[Erp5-report] r41423 luke - in /erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache:...
nobody at svn.erp5.org
nobody at svn.erp5.org
Tue Dec 14 16:26:59 CET 2010
Author: luke
Date: Tue Dec 14 16:26:58 2010
New Revision: 41423
URL: http://svn.erp5.org?rev=41423&view=rev
Log:
- use only SSL and generate a self-signed certificate if one does not exist
Added:
erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in
Modified:
erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py
erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in
Modified: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py?rev=41423&r1=41422&r2=41423&view=diff
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py [utf8] (original)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/__init__.py [utf8] Tue Dec 14 16:26:58 2010
@@ -15,8 +15,45 @@
import os
import pkg_resources
+import subprocess
+import zc.buildout
class Apache:
+ def _checkSsl(self):
+ if 'ssl_certificate' in self.options and 'ssl_key' in self.options:
+ # nothing to do, static configuration
+ return
+ key_directory = os.path.join(self.options['var_directory'],
+ self.name+'-ssl')
+ if not os.path.exists(key_directory):
+ os.makedirs(key_directory, 0700)
+ openssl_configuration = os.path.join(key_directory, 'openssl.cnf')
+ request_file = os.path.join(key_directory, 'request.pem')
+ self.options['ssl_key'] = os.path.join(key_directory, 'key.pem')
+ self.options['ssl_certificate'] = os.path.join(key_directory, 'cert.pem')
+ if not(os.path.exists(self.options['ssl_key']) and os.path.exists(
+ self.options['ssl_certificate'])):
+ # certificate does not exists yet, generate
+ openssl_binary = self.options.get('openssl_binary', 'openssl')
+ open(openssl_configuration, 'w').write(pkg_resources.resource_string(
+ __name__, 'templates/openssl.cnf.in') % self.options)
+ try:
+ assert subprocess.call([openssl_binary, 'genrsa', '-out',
+ self.options['ssl_key'], '1024']) == 0
+ assert subprocess.call([openssl_binary, 'req', '-batch', '-new',
+ '-key', self.options['ssl_key'], '-out', request_file, '-config',
+ openssl_configuration]) == 0
+ assert subprocess.call([openssl_binary, 'x509', '-req', '-days',
+ '365', '-in', request_file, '-signkey', self.options['ssl_key'],
+ '-out', self.options['ssl_certificate']]) == 0
+ except AssertionError:
+ for path in [openssl_configuration, request_file,
+ self.options['ssl_key'], self.options['ssl_certificate']]:
+ if os.path.exists(path):
+ os.unlink(path)
+ raise zc.buildout.UserError("Error during generating self signed "
+ "certificate.")
+
def __init__(self, buildout, name, options):
self.buildout, self.name, self.options = buildout, name, options
self.options['location'] = self.options.get('location',
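Review bot: The three `assert subprocess.call(...) == 0` guards in `_checkSsl` are stripped when Python runs with `-O`, so a failed `openssl` step would go unnoticed and the recipe would continue with a missing or truncated `key.pem`/`cert.pem`; `subprocess.check_call` plus `except subprocess.CalledProcessError` keeps the check under every interpreter mode. An `OSError` from a missing `openssl` binary likewise escapes the `except AssertionError` and skips the cleanup loop, leaving a half-written key directory behind. While here, the hard-coded `'1024'` RSA key size was already below the recommended minimum for new keys in 2010; `'2048'` is the usual floor. When only one of `ssl_certificate`/`ssl_key` is configured, the opening check silently discards the supplied value and generates a fresh pair — an explicit `zc.buildout.UserError` for that half-configured case would be clearer than the surprise. The `__init__` method that begins at the end of the hunk continues outside it.
```python
      openssl_binary = self.options.get('openssl_binary', 'openssl')
      # … unchanged: write openssl.cnf from the template …
      try:
        subprocess.check_call([openssl_binary, 'genrsa', '-out',
          self.options['ssl_key'], '2048'])
        subprocess.check_call([openssl_binary, 'req', '-batch', '-new',
          '-key', self.options['ssl_key'], '-out', request_file, '-config',
          openssl_configuration])
        subprocess.check_call([openssl_binary, 'x509', '-req', '-days',
          '365', '-in', request_file, '-signkey', self.options['ssl_key'],
          '-out', self.options['ssl_certificate']])
      except (subprocess.CalledProcessError, OSError):
        # … unchanged: unlink any partially written files …
        raise zc.buildout.UserError("Error during generating self signed "
          "certificate.")
```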
@@ -54,24 +91,15 @@ class Apache:
self.options['regex_server_name'] = '^' + self.options[
'server_name'].replace('.', '\\.') + '$'
- self.options['protocol'] = self.options.get('protocol', 'http').strip()
- if self.options['protocol'] == 'https':
- self.options['ssl_state'] = 'on'
- for k in 'ssl_certificate', 'ssl_key':
- self.options[k] = self.options[k].strip()
- else:
- self.options['ssl_state'] = 'off'
- for k in 'ssl_certificate', 'ssl_key':
- self.options[k] = self.options.get(k, '').strip()
-
for k in 'ip', 'port':
self.options[k] = self.options[k].strip()
def install(self):
- for d in [self.options['conf_directory'], self.options['log_directory'],
- self.options['run_directory']]:
+ for d in [self.options['conf_directory'], self.options['var_directory'],
+ self.options['log_directory'], self.options['run_directory']]:
if not os.path.exists(d):
os.makedirs(d, 0750)
+ self._checkSsl()
# by default update is same as install
update = install
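Review bot: Nothing in the static-configuration path now verifies that user-supplied `ssl_certificate` and `ssl_key` files exist, since the removed `.strip()` loop is not replaced by any validation, so a typo in either path only surfaces when Apache refuses to start. A check in `__init__` such as `for k in 'ssl_certificate', 'ssl_key': if k in self.options and not os.path.exists(self.options[k]): raise zc.buildout.UserError('%s does not exist' % k)` would report the problem at buildout time. The former `protocol` option is no longer read at all, so a buildout that still sets `protocol = http` appears to get an https-only vhost without any warning; raising a `UserError` on the obsolete option, or at least noting the change in the recipe's README, would avoid that surprise. Because `update = install`, `_checkSsl` also runs on every update, which is fine here only because it regenerates nothing once both files exist — worth a one-line comment so the idempotence is not lost in a later edit.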
Added: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in?rev=41423&view=auto
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in (added)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/openssl.cnf.in [utf8] Tue Dec 14 16:26:58 2010
@@ -0,0 +1,96 @@
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = XX
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Somewhere
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = erp5.recipe.apache autogeneration
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organization Unit Name
+organizationalUnitName_default = Unknown
+
+commonName = Common Name
+commonName_default = %(server_name)s
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
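Review bot: `basicConstraints = CA:true` in `[ v3_ca ]` marks the autogenerated server certificate as a CA; anyone who imports it into a trust store to silence the self-signed warning thereby trusts a CA whose private key sits unencrypted on the web server, and stricter TLS clients may refuse a CA-flagged leaf certificate. For a server certificate the section should read `basicConstraints = CA:false`, `subjectAltName = DNS:%(server_name)s` (browsers match the hostname against the SAN, not only the CN) and `extendedKeyUsage = serverAuth`. `default_bits = 1024` is inert because `__init__.py` passes the key size to `genrsa` explicitly, so either drop the line or keep it in sync to avoid misleading the next reader. `commonName_max = 64` combined with `-batch` means a `server_name` longer than 64 characters makes `openssl req` fail and the recipe abort with only the generic error message.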
Modified: erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in
URL: http://svn.erp5.org/erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in?rev=41423&r1=41422&r2=41423&view=diff
==============================================================================
--- erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in [utf8] (original)
+++ erp5/trunk/utils/erp5.recipe.apache/src/erp5/recipe/apache/templates/zope.conf.in [utf8] Tue Dec 14 16:26:58 2010
@@ -13,7 +13,7 @@ AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# SSL Configuration
-SSLEngine %(ssl_state)s
+SSLEngine on
SSLCertificateFile %(ssl_certificate)s
SSLCertificateKeyFile %(ssl_key)s
SSLRandomSeed startup builtin
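Review bot: With SSL now unconditional, `SSLRandomSeed startup builtin` is the weakest seeding source mod_ssl offers (the Apache documentation itself describes it as not very strong); `SSLRandomSeed startup file:/dev/urandom 512` and `SSLRandomSeed connect file:/dev/urandom 512` are the usual replacement. Hard-coding `SSLEngine on` also removes the `ssl_state` substitution, so a deployment that still expects a plain-http vhost gets https only; a note in the recipe's documentation would make that visible. The hunk shows no `SSLProtocol` or `SSLCipherSuite` directive; if none exists elsewhere in the template, the vhost runs with mod_ssl defaults, which on Apache 2.2 still admit SSLv2/SSLv3 and low-grade ciphers, so `SSLProtocol all -SSLv2 -SSLv3` and a restricted `SSLCipherSuite` would be worth adding next to these lines.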
@@ -46,7 +46,7 @@ RewriteEngine On
RewriteCond %%{SERVER_NAME} !%(regex_server_name)s
RewriteRule . - [F,L]
RewriteCond %%{SERVER_NAME} %(regex_server_name)s
-RewriteRule /%(path)s($|/.*) http://%(backend_ip)s:%(backend_port)s/VirtualHostBase/%(protocol)s/%%{SERVER_NAME}:%(port)s/%(backend_path)s/VirtualHostRoot/_vh_%(path)s$1 [L,P]
+RewriteRule /%(path)s($|/.*) http://%(backend_ip)s:%(backend_port)s/VirtualHostBase/https/%%{SERVER_NAME}:%(port)s/%(backend_path)s/VirtualHostRoot/_vh_%(path)s$1 [L,P]
# List of module
LoadModule authz_host_module modules/mod_authz_host.so