blob: d05536b45dae454b4cf1a2255c6a168ce7a00220 [file] [log] [blame]
Sean Daguee263c822014-12-05 14:25:28 -05001#!/bin/bash
2#
Dean Troyerc83a7e12012-11-29 11:47:58 -06003# lib/tls
4# Functions to control the configuration and operation of the TLS proxy service
5
Dean Troyerc83a7e12012-11-29 11:47:58 -06006# !! source _before_ any services that use ``SERVICE_HOST``
Adam Spiers6a5aa7c2013-10-24 11:27:02 +01007#
8# Dependencies:
9#
10# - ``functions`` file
11# - ``DEST``, ``DATA_DIR`` must be defined
12# - ``HOST_IP``, ``SERVICE_HOST``
13# - ``KEYSTONE_TOKEN_FORMAT`` must be defined
Dean Troyerc83a7e12012-11-29 11:47:58 -060014
15# Entry points:
Adam Spiers6a5aa7c2013-10-24 11:27:02 +010016#
17# - configure_CA
18# - init_CA
Dean Troyerc83a7e12012-11-29 11:47:58 -060019
Adam Spiers6a5aa7c2013-10-24 11:27:02 +010020# - configure_proxy
21# - start_tls_proxy
Dean Troyerc83a7e12012-11-29 11:47:58 -060022
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +010023# - stop_tls_proxy
24# - cleanup_CA
25
Stanislaw Pitucha2e0f0542014-06-27 16:05:53 +010026# - make_root_CA
27# - make_int_CA
28# - make_cert ca-dir cert-name "common-name" ["alt-name" ...]
Adam Spiers6a5aa7c2013-10-24 11:27:02 +010029# - start_tls_proxy HOST_IP 5000 localhost 5000
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +100030# - ensure_certificates
31# - is_ssl_enabled_service
Rob Crittenden18d47782014-03-19 17:47:42 -040032# - enable_mod_ssl
Dean Troyerc83a7e12012-11-29 11:47:58 -060033
Dean Troyerdc97cb72015-03-28 08:20:50 -050034
Dean Troyercc6b4432013-04-08 15:38:03 -050035# Defaults
36# --------
37
Dean Troyerc83a7e12012-11-29 11:47:58 -060038if is_service_enabled tls-proxy; then
39 # TODO(dtroyer): revisit this below after the search for HOST_IP has been done
Jens Harbottdc7b4292017-09-19 10:52:32 +000040 TLS_IP=${TLS_IP:-$(ipv6_unquote $SERVICE_HOST)}
Dean Troyerc83a7e12012-11-29 11:47:58 -060041fi
42
Rob Crittenden18d47782014-03-19 17:47:42 -040043DEVSTACK_HOSTNAME=$(hostname -f)
Dean Troyerc83a7e12012-11-29 11:47:58 -060044DEVSTACK_CERT_NAME=devstack-cert
45DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
46
47# CA configuration
48ROOT_CA_DIR=${ROOT_CA_DIR:-$DATA_DIR/CA/root-ca}
49INT_CA_DIR=${INT_CA_DIR:-$DATA_DIR/CA/int-ca}
50
51ORG_NAME="OpenStack"
52ORG_UNIT_NAME="DevStack"
53
54# Stud configuration
55STUD_PROTO="--tls"
56STUD_CIPHERS='TLSv1+HIGH:!DES:!aNULL:!eNULL:@STRENGTH'
57
58
59# CA Functions
60# ============
61
62# There may be more than one, get specific
63OPENSSL=${OPENSSL:-/usr/bin/openssl}
64
65# Do primary CA configuration
Ian Wienandaee18c72014-02-21 15:35:08 +110066function configure_CA {
Dean Troyerc83a7e12012-11-29 11:47:58 -060067 # build common config file
68
69 # Verify ``TLS_IP`` is good
Jens Harbottdc7b4292017-09-19 10:52:32 +000070 if [[ -n "$SERVICE_HOST" && "$(ipv6_unquote $SERVICE_HOST)" != "$TLS_IP" ]]; then
