Commit 359e1eed authored by MARGERY David's avatar MARGERY David

Update dev environment to be able to test ssl

This creates a local virtualhost listening on 8443 and configured to
require a ssl client cert.
Rails config file is updated so as to go to that url for outgoing
connection to the API using entries such as
  base_uri_out: https://127.0.0.1:8443
  uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem
  uri_out_cert_chain_file: /etc/ssl/certs/clientcert.pem

The complete environment can then be tested by setting up tunnels and running
against the development rails server

curl -kni http://127.0.0.1:8000/sites/rennes/jobs \
  -H'Accept: application/json' -H'Content-Type: application/json' \
  -d '{"resources": "nodes=1,walltime=00:05:00", "command": "while(true); do sleep 5;
  echo \"awake\"; done"}'
parent b35ba750
......@@ -28,7 +28,10 @@ defaults: &defaults
development:
<<: *defaults
base_uri_in: http://localhost:8000
base_uri_out: http://localhost:8000
base_uri_out: https://127.0.0.1:8443
uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem
uri_out_cert_chain_file: /etc/ssl/certs/clientcert.pem
uri_out_verify_peer: false
notifications_uri: https://localhost:3443/sid/notifications
reference_repository_path: ~/reference-repository
smtp_host: localhost
......
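Review bot: `uri_out_verify_peer: false` on the new development entry turns off server-certificate checking for every outgoing API call, and nothing in the file says why, so the setting is easy to carry into another environment by copy-paste. The same change set generates a local CA (`/etc/ssl/certs/ca.pem`) that signs `servercert.pem`, so if the HTTP client exposes a CA-file setting the dev environment could keep verification on and trust that CA, which would also exercise the verification code path. If it has to stay off for now, add a comment above it, `# dev only: the 8443 vhost uses a self-signed vagrant CA; never copy to staging/production`. The key path `uri_out_private_key_file: /etc/ssl/certs/clientkey_nopass.pem` points at an unencrypted private key under the public certificates directory; the apache manifest in this commit is where its file mode should be pinned.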
......@@ -37,12 +37,71 @@ class apache {
file {
'/vagrant/lib/tasks/tunneling.rake':
mode => '0644',
owner => root,
group => root,
owner => vagrant,
group => vagrant,
content => template('apache/tunneling.rake.erb'),
}
exec {
file { "/etc/ssl/secret":
ensure => present,
content => "authority_pass\n",
mode => '0600', owner => root, group => root,
}
file { "/etc/ssl/certs/ca.srl":
ensure => present,
content => "01\n",
mode => '0644', owner => root, group => root,
}
exec { "Generate certificate authority":
command => "/usr/bin/openssl req -new -x509 -days 3650 -keyform PEM -keyout /etc/ssl/private/cakey.pem -outform PEM -out /etc/ssl/certs/ca.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=vagrant/emailAddress=support-staff@lists.grid5000.fr\"",
user => root, group => root,
require => File["/etc/ssl/secret"],
creates => "/etc/ssl/private/cakey.pem",
}
exec { "Create client key and csr":
user => root, group => root,
command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/certs/clientkey.pem -out /etc/ssl/clientcsr.pem -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=client/emailAddress=support-staff@lists.grid5000.fr\" -passout file:/etc/ssl/secret",
creates => "/etc/ssl/clientcsr.pem",
}
exec { "Sign client csr":
user => root, group => root,
require => [Exec["Create client key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]],
command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/clientcsr.pem -outform PEM -out /etc/ssl/certs/clientcert.pem -extensions usr_cert -passin file:/etc/ssl/secret",
creates => "/etc/ssl/certs/clientcert.pem",
}
exec { "Remove client key password":
user => root, group => root,
require => Exec["Sign client csr"],
command => "/usr/bin/openssl rsa -in /etc/ssl/certs/clientkey.pem -out /etc/ssl/certs/clientkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''",
creates => "/etc/ssl/certs/clientkey_nopass.pem"
}
exec { "Create server key and csr":
user => root, group => root,
command => "/usr/bin/openssl req -new -newkey rsa:2048 -keyout /etc/ssl/private/serverkey.pem -out /etc/ssl/servercsr.pem -passout file:/etc/ssl/secret -batch -subj \"/C=FR/ST=Bretagne/L=Rennes/O=dev/OU=Grid5000/CN=server/emailAddress=support-staff@lists.grid5000.fr\"",
creates => ["/etc/ssl/servercsr.pem","/etc/ssl/private/serverkey.pem"]
}
exec { "Sign server csr":
user => root, group => root,
require => [Exec["Create server key and csr","Generate certificate authority"], File["/etc/ssl/certs/ca.srl"]],
command => "/usr/bin/openssl x509 -days 3650 -CA /etc/ssl/certs/ca.pem -CAkey /etc/ssl/private/cakey.pem -req -in /etc/ssl/servercsr.pem -outform PEM -out /etc/ssl/certs/servercert.pem -passin file:/etc/ssl/secret",
creates => "/etc/ssl/certs/servercert.pem",
}
exec { "Remove server key password":
user => root, group => root,
require => Exec["Sign server csr"],
command => "/usr/bin/openssl rsa -in /etc/ssl/private/serverkey.pem -out /etc/ssl/certs/serverkey_nopass.pem -passin file:/etc/ssl/secret -passout pass:''",
creates => "/etc/ssl/certs/serverkey_nopass.pem"
}
exec {
"enable site api-proxy-dev":
command => "/usr/sbin/a2ensite api-proxy-dev",
unless => "/usr/bin/test -f /etc/apache2/sites-enabled/api-proxy-dev.conf",
......@@ -96,6 +155,13 @@ class apache {
require => Package["apache2"];
}
exec{ "enable apache ssl module":
command => "/usr/sbin/a2enmod ssl ",
notify => Service["apache2"],
creates => "/etc/apache2/mods-enabled/ssl.load",
require => Package["apache2-dev"];
}
exec {
"enable module deflate configuration":
command => "/usr/sbin/a2enconf deflate",
......
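Review bot: `Create client key and csr` and `Create server key and csr` both read `-passout file:/etc/ssl/secret` but neither declares `require => File["/etc/ssl/secret"]`; only `Generate certificate authority` does, and Puppet's exec only autorequires its executable, cwd and user, not files named inside the command string, so on a fresh box either exec can run before the secret exists and fail, leaving its `creates` targets absent until a later run. Add `require => File["/etc/ssl/secret"],` to both execs. The generated private keys (`clientkey.pem`, `clientkey_nopass.pem`, `serverkey_nopass.pem`) land in `/etc/ssl/certs/`, the conventionally world-readable directory, and no `file` resource pins their mode or owner, so their permissions depend on openssl's defaults and the umask of the Puppet run; a `file` resource with `mode => '0600'` (owner `vagrant` for the client key the rails dev server reads, `root` for the server key) would make the dev layout match what production should look like. In the second hunk, `enable apache ssl module` requires `Package["apache2-dev"]` while the neighbouring exec requires `Package["apache2"]`; a2enmod and the ssl module ship with the apache2 packages, so this looks like a copy-paste slip. The `apache` class continues outside both hunks.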
......@@ -5,6 +5,41 @@
<% oardbsite = scope.lookupvar('oardbsite') -%>
<% developer = scope.lookupvar('developer') -%>
Listen 8443
<VirtualHost *:8443>
TimeOut 300
ServerName <%= @fqdn %>
ServerAlias server api.grid5000.fr
DocumentRoot /vagrant/public
CustomLog /var/log/apache2/api-proxy-dev-ssl.log "%v %h %l %t %D \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
ErrorLog syslog:local1
# Set up SSL proxy engine
SSLEngine On
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /etc/ssl/certs/servercert.pem
SSLCertificateKeyFile /etc/ssl/certs/serverkey_nopass.pem
# Enable SSL client certificates verification
SSLCACertificateFile /etc/ssl/certs/ca.pem
SSLVerifyClient require
# the client certificate should be signed by the first CA (ca.grid5000.fr)
SSLVerifyDepth 1
<Location />
Require all granted
require ssl
ProxyPass http://127.0.0.1:8080/ retry=1
</Location>
</VirtualHost>
Listen 8080
<VirtualHost *:8080>
......
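Review bot: `SSLProtocol all` and `SSLCipherSuite HIGH:MEDIUM` on the new 8443 vhost allow SSLv2/SSLv3 on builds that still include them and the MEDIUM cipher tier, which on OpenSSL builds of this period still contains anonymous and MD5-based suites; if this vhost is meant to mirror the production proxy, use `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5`. Inside `<Location />`, `Require all granted` and `require ssl` sit in the default RequireAny context, so the first directive alone grants access and the ssl check never decides anything (on an `SSLEngine On` vhost it would always pass anyway); either drop `require ssl` or wrap both in `<RequireAll>`. The comment above `SSLVerifyDepth 1` refers to ca.grid5000.fr, but `SSLCACertificateFile` points at the locally generated `/etc/ssl/certs/ca.pem`; adjust it to `# depth 1: the client cert must be signed directly by the CA in SSLCACertificateFile (the vagrant CA in dev)`. Nothing forwards the verified client identity to the 8080 backend (no `SSLOptions +StdEnvVars` and no `RequestHeader` built from `SSL_CLIENT_S_DN`), so if the rails side is expected to learn who the client is, that still needs wiring; the template continues past the hunk with the 8080 vhost.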