|
|
|
@ -32,9 +32,14 @@ export -f apache_publish_dir |
|
|
|
|
|
|
|
apache_vhost_create () { |
|
|
|
export APACHE_CONFIG_LOCATION="$SERVICE_CONFIGSTORE/etc/apache2/sites-enabled" |
|
|
|
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true |
|
|
|
|
|
|
|
export PROTOCOLS=$(__vhost_cfg_normalize_protocol) || return 1 |
|
|
|
|
|
|
|
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1 |
|
|
|
if is_protocol_enabled https; then |
|
|
|
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl)" || return 1 |
|
|
|
fi |
|
|
|
apache_vhost_statement "$PROTOCOLS" | |
|
|
|
file_put "$APACHE_CONFIG_LOCATION/$prefix$DOMAIN.conf" || return 1 |
|
|
|
|
|
|
|
@ -43,9 +48,7 @@ apache_vhost_create () { |
|
|
|
apache_passwd_file || return 1 |
|
|
|
fi |
|
|
|
|
|
|
|
if is_protocol_enabled https; then |
|
|
|
apache_ssl_files |
|
|
|
fi |
|
|
|
"$SSL_PLUGIN_FUN"_prepare "$(relation-get ssl)" || return 1 |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
@ -91,10 +94,55 @@ __vhost_cfg_normalize_protocol() { |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
apache_ssl_files() { |
|
|
|
local content |
|
|
|
## XXXvlab: called twice... no better way to do this ? |
|
|
|
__vhost_ssl_statement > /dev/null |
|
|
|
## ssl_plugin_* and ssl_fallback should : |
|
|
|
## - do anything to ensure that |
|
|
|
## - issue config-add to add volumes if necessary |
|
|
|
## - output 3 vars of where to find the 3 files from within the docker apache |
|
|
|
|
|
|
|
ssl_get_plugin_fun() { |
|
|
|
local cfg="$(relation-get ssl 2>/dev/null)" |
|
|
|
if [[ "$(echo "$cfg" | shyaml get-type 2>/dev/null)" == "str" ]]; then |
|
|
|
target_relation= |
|
|
|
while read-0 relation_name target_service relation_config tech_dep; do |
|
|
|
[ "$target_service" == "$cfg" ] || continue |
|
|
|
verb "service ${DARKYELLOW}$target_service${NORMAL} matches" \ |
|
|
|
"${WHITE}ssl${NORMAL} value: candidate relation is ${DARKBLUE}$relation_name${NORMAL}" |
|
|
|
fun="ssl_plugin_${relation_name}" |
|
|
|
if declare -F "${fun}_vars" >/dev/null 2>&1 && declare -F "${fun}_prepare" >/dev/null 2>&1; then |
|
|
|
verb "Corresponding plugin ${DARKGREEN}found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}" |
|
|
|
echo "$fun" |
|
|
|
return 0 |
|
|
|
else |
|
|
|
verb "Corresponding plugin ${DARKRED}not found${NORMAL} for relation ${DARKBLUE}$relation_name${NORMAL}" |
|
|
|
fi |
|
|
|
done < <(get_compose_relations "$SERVICE_NAME") || return 1 |
|
|
|
err "Invalid ${WHITE}ssl${NORMAL} value: '$cfg' is not a valid linked service through a support relation." |
|
|
|
return 1 |
|
|
|
else |
|
|
|
echo ssl_fallback |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
ssl_fallback_vars() { |
|
|
|
local cfg="$1" cert key ca_cert |
|
|
|
|
|
|
|
if __vhost_cfg_ssl_cert=$(echo "$cfg" | shyaml get-value cert 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem |
|
|
|
fi |
|
|
|
|
|
|
|
if __vhost_cfg_ssl_key=$(echo "$cfg" | shyaml get-value key 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key |
|
|
|
fi |
|
|
|
|
|
|
|
if __vhost_cfg_ssl_ca_cert=$(echo "$cfg" | shyaml get-value ca-cert 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem |
|
|
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
ssl_fallback_prepare() { |
|
|
|
local cfg="$1" cert key ca_cert |
|
|
|
|
|
|
|
dst="$CONFIGSTORE/$BASE_CHARM_NAME" |
|
|
|
volumes="" |
|
|
|
for label in cert key ca_cert; do |
|
|
|
@ -117,6 +165,31 @@ $volumes |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
ssl_plugin_letsencrypt-dns_vars() { |
|
|
|
|
|
|
|
__vhost_cfg_SSL_CERT_LOCATION=/etc/letsencrypt/live/${DOMAIN}/cert.pem |
|
|
|