Dean Troyerc83a7e12012-11-29 11:47:58 -060071 # auto-discover has changed the IP
Jens Harbottdc7b4292017-09-19 10:52:32 +000072 TLS_IP=$(ipv6_unquote $SERVICE_HOST)
Dean Troyerc83a7e12012-11-29 11:47:58 -060073 fi
74}
75
76# Creates a new CA directory structure
77# create_CA_base ca-dir
Ian Wienandaee18c72014-02-21 15:35:08 +110078function create_CA_base {
Dean Troyerc83a7e12012-11-29 11:47:58 -060079 local ca_dir=$1
80
81 if [[ -d $ca_dir ]]; then
82 # Bail out it exists
83 return 0
84 fi
85
Dean Troyerb1e3d0f2014-07-25 14:57:54 -050086 local i
Dean Troyerc83a7e12012-11-29 11:47:58 -060087 for i in certs crl newcerts private; do
88 mkdir -p $ca_dir/$i
89 done
90 chmod 710 $ca_dir/private
91 echo "01" >$ca_dir/serial
92 cp /dev/null $ca_dir/index.txt
93}
94
Dean Troyerc83a7e12012-11-29 11:47:58 -060095# Create a new CA configuration file
96# create_CA_config ca-dir common-name
Ian Wienandaee18c72014-02-21 15:35:08 +110097function create_CA_config {
Dean Troyerc83a7e12012-11-29 11:47:58 -060098 local ca_dir=$1
99 local common_name=$2
100
101 echo "
102[ ca ]
103default_ca = CA_default
104
105[ CA_default ]
106dir = $ca_dir
107policy = policy_match
108database = \$dir/index.txt
109serial = \$dir/serial
110certs = \$dir/certs
111crl_dir = \$dir/crl
112new_certs_dir = \$dir/newcerts
113certificate = \$dir/cacert.pem
114private_key = \$dir/private/cacert.key
115RANDFILE = \$dir/private/.rand
Clark Boylanfaffde12017-04-27 09:54:27 -0700116default_md = sha256
Dean Troyerc83a7e12012-11-29 11:47:58 -0600117
118[ req ]
Clark Boylanfaffde12017-04-27 09:54:27 -0700119default_bits = 2048
120default_md = sha256
Dean Troyerc83a7e12012-11-29 11:47:58 -0600121
122prompt = no
123distinguished_name = ca_distinguished_name
124
125x509_extensions = ca_extensions
126
127[ ca_distinguished_name ]
128organizationName = $ORG_NAME
129organizationalUnitName = $ORG_UNIT_NAME Certificate Authority
130commonName = $common_name
131
132[ policy_match ]
133countryName = optional
134stateOrProvinceName = optional
135organizationName = match
136organizationalUnitName = optional
137commonName = supplied
138
139[ ca_extensions ]
140basicConstraints = critical,CA:true
141subjectKeyIdentifier = hash
142authorityKeyIdentifier = keyid:always, issuer
143keyUsage = cRLSign, keyCertSign
144
145" >$ca_dir/ca.conf
146}
147
148# Create a new signing configuration file
149# create_signing_config ca-dir
Ian Wienandaee18c72014-02-21 15:35:08 +1100150function create_signing_config {
Dean Troyerc83a7e12012-11-29 11:47:58 -0600151 local ca_dir=$1
152
153 echo "
154[ ca ]
155default_ca = CA_default
156
157[ CA_default ]
158dir = $ca_dir
159policy = policy_match
160database = \$dir/index.txt
161serial = \$dir/serial
162certs = \$dir/certs
163crl_dir = \$dir/crl
164new_certs_dir = \$dir/newcerts
165certificate = \$dir/cacert.pem
166private_key = \$dir/private/cacert.key
167RANDFILE = \$dir/private/.rand
168default_md = default
