Use apache for tls-proxy ssl termination

Stud is now abandonware (see https://github.com/bumptech/stud) and is
not packaged in xenial. Lets use Apache for SSL termination since its
there already.

Change-Id: Ifcba410f5969521e8b3d30f02795541c1661f83a
This commit is contained in:
Gregory Haynes 2016-08-31 18:19:51 -07:00 committed by Clark Boylan
parent fb1e1cc7e3
commit 4b49e409f8
12 changed files with 102 additions and 38 deletions

View File

@ -1 +1 @@
stud apache2

View File

@ -2304,6 +2304,16 @@ function stop_service {
fi fi
} }
# Service wrapper to stop services
# reload_service service-name
function reload_service {
if [ -x /bin/systemctl ]; then
sudo /bin/systemctl reload $1
else
sudo service $1 reload
fi
}
# Test with a finite retry loop. # Test with a finite retry loop.
# #
function test_with_retry { function test_with_retry {

View File

@ -42,24 +42,40 @@ fi
# Functions # Functions
# --------- # ---------
# Enable apache mod and restart apache if it isn't already enabled.
function enable_apache_mod {
local mod=$1
# Apache installation, because we mark it NOPRIME
if is_ubuntu || is_suse ; then
if ! a2query -m $mod ; then
sudo a2enmod $mod
restart_apache_server
fi
elif is_fedora; then
# pass
true
else
exit_distro_not_supported "apache enable mod"
fi
}
# install_apache_wsgi() - Install Apache server and wsgi module # install_apache_wsgi() - Install Apache server and wsgi module
function install_apache_wsgi { function install_apache_wsgi {
# Apache installation, because we mark it NOPRIME # Apache installation, because we mark it NOPRIME
if is_ubuntu; then if is_ubuntu; then
# Install apache2, which is NOPRIME'd # Install apache2, which is NOPRIME'd
install_package apache2 libapache2-mod-wsgi install_package apache2 libapache2-mod-wsgi
# WSGI isn't enabled by default, enable it
sudo a2enmod wsgi
elif is_fedora; then elif is_fedora; then
sudo rm -f /etc/httpd/conf.d/000-* sudo rm -f /etc/httpd/conf.d/000-*
install_package httpd mod_wsgi install_package httpd mod_wsgi
elif is_suse; then elif is_suse; then
install_package apache2 apache2-mod_wsgi install_package apache2 apache2-mod_wsgi
# WSGI isn't enabled by default, enable it
sudo a2enmod wsgi
else else
exit_distro_not_supported "apache installation" exit_distro_not_supported "apache wsgi installation"
fi fi
# WSGI isn't enabled by default, enable it
enable_apache_mod wsgi
# ensure mod_version enabled for <IfVersion ...>. This is # ensure mod_version enabled for <IfVersion ...>. This is
# built-in statically on anything recent, but precise (2.2) # built-in statically on anything recent, but precise (2.2)
@ -192,6 +208,11 @@ function restart_apache_server {
time_stop "restart_apache_server" time_stop "restart_apache_server"
} }
# reload_apache_server
function reload_apache_server {
reload_service $APACHE_NAME
}
# Restore xtrace # Restore xtrace
$_XTRACE_LIB_APACHE $_XTRACE_LIB_APACHE

View File

@ -305,8 +305,8 @@ function configure_cinder {
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
# Set the service port for a proxy to take the original # Set the service port for a proxy to take the original
iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
fi fi
if [ "$SYSLOG" != "False" ]; then if [ "$SYSLOG" != "False" ]; then
@ -534,7 +534,7 @@ function start_cinder {
# Start proxies if enabled # Start proxies if enabled
if is_service_enabled c-api && is_service_enabled tls-proxy; then if is_service_enabled c-api && is_service_enabled tls-proxy; then
start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT & start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT
fi fi
} }

View File

@ -383,8 +383,8 @@ function install_glance {
function start_glance { function start_glance {
local service_protocol=$GLANCE_SERVICE_PROTOCOL local service_protocol=$GLANCE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT & start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT
start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT & start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT
fi fi
run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf" run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"

View File

@ -609,8 +609,8 @@ function start_keystone {
# Start proxies if enabled # Start proxies if enabled
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT & start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT & start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi fi
# (re)start memcached to make sure we have a clean memcache. # (re)start memcached to make sure we have a clean memcache.