__vhost_cfg_SSL_KEY_LOCATION=/etc/letsencrypt/live/${DOMAIN}/privkey.pem |
|
|
|
__vhost_cfg_SSL_CHAIN=/etc/letsencrypt/live/${DOMAIN}/chain.pem |
|
|
|
} |
|
|
|
|
|
|
|
ssl_plugin_letsencrypt-dns_prepare() { |
|
|
|
local service="$1" letsencrypt_charm |
|
|
|
shift |
|
|
|
|
|
|
|
export DEFAULT_COMPOSE_FILE="$COMPOSE_YML_FILE" |
|
|
|
run_service_action "$service" add "$DOMAIN" $(echo "$SERVER_ALIAS" | shyaml get-values 2>/dev/null) || return 1 |
|
|
|
letsencrypt_charm=$(get_service_charm "$service") || return 1 |
|
|
|
|
|
|
|
config-add "\ |
|
|
|
services: |
|
|
|
$MASTER_TARGET_CHARM_NAME: |
|
|
|
volumes: |
|
|
|
- $DATASTORE/${letsencrypt_charm}/etc/letsencrypt:/etc/letsencrypt:ro |
|
|
|
" || return 1 |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
apache_passwd_file() { |
|
|
|
include parse || true |
|
|
|
|
|
|
|
@ -142,12 +215,15 @@ apache_passwd_file() { |
|
|
|
## Produce the full statements depending on relation-get informations |
|
|
|
apache_vhost_statement() { |
|
|
|
local vhost_statement |
|
|
|
export SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true |
|
|
|
export PROTOCOLS="$1" |
|
|
|
|
|
|
|
if is_protocol_enabled http; then |
|
|
|
__vhost_full_vhost_statement http |
|
|
|
fi |
|
|
|
if is_protocol_enabled https; then |
|
|
|
export SSL_PLUGIN_FUN=$(ssl_get_plugin_fun) || return 1 |
|
|
|
"$SSL_PLUGIN_FUN"_vars "$(relation-get ssl 2>/dev/null)" |
|
|
|
cat <<EOF |
|
|
|
|
|
|
|
<IfModule mod_ssl.c> |
|
|
|
@ -246,28 +322,11 @@ $MASTER_BASE_CHARM_NAME: |
|
|
|
|
|
|
|
|
|
|
|
__vhost_ssl_statement() { |
|
|
|
local key cert ca_cert |
|
|
|
|
|
|
|
__vhost_cfg_ssl="$(relation-get ssl 2>/dev/null)" |
|
|
|
if __vhost_cfg_ssl_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value cert 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}.pem |
|
|
|
fi |
|
|
|
## defaults |
|
|
|
|
|
|
|
if __vhost_cfg_ssl_key=$(echo "$__vhost_cfg_ssl" | shyaml get-value key 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/${DOMAIN}.key |
|
|
|
fi |
|
|
|
|
|
|
|
if __vhost_cfg_ssl_ca_cert=$(echo "$__vhost_cfg_ssl" | shyaml get-value ca-cert 2>/dev/null); then |
|
|
|
__vhost_cfg_SSL_CA_CERT_LOCATION=/etc/ssl/certs/${DOMAIN}-ca.pem |
|
|
|
fi |
|
|
|
|
|
|
|
if [ -z "$__vhost_cfg_SSL_CERT_LOCATION" ]; then |
|
|
|
__vhost_cfg_SSL_CERT_LOCATION=/etc/ssl/certs/ssl-cert-snakeoil.pem |
|
|
|
fi |
|
|
|
|
|
|
|
if [ -z "$__vhost_cfg_SSL_KEY_LOCATION" ]; then |
|
|
|
__vhost_cfg_SSL_KEY_LOCATION=/etc/ssl/private/ssl-cert-snakeoil.key |
|
|
|
fi |
|
|
|
__vhost_cfg_SSL_CERT_LOCATION=${__vhost_cfg_SSL_CERT_LOCATION:-/etc/ssl/certs/ssl-cert-snakeoil.pem} |
|
|
|
__vhost_cfg_SSL_KEY_LOCATION=${__vhost_cfg_SSL_KEY_LOCATION:-/etc/ssl/private/ssl-cert-snakeoil.key} |
|
|
|
|
|
|
|
cat <<EOF |
|
|
|
|
|
|
|
@ -280,13 +339,14 @@ SSLEngine On |
|
|
|
SSLCertificateFile $__vhost_cfg_SSL_CERT_LOCATION |
|
|
|
SSLCertificateKeyFile $__vhost_cfg_SSL_KEY_LOCATION |
|
|
|
$([ -z "$__vhost_cfg_SSL_CA_CERT_LOCATION" ] || echo "SSLCACertificateFile $__vhost_cfg_SSL_CA_CERT_LOCATION") |
|
|
|
$([ -z "$__vhost_cfg_SSL_CHAIN" ] || echo "SSLCertificateChainFile $__vhost_cfg_SSL_CHAIN") |
|
|
|
SSLVerifyClient None |
|
|
|
EOF |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
__vhost_creds_statement() { |
|
|
|
|
|
|
|
__vhost_creds_statement() { |
|
|
|
if ! __vhost_cfg_creds_enabled=$(relation-get creds 2>/dev/null); then |
|
|
|
echo "Allow from all" |
|
|
|
return 0 |
|
|
|
@ -306,7 +366,6 @@ EOF |
|
|
|
|
|
|
|
__vhost_head_statement() { |
|
|
|
local protocol="$1" |
|
|
|
SERVER_ALIAS=$(relation-get server-aliases 2>/dev/null) || true |
|
|
|
|
|
|
|
if [ "$protocol" == "https" ]; then |
|
|
|
prefix="s-" |
|
|
|
|