169
170[ req ]
171default_bits = 1024
172default_md = sha1
173
174prompt = no
175distinguished_name = req_distinguished_name
176
177x509_extensions = req_extensions
178
179[ req_distinguished_name ]
180organizationName = $ORG_NAME
181organizationalUnitName = $ORG_UNIT_NAME Server Farm
182
183[ policy_match ]
184countryName = optional
185stateOrProvinceName = optional
186organizationName = match
187organizationalUnitName = optional
188commonName = supplied
189
190[ req_extensions ]
191basicConstraints = CA:false
192subjectKeyIdentifier = hash
193authorityKeyIdentifier = keyid:always, issuer
194keyUsage = digitalSignature, keyEncipherment, keyAgreement
195extendedKeyUsage = serverAuth, clientAuth
196subjectAltName = \$ENV::SUBJECT_ALT_NAME
197
198" >$ca_dir/signing.conf
199}
200
Dean Troyerca802172013-01-09 19:08:02 -0600201# Create root and intermediate CAs
Dean Troyerc83a7e12012-11-29 11:47:58 -0600202# init_CA
203function init_CA {
204 # Ensure CAs are built
205 make_root_CA $ROOT_CA_DIR
206 make_int_CA $INT_CA_DIR $ROOT_CA_DIR
207
208 # Create the CA bundle
209 cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
Rob Crittenden18d47782014-03-19 17:47:42 -0400210 cat $INT_CA_DIR/ca-chain.pem >> $SSL_BUNDLE_FILE
211
212 if is_fedora; then
213 sudo cp $INT_CA_DIR/ca-chain.pem /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
214 sudo update-ca-trust
Clark Boylan35649ae2017-05-27 17:52:55 -0700215 elif is_suse; then
216 sudo cp $INT_CA_DIR/ca-chain.pem /usr/share/pki/trust/anchors/devstack-chain.pem
217 sudo update-ca-certificates
Rob Crittenden18d47782014-03-19 17:47:42 -0400218 elif is_ubuntu; then
219 sudo cp $INT_CA_DIR/ca-chain.pem /usr/local/share/ca-certificates/devstack-int.crt
220 sudo cp $ROOT_CA_DIR/cacert.pem /usr/local/share/ca-certificates/devstack-root.crt
221 sudo update-ca-certificates
222 fi
223}
224
Dean Troyerca802172013-01-09 19:08:02 -0600225# Create an initial server cert
226# init_cert
227function init_cert {
Dean Troyerc83a7e12012-11-29 11:47:58 -0600228 if [[ ! -r $DEVSTACK_CERT ]]; then
229 if [[ -n "$TLS_IP" ]]; then
aojeagarcia9a543a82018-09-28 08:55:49 +0200230 if python3_enabled; then
231 TLS_IP="IP:$TLS_IP"
232 else
233 # Lie to let incomplete match routines work with python2
234 # see https://bugs.python.org/issue23239
235 TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
236 fi
Julia Kreger0fe25e32019-06-20 20:39:53 -0700237 if [[ -n "$HOST_IPV6" ]]; then
238 TLS_IP="$TLS_IP,IP:$HOST_IPV6"
239 fi
Dean Troyerc83a7e12012-11-29 11:47:58 -0600240 fi
241 make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
242
243 # Create a cert bundle
244 cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
245 fi
246}
247
Dean Troyerc83a7e12012-11-29 11:47:58 -0600248# make_cert creates and signs a new certificate with the given commonName and CA
249# make_cert ca-dir cert-name "common-name" ["alt-name" ...]
