From fc78e094919257f523707ec02d897505d7107699 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 12:08:54 -0400 Subject: Make static tor hidden services work (#8212). When tor hidden services were enabled for static sites, only a very basic configuration was setup and it didn't take into account the different location configurations that can be configured for a static site. This commit resolves that by making a site_static::hidden_service class similar to the site_webapp::hidden_service class, and fixes up the apache vhost template to properly create the location blocks for the hidden service vhost. Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a --- .../site_static/manifests/hidden_service.pp | 37 +++++++++++++++++ puppet/modules/site_static/manifests/init.pp | 20 ++++----- .../modules/site_static/templates/apache.conf.erb | 47 +++++++++++++++++++++- 3 files changed, 94 insertions(+), 10 deletions(-) create mode 100644 puppet/modules/site_static/manifests/hidden_service.pp (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp new file mode 100644 index 00000000..f1f15f8e --- /dev/null +++ b/puppet/modules/site_static/manifests/hidden_service.pp @@ -0,0 +1,37 @@ +# create hidden service for static sites +class site_static::hidden_service { + + include tor::daemon + tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } + file { + '/var/lib/tor/webapp/': + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; + + '/var/lib/tor/static/private_key': + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; + + '/var/lib/tor/static/hostname': + ensure => present, + content => "${::site_static::tor_domain}\n", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; + } + + # it is necessary to zero out the config of the status module + # because we are configuring our own version that is unavailable + # over the hidden service (see: #7456 and #7776) + apache::module { 'status': ensure => present, conf_content => ' ' } + + include site_shorewall::tor +} + diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4a722d62..5b432f29 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -7,11 +7,14 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + + $tor = hiera('tor', false) + $hidden_service = $tor['hidden_service'] + $tor_domain = "${hidden_service['address']}.onion" if $bootstrap['enabled'] { $bootstrap_domain = $bootstrap['domain'] @@ -57,15 +60,14 @@ class site_static { } } - create_resources(site_static::domain, $domains) - if $tor { - $hidden_service = $tor['hidden_service'] if $hidden_service['active'] { - include site_webapp::hidden_service + include site_static::hidden_service } } + create_resources(site_static::domain, $domains) + include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 6b969d1c..bd088180 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -23,12 +23,56 @@ bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> + + Require all granted + + +<%- if @tor -%> + + ServerName <%= @tor_domain %> + ServerAlias www.<%= @tor_domain %> + + + Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime + + + DocumentRoot "/<%= @document_root %>/" + AccessFileName .htaccess + +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config.gsub(':percent:','%') %> +<%- end -%> + +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> + ## + ## <%= name %> (<%= location['format'] %>) + ## +<%= scope.function_templatewlv([template_path, local_vars]) %> +<%- end -%> +<%- end -%> + + ServerName <%= @domain %> ServerAlias www.<%= @domain %> <%- @aliases && @aliases.each do |domain_alias| -%> ServerAlias <%= domain_alias %> <%- end -%> + <%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] @@ -47,12 +91,14 @@ Include include.d/ssl_common.inc + <%- if @tls_only -%> Header always set Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> Header set X-Frame-Options "deny" Header always unset X-Powered-By Header always unset X-Runtime + SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt @@ -84,5 +130,4 @@ ## <%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> - -- cgit v1.2.3