From 4b49e409f853104dae021dfca1a9342ec9ac4709 Mon Sep 17 00:00:00 2001 From: Gregory Haynes Date: Wed, 31 Aug 2016 18:19:51 -0700 Subject: [PATCH] Use apache for tls-proxy ssl termination Stud is now abandonware (see https://github.com/bumptech/stud) and is not packaged in xenial. Lets use Apache for SSL termination since its there already. Change-Id: Ifcba410f5969521e8b3d30f02795541c1661f83a --- files/debs/tls-proxy | 2 +- functions-common | 10 ++++++ lib/apache | 31 +++++++++++++++--- lib/cinder | 4 +-- lib/glance | 4 +-- lib/keystone | 4 +-- lib/neutron | 2 +- lib/neutron-legacy | 2 +- lib/nova | 2 +- lib/swift | 2 +- lib/tls | 76 +++++++++++++++++++++++++++++++------------- stack.sh | 1 + 12 files changed, 102 insertions(+), 38 deletions(-) diff --git a/files/debs/tls-proxy b/files/debs/tls-proxy index dce9c07d3f..5bd8e213a2 100644 --- a/files/debs/tls-proxy +++ b/files/debs/tls-proxy @@ -1 +1 @@ -stud +apache2 diff --git a/functions-common b/functions-common index 1a4a8f8eea..4716567be3 100644 --- a/functions-common +++ b/functions-common @@ -2304,6 +2304,16 @@ function stop_service { fi } +# Service wrapper to stop services +# reload_service service-name +function reload_service { + if [ -x /bin/systemctl ]; then + sudo /bin/systemctl reload $1 + else + sudo service $1 reload + fi +} + # Test with a finite retry loop. # function test_with_retry { diff --git a/lib/apache b/lib/apache index 2c84c7a481..740f58835e 100644 --- a/lib/apache +++ b/lib/apache 
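Review bot: The header comment on the new `reload_service` wrapper is copied from `stop_service` and says the opposite of what the function does; it should read `# Service wrapper to reload services`. The service name is also expanded unquoted in both branches (`sudo /bin/systemctl reload $1`), so an empty argument degenerates into a bare `systemctl reload` with an unhelpful error; `"$1"` matches the quoting a shell reviewer would expect. Since this wrapper now sits on the critical path of `start_tls_proxy`, it is worth one sentence in the comment noting that a failed reload propagates to the caller (presumably aborting stack.sh under errexit) rather than being swallowed.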
@@ -42,24 +42,40 @@ fi # Functions # --------- + +# Enable apache mod and restart apache if it isn't already enabled. +function enable_apache_mod { + local mod=$1 + # Apache installation, because we mark it NOPRIME + if is_ubuntu || is_suse ; then + if ! a2query -m $mod ; then + sudo a2enmod $mod + restart_apache_server + fi + elif is_fedora; then + # pass + true + else + exit_distro_not_supported "apache enable mod" + fi +} + # install_apache_wsgi() - Install Apache server and wsgi module function install_apache_wsgi { # Apache installation, because we mark it NOPRIME if is_ubuntu; then # Install apache2, which is NOPRIME'd install_package apache2 libapache2-mod-wsgi - # WSGI isn't enabled by default, enable it - sudo a2enmod wsgi elif is_fedora; then sudo rm -f /etc/httpd/conf.d/000-* install_package httpd mod_wsgi elif is_suse; then install_package apache2 apache2-mod_wsgi - # WSGI isn't enabled by default, enable it - sudo a2enmod wsgi else - exit_distro_not_supported "apache installation" + exit_distro_not_supported "apache wsgi installation" fi + # WSGI isn't enabled by default, enable it + enable_apache_mod wsgi # ensure mod_version enabled for . This is # built-in statically on anything recent, but precise (2.2) @@ -192,6 +208,11 @@ function restart_apache_server { time_stop "restart_apache_server" } +# reload_apache_server +function reload_apache_server { + reload_service $APACHE_NAME +} + # Restore xtrace $_XTRACE_LIB_APACHE diff --git a/lib/cinder b/lib/cinder index a87f395c8e..0fe950b6c2 100644 --- a/lib/cinder +++ b/lib/cinder 
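Review bot: `enable_apache_mod` calls `restart_apache_server` every time a module is newly enabled, yet the comment added to `start_tls_proxy` in lib/tls says a restart reliably fails on trusty and centos7 because the old process still holds port 80; on the first tls-proxy call `ssl`, `proxy` and `proxy_http` are plausibly all unenabled, so that restart path is taken up to three times immediately before the reload the comment relies on. If a restart really is required after `a2enmod`, say so and restart once after the loop in the caller instead of per module; if it is not, `reload_apache_server` here would be consistent with the rest of the change. The Fedora branch is a silent `true`; a reason such as `# httpd on Fedora loads modules from its conf.modules.d drop-ins, nothing to enable` (confirm that is the actual reason) tells the next reader it is deliberate rather than unfinished. `a2query -m $mod` also writes its verdict to stdout; `a2query -q -m "$mod"` keeps the log clean where `-q` is supported.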
@@ -305,8 +305,8 @@ function configure_cinder { if is_service_enabled tls-proxy; then # Set the service port for a proxy to take the original iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT - iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT + iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT fi if [ "$SYSLOG" != "False" ]; then @@ -534,7 +534,7 @@ function start_cinder { # Start proxies if enabled if is_service_enabled c-api && is_service_enabled tls-proxy; then - start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT & + start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT fi } diff --git a/lib/glance b/lib/glance index 8d95aad73f..a31e564104 100644 --- a/lib/glance +++ b/lib/glance @@ -383,8 +383,8 @@ function install_glance { function start_glance { local service_protocol=$GLANCE_SERVICE_PROTOCOL if is_service_enabled tls-proxy; then - start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT & - start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT & + start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT + start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT fi run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf" diff --git a/lib/keystone b/lib/keystone index 6198e43b58..f52cc3fb4b 100644 --- a/lib/keystone +++ b/lib/keystone 
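Review bot: The first hunk swaps the cinder option `public_endpoint` for `osapi_volume_base_URL` while keeping the same value, which is a cinder configuration change unrelated to the stud-to-Apache move and not mentioned in the commit message; I cannot tell from the hunk whether the old key was ignored or merely renamed. A one-line comment above the `iniset`, e.g. `# osapi_volume_base_URL is the option cinder uses to build externally visible URLs behind the proxy; public_endpoint is not sufficient here` (with the real reason), would stop a later reader from reverting it as a typo. If the generated Apache vhost forwards no X-Forwarded-* headers, this is also the only way the backend learns its public https URL, which is worth stating where the value is set.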
@@ -609,8 +609,8 @@ function start_keystone { # Start proxies if enabled if is_service_enabled tls-proxy; then - start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT & - start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT & + start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT + start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT fi # (re)start memcached to make sure we have a clean memcache. diff --git a/lib/neutron b/lib/neutron index c1552e3d06..e37701879d 100644 --- a/lib/neutron +++ b/lib/neutron @@ -409,7 +409,7 @@ function start_neutron_api { # Start proxy if enabled if is_service_enabled tls-proxy; then - start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT & + start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT fi } diff --git a/lib/neutron-legacy b/lib/neutron-legacy index b1b5230fdd..18100994f3 100644 --- a/lib/neutron-legacy +++ b/lib/neutron-legacy @@ -460,7 +460,7 @@ function start_neutron_service_and_check { # Start proxy if enabled if is_service_enabled tls-proxy; then - start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT & + start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT fi } diff --git a/lib/nova b/lib/nova index 235b533d77..8970a7c693 100644 --- a/lib/nova +++ b/lib/nova @@ -800,7 +800,7 @@ function start_nova_api { # Start proxies if enabled if is_service_enabled tls-proxy; then - start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & + start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT fi export PATH=$old_path diff --git a/lib/swift b/lib/swift index 0c74411a9c..f9ea028cea 100644 --- a/lib/swift +++ b/lib/swift 
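Review bot: Both lib/neutron and lib/neutron-legacy now register their proxy under the same site name, `neutron`, which `start_tls_proxy` turns into a single `neutron-tls-proxy` Apache site; if the two libs can ever be active in one run the second call silently overwrites the first vhost file. They are presumably mutually exclusive, but a comment at the call site, `# site name shared with lib/neutron: the two neutron libs are never enabled together`, makes that dependency explicit. Each of these calls also now performs a synchronous Apache reload, so keystone's two back-to-back calls reload twice; harmless, but worth a note if reload time becomes visible in stack.sh runs.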
@@ -806,7 +806,7 @@ function start_swift { done if is_service_enabled tls-proxy; then local proxy_port=${SWIFT_DEFAULT_BIND_PORT} - start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT & + start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT fi run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v" if [[ ${SWIFT_REPLICAS} == 1 ]]; then diff --git a/lib/tls b/lib/tls index ca57ed44e0..2c4e18d388 100644 --- a/lib/tls +++ b/lib/tls @@ -16,7 +16,6 @@ # # - configure_CA # - init_CA -# - cleanup_CA # - configure_proxy # - start_tls_proxy @@ -221,19 +220,6 @@ function init_CA { fi } -# Clean up the CA files -# cleanup_CA -function cleanup_CA { - if is_fedora; then - sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem - sudo update-ca-trust - elif is_ubuntu; then - sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt - sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt - sudo update-ca-certificates - fi -} - # Create an initial server cert # init_cert function init_cert { 
@@ -455,26 +441,72 @@ function enable_mod_ssl { # Starts the TLS proxy for the given IP/ports # start_tls_proxy front-host front-port back-host back-port function start_tls_proxy { - local f_host=$1 - local f_port=$2 - local b_host=$3 - local b_port=$4 + local b_service="$1-tls-proxy" + local f_host=$2 + local f_port=$3 + local b_host=$4 + local b_port=$5 - stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null + local config_file + config_file=$(apache_site_config_for $b_service) + local listen_string + # Default apache configs on ubuntu and centos listen on 80 and 443 + # newer apache seems fine with duplicate listen directive but older + # apache does not so special case 80 and 443. + if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then + listen_string="" + elif [[ "$f_host" == '*' ]] ; then + listen_string="Listen $f_port" + else + listen_string="Listen $f_host:$f_port" + fi + sudo bash -c "cat >$config_file" << EOF +$listen_string + + + SSLEngine On + SSLCertificateFile $DEVSTACK_CERT + + + ProxyPass http://$b_host:$b_port/ retry=5 nocanon + ProxyPassReverse http://$b_host:$b_port/ + + +EOF + for mod in ssl proxy proxy_http; do + enable_apache_mod $mod + done + enable_apache_site $b_service + # Only a reload is required to pull in new vhosts + # Note that a restart reliably fails on centos7 and trusty + # because apache can't open port 80 because the old apache + # still has it open. Using reload fixes trusty but centos7 + # still doesn't work. + reload_apache_server } # Cleanup Functions # ================= -# Stops all stud processes. This should be done only after all services +# Stops the apache service. This should be done only after all services # using tls configuration are down. 
function stop_tls_proxy { - killall stud + stop_apache_server } -# Remove CA along with configuration, as well as the local server certificate +# Clean up the CA files +# cleanup_CA function cleanup_CA { + if is_fedora; then + sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem + sudo update-ca-trust + elif is_ubuntu; then + sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt + sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt + sudo update-ca-certificates + fi + rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT" } diff --git a/stack.sh b/stack.sh index 09466a6894..119ca8561b 100755 --- a/stack.sh +++ b/stack.sh @@ -1052,6 +1052,7 @@ EOF if is_service_enabled tls-proxy; then echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early + start_tls_proxy http-services '*' 443 $SERVICE_HOST 80 fi source $TOP_DIR/userrc_early
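Review bot: The generated vhost enables TLS with `SSLEngine On` and `SSLCertificateFile $DEVSTACK_CERT` only, so the protocol and cipher floor now comes from the distro's mod_ssl defaults, while the removed stud command line passed `$STUD_PROTO`; that variable is consulted nowhere in this hunk, so any deployment that used it to pin the protocol loses that control silently. Adding `SSLProtocol all -SSLv2 -SSLv3` (optionally with `SSLHonorCipherOrder on` and an explicit `SSLCipherSuite`) inside the vhost block keeps the floor independent of `ssl.conf`. Separately, the moved `cleanup_CA` ends with `rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"`, which becomes `rm -rf /CA` if `DATA_DIR` is unset; `rm -rf -- "${DATA_DIR:?}/CA" "$DEVSTACK_CERT"` fails loudly instead. `$config_file` is also interpolated unquoted into the `sudo bash -c "cat >$config_file"` string. Both `start_tls_proxy` and `cleanup_CA` are complete within the hunk.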
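Review bot: The new `start_tls_proxy http-services '*' 443 $SERVICE_HOST 80` line fronts whatever Apache serves on port 80 with TLS, but nothing here changes the port-80 listener itself, so enabling `tls-proxy` adds an encrypted entry point without removing the cleartext one. If that is the intended model, a comment above the call, `# 443 -> 80 proxy for the Apache-hosted services; port 80 itself stays reachable`, keeps a reader from assuming TLS is enforced. `$SERVICE_HOST` also ends up unquoted in `http://$b_host:$b_port/`, which needs brackets for an IPv6 literal, if devstack allows one there. This sits in stack.sh's top-level flow, which continues outside the hunk.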