Ian Wienandaee18c72014-02-21 15:35:08 +1100250function make_cert {
Dean Troyerc83a7e12012-11-29 11:47:58 -0600251 local ca_dir=$1
252 local cert_name=$2
253 local common_name=$3
254 local alt_names=$4
255
Rob Crittendenbe00e952016-03-24 18:09:22 -0400256 if [ "$common_name" != "$SERVICE_HOST" ]; then
Ian Cordasco69e3c0a2016-09-26 12:53:14 -0500257 if is_ipv4_address "$SERVICE_HOST" ; then
258 alt_names="$alt_names,IP:$SERVICE_HOST"
259 fi
Rob Crittendenbe00e952016-03-24 18:09:22 -0400260 fi
261
Stanislaw Pitucha2f69c6b2014-06-25 15:07:48 +0100262 # Only generate the certificate if it doesn't exist yet on the disk
263 if [ ! -r "$ca_dir/$cert_name.crt" ]; then
264 # Generate a signing request
265 $OPENSSL req \
266 -sha1 \
267 -newkey rsa \
268 -nodes \
269 -keyout $ca_dir/private/$cert_name.key \
270 -out $ca_dir/$cert_name.csr \
271 -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}"
Dean Troyerc83a7e12012-11-29 11:47:58 -0600272
Stanislaw Pitucha2f69c6b2014-06-25 15:07:48 +0100273 if [[ -z "$alt_names" ]]; then
274 alt_names="DNS:${common_name}"
275 else
276 alt_names="DNS:${common_name},${alt_names}"
277 fi
278
279 # Sign the request valid for 1 year
280 SUBJECT_ALT_NAME="$alt_names" \
281 $OPENSSL ca -config $ca_dir/signing.conf \
282 -extensions req_extensions \
283 -days 365 \
284 -notext \
285 -in $ca_dir/$cert_name.csr \
286 -out $ca_dir/$cert_name.crt \
287 -subj "/O=${ORG_NAME}/OU=${ORG_UNIT_NAME} Servers/CN=${common_name}" \
288 -batch
Dean Troyerc83a7e12012-11-29 11:47:58 -0600289 fi
Dean Troyerc83a7e12012-11-29 11:47:58 -0600290}
291
Dean Troyerc83a7e12012-11-29 11:47:58 -0600292# Make an intermediate CA to sign everything else
293# make_int_CA ca-dir signing-ca-dir
Ian Wienandaee18c72014-02-21 15:35:08 +1100294function make_int_CA {
Dean Troyerc83a7e12012-11-29 11:47:58 -0600295 local ca_dir=$1
296 local signing_ca_dir=$2
297
298 # Create the root CA
299 create_CA_base $ca_dir
300 create_CA_config $ca_dir 'Intermediate CA'
301 create_signing_config $ca_dir
302
Stanislaw Pitucha2f69c6b2014-06-25 15:07:48 +0100303 if [ ! -r "$ca_dir/cacert.pem" ]; then
304 # Create a signing certificate request
305 $OPENSSL req -config $ca_dir/ca.conf \
306 -sha1 \
307 -newkey rsa \
308 -nodes \
309 -keyout $ca_dir/private/cacert.key \
310 -out $ca_dir/cacert.csr \
311 -outform PEM
Dean Troyerc83a7e12012-11-29 11:47:58 -0600312
Stanislaw Pitucha2f69c6b2014-06-25 15:07:48 +0100313 # Sign the intermediate request valid for 1 year
314 $OPENSSL ca -config $signing_ca_dir/ca.conf \
315 -extensions ca_extensions \
316 -days 365 \
317 -notext \
318 -in $ca_dir/cacert.csr \
319 -out $ca_dir/cacert.pem \
320 -batch
321 fi
Dean Troyerc83a7e12012-11-29 11:47:58 -0600322}
323
324# Make a root CA to sign other CAs
325# make_root_CA ca-dir
Ian Wienandaee18c72014-02-21 15:35:08 +1100326function make_root_CA {
Dean Troyerc83a7e12012-11-29 11:47:58 -0600327 local ca_dir=$1
328
329 # Create the root CA
330 create_CA_base $ca_dir
331 create_CA_config $ca_dir 'Root CA'
332
Clark Boylan323b7262016-09-23 13:33:40 -0700333 if [ ! -r "$ca_dir/cacert.pem" ]; then
334 # Create a self-signed certificate valid for 5 years
335 $OPENSSL req -config $ca_dir/ca.conf \
336 -x509 \
337 -nodes \
338 -newkey rsa \
339 -days 21360 \
340 -keyout $ca_dir/private/cacert.key \
