From 08dc5c2006e7b53dcd38369134ab7e1f43536bec Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Wed, 11 Feb 2015 21:59:50 +0000
Subject: [PATCH] Move security.openstack.org to HTTPS

As we migrate things like security contact information off
www.openstack.org and onto security.openstack.org, people are going
to want some extra assurances they're not looking at a copy that's
been monkeyed with in transit. Serve it via HTTPS and redirect prior
HTTP URLs.

Change-Id: Ifdd8eaa7d92c3103637360ec125e6a6096fed598
---
 manifests/site.pp                             | 19 +++---
 modules/openstack_project/manifests/static.pp | 58 +++++++++++++++++--
 .../templates/security.vhost.erb              | 38 ++++++++++++
 3 files changed, 103 insertions(+), 12 deletions(-)
 create mode 100644 modules/openstack_project/templates/security.vhost.erb

diff --git a/manifests/site.pp b/manifests/site.pp
index f271baeff4..21b6c7a46d 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -451,14 +451,17 @@ node 'storyboard.openstack.org' {
 # Node-OS: precise
 node 'static.openstack.org' {
   class { 'openstack_project::static':
-    project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
-    sysadmins               => hiera('sysadmins', []),
-    swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
-    swift_user              => 'infra-files-ro',
-    swift_key               => hiera('infra_files_ro_password', 'XXX'),
-    swift_tenant_name       => hiera('infra_files_tenant_name', 'tenantname'),
-    swift_region_name       => 'DFW',
-    swift_default_container => 'infra-files',
+    project_config_repo              => 'https://git.openstack.org/openstack-infra/project-config',
+    sysadmins                        => hiera('sysadmins', []),
+    swift_authurl                    => 'https://identity.api.rackspacecloud.com/v2.0/',
+    swift_user                       => 'infra-files-ro',
+    swift_key                        => hiera('infra_files_ro_password', 'XXX'),
+    swift_tenant_name                => hiera('infra_files_tenant_name', 'tenantname'),
+    swift_region_name                => 'DFW',
+    swift_default_container          => 'infra-files',
+    security_ssl_cert_file_contents  => hiera('security_ssl_cert_file_contents', 'XXX'),
+    security_ssl_key_file_contents   => hiera('security_ssl_key_file_contents', 'XXX'),
+    security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'),
   }
 }
 
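Review bot: The `'XXX'` fallbacks on the three new hiera lookups (the security_ssl_cert_file_contents, security_ssl_key_file_contents and security_ssl_chain_file_contents lines) turn a missing hiera key into the literal string XXX being written as the PEM, key and chain files, which mod_ssl will presumably reject at startup and so take every vhost on this node down, not just security.openstack.org. The existing swift_key default follows the same pattern, but a rejected Swift login degrades one mirror job whereas a broken TLS key breaks the whole server, so failing catalog compilation is the safer default here: `security_ssl_key_file_contents   => hiera('security_ssl_key_file_contents'),` with no fallback, and likewise for the cert and chain lines.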
diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 97ceac057e..39063a10fa 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@@ -9,6 +9,9 @@ class openstack_project::static (
   $swift_region_name = '',
   $swift_default_container = '',
   $project_config_repo = '',
+  $security_ssl_cert_file_contents = '',
+  $security_ssl_key_file_contents = '',
+  $security_ssl_chain_file_contents = '',
   $jenkins_gitfullname = 'OpenStack Jenkins',
   $jenkins_gitemail = 'jenkins@openstack.org',
 ) {
@@ -229,10 +232,13 @@ class openstack_project::static (
   # Security
 
   apache::vhost { 'security.openstack.org':
-    port     => 80,
-    priority => '50',
-    docroot  => '/srv/static/security',
-    require  => File['/srv/static/security'],
+    port       => 443, # Is required despite not being used.
+    docroot    => '/srv/static/security',
+    priority   => '50',
+    ssl        => true,
+    template   => 'openstack_project/security.vhost.erb',
+    vhost_name => 'security.openstack.org',
+    require    => File['/srv/static/security'],
   }
 
   file { '/srv/static/security':
@@ -242,6 +248,50 @@ class openstack_project::static (
     require => User['jenkins'],
   }
 
+  file { '/etc/ssl/certs':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/ssl/private':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0700',
+  }
+
+  file { '/etc/ssl/certs/security.openstack.org.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $security_ssl_cert_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
+  file { '/etc/ssl/private/security.openstack.org.key':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0600',
+    content => $security_ssl_key_file_contents,
+    require => File['/etc/ssl/private'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
+  file { '/etc/ssl/certs/security.openstack.org_intermediate.pem':
+    ensure  => present,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => $security_ssl_chain_file_contents,
+    require => File['/etc/ssl/certs'],
+    before  => Apache::Vhost['security.openstack.org'],
+  }
+
   ###########################################################
   # Governance
 
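Review bot: The file resource for /etc/ssl/private/security.openstack.org.key has no `show_diff => false`, so any change to its `content` is rendered as a diff in the agent log and report, which ships the private key to wherever those are collected; add `show_diff => false,` to that resource (the cert and chain files are public and can keep the default). None of the three PEM resources notifies the Apache service, so a rotated certificate or key is written to disk but not loaded until something else restarts Apache — the `before => Apache::Vhost[...]` edges only order the first run. Managing /etc/ssl/private with mode 0700 may also be tighter than what the distribution ships (on Debian-family hosts it is normally 0710 with group ssl-cert, which other services on the box might rely on), so that is worth confirming before narrowing it.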
diff --git a/modules/openstack_project/templates/security.vhost.erb b/modules/openstack_project/templates/security.vhost.erb
new file mode 100644
index 0000000000..79464e450c
--- /dev/null
+++ b/modules/openstack_project/templates/security.vhost.erb
@@ -0,0 +1,38 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+<VirtualHost *:80>
+  ServerName <%= @vhost_name %>
+  RewriteEngine On
+  RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+  ServerName <%= @vhost_name %>
+  DocumentRoot <%= @docroot %>
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
+  SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
+  <Directory <%= @docroot %>>
+    Allow from all
+    Satisfy Any
+  </Directory>
+  LogLevel warn
+  ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+  CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+  ServerSignature Off
+</VirtualHost>
+</IfModule>
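Review bot: The *:443 vhost sends no Strict-Transport-Security header, so after this change a user typing the bare hostname still issues a plain-HTTP request on every visit and relies on the 301 to reach TLS, which is exactly the in-transit window the commit message wants to close; add `Header always set Strict-Transport-Security "max-age=31536000"` inside the HTTPS vhost (requires mod_headers to be loaded). The `<IfModule mod_ssl.c>` guard also means that if mod_ssl is absent the port-80 vhost keeps redirecting permanently to a port nothing listens on, so that misconfiguration fails silently instead of at Apache start. The cipher string lists ECDH+AES256 and DH+AES256 and then removes them again with `!AES256`; if preferring AES128 is deliberate a comment saying so would help, and the existing comment has a typo (`guarenteed`).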