[Erp5-report] r41423 luke - in /erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache:...



Author: luke
Date: Tue Dec 14 16:26:58 2010
New Revision: 41423

URL: http://svn.erp5.org?rev=41423&view=rev
Log:
 - use only SSL and generate certificate if it does not exist

Added:
    erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in
Modified:
    erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py
    erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in

Modified: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py?rev=41423&r1=41422&r2=41423&view=diff
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py [utf8] (original)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py [utf8] Tue Dec 14 16:26:58 2010
@@ -15,8 +15,45 @@
 
 import os
 import pkg_resources
+import subprocess
+import zc.buildout
 
 class Apache:
+  def _checkSsl(self):
+    if 'ssl_certificate' in self.options and 'ssl_key' in self.options:
+      # nothing to do, static configuration
+      return
+    key_directory = os.path.join(self.options['var_directory'],
+      self.name+'-ssl')
+    if not os.path.exists(key_directory):
+      os.makedirs(key_directory, 0700)
+    openssl_configuration = os.path.join(key_directory, 'openssl.cnf')
+    request_file = os.path.join(key_directory, 'request.pem')
+    self.options['ssl_key'] = os.path.join(key_directory, 'key.pem')
+    self.options['ssl_certificate'] = os.path.join(key_directory, 'cert.pem')
+    if not(os.path.exists(self.options['ssl_key']) and os.path.exists(
+        self.options['ssl_certificate'])):
+      # certificate does not exists yet, generate
+      openssl_binary = self.options.get('openssl_binary', 'openssl')
+      open(openssl_configuration, 'w').write(pkg_resources.resource_string(
+        __name__, 'templates/openssl.cnf.in') % self.options)
+      try:
+        assert subprocess.call([openssl_binary, 'genrsa', '-out',
+          self.options['ssl_key'], '1024']) == 0
+        assert subprocess.call([openssl_binary, 'req', '-batch', '-new',
+          '-key', self.options['ssl_key'], '-out', request_file, '-config',
+          openssl_configuration]) == 0
+        assert subprocess.call([openssl_binary, 'x509', '-req', '-days',
+          '365', '-in', request_file, '-signkey', self.options['ssl_key'],
+          '-out', self.options['ssl_certificate']]) == 0
+      except AssertionError:
+        for path in [openssl_configuration, request_file,
+            self.options['ssl_key'], self.options['ssl_certificate']]:
+          if os.path.exists(path):
+            os.unlink(path)
+          raise zc.buildout.UserError("Error during generating self signed "
+            "certificate.")
+
   def __init__(self, buildout, name, options):
     self.buildout, self.name, self.options = buildout, name, options
     self.options['location'] = self.options.get('location',
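Review bot: In the `except AssertionError:` branch the `raise zc.buildout.UserError(...)` is indented inside the `for path in [...]` loop, so only the first path (`openssl.cnf`) is unlinked before the exception propagates and a partially written `key.pem`, `request.pem` or `cert.pem` is left in the 0700 directory; if a partial `cert.pem` survives, the `os.path.exists` check on the next run would treat the pair as complete and skip regeneration. Dedent the `raise` to loop level, and replace the `assert subprocess.call(...) == 0` guards with `subprocess.check_call(...)`, since `assert` statements are removed under `python -O` and a failed openssl step would then pass silently. The RSA size `'1024'` is hard-coded in the `genrsa` call; 1024-bit RSA is below the 2048-bit minimum generally recommended for new keys, so take it from an option with a stronger default. `open(openssl_configuration, 'w').write(...)` also never closes the handle explicitly. The `__init__` that follows continues past the hunk.
```python
      key_size = self.options.get('ssl_key_size', '2048')
      try:
        subprocess.check_call([openssl_binary, 'genrsa', '-out',
          self.options['ssl_key'], key_size])
        subprocess.check_call([openssl_binary, 'req', '-batch', '-new',
          '-key', self.options['ssl_key'], '-out', request_file, '-config',
          openssl_configuration])
        subprocess.check_call([openssl_binary, 'x509', '-req', '-days',
          '365', '-in', request_file, '-signkey', self.options['ssl_key'],
          '-out', self.options['ssl_certificate']])
      except subprocess.CalledProcessError:
        for path in [openssl_configuration, request_file,
            self.options['ssl_key'], self.options['ssl_certificate']]:
          if os.path.exists(path):
            os.unlink(path)
        raise zc.buildout.UserError("Error during generating self signed "
          "certificate.")
```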
@@ -54,24 +91,15 @@ class Apache:
     self.options['regex_server_name'] = '^' + self.options[
       'server_name'].replace('.', '\\.') + '$'
 
-    self.options['protocol'] = self.options.get('protocol', 'http').strip()
-    if self.options['protocol'] == 'https':
-      self.options['ssl_state'] = 'on'
-      for k in 'ssl_certificate', 'ssl_key':
-        self.options[k] = self.options[k].strip()
-    else:
-      self.options['ssl_state'] = 'off'
-      for k in 'ssl_certificate', 'ssl_key':
-        self.options[k] = self.options.get(k, '').strip()
-
     for k in 'ip', 'port':
       self.options[k] = self.options[k].strip()
 
   def install(self):
-    for d in [self.options['conf_directory'], self.options['log_directory'],
-        self.options['run_directory']]:
+    for d in [self.options['conf_directory'], self.options['var_directory'],
+        self.options['log_directory'], self.options['run_directory']]:
       if not os.path.exists(d):
         os.makedirs(d, 0750)
+    self._checkSsl()
 
   # by default update is same as install
   update = install
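Review bot: The `.strip()` that the removed lines applied to a user-supplied `ssl_certificate`/`ssl_key` is not replaced anywhere: `_checkSsl` returns early when both options are present without normalizing them, while `ip` and `port` are still stripped just above. A buildout value written on its own line carries leading whitespace, so the path substituted into `SSLCertificateFile`/`SSLCertificateKeyFile` can be wrong. Normalize at the early return, e.g. `for k in 'ssl_certificate', 'ssl_key': self.options[k] = self.options[k].strip()`, and consider raising `zc.buildout.UserError` when either file does not exist rather than letting httpd fail at start. The body of `__init__` begins outside this hunk.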

Added: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in?rev=41423&view=auto
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in (added)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in [utf8] Tue Dec 14 16:26:58 2010
@@ -0,0 +1,96 @@
+####################################################################
+[ req ]
+default_bits		= 1024
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= XX
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Somewhere
+
+localityName			= Locality Name (eg, city)
+
+0.organizationName		= Organization Name (eg, company)
+0.organizationName_default	= erp5.recipe.apache autogeneration
+
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organization Unit Name
+organizationalUnitName_default	= Unknown
+
+commonName			= Common Name
+commonName_default	= %(server_name)s
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
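Review bot: The `[ v3_ca ]` profile marks the generated server certificate as a CA (`basicConstraints = CA:true`), which is the wrong shape for an end-entity TLS certificate; a self-signed server cert should carry `CA:FALSE`, a server `keyUsage`/`extendedKeyUsage`, and a `subjectAltName` for `%(server_name)s` so clients can match the host without relying on the CN. Note also that `x509_extensions` in `[ req ]` is honoured by `openssl req -x509`, whereas the `openssl x509 -req -signkey` step in `_checkSsl` (`__init__.py`) is not given `-extfile`/`-extensions`, so as far as I can tell these extensions are never applied to `cert.pem` — worth verifying on a generated certificate. `default_bits = 1024` is likewise below the commonly recommended 2048-bit minimum, although the actual key size is fixed by the `genrsa` call rather than by this file.
```ini
[ v3_ca ]
# … unchanged: subjectKeyIdentifier / authorityKeyIdentifier …
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:%(server_name)s
```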

Modified: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in?rev=41423&r1=41422&r2=41423&view=diff
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in [utf8] (original)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in [utf8] Tue Dec 14 16:26:58 2010
@@ -13,7 +13,7 @@ AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
 
 # SSL Configuration
-SSLEngine %(ssl_state)s
+SSLEngine on
 SSLCertificateFile %(ssl_certificate)s
 SSLCertificateKeyFile %(ssl_key)s
 SSLRandomSeed startup builtin
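Review bot: `SSLEngine on` is now unconditional, but no `SSLProtocol` or `SSLCipherSuite` directive appears in this hunk; if the template does not set them elsewhere, the vhost runs with the installed httpd's defaults, which on builds of this era typically still admit SSLv2/SSLv3 and weak ciphers. Consider adding, next to `SSLEngine on`, `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5` (or whatever the project's policy prescribes). The same applies to the second hunk, which hard-codes `https` in the `VirtualHostBase` rewrite and so commits every deployment to this TLS configuration.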
@@ -46,7 +46,7 @@ RewriteEngine On
 RewriteCond %%{SERVER_NAME} !%(regex_server_name)s
 RewriteRule . - [F,L]
 RewriteCond %%{SERVER_NAME} %(regex_server_name)s
-RewriteRule /%(path)s($|/.*) http://%(backend_ip)s:%(backend_port)s/VirtualHostBase/%(protocol)s/%%{SERVER_NAME}:%(port)s/%(backend_path)s/VirtualHostRoot/_vh_%(path)s$1 [L,P]
+RewriteRule /%(path)s($|/.*) http://%(backend_ip)s:%(backend_port)s/VirtualHostBase/https/%%{SERVER_NAME}:%(port)s/%(backend_path)s/VirtualHostRoot/_vh_%(path)s$1 [L,P]
 
 # List of module
 LoadModule authz_host_module modules/mod_authz_host.so


