diff options
author | elijah <elijah@riseup.net> | 2013-05-21 13:17:25 -0700 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2013-05-21 13:17:25 -0700 |
commit | aafeaecb26fbb05284558114332a89439261637b (patch) | |
tree | 09ab1eedfb9c4f64e7c183737d58dc71baad25ee /puppet/modules | |
parent | c591f65a555a20bd6bc3a2171cffb55283dd9d0c (diff) |
nickserver - added support for apache reverse proxy frontend to handle the TLS.
Diffstat (limited to 'puppet/modules')
3 files changed, 90 insertions, 14 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 03af4acb..7dfa2603 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,6 +1,10 @@ # -# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. -# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# TODO: currently, this is dependent on some things that are set up in site_webapp +# +# (1) HAProxy -> couchdb +# (2) Apache +# +# It would be good in the future to make nickserver installable independently of site_webapp. # class site_nickserver { @@ -12,12 +16,23 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] + $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) + $nickserver_local_port = '64250' # the port that nickserver is actually running on + $nickserver_domain = $nickserver['domain'] + $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # temporarily for now: + $domain = hiera('domain') + $address_domain = $domain['full_suffix'] + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + # # USER AND GROUP # @@ -30,16 +45,16 @@ class site_nickserver { ensure => present, allowdupe => false, gid => 'nickserver', - groups => 'ssl-cert', home => '/srv/leap/nickserver', require => Group['nickserver']; } # # NICKSERVER CODE + # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem + # is built/installed. # - # libssl-dev must be installed before eventmachine gem in order to support TLS package { 'libssl-dev': ensure => installed; } @@ -100,6 +115,7 @@ class site_nickserver { # # FIREWALL + # poke a hole in the firewall to allow nickserver requests # file { '/etc/shorewall/macro.nickserver': @@ -115,4 +131,32 @@ class site_nickserver { order => 200; } + # + # APACHE REVERSE PROXY + # nickserver doesn't speak TLS natively, let Apache handle that. + # + + apache::module { + 'proxy': ensure => present; + 'proxy_http': ensure => present + } + + apache::vhost::file { + 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + } + + x509::key { 'nickserver': + content => $x509_key, + notify => Service[apache]; + } + + x509::cert { 'nickserver': + content => $x509_cert, + notify => Service[apache]; + } + + x509::ca { 'nickserver': + content => $x509_ca, + notify => Service[apache]; + } }
\ No newline at end of file diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb new file mode 100644 index 00000000..67896cd3 --- /dev/null +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -0,0 +1,23 @@ +# +# Apache reverse proxy configuration for the Nickserver +# + +Listen 0.0.0.0:<%= @nickserver_port -%> + +<VirtualHost *:<%= @nickserver_port -%>> + ServerName <%= @nickserver_domain %> + ServerAlias <%= @address_domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile /etc/ssl/certs/nickserver.pem + SSLCertificateKeyFile /etc/x509/keys/nickserver.key + SSLCertificateFile /etc/x509/certs/nickserver.crt + + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ + ProxyPreserveHost On # preserve Host header in HTTP request +</VirtualHost> diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb index b6e0b3bf..7aab5605 100644 --- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb +++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb @@ -1,10 +1,19 @@ -couch_host: <%= @couchdb_host %> +# +# configuration for nickserver. +# + +domain: "<%= @address_domain %>" + +couch_host: "<%= @couchdb_host %>" couch_port: <%= @couchdb_port %> -couch_database: 'users' -couch_user: <%= @couchdb_user %> -couch_password: <%= @couchdb_password %> -hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup' -port: <%= @nickserver_port %> -pid_file: '/var/run/nickserver' -user: 'nickserver' -log_file: '/var/log/nickserver.log' +couch_database: "users" +couch_user: "<%= @couchdb_user %>" +couch_password: "<%= @couchdb_password %>" + +hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup" + +user: "nickserver" +port: <%= @nickserver_local_port %> +pid_file: "/var/run/nickserver" +log_file: "/var/log/nickserver.log" + |