341 -out $ca_dir/cacert.pem \
342 -outform PEM
343 fi
Dean Troyerc83a7e12012-11-29 11:47:58 -0600344}
345
Daniel P. Berrangee9870eb2016-11-10 13:03:32 +0000346# Deploy the service cert & key to a service specific
347# location
348function deploy_int_cert {
349 local cert_target_file=$1
350 local key_target_file=$2
351
352 sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
353 sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
354}
355
356# Deploy the intermediate CA cert bundle file to a service
357# specific location
358function deploy_int_CA {
359 local ca_target_file=$1
360
361 sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
362}
363
Rob Crittenden1987fcc2015-06-10 11:00:59 -0400364# If a non-system python-requests is installed then it will use the
365# built-in CA certificate store rather than the distro-specific
366# CA certificate store. Detect this and symlink to the correct
367# one. If the value for the CA is not rooted in /etc then we know
368# we need to change it.
369function fix_system_ca_bundle_path {
Sean Daguef3b2f4c2017-04-13 10:11:48 -0400370 if is_service_enabled tls-proxy; then
Ian Wienandada886d2015-10-07 14:06:26 +1100371 local capath
Ian Wienand3cd41012020-04-16 13:06:07 +1000372 capath=$(python3 -c $'try:\n from requests import certs\n print (certs.where())\nexcept ImportError: pass')
Rob Crittenden1987fcc2015-06-10 11:00:59 -0400373
374 if [[ ! $capath == "" && ! $capath =~ ^/etc/.* && ! -L $capath ]]; then
375 if is_fedora; then
376 sudo rm -f $capath
377 sudo ln -s /etc/pki/tls/certs/ca-bundle.crt $capath
378 elif is_ubuntu; then
379 sudo rm -f $capath
380 sudo ln -s /etc/ssl/certs/ca-certificates.crt $capath
Clark Boylan35649ae2017-05-27 17:52:55 -0700381 elif is_suse; then
382 sudo rm -f $capath
383 sudo ln -s /etc/ssl/ca-bundle.pem $capath
Rob Crittenden1987fcc2015-06-10 11:00:59 -0400384 else
385 echo "Don't know how to set the CA bundle, expect the install to fail."
386 fi
387 fi
388 fi
389}
390
Dean Troyerc83a7e12012-11-29 11:47:58 -0600391
Sean Daguef3b2f4c2017-04-13 10:11:48 -0400392# Only for compatibility, return if the tls-proxy is enabled
393function is_ssl_enabled_service {
394 return is_service_enabled tls-proxy
395}
396
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000397# Certificate Input Configuration
398# ===============================
399
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000400# Ensure that the certificates for a service are in place. This function does
401# not check that a service is SSL enabled, this should already have been
402# completed.
403#
404# The function expects to find a certificate, key and CA certificate in the
Dean Troyerdc97cb72015-03-28 08:20:50 -0500405# variables ``{service}_SSL_CERT``, ``{service}_SSL_KEY`` and ``{service}_SSL_CA``. For
406# example for keystone this would be ``KEYSTONE_SSL_CERT``, ``KEYSTONE_SSL_KEY`` and
407# ``KEYSTONE_SSL_CA``.
Rob Crittenden18d47782014-03-19 17:47:42 -0400408#
Dean Troyerdc97cb72015-03-28 08:20:50 -0500409# If it does not find these certificates then the DevStack-issued server
Rob Crittenden18d47782014-03-19 17:47:42 -0400410# certificate, key and CA certificate will be associated with the service.
411#
412# If only some of the variables are provided then the function will quit.
