From a4d23a58efbb485f4c98da8274ead6c8004e7cc5 Mon Sep 17 00:00:00 2001 From: Peter Hormanns Date: Mon, 7 Sep 2015 16:34:26 +0200 Subject: [PATCH 1/2] merge changes for sni --- .../META-INF/persistence-with-sql-logging.xml | 1 - hsarback/conf/META-INF/persistence.xml | 1 - hsarback/conf/WEB-INF/prod-web.xml | 17 +++++++------ hsarback/conf/WEB-INF/test-web.xml | 13 ++++++---- .../qserv/QueueStatusReceiverServlet.java | 6 +++++ .../mods/dom/DomainProcessorFactory.java | 24 ++++++++++--------- .../src/de/hsadmin/mods/dom/apache-vhost.vm | 7 +++--- 7 files changed, 40 insertions(+), 29 deletions(-) diff --git a/hsarback/conf/META-INF/persistence-with-sql-logging.xml b/hsarback/conf/META-INF/persistence-with-sql-logging.xml index f551d23..cbbe3f5 100644 --- a/hsarback/conf/META-INF/persistence-with-sql-logging.xml +++ b/hsarback/conf/META-INF/persistence-with-sql-logging.xml @@ -6,7 +6,6 @@ de.hsadmin.core.qserv.QueueTask de.hsadmin.mods.cust.Customer de.hsadmin.mods.cust.Contact - de.hsadmin.mods.cust.BankAccount de.hsadmin.mods.pac.Pac de.hsadmin.mods.pac.BasePac de.hsadmin.mods.pac.BaseComponent diff --git a/hsarback/conf/META-INF/persistence.xml b/hsarback/conf/META-INF/persistence.xml index 5e0734c..ae4304b 100644 --- a/hsarback/conf/META-INF/persistence.xml +++ b/hsarback/conf/META-INF/persistence.xml @@ -6,7 +6,6 @@ de.hsadmin.core.qserv.QueueTask de.hsadmin.mods.cust.Customer de.hsadmin.mods.cust.Contact - de.hsadmin.mods.cust.BankAccount de.hsadmin.mods.pac.Pac de.hsadmin.mods.pac.BasePac de.hsadmin.mods.pac.BaseComponent diff --git a/hsarback/conf/WEB-INF/prod-web.xml b/hsarback/conf/WEB-INF/prod-web.xml index 1b71c01..4899424 100644 --- a/hsarback/conf/WEB-INF/prod-web.xml +++ b/hsarback/conf/WEB-INF/prod-web.xml @@ -11,6 +11,14 @@ Queue Status Servlet de.hsadmin.core.qserv.QueueStatusReceiverServlet + + proxyValidateUrl + https://@LOGIN_HOST@:@LOGIN_PORT@/cas/proxyValidate + + + proxyServiceUrl + https://@CONFIG_HOST@:@CONFIG_PORT@/hsar/backend + 1 
@@ -18,8 +26,8 @@ XmlRpcServlet de.hsadmin.remote.HSXmlRpcServlet - enabledForExtensions - true + enabledForExtensions + true @@ -28,11 +36,6 @@ /queueStatus - - CLI Client Connector - /hsadmin/cli-interface/ - - XmlRpcServlet /xmlrpc/* diff --git a/hsarback/conf/WEB-INF/test-web.xml b/hsarback/conf/WEB-INF/test-web.xml index df5a9df..47c2dd5 100644 --- a/hsarback/conf/WEB-INF/test-web.xml +++ b/hsarback/conf/WEB-INF/test-web.xml @@ -11,6 +11,14 @@ Queue Status Servlet de.hsadmin.core.qserv.QueueStatusReceiverServlet + + proxyValidateUrl + https://@LOGIN_HOST@:@LOGIN_PORT@/cas/proxyValidate + + + proxyServiceUrl + https://@CONFIG_HOST@:@CONFIG_PORT@/hsar/backend + 1 @@ -28,11 +36,6 @@ /queueStatus - - CLI Client Connector - /hsadmin/cli-interface/ - - XmlRpcServlet /xmlrpc/* diff --git a/hsarback/src/de/hsadmin/core/qserv/QueueStatusReceiverServlet.java b/hsarback/src/de/hsadmin/core/qserv/QueueStatusReceiverServlet.java index af52c92..1d70163 100644 --- a/hsarback/src/de/hsadmin/core/qserv/QueueStatusReceiverServlet.java +++ b/hsarback/src/de/hsadmin/core/qserv/QueueStatusReceiverServlet.java @@ -18,12 +18,14 @@ import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.persistence.EntityManager; +import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import de.hsadmin.core.model.TechnicalException; +import de.hsadmin.core.model.TicketValidator; import de.hsadmin.core.model.Transaction; import de.hsadmin.core.util.Config; 
@@ -43,6 +45,10 @@ public class QueueStatusReceiverServlet extends HttpServlet
 @Override
 public void init() throws ServletException {
+ final ServletConfig cfg = getServletConfig();
+ final String validateURL = cfg.getInitParameter("proxyValidateUrl");
+ final String serviceURL = cfg.getInitParameter("proxyServiceUrl");
+ TicketValidator.getInstance().initialize(validateURL, serviceURL);
 isConnected = false;
 messageCount = 0;
 errorCount = 0;
diff --git a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
index f6c0cdf..feab37b 100644
--- a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
+++ b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java
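Review bot: `cfg.getInitParameter(...)` returns null when an init-param is absent from the deployed web.xml, and the two new lookups in `init()` pass those nulls straight to `TicketValidator.getInstance().initialize(validateURL, serviceURL)`, so a misconfigured deployment starts up with a validator that was initialized with null URLs instead of failing at startup. Fail closed before the initialize call: `if (validateURL == null || serviceURL == null) { throw new ServletException("init-params proxyValidateUrl and proxyServiceUrl are required"); }`. `TicketValidator.getInstance()` reads as a process-wide singleton, so it is presumably this servlet (and its startup order, if the `1` in web.xml is load-on-startup) that configures CAS proxy validation for the whole webapp; a one-line comment saying so, `// configures the webapp-wide CAS TicketValidator; must run before any servlet validates a ticket`, would spare the next reader a search, though I cannot see from here whether other servlets also call initialize. The body of `init()` continues past the hunk.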
@@ -256,25 +256,26 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 return domDirsProcessor;
 }
- private Processor createApacheVHostSetupProcessor(EntityManager em, Domain dom) throws ProcessorException {
- Map templateVars = new HashMap();
+ private Processor createApacheVHostSetupProcessor(final EntityManager em, final Domain dom) throws ProcessorException {
+ final Map templateVars = new HashMap();
 templateVars.put("dynamicWeb", new Boolean(dom.isDynamic()));
- String domName = dom.getName();
+ final String domName = dom.getName();
 int level = domName.split("\\.").length;
- String linkPrefix = Integer.toString(100 - level);
- String pac = dom.getUser().getPac().getName();
- Query query = em.createQuery("SELECT d FROM Domains d WHERE d.domainoptions.name = :option AND d.name = :domname");
+ final String linkPrefix = Integer.toString(100 - level);
+ final Query query = em.createQuery("SELECT d FROM Domains d WHERE d.domainoptions.name = :option AND d.name = :domname");
 query.setParameter("domname", dom.getName());
 ifOption(templateVars, query, "indexes", "+Indexes", "-Indexes");
 ifOption(templateVars, query, "includes", "+IncludesNoExec", "-Includes");
 ifOption(templateVars, query, "multiviews", "+MultiViews", "-MultiViews");
 ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE);
- Processor domSetupProcessor = new CompoundProcessor(
+ final Processor domSetupProcessor = new CompoundProcessor(
+ new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled/" + dom.getUser().getName() + " && "
+ + "mkdir -p $PEMS_DIR/ && "
+ + "cd $PEMS_DIR && "
+ + "( ls " + domName + ".crt || ( echo \"\" > " + domName + ".chain && "
+ + "openssl req -x509 -newkey rsa:2048 -keyout " + domName + ".key -out " + domName + ".crt -days 1100 -nodes -sha256 -subj '/CN=" + domName + "' ) ) &&"
+ + "chmod 400 " + domName + "*"),
 new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/"
 + domName + ".tmp", "root", "root", "644", true),
- new ShellProcessor("ls /etc/apache2/pems/" + pac + ".pem >/dev/null 2>&1" +
- " && sed -i '/SSLCertificate.*default/d' " + "/etc/apache2/sites-available/" + domName + ".tmp" +
- " && (ls /etc/apache2/pems/" + pac + ".chain.pem >/dev/null 2>&1 || sed -i '/SSLCertificateChain.*" + pac + "/d' " + "/etc/apache2/sites-available/" + domName + ".tmp )" +
- " || sed -i '/SSLCertificate.*" + pac + "/d' " + "/etc/apache2/sites-available/" + domName + ".tmp"),
 new ShellProcessor(
 " (diff -q /etc/apache2/sites-available/" + domName + ".tmp /etc/apache2/sites-available/" + domName + " && rm /etc/apache2/sites-available/" + domName + ".tmp ) " +
 " || (mv /etc/apache2/sites-available/" + domName + ".tmp /etc/apache2/sites-available/" + domName +
@@ -302,6 +303,7 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 new ShellProcessor("rm -f /home/doms/" + domName
 + " && rm -f /etc/apache2/sites-enabled/" + linkPrefix + "-" + domName
 + " && rm -f /etc/apache2/sites-available/" + domName
+ + " && rm -f /etc/apache2/pems-enabled/" + dom.getUser().getName() + "/" + domName + ".*"
 + " && rm -rf " + dom.getUser().getHomedir() + "/doms/" + domName
 + " && invoke-rc.d apache2 reload >/dev/null 2>&1");
 return vhostDelProcessor;
diff --git a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
index b98de63..e4fdd2d 100644
--- a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
+++ b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
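Review bot: `domName` and `dom.getUser().getName()` are spliced unquoted into the shell string of the new ShellProcessor (`export PEMS_DIR=/etc/apache2/pems-enabled/` + user name, `ls`/`echo >`/`-keyout`, and `-subj '/CN=` + domName + `'` where a single quote in the name closes the quoting), so any shell metacharacter that reaches `Domain.getName()` or the user name is executed by whatever this processor runs as, presumably root given the `/etc/apache2` paths. I cannot see whether both names are validated on input, so this is hedged; a cheap guard at the top of `createApacheVHostSetupProcessor` is `if (!domName.matches("[A-Za-z0-9.-]+")) { throw new ProcessorException("invalid domain name: " + domName); }` (assuming ProcessorException has a String constructor), with the same check on the user name. The existence test `ls ` + domName + `.crt` also writes its result to the processor's stdout; the old sed/ls lines redirected to `/dev/null`, so `ls ... >/dev/null 2>&1` keeps the log clean. The method's body continues past the hunk.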
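Review bot: the added `rm -f /etc/apache2/pems-enabled/<user>/<domName>.*` is a prefix glob on the domain name, so deleting `example.com` also removes the `.key`, `.crt` and `.chain` of a sibling domain such as `example.com.au` belonging to the same user, and the same prefix glob is used by `chmod 400 <domName>*` in the setup processor. Name the three files explicitly instead: `" && rm -f " + pemsDir + "/" + domName + ".key " + pemsDir + "/" + domName + ".crt " + pemsDir + "/" + domName + ".chain"` with `pemsDir` bound to `/etc/apache2/pems-enabled/` + `dom.getUser().getName()` (brace expansion is not an option, because the shell ShellProcessor uses is not visible here). The surrounding method begins outside the hunk.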
@@ -90,10 +90,9 @@ #end SSLEngine On - SSLCertificateFile /etc/apache2/pems/default.pem - SSLCertificateChainFile /etc/apache2/pems/default.chain.pem - SSLCertificateFile /etc/apache2/pems/${pac.name}.pem - SSLCertificateChainFile /etc/apache2/pems/${pac.name}.chain.pem + SSLCertificateFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.crt + SSLCertificateKeyFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.key + SSLCertificateChainFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.chain DocumentRoot /home/doms/${dom.name}/htdocs-ssl From 2c91cdc6369c53c24148e246f6c347a04c6e8497 Mon Sep 17 00:00:00 2001 From: Peter Hormanns Date: Wed, 25 Nov 2015 16:55:35 +0100 Subject: [PATCH 2/2] SNI change pems structure --- .../mods/dom/DomainProcessorFactory.java | 17 +++++++++++++---- .../src/de/hsadmin/mods/dom/apache-vhost.vm | 6 +++--- .../src/de/hsadmin/mods/dom/openssl-sna.cnf | 12 ++++++++++++ 3 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 hsarback/src/de/hsadmin/mods/dom/openssl-sna.cnf diff --git a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java index feab37b..0bd881e 100644 --- a/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java +++ b/hsarback/src/de/hsadmin/mods/dom/DomainProcessorFactory.java 
@@ -269,11 +269,20 @@ public class DomainProcessorFactory implements EntityProcessorFactory {
 ifOption(templateVars, query, "multiviews", "+MultiViews", "-MultiViews");
 ifOption(templateVars, query, "htdocsfallback", Boolean.TRUE, Boolean.FALSE);
 final Processor domSetupProcessor = new CompoundProcessor(
- new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled/" + dom.getUser().getName() + " && "
- + "mkdir -p $PEMS_DIR/ && "
+ new CreateFileProcessor("/de/hsadmin/mods/dom/openssl-sna.cnf", templateVars, dom, "/tmp/openssl-sna.cnf", "root", "root", "644", true),
+ new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-generated && "
+ + "mkdir -p $PEMS_DIR && "
 + "cd $PEMS_DIR && "
- + "( ls " + domName + ".crt || ( echo \"\" > " + domName + ".chain && "
- + "openssl req -x509 -newkey rsa:2048 -keyout " + domName + ".key -out " + domName + ".crt -days 1100 -nodes -sha256 -subj '/CN=" + domName + "' ) ) &&"
+ + "( ls " + domName + ".crt || ( echo \"\" > _." + domName + ".chain && "
+ + "openssl req -x509 -newkey rsa:2048 -keyout _." + domName + ".key -out _." + domName + ".crt -days 1100 -nodes -sha256 -config /tmp/openssl-sna.cnf ) ) &&"
+ + "chmod 400 _." + domName + "*"),
+ new ShellProcessor("export PEMS_DIR=/etc/apache2/pems-enabled && "
+ + "mkdir -p $PEMS_DIR && "
+ + "cd $PEMS_DIR && "
+ + "( ls " + domName + ".crt ||"
+ + " ( ln -s ../pems-generated/_." + domName + ".key " + domName + ".key"
+ + " && ln -s ../pems-generated/_." + domName + ".crt " + domName + ".crt"
+ + " && ln -s ../pems-generated/_." + domName + ".chain " + domName + ".chain ) ) && "
 + "chmod 400 " + domName + "*"),
 new CreateFileProcessor("/de/hsadmin/mods/dom/apache-vhost.vm", templateVars, dom, "/etc/apache2/sites-available/" + domName + ".tmp", "root", "root", "644", true),
 new ShellProcessor(
diff --git a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
index e4fdd2d..320e786 100644
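Review bot: the existence check in the new pems-generated step tests `ls <domName>.crt`, but every file that step writes is named `_.<domName>.*`, so the guard never matches and a fresh RSA key and self-signed certificate are generated, overwriting the previous pair, on every run of the vhost setup; the check should be `( ls _." + domName + ".crt >/dev/null 2>&1 || ( echo \"\" > _." + domName + ".chain && "`. Rendering openssl-sna.cnf to the fixed, mode-644 path `/tmp/openssl-sna.cnf` and then pointing `openssl req -config` at it is a shared-/tmp hazard on a multi-user hosting box: a local user can pre-create that name, and two domain setups running at once clobber each other's config, with the exact exposure depending on how CreateFileProcessor creates the file; write it beside the key instead, e.g. `"/etc/apache2/pems-generated/_." + domName + ".cnf"` with mode `"600"`, and use that path in `-config`. The delete processor further down (outside this hunk, last touched by the previous patch) still removes `/etc/apache2/pems-enabled/<user>/<domName>.*`, which matches neither the flat `pems-enabled/<domName>.*` symlinks nor `pems-generated/_.<domName>.*`, so deleting a domain now leaves its private key on disk; it needs `" && rm -f /etc/apache2/pems-enabled/" + domName + ".key /etc/apache2/pems-enabled/" + domName + ".crt /etc/apache2/pems-enabled/" + domName + ".chain"` plus the same three `pems-generated/_.` files. `createApacheVHostSetupProcessor` starts and ends outside the hunk.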
--- a/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
+++ b/hsarback/src/de/hsadmin/mods/dom/apache-vhost.vm
@@ -90,9 +90,9 @@
 #end
 SSLEngine On
- SSLCertificateFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.crt
- SSLCertificateKeyFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.key
- SSLCertificateChainFile /etc/apache2/pems-enabled/${dom.user.name}/${dom.name}.chain
+ SSLCertificateFile /etc/apache2/pems-enabled/${dom.name}.crt
+ SSLCertificateKeyFile /etc/apache2/pems-enabled/${dom.name}.key
+ SSLCertificateChainFile /etc/apache2/pems-enabled/${dom.name}.chain
 DocumentRoot /home/doms/${dom.name}/htdocs-ssl
diff --git a/hsarback/src/de/hsadmin/mods/dom/openssl-sna.cnf b/hsarback/src/de/hsadmin/mods/dom/openssl-sna.cnf
new file mode 100644
index 0000000..b5cd207
--- /dev/null
+++ b/hsarback/src/de/hsadmin/mods/dom/openssl-sna.cnf
@@ -0,0 +1,12 @@
+[req]
+prompt = no
+distinguished_name = req_dn
+x509_extensions = v3_ca
+
+[req_dn]
+commonName = *.${dom.name}
+
+[v3_ca]
+basicConstraints = CA:FALSE
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:*.${dom.name},DNS:${dom.name}
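Review bot: the three directives now reference `/etc/apache2/pems-enabled/${dom.name}.crt`, `.key` and `.chain` unconditionally, while the setup step that populates that directory only checks that `<domName>.crt` exists before creating the symlinks; an operator who installs a real `.crt` and `.key` for a domain without a `.chain` file leaves this vhost pointing at a missing path, and as far as I recall mod_ssl rejects a missing certificate file at configuration time, which would make `apache2 reload` fail for every site on the host. The template cannot test for the file itself, so the setup step should guarantee it, e.g. `( ls <domName>.chain >/dev/null 2>&1 || echo "" > <domName>.chain )` in the pems-enabled ShellProcessor. A comment at the top of this block, `## expects <name>.crt/.key/.chain (files or symlinks) in pems-enabled for every SSL vhost; defaults are generated in pems-generated`, would document the layout for whoever installs customer certificates. The enclosing `<VirtualHost>` block starts and ends outside the hunk.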
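Review bot: the extension section is named `[v3_ca]` but sets `basicConstraints = CA:FALSE` and `extendedKeyUsage=serverAuth`, i.e. it is an end-entity server profile; renaming it (`x509_extensions = v3_server` and `[v3_server]`) stops the next reader from assuming a CA certificate is being minted. The profile also carries no `keyUsage`, which clients tolerate but a server certificate should state: `keyUsage = critical, digitalSignature, keyEncipherment`. `${dom.name}` is substituted verbatim by Velocity, and `$` and `#` are special in OpenSSL config syntax, so an unvalidated name would break or redirect parsing; I cannot see from here whether domain names are restricted to hostname characters. A header comment, `# self-signed SNI placeholder: CN and SAN cover ${dom.name} and *.${dom.name}; replaced when a real certificate is installed in pems-enabled`, would record why the CN is a wildcard now that `-subj` is gone.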