author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-27 17:38:22 +0000 |
---|---|---|
committer | Baserock Gerrit <gerrit@baserock.org> | 2015-03-30 13:41:18 +0000 |
commit | c092bb9f60ef8c37d81210f8be3579af7b90ba70 (patch) | |
tree | e3b9a91dffb370161c2d9f01c15d73ef036f19be | |
parent | 39473587d6b669ccecc6907641aad72942b7fbba (diff) | |
download | infrastructure-c092bb9f60ef8c37d81210f8be3579af7b90ba70.tar.gz |
Use HTTPS for all infrastructure.
This is implemented with the HAProxy frontend doing 'SSL termination'.
So internal traffic between the frontend_haproxy instance and the
various machines serving content is unencrypted HTTP as before, but all
traffic that goes over the public internet is encrypted now.
Note that storyboard.baserock.org is not behind HAProxy, and currently
uses a different, self-signed certificate.
Change-Id: I9140def605fe26c9c613066fa6524e3cf817f97c
-rw-r--r-- | README.mdwn | 14 | ||||
-rw-r--r-- | baserock_gerrit/gerrit.config | 10 | ||||
-rw-r--r-- | baserock_gerrit/instance-ca-certificate-config.yml | 28 | ||||
-rw-r--r-- | baserock_openid_provider/baserock_openid_provider/settings.py | 8 | ||||
-rw-r--r-- | baserock_openid_provider/templates/index.html | 2 | ||||
-rw-r--r-- | baserock_openid_provider/templates/registration/activation_email.txt | 2 | ||||
-rw-r--r-- | baserock_storyboard/site.pp | 2 | ||||
-rw-r--r-- | certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert | 118 | ||||
-rw-r--r-- | frontend/haproxy.cfg | 29 | ||||
-rw-r--r-- | frontend/instance-config.yml | 18 |
10 files changed, 217 insertions, 14 deletions
diff --git a/README.mdwn b/README.mdwn
index 4a8a1635..5b92cbd7 100644
--- a/README.mdwn
+++ b/README.mdwn
@@ -110,6 +110,8 @@ To deploy this system: packer build -only=production frontend/packer_template.json
+ ansible-playbook -i hosts frontend/instance-config.yml
+
 Full HAProxy 1.5 documentation: <https://cbonte.github.io/haproxy-dconv/configuration-1.5.html>. When setting up a new instance with the frontend already deployed, do the
@@ -195,6 +197,14 @@ https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/ ansible-playbook -i hosts baserock_openid_provider/instance-config.yml
+To change Cherokee configuration, it's usually easiest to use the
+cherokee-admin tool in a running instance. SSH in as normal but forward port
+9090 to localhost (pass `-L9090:localhost:9090` to SSH). Backup the old
+/etc/cherokee/cherokee.conf file, then run `cherokee-admin`, and log in using
+the creditials it gives you. After changing the configuration, please update
+the cherokee.conf in infrastructure.git to match the changes `cherokee-admin`
+made.
+
 ### Gerrit
 To deploy to production, run these commands in a Baserock 'devel'
@@ -241,6 +251,10 @@ Ansible playbook will upload them to the new system. ansible-playbook -i hosts baserock_gerrit/instance-config.yml
+For baserock.org Gerrit you will also need to run:
+
+ ansible-playbook -i hosts baserock_gerrit/instance-ca-certificate-config.yml
+
 #### Access control
 Gerrit should now be up and running and accessible through the web interface.
diff --git a/baserock_gerrit/gerrit.config b/baserock_gerrit/gerrit.config
index c34aaa45..9adced02 100644
--- a/baserock_gerrit/gerrit.config
+++ b/baserock_gerrit/gerrit.config
@@ -4,7 +4,7 @@
 [gerrit]
 basePath = git
- canonicalWebUrl = http://gerrit.baserock.org/
+ canonicalWebUrl = https://gerrit.baserock.org/
 [database]
 type = mysql
 hostname = 192.168.222.30
@@ -14,12 +14,12 @@
 type = LUCENE
 [auth]
 type = OPENID_SSO
- allowedOpenID = http://openid.baserock.org/
- trustedOpenID = http://openid.baserock.org/
+ allowedOpenID = https://openid.baserock.org/
+ trustedOpenID = https://openid.baserock.org/
 # XRDS is a mechanism for saying 'here are the services I provide'. Gerrit
 # expects the URL provided here to describe the OpenID provider service
 # using XRDS.
- openIdSsoUrl = http://openid.baserock.org/openid/xrds/
+ openIdSsoUrl = https://openid.baserock.org/openid/xrds/
 [sendemail]
 smtpServer = 192.168.222.111
 # Send mails as '${user} (Code Review) <gerrit.baserock.org>'
@@ -32,7 +32,7 @@
 [sshd]
 listenAddress = *:29418
 [httpd]
- listenUrl = http://*:8080/
+ listenUrl = proxy-https://*:8080/
 [cache]
 directory = cache
 [user]
diff --git a/baserock_gerrit/instance-ca-certificate-config.yml b/baserock_gerrit/instance-ca-certificate-config.yml
new file mode 100644
index 00000000..0424b176
--- /dev/null
+++ b/baserock_gerrit/instance-ca-certificate-config.yml
@@ -0,0 +1,28 @@
+# The CA chain needed for the baserock.org certificate we use is present in
+# the system, but it's not present in the set of trusted root certificates
+# bundled with Java.
+#
+# We need Gerrit to trust the baserock.org certificate so that it will trust
+# https://openid.baserock.org/.
+#
+# This playbook is a hack at present: the second time you run it, the command
+# will fail because the certificate is already present. There is a proposed
+# Ansible module that can do this in a nicer way:
+# <https://github.com/ansible/ansible-modules-extras/pull/286/commits>.
+---
+- hosts: gerrit
+ gather_facts: False
+ vars:
+ JRE_DIR: /opt/jdk1.8.0_40
+ tasks:
+ - name: baserock.org SSL certificate with chain of trust
+ copy: src=../certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert dest=/home/gerrit
+
+ - name: install SSL certificate into Java certificate keystore
+ shell: >
+ {{ JRE_DIR }}/jre/bin/keytool \
+ -file /home/gerrit/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert \
+ -importcert \
+ -keystore {{ JRE_DIR }}/jre/lib/security/cacerts \
+ -storepass changeit \
+ -noprompt
diff --git a/baserock_openid_provider/baserock_openid_provider/settings.py b/baserock_openid_provider/baserock_openid_provider/settings.py
index 1ac1d147..a7e892ba 100644
--- a/baserock_openid_provider/baserock_openid_provider/settings.py
+++ b/baserock_openid_provider/baserock_openid_provider/settings.py
@@ -32,6 +32,14 @@ ALLOWED_HOSTS = [
 'openid.baserock.org',
 ]
+# All connections for openid.baserock.org are forced through HTTPS by HAProxy.
+# This line is necessary so that the Django code generates https:// rather than
+# http:// URLs for internal redirects.
+#
+# You MUST remove this line if this application is not running behind a proxy
+# that forces all traffic through HTTPS.
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
 # Application definition
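Review bot: The keytool task imports the full-chain file under keytool's default alias, and as far as I know keytool's trusted-certificate import reads only the first certificate in a PEM bundle, so what ends up trusted is the leaf `*.baserock.org` certificate (named "temporary" in this commit) rather than the CA chain the header comment describes; trust will silently have to be redone when that leaf is renewed. The default alias is also why the second run fails, which the comment attributes to the certificate already being present. Adding `-alias baserock-org` to the keytool command and registering the result of a preceding `keytool -list -alias baserock-org -keystore … -storepass changeit` task (with `ignore_errors`) as the condition for the import would make the play idempotent, and importing only the CA certificate(s) from the chain would survive leaf rotation. `-storepass changeit` is Java's documented default for cacerts, so it is not a secret leak, but that is worth a one-line comment.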
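Review bot: `SECURE_PROXY_SSL_HEADER` makes Django generate https URLs but does not on its own mark the session and CSRF cookies Secure, so unless they are set outside this hunk a browser will still send an already-issued cookie on the plain-HTTP request to port 80 before HAProxy's 301 redirects it; adding `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` next to this line closes that. The comment's warning also cuts the other way: the backend still listens on plain HTTP internally (the haproxy.cfg backend lines in this commit point at 192.168.222.67:80), so any host that can reach that port directly can present the header itself, which is the "no insecure machines in the cloud" assumption the haproxy.cfg comment relies on and would be worth stating here too.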
diff --git a/baserock_openid_provider/templates/index.html b/baserock_openid_provider/templates/index.html
index b2f46630..1cb4bf73 100644
--- a/baserock_openid_provider/templates/index.html
+++ b/baserock_openid_provider/templates/index.html
@@ -8,7 +8,7 @@
 <p>You are registered as {{ user.get_full_name }}.</p>
 <p>Your OpenID is:
- <a href="http://openid.baserock.org/openid/{{ user.username }}/">http://openid.baserock.org/openid/{{ user.username }}/</a>
+ <a href="https://openid.baserock.org/openid/{{ user.username }}/">https://openid.baserock.org/openid/{{ user.username }}/</a>
 </p>
 {% endif %}
diff --git a/baserock_openid_provider/templates/registration/activation_email.txt b/baserock_openid_provider/templates/registration/activation_email.txt
index 911df019..bfa784d9 100644
--- a/baserock_openid_provider/templates/registration/activation_email.txt
+++ b/baserock_openid_provider/templates/registration/activation_email.txt
@@ -1,6 +1,6 @@
 {% load i18n %}
 {% trans "Activate account at" %} {{ site.name }}:
-http://{{ site.domain }}{% url 'registration_activate' activation_key %}
+https://{{ site.domain }}{% url 'registration_activate' activation_key %}
 {% blocktrans %}Link is valid for {{ expiration_days }} days.{% endblocktrans %}
diff --git a/baserock_storyboard/site.pp b/baserock_storyboard/site.pp
index d062f817..32323877 100644
--- a/baserock_storyboard/site.pp
+++ b/baserock_storyboard/site.pp
@@ -28,7 +28,7 @@ node default {
 # need class storyboard::rabbitmq too
 class { 'storyboard::application':
- openid_url => 'http://openid.baserock.org/',
+ openid_url => 'https://openid.baserock.org/',
 mysql_host => '192.168.222.30',
 mysql_database => 'storyboard',
diff --git a/certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert b/certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert
new file mode 100644
index 00000000..78a80f5e
--- /dev/null
+++ b/certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert
@@ -0,0 +1,118 @@ +-----BEGIN CERTIFICATE----- +MIIGkTCCBXmgAwIBAgIHBv5yWci2CjANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE +BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE +aWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs +YXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MDMyNjIz +MjEyM1oXDTE3MDMyNzA5MjcxOFowgZUxCzAJBgNVBAYTAkdCMRMwEQYDVQQIEwpN +YW5jaGVzdGVyMRMwEQYDVQQHEwpNYW5jaGVzdGVyMRswGQYDVQQKExJEYW5pZWwg +U2lsdmVyc3RvbmUxFzAVBgNVBAMUDiouYmFzZXJvY2sub3JnMSYwJAYJKoZIhvcN +AQkBFhdwb3N0bWFzdGVyQGJhc2Vyb2NrLm9yZzCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAM4nR/R7lmJ9wdtp9AqG3AWjCPrKcZp1JSnCe6K5y4tqvT+A +GJ6FyJHLzEaiYTpvTIALTQQEhqj/POG3wVZunj9MUJLuXRtFfyEmcHwmKDYhfxsW +KrqI3N4K5WYZWA/W8Ly8shltp968ub0KP6PW9kPDgtAZ2Ds96T2bqTiVZkrS/pwq +8mNtdIhxUs3L5j/8zGY5gpmFcDQiRTsHf6qwpce0xzK425WhPjdjeSIf/LTEEebI +jdausyhssM1TSA3obfV5pfovRG/tr2FOt38WoH7qeImDWFW8s5l5089XbgD4nXiZ +9RG4FIQnlaIYyBOIXw56ZjeOsQASNE8Z5J1icssCAwEAAaOCAuswggLnMAkGA1Ud +EwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD +ATAdBgNVHQ4EFgQU74kXy6Zm5IHkNEdJpyROwvWGBBUwHwYDVR0jBBgwFoAUEdsj +Rf1UzGpxb4SKA9e+9wEvJoYwJwYDVR0RBCAwHoIOKi5iYXNlcm9jay5vcmeCDGJh +c2Vyb2NrLm9yZzCCAVYGA1UdIASCAU0wggFJMAgGBmeBDAECAjCCATsGCysGAQQB +gbU3AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20v +cG9saWN5LnBkZjCB9wYIKwYBBQUHAgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3Vl +ZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNzIDIgVmFsaWRhdGlvbiByZXF1aXJlbWVu +dHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3Ig +dGhlIGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWlu +ZyBwYXJ0eSBvYmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2Ny +bC5zdGFydHNzbC5jb20vY3J0Mi1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkG +CCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMi9z +ZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2Nl +cnRzL3N1Yi5jbGFzczIuc2VydmVyLmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8v 
+d3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQELBQADggEBAI8iIwqDTd673Dvk +JNon+bcUoTfWAOasthSAbE646Xly3G4o29egj+FciVRk37arEXU2tJYOt+ypBEgZ +zWHwdf/uZaUFnxZCPbb1KuAeNnKMS2OWWrQGSwqw5aGiKR2ianDpNXsmNtroTjFM +5rXCs0s5WWTBE2Jgw7shGG0GD1xaHUlMQg0vRQeRRFd/NHvEuKC7Ry8zKlMHRIbu +Osr+lwq95GsC96vcXteL8ELnIuPUrWrixnqMPyMvi/01YA2P/r3BWlEmWTphVBrQ +VoE7IHAL9DUzw0nxVDO/tvyqbAgpckat1zsIYQIAgo75ExXo+kJznJllT9BsDsfD +5D3fiF8= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW +MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg +Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NzA5WhcNMTcxMDI0MjA1NzA5WjCB +jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT +IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0 +YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4IPlfyiAEh +G5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENVsTUJm9m8 +H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1ks3RVG7RL +hiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125w2oLJxGE +d2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhHM7BUxkYa +8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQpZ4rEAwID +AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD +VR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaAFE4L7xqkQFul +F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov +L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0 +YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3 +dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0 +c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu +BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0 +BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl +LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAnQfh7pB2MWcWRXCMy4SLS1doRKWJwfJ+ 
+yyiL9edwd9W29AshYKWhdHMkIoDW2LqNomJdCTVCKfs5Y0ULpLA4Gmj0lRPM4EOU +7Os5GuxXKdmZbfWEzY5zrsncavqenRZkkwjHHMKJVJ53gJD2uSl26xNnSFn4Ljox +uMnTiOVfTtIZPUOO15L/zzi24VuKUx3OrLR2L9j3QGPV7mnzRX2gYsFhw3XtsntN +rCEnME5ZRmqTF8rIOS0Bc2Vb6UGbERecyMhK76F2YC2uk/8M1TMTn08Tzt2G8fz4 +NVQVqFvnhX76Nwn/i7gxSZ4Nbt600hItuO3Iw/G2QqBMl3nf/sOjn6H0bSyEd6Si +BeEX/zHdmvO4esNSwhERt1Axin/M51qJzPeGmmGSTy+UtpjHeOBiS0N9PN7WmrQQ +oUCcSyrcuNDUnv3xhHgbDlePaVRCaHvqoO91DweijHOZq1X1BwnSrzgDapADDC+P +4uhDwjHpb62H5Y29TiyJS1HmnExUdsASgVOb7KD8LJzaGJVuHjgmQid4YAjff20y +6NjAbx/rJnWfk/x7G/41kNxTowemP4NVCitOYoIlzmYwXSzg+RkbdbmdmFamgyd6 +0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v +qhykguAzx/Q= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW +MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg +Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh +dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9 +MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi +U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh +cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk +pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf +OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C +Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT +Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi +HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM +Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w ++2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+ +Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3 +Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B +26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID +AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE 
+FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j +ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js +LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM +BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0 +Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy +dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh +cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh +YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg +dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp +bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ +YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT +TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ +9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8 +jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW +FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz +ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1 +ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L +EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu +L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq +yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC +O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V +um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh +NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14= +-----END CERTIFICATE----- diff --git a/frontend/haproxy.cfg b/frontend/haproxy.cfg index b0b46d00..5ebbc031 100644 --- a/frontend/haproxy.cfg +++ b/frontend/haproxy.cfg 
@@ -11,6 +11,13 @@ global
 log /dev/log local0
 stats socket /var/lib/haproxy/stats
+ # Maximum number of bits used when generating temporary
+ # keys for DHE key exchange. Higher values involve more CPU
+ # usage, lower values are less secure. HAProxy's default is
+ # 1024, which is too low and HAProxy actually warns if you use
+ # the default.
+ tune.ssl.default-dh-param 2048
+
 defaults
 mode http
 timeout connect 5000ms
@@ -21,7 +28,18 @@ defaults
 option httplog
 frontend http-in
+ # All HTTP traffic is redirected to HTTPS using the '301 Moved' HTTP code.
 bind *:80
+ redirect scheme https code 301
+
+frontend https-in
+ # We do 'SSL termination' with HAProxy. So secure requests are received in
+ # the frontend, then decrypted and sent over HTTP on the internal network.
+ # This means we only need to have the certificate in one place, and the
+ # configuration of the other instances is simpler. It does mean that we
+ # need to avoid having any insecure machines in the cloud.
+ bind *:443 ssl crt /etc/pki/tls/private/baserock.pem
+ reqadd X-Forwarded-Proto:\ https
 # Rules below here implement the URL-based forwarding to the
 # appropriate instance. The hdr(host) call means 'extract the
@@ -44,8 +62,7 @@ frontend http-in
 acl host_mason_x86_64 hdr(host) -m beg -i mason-x86-64
 use_backend baserock_mason_x86_64_http if host_mason_x86_64
- acl host_openid hdr(host) -m beg -i openid
- use_backend baserock_openid_provider_http if host_openid
+ use_backend baserock_openid_provider_http if { hdr(host) -m beg -i openid }
 frontend ssh-in:
 # FIXME: it'd be better if we could limit traffic on port 29418 to
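Review bot: `reqadd X-Forwarded-Proto:\ https` in the new https-in frontend appends the header without removing one the client supplied, so a request that already carries X-Forwarded-Proto reaches the backend with two values, and Django's SECURE_PROXY_SSL_HEADER added in this commit (which compares for an exact 'https') would then, I believe, treat that request as insecure. `http-request set-header X-Forwarded-Proto https`, available in the HAProxy 1.5 the README links to, overwrites instead of appending and removes the ambiguity. The `bind *:443 ssl crt …` line leaves protocol and cipher selection at HAProxy's defaults; the global section in the first hunk is the place for `ssl-default-bind-options no-sslv3` and an `ssl-default-bind-ciphers` list alongside the new tune.ssl.default-dh-param. A `rspadd Strict-Transport-Security:\ max-age=…` on https-in would also turn the port-80 301 into a one-time cost per browser.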
@@ -68,13 +85,13 @@ backend baserock_gerrit_ssh
 server baserock_gerrit 192.168.222.69:29418
 backend baserock_irclogs_http
- server baserock_irclogs 192.168.222.74
+ server baserock_irclogs 192.168.222.74:80
 backend baserock_mason_x86_32_http
- server baserock_mason_x86_32 192.168.222.81
+ server baserock_mason_x86_32 192.168.222.81:80
 backend baserock_mason_x86_64_http
- server baserock_mason_x86_64 192.168.222.80
+ server baserock_mason_x86_64 192.168.222.80:80
 backend baserock_openid_provider_http
- server baserock_openid_provider 192.168.222.67
+ server baserock_openid_provider 192.168.222.67:80
diff --git a/frontend/instance-config.yml b/frontend/instance-config.yml
new file mode 100644
index 00000000..5484c344
--- /dev/null
+++ b/frontend/instance-config.yml
@@ -0,0 +1,18 @@
+# Instance configuration for Baserock HAProxy instance.
+#
+# This playbook should be run after starting an instance of the Baserock
+# frontend image.
+---
+- hosts: frontend-haproxy
+ gather_facts: false
+ sudo: yes
+ tasks:
+ - name: ensure system up to date
+ yum: name=* state=latest
+
+ # To create the .pem file, simply concatenate
+ # certs/baserock.org-ssl-certificate-temporary-dsilverstone.full.cert with
+ # the private key for that certificate (which is not committed to Git, of
+ # course).
+ - name: install SSL certificate
+ copy: src=../private/baserock.org-ssl-certificate-temporary-dsilverstone.pem owner=haproxy mode=400 |
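Review bot: The `install SSL certificate` task's `copy:` line has no `dest=`, which the copy module requires, so the play fails before the key and certificate land on the instance; haproxy.cfg in this same commit binds with `crt /etc/pki/tls/private/baserock.pem`, so `dest=/etc/pki/tls/private/baserock.pem` is the missing piece. The task also restarts nothing, so a renewed .pem (the certificate is named "temporary") is not picked up until HAProxy is reloaded by hand; a `notify: reload haproxy` with a matching handler would close that gap. Since the .pem holds the private key, `owner=haproxy mode=400` is right, and adding `group=haproxy` keeps the group from being whatever the connecting user's default is.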