Ian Wienandaee18c72014-02-21 15:35:08 +1100413function ensure_certificates {
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000414 local service=$1
415
416 local cert_var="${service}_SSL_CERT"
417 local key_var="${service}_SSL_KEY"
418 local ca_var="${service}_SSL_CA"
419
420 local cert=${!cert_var}
421 local key=${!key_var}
422 local ca=${!ca_var}
423
Rob Crittenden18d47782014-03-19 17:47:42 -0400424 if [[ -z "$cert" && -z "$key" && -z "$ca" ]]; then
425 local cert="$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
426 local key="$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
427 local ca="$INT_CA_DIR/ca-chain.pem"
428 eval ${service}_SSL_CERT=\$cert
429 eval ${service}_SSL_KEY=\$key
430 eval ${service}_SSL_CA=\$ca
431 return # the CA certificate is already in the bundle
432 elif [[ -z "$cert" || -z "$key" || -z "$ca" ]]; then
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000433 die $LINENO "Missing either the ${cert_var} ${key_var} or ${ca_var}" \
434 "variable to enable SSL for ${service}"
435 fi
436
437 cat $ca >> $SSL_BUNDLE_FILE
438}
439
Rob Crittenden18d47782014-03-19 17:47:42 -0400440# Enable the mod_ssl plugin in Apache
441function enable_mod_ssl {
442 echo "Enabling mod_ssl"
443
444 if is_ubuntu; then
445 sudo a2enmod ssl
Clark Boylan35649ae2017-05-27 17:52:55 -0700446 elif is_suse; then
447 sudo a2enmod ssl
448 sudo a2enflag SSL
Rob Crittenden18d47782014-03-19 17:47:42 -0400449 elif is_fedora; then
450 # Fedora enables mod_ssl by default
451 :
452 fi
453 if ! sudo `which httpd || which apache2ctl` -M | grep -w -q ssl_module; then
454 die $LINENO "mod_ssl is not enabled in apache2/httpd, please check for it manually and run stack.sh again"
455 fi
456}
457
Jamie Lennoxbd24a8d2013-09-20 16:26:42 +1000458
Dean Troyerc83a7e12012-11-29 11:47:58 -0600459# Proxy Functions
460# ===============
461
Clark Boylancfb9f052016-11-29 10:43:05 -0800462function tune_apache_connections {
463 local tuning_file=$APACHE_SETTINGS_DIR/connection-tuning.conf
464 if ! [ -f $tuning_file ] ; then
465 sudo bash -c "cat > $tuning_file" << EOF
466# worker MPM
467# StartServers: initial number of server processes to start
468# MinSpareThreads: minimum number of worker threads which are kept spare
469# MaxSpareThreads: maximum number of worker threads which are kept spare
470# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
471# graceful restart. ThreadLimit can only be changed by stopping
472# and starting Apache.
473# ThreadsPerChild: constant number of worker threads in each server process
474# MaxClients: maximum number of simultaneous client connections
475# MaxRequestsPerChild: maximum number of requests a server process serves
476#
Clark Boylan8cf9acd2017-03-16 14:06:58 -0700477# We want to be memory thrifty so tune down apache to allow 256 total
478# connections. This should still be plenty for a dev env yet lighter than
479# apache defaults.
Clark Boylancfb9f052016-11-29 10:43:05 -0800480<IfModule mpm_worker_module>
481# Note that the next three conf values must be changed together.
482# MaxClients = ServerLimit * ThreadsPerChild
Clark Boylan8cf9acd2017-03-16 14:06:58 -0700483ServerLimit 8
Clark Boylancfb9f052016-11-29 10:43:05 -0800484ThreadsPerChild 32
Clark Boylan8cf9acd2017-03-16 14:06:58 -0700485MaxClients 256
486StartServers 2
487MinSpareThreads 32
488MaxSpareThreads 96
Clark Boylancfb9f052016-11-29 10:43:05 -0800489ThreadLimit 64
490MaxRequestsPerChild 0
491</IfModule>
492<IfModule mpm_event_module>
493# Note that the next three conf values must be changed together.
