work in progress: ssl configuration for Tendrl [blocked] #46
Closed
6 commits
57a4cfd tendrl-server: initial version of ssl setup (mbukatov)
be88fbf tendrl-server: variable for ServerName in ssl config (mbukatov)
5dc6923 tendrl-server: remove variable check of ssl setup (mbukatov)
5e9dbef tendrl-server: configure SSL certificate files (mbukatov)
82a2747 tendrl-server: use server name for ssl redirection (mbukatov)
036160d tendrl-server: initial readme update for SSL setup (mbukatov)
@@ -0,0 +1,111 @@ | ||
--- | ||
# Tasks file for Apache SSL setup for Tendrl. | ||
# Based on description in https://github.com/Tendrl/api/pull/264 | ||
|
||
# Note: at this point, httpd package should be already installed (httpd is a | ||
# dependency of tendrl-api-httpd, installed along with tendrl-ui). | ||
|
||
- name: Install mod_ssl package | ||
yum: | ||
name=mod_ssl | ||
state=latest | ||
|
||
# | ||
# https support over a specific IP | ||
# | ||
|
||
- name: Initialize new tendrl-ssl.conf file based on sample conf file | ||
copy: | ||
src: /etc/httpd/conf.d/tendrl-ssl.conf.sample | ||
dest: /etc/httpd/conf.d/tendrl-ssl.conf | ||
remote_src: True | ||
# This is here to prevent overriding changes over and over again, and | ||
# also to allow additional manual tweaks. | ||
# If you need to start from scratch or make sure that the latest sample | ||
# conf file is used, just delete the tendrl-ssl.conf file. | ||
force: no | ||
|
||
- name: Configure VirtualHost ip address in tendrl-ssl.conf | ||
lineinfile: | ||
path: /etc/httpd/conf.d/tendrl-ssl.conf | ||
regexp: '^<VirtualHost .*:443>' | ||
line: "<VirtualHost {{ httpd_ip_address }}:443>" | ||
notify: | ||
- restart httpd | ||
|
||
- name: Configure VirtualHost ServerName in tendrl-ssl.conf | ||
lineinfile: | ||
path: /etc/httpd/conf.d/tendrl-ssl.conf | ||
insertafter: '<VirtualHost .*:443>' | ||
regexp: '^ *ServerName .*' | ||
line: " ServerName {{ httpd_server_name }}" | ||
state: present | ||
notify: | ||
- restart httpd | ||
|
||
# | ||
# Specify different cert files if needed | ||
# | ||
|
||
- name: Configure SSL certificate files | ||
lineinfile: | ||
path: /etc/httpd/conf.d/tendrl-ssl.conf | ||
regexp: "{{ item.regexp }}" | ||
line: "{{ item.line }}" | ||
with_items: | ||
- regexp: '^ *SSLCertificateFile .*' | ||
line: ' SSLCertificateFile {{ httpd_ssl_certificate_file }}' | ||
- regexp: '^ *SSLCertificateKeyFile .*' | ||
line: ' SSLCertificateKeyFile {{ httpd_ssl_certificate_key_file }}' | ||
when: httpd_ssl_certificate_key_file is defined and httpd_ssl_certificate_file is defined | ||
notify: | ||
- restart httpd | ||
|
||
- name: Run apachectl configtest to validate new configuration | ||
command: apachectl -t | ||
changed_when: False | ||
register: apachectl_configtest | ||
|
||
- name: Recheck result of config validation (based on previous task) | ||
assert: | ||
that: | ||
- apachectl_configtest.stderr == 'Syntax OK' | ||
- apachectl_configtest.stdout == '' | ||
|
||
# | ||
# Automatic redirect of all http urls to https | ||
# | ||
|
||
- name: Comment out DocumentRoot, ProxyPass and ProxyPassReverse in tendrl.conf | ||
lineinfile: | ||
path: /etc/httpd/conf.d/tendrl.conf | ||
regexp: "{{ item.regexp }}" | ||
line: "{{ item.line }}" | ||
with_items: | ||
- regexp: ' *#?DocumentRoot /var/www/tendrl' | ||
line: ' #DocumentRoot /var/www/tendrl' | ||
- regexp: ' *#?ProxyPass "/api" http://127.0.0.1:9292/' | ||
line: ' #ProxyPass "/api" http://127.0.0.1:9292/' | ||
- regexp: ' *#?ProxyPassReverse "/api" http://127.0.0.1:9292/' | ||
line: ' #ProxyPassReverse "/api" http://127.0.0.1:9292/' | ||
notify: | ||
- restart httpd | ||
|
||
- name: Configure SSL redirect in tendrl.conf | ||
lineinfile: | ||
path: /etc/httpd/conf.d/tendrl.conf | ||
regexp: ' *#? *Redirect permanent / https://.*/' | ||
line: " Redirect permanent / https://{{ httpd_server_name }}/" | ||
notify: | ||
- restart httpd | ||
|
||
- name: Run apachectl configtest to validate new configuration | ||
command: apachectl -t | ||
changed_when: False | ||
register: apachectl_configtest | ||
|
||
- name: Recheck result of config validation (based on previous task) | ||
assert: | ||
that: | ||
- apachectl_configtest.stderr == 'Syntax OK' | ||
- apachectl_configtest.stdout == '' |
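Review bot: the "Configure SSL redirect in tendrl.conf" task has no insertafter, so when no existing line matches ' *#? *Redirect permanent / https://.*/' lineinfile appends the "Redirect permanent / https://{{ httpd_server_name }}/" line at the end of tendrl.conf, i.e. after the closing </VirtualHost> and in main-server context; a Redirect at that level is inherited by every virtual host, including the :443 one in tendrl-ssl.conf, so https requests would be redirected back to themselves. Suggest an insertafter anchored on the :80 VirtualHost opening line (for example insertafter: '^<VirtualHost .*:80>', assuming tendrl.conf opens with such a directive, plus firstmatch: yes on Ansible 2.5 or later), mirroring what the ServerName task already does for the :443 block. Two smaller points: "command: apachectl -t" already fails the play on a non-zero exit code, so the follow-up assert on exactly stderr == 'Syntax OK' only adds fragility (any warning httpd prints next to "Syntax OK" fails the play even though the configuration is valid); and state=latest on the mod_ssl task upgrades the package on every run, so state: present, written in the YAML dict form the other tasks use, is the predictable choice for a role that is meant to be idempotent.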
Is there any reason not to use just <VirtualHost *:443> (or <VirtualHost _default_:443>), i.e. simply not specify any IP address? From my point of view, it makes sense to serve Tendrl related pages on all available IPs/interfaces on the Tendrl server, and if somebody wants to restrict it, he or she should know why and how to do it... But the default could be _default_ (or *), and it might avoid some unexpected issues with a Tendrl server connected to multiple networks or with access from localhost... If it makes sense, it might be worth changing also the default in the tendrl-api package (https://github.com/Tendrl/api/blob/master/config/apache.vhost-ssl.sample#L8).
@brainfunked @anivargi see previous comment from @dahorak