View File

@ -409,7 +409,7 @@ function start_neutron_api {
# Start proxy if enabled # Start proxy if enabled
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT & start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
fi fi
} }

View File

@ -460,7 +460,7 @@ function start_neutron_service_and_check {
# Start proxy if enabled # Start proxy if enabled
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT & start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
fi fi
} }

View File

@ -800,7 +800,7 @@ function start_nova_api {
# Start proxies if enabled # Start proxies if enabled
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT & start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT
fi fi
export PATH=$old_path export PATH=$old_path

View File

@ -806,7 +806,7 @@ function start_swift {
done done
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
local proxy_port=${SWIFT_DEFAULT_BIND_PORT} local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT & start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
fi fi
run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v" run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
if [[ ${SWIFT_REPLICAS} == 1 ]]; then if [[ ${SWIFT_REPLICAS} == 1 ]]; then

76
lib/tls
View File

@ -16,7 +16,6 @@
# #
# - configure_CA # - configure_CA
# - init_CA # - init_CA
# - cleanup_CA
# - configure_proxy # - configure_proxy
# - start_tls_proxy # - start_tls_proxy
@ -221,19 +220,6 @@ function init_CA {
fi fi
} }
# Clean up the CA files
# cleanup_CA
function cleanup_CA {
if is_fedora; then
sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
sudo update-ca-trust
elif is_ubuntu; then
sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
sudo update-ca-certificates
fi
}
# Create an initial server cert # Create an initial server cert
# init_cert # init_cert
function init_cert { function init_cert {
@ -455,26 +441,72 @@ function enable_mod_ssl {
# Starts the TLS proxy for the given IP/ports # Starts the TLS proxy for the given IP/ports
# start_tls_proxy front-host front-port back-host back-port # start_tls_proxy front-host front-port back-host back-port
function start_tls_proxy { function start_tls_proxy {
local f_host=$1 local b_service="$1-tls-proxy"
local f_port=$2 local f_host=$2
local b_host=$3 local f_port=$3
local b_port=$4 local b_host=$4
local b_port=$5
stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null local config_file
config_file=$(apache_site_config_for $b_service)
local listen_string
# Default apache configs on ubuntu and centos listen on 80 and 443
# newer apache seems fine with duplicate listen directive but older
# apache does not so special case 80 and 443.
if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
listen_string=""
elif [[ "$f_host" == '*' ]] ; then
listen_string="Listen $f_port"
else
listen_string="Listen $f_host:$f_port"
fi
sudo bash -c "cat >$config_file" << EOF
$listen_string
<VirtualHost $f_host:$f_port>
SSLEngine On
SSLCertificateFile $DEVSTACK_CERT
<Location />
ProxyPass http://$b_host:$b_port/ retry=5 nocanon
ProxyPassReverse http://$b_host:$b_port/
</Location>
</VirtualHost>
EOF
for mod in ssl proxy proxy_http; do
enable_apache_mod $mod
done
enable_apache_site $b_service
# Only a reload is required to pull in new vhosts
# Note that a restart reliably fails on centos7 and trusty
# because apache can't open port 80 because the old apache
# still has it open. Using reload fixes trusty but centos7
# still doesn't work.
reload_apache_server
} }
# Cleanup Functions # Cleanup Functions
# ================= # =================
# Stops all stud processes. This should be done only after all services # Stops the apache service. This should be done only after all services
# using tls configuration are down. # using tls configuration are down.
function stop_tls_proxy { function stop_tls_proxy {
killall stud stop_apache_server
} }
# Remove CA along with configuration, as well as the local server certificate # Clean up the CA files
# cleanup_CA
function cleanup_CA { function cleanup_CA {
if is_fedora; then
sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
sudo update-ca-trust
elif is_ubuntu; then
sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
sudo update-ca-certificates
fi
rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT" rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
} }

View File

@ -1052,6 +1052,7 @@ EOF
if is_service_enabled tls-proxy; then if is_service_enabled tls-proxy; then
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi fi
source $TOP_DIR/userrc_early source $TOP_DIR/userrc_early