494# MaxClients = ServerLimit * ThreadsPerChild
Clark Boylan8cf9acd2017-03-16 14:06:58 -0700495ServerLimit 8
Clark Boylancfb9f052016-11-29 10:43:05 -0800496ThreadsPerChild 32
Clark Boylan8cf9acd2017-03-16 14:06:58 -0700497MaxClients 256
498StartServers 2
499MinSpareThreads 32
500MaxSpareThreads 96
Clark Boylancfb9f052016-11-29 10:43:05 -0800501ThreadLimit 64
502MaxRequestsPerChild 0
503</IfModule>
504EOF
505 restart_apache_server
506 fi
507}
508
Dean Troyerc83a7e12012-11-29 11:47:58 -0600509# Starts the TLS proxy for the given IP/ports
Jens Harbott46399842017-08-28 11:43:37 +0000510# start_tls_proxy service-name front-host front-port back-host back-port
Ian Wienandaee18c72014-02-21 15:35:08 +1100511function start_tls_proxy {
Gregory Haynes4b49e402016-08-31 18:19:51 -0700512 local b_service="$1-tls-proxy"
513 local f_host=$2
514 local f_port=$3
515 local b_host=$4
516 local b_port=$5
Clark Boylanf4dbd122017-05-31 13:17:22 -0700517 # 8190 is the default apache size.
518 local f_header_size=${6:-8190}
Dean Troyerc83a7e12012-11-29 11:47:58 -0600519
Clark Boylancfb9f052016-11-29 10:43:05 -0800520 tune_apache_connections
521
Gregory Haynes4b49e402016-08-31 18:19:51 -0700522 local config_file
523 config_file=$(apache_site_config_for $b_service)
524 local listen_string
525 # Default apache configs on ubuntu and centos listen on 80 and 443
526 # newer apache seems fine with duplicate listen directive but older
527 # apache does not so special case 80 and 443.
528 if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
529 listen_string=""
530 elif [[ "$f_host" == '*' ]] ; then
531 listen_string="Listen $f_port"
532 else
533 listen_string="Listen $f_host:$f_port"
534 fi
535 sudo bash -c "cat >$config_file" << EOF
536$listen_string
537
538<VirtualHost $f_host:$f_port>
539 SSLEngine On
540 SSLCertificateFile $DEVSTACK_CERT
541
Jordan Pittier43709252017-02-14 16:48:20 +0100542 # Disable KeepAlive to fix bug #1630664 a.k.a the
543 # ('Connection aborted.', BadStatusLine("''",)) error
544 KeepAlive Off
545
Clark Boylanf4dbd122017-05-31 13:17:22 -0700546 # This increase in allowed request header sizes is required
547 # for swift functional testing to work with tls enabled. It is 2 bytes
548 # larger than the apache default of 8190.
549 LimitRequestFieldSize $f_header_size
Jens Harbott411c34d2017-08-29 14:40:26 +0000550 RequestHeader set X-Forwarded-Proto "https"
Clark Boylanf4dbd122017-05-31 13:17:22 -0700551
Clark Boylane344c972018-12-07 14:49:15 -0800552 # Avoid races (at the cost of performance) to re-use a pooled connection
553 # where the connection is closed (bug 1807518).
