42,40 @@ fi
 
 # Functions
 # ---------
+
+# Enable apache mod and restart apache if it isn't already enabled.
+function enable_apache_mod {
+    local mod=$1
+    # Apache installation, because we mark it NOPRIME
+    if is_ubuntu || is_suse ; then
+        if ! a2query -m $mod ; then
+            sudo a2enmod $mod
+            restart_apache_server
+        fi
+    elif is_fedora; then
+        # pass
+        true
+    else
+        exit_distro_not_supported "apache enable mod"
+    fi
+}
+
 # install_apache_wsgi() - Install Apache server and wsgi module
 function install_apache_wsgi {
     # Apache installation, because we mark it NOPRIME
     if is_ubuntu; then
         # Install apache2, which is NOPRIME'd
         install_package apache2 libapache2-mod-wsgi
-        # WSGI isn't enabled by default, enable it
-        sudo a2enmod wsgi
     elif is_fedora; then
         sudo rm -f /etc/httpd/conf.d/000-*
         install_package httpd mod_wsgi
     elif is_suse; then
         install_package apache2 apache2-mod_wsgi
-        # WSGI isn't enabled by default, enable it
-        sudo a2enmod wsgi
     else
-        exit_distro_not_supported "apache installation"
+        exit_distro_not_supported "apache wsgi installation"
     fi
+    # WSGI isn't enabled by default, enable it
+    enable_apache_mod wsgi
 
     # ensure mod_version enabled for <IfVersion ...>.  This is
     # built-in statically on anything recent, but precise (2.2)
@@ -192,6 +208,11 @@ function restart_apache_server {
     time_stop "restart_apache_server"
 }
 
+# reload_apache_server
+function reload_apache_server {
+    reload_service $APACHE_NAME
+}
+
 # Restore xtrace
 $_XTRACE_LIB_APACHE
 
diff --git a/lib/cinder b/lib/cinder
index a87f395c8e..0fe950b6c2 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -305,8 +305,8 @@ function configure_cinder {
     if is_service_enabled tls-proxy; then
         # Set the service port for a proxy to take the original
         iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
-
         iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
+        iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
     fi
 
     if [ "$SYSLOG" != "False" ]; then
@@ -534,7 +534,7 @@ function start_cinder {
 
     # Start proxies if enabled
     if is_service_enabled c-api && is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT &
+        start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT
     fi
 }
 
diff --git a/lib/glance b/lib/glance
index 8d95aad73f..a31e564104 100644
--- a/lib/glance
+++ b/lib/glance
@@ -383,8 +383,8 @@ function install_glance {
 function start_glance {
     local service_protocol=$GLANCE_SERVICE_PROTOCOL
     if is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT &
-        start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT &
+        start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT
+        start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT
     fi
 
     run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"
diff --git a/lib/keystone b/lib/keystone
index 6198e43b58..f52cc3fb4b 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -609,8 +609,8 @@ function start_keystone {
 
     # Start proxies if enabled
     if is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
-        start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
+        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
     fi
 
     # (re)start memcached to make sure we have a clean memcache.
diff --git a/lib/neutron b/lib/neutron
index c1552e3d06..e37701879d 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -409,7 +409,7 @@ function start_neutron_api {
 
     # Start proxy if enabled
     if is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT &
+        start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
     fi
 }
 
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index b1b5230fdd..18100994f3 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -460,7 +460,7 @@ function start_neutron_service_and_check {
 
     # Start proxy if enabled
     if is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT &
+        start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
     fi
 }
 
diff --git a/lib/nova b/lib/nova
index 235b533d77..8970a7c693 100644
--- a/lib/nova
+++ b/lib/nova
@@ -800,7 +800,7 @@ function start_nova_api {
 
     # Start proxies if enabled
     if is_service_enabled tls-proxy; then
-        start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
+        start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT
     fi
 
     export PATH=$old_path
diff --git a/lib/swift b/lib/swift
index 0c74411a9c..f9ea028cea 100644
--- a/lib/swift
+++ b/lib/swift
@@ -806,7 +806,7 @@ function start_swift {
     done
     if is_service_enabled tls-proxy; then
         local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
-        start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT &
+        start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
     fi
     run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
     if [[ ${SWIFT_REPLICAS} == 1 ]]; then
diff --git a/lib/tls b/lib/tls
index ca57ed44e0..2c4e18d388 100644
--- a/lib/tls
+++ b/lib/tls
@@ -16,7 +16,6 @@
 #
 # - configure_CA
 # - init_CA
-# - cleanup_CA
 
 # - configure_proxy
 # - start_tls_proxy
@@ -221,19 +220,6 @@ function init_CA {
     fi
 }
 
-# Clean up the CA files
-# cleanup_CA
-function cleanup_CA {
-    if is_fedora; then
-        sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
-        sudo update-ca-trust
-    elif is_ubuntu; then
-        sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
-        sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
-        sudo update-ca-certificates
-    fi
-}
-
 # Create an initial server cert
 # init_cert
 function init_cert {
@@ -455,26 +441,72 @@ function enable_mod_ssl {
 # Starts the TLS proxy for the given IP/ports
 # start_tls_proxy front-host front-port back-host back-port
 function start_tls_proxy {
-    local f_host=$1
-    local f_port=$2
-    local b_host=$3
-    local b_port=$4
+    local b_service="$1-tls-proxy"
+    local f_host=$2
+    local f_port=$3
+    local b_host=$4
+    local b_port=$5
 
-    stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
+    local config_file
+    config_file=$(apache_site_config_for $b_service)
+    local listen_string
+    # Default apache configs on ubuntu and centos listen on 80 and 443
+    # newer apache seems fine with duplicate listen directive but older
+    # apache does not so special case 80 and 443.
+    if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
+        listen_string=""
+    elif [[ "$f_host" == '*' ]] ; then
+        listen_string="Listen $f_port"
+    else
+        listen_string="Listen $f_host:$f_port"
+    fi
+    sudo bash -c "cat >$config_file" << EOF
+$listen_string
+
+<VirtualHost $f_host:$f_port>
+    SSLEngine On
+    SSLCertificateFile $DEVSTACK_CERT
+
+    <Location />
+        ProxyPass http://$b_host:$b_port/ retry=5 nocanon
+        ProxyPassReverse http://$b_host:$b_port/
+    </Location>
+</VirtualHost>
+EOF
+    for mod in ssl proxy proxy_http; do
+        enable_apache_mod $mod
+    done
+    enable_apache_site $b_service
+    # Only a reload is required to pull in new vhosts
+    # Note that a restart reliably fails on centos7 and trusty
+    # because apache can't open port 80 because the old apache
+    # still has it open. Using reload fixes trusty but centos7
+    # still doesn't work.
+    reload_apache_server
 }
 
 
 # Cleanup Functions
 # =================
 
-# Stops all stud processes. This should be done only after all services
+# Stops the apache service. This should be done only after all services
 # using tls configuration are down.
 function stop_tls_proxy {
-    killall stud
+    stop_apache_server
 }
 
-# Remove CA along with configuration, as well as the local server certificate
+# Clean up the CA files
+# cleanup_CA
 function cleanup_CA {
+    if is_fedora; then
+        sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
+        sudo update-ca-trust
+    elif is_ubuntu; then
+        sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
+        sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
+        sudo update-ca-certificates
+    fi
+
     rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
 }
 
diff --git a/stack.sh b/stack.sh
index 09466a6894..119ca8561b 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1052,6 +1052,7 @@ EOF
 
     if is_service_enabled tls-proxy; then
         echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+        start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
     fi
 
     source $TOP_DIR/userrc_early