554 SetEnv proxy-initial-not-pooled
Gregory Haynes4b49e402016-08-31 18:19:51 -0700555 <Location />
Sean Daguea1446b92017-04-17 14:31:21 -0400556 ProxyPass http://$b_host:$b_port/ retry=0 nocanon
Gregory Haynes4b49e402016-08-31 18:19:51 -0700557 ProxyPassReverse http://$b_host:$b_port/
558 </Location>
Clark Boylan66ce5c22016-10-05 12:11:05 -0700559 ErrorLog $APACHE_LOG_DIR/tls-proxy_error.log
Ian Wienand139837d2017-08-08 17:51:29 +1000560 ErrorLogFormat "%{cu}t [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [frontend\ %A] %M% ,\ referer\ %{Referer}i"
Clark Boylan66ce5c22016-10-05 12:11:05 -0700561 LogLevel info
Ian Wienand139837d2017-08-08 17:51:29 +1000562 CustomLog $APACHE_LOG_DIR/tls-proxy_access.log "%{%Y-%m-%d}t %{%T}t.%{msec_frac}t [%l] %a \"%r\" %>s %b"
Gregory Haynes4b49e402016-08-31 18:19:51 -0700563</VirtualHost>
564EOF
Clark Boylan35649ae2017-05-27 17:52:55 -0700565 if is_suse ; then
566 sudo a2enflag SSL
567 fi
Jens Harbott411c34d2017-08-29 14:40:26 +0000568 for mod in headers ssl proxy proxy_http; do
Gregory Haynes4b49e402016-08-31 18:19:51 -0700569 enable_apache_mod $mod
570 done
571 enable_apache_site $b_service
Ian Wienandf6a2d2c2017-04-26 10:50:29 +1000572 restart_apache_server
Dean Troyerc83a7e12012-11-29 11:47:58 -0600573}
Sean Dague584d90e2013-03-29 14:34:53 -0400574
Sean Daguef06455e2016-10-07 06:57:03 -0400575# Follow TLS proxy
576function follow_tls_proxy {
577 sudo touch /var/log/$APACHE_NAME/tls-proxy_error.log
578 tail_log tls-error /var/log/$APACHE_NAME/tls-proxy_error.log
579 sudo touch /var/log/$APACHE_NAME/tls-proxy_access.log
580 tail_log tls-proxy /var/log/$APACHE_NAME/tls-proxy_access.log
581}
Dean Troyercc6b4432013-04-08 15:38:03 -0500582
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100583# Cleanup Functions
Dean Troyer3324f192014-09-18 09:26:39 -0500584# =================
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100585
Gregory Haynes4b49e402016-08-31 18:19:51 -0700586# Stops the apache service. This should be done only after all services
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100587# using tls configuration are down.
588function stop_tls_proxy {
Gregory Haynes4b49e402016-08-31 18:19:51 -0700589 stop_apache_server
Jens Harbott1db9b5d2017-11-03 08:37:21 +0000590
591 # NOTE(jh): Removing all tls-proxy configs is a bit of a hack, but
592 # necessary so that we can restart after an unstack. A better
593 # solution would be to ensure that each service calling
594 # start_tls_proxy will call stop_tls_proxy with the same
595 # parameters on shutdown so we can use the disable_apache_site
596 # function and remove individual files there.
597 if is_ubuntu; then
598 sudo rm -f /etc/apache2/sites-enabled/*-tls-proxy.conf
599 else
600 for i in $APACHE_CONF_DIR/*-tls-proxy.conf; do
601 sudo mv $i $i.disabled
602 done
603 fi
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100604}
605
Gregory Haynes4b49e402016-08-31 18:19:51 -0700606# Clean up the CA files
607# cleanup_CA
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100608function cleanup_CA {
Gregory Haynes4b49e402016-08-31 18:19:51 -0700609 if is_fedora; then
610 sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
611 sudo update-ca-trust
612 elif is_ubuntu; then
613 sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
614 sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
615 sudo update-ca-certificates
616 fi
617
Clark Boylan323b7262016-09-23 13:33:40 -0700618 rm -rf "$INT_CA_DIR" "$ROOT_CA_DIR" "$DEVSTACK_CERT"
Stanislaw Pituchabd5dae02014-06-25 15:29:43 +0100619}
620
Adam Spiers6a5aa7c2013-10-24 11:27:02 +0100621# Tell emacs to use shell-script-mode
622## Local variables:
623## mode: shell-script
624## End: