summaryrefslogtreecommitdiff
path: root/src/conf_mode/https.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2019-10-24 15:26:55 +0200
committerChristian Poessinger <christian@poessinger.com>2019-10-24 15:26:55 +0200
commit1d8e7c841d7eee501e9a822db727fc1eec449b5e (patch)
tree6d31b0319a71e92b2b0ef18abe6c0bd64fb55457 /src/conf_mode/https.py
parent034c68aa62b5a9a493e77e8ac18f4e38ee621b25 (diff)
parent3400b1dd79702553ebbd40516bf454f3fe47885b (diff)
downloadvyos-1x-1d8e7c841d7eee501e9a822db727fc1eec449b5e.tar.gz
vyos-1x-1d8e7c841d7eee501e9a822db727fc1eec449b5e.zip
Merge branch 'current' of github.com:vyos/vyos-1x into equuleus
* 'current' of github.com:vyos/vyos-1x: T1762: adjust the set_level() calls to use the new list representation. [vyos.config] T1764: support both string and list arguments in config functions. T1759: bug fixes, missing interface IP [vyos.config] T1758: use vyos.configtree for reading values, instead of calling cli-shell-api. [HTTP API] Add endpoints for config file and image management. ddclient: T1030: add cloudflare zone config entry [service https] T1443: organize internal data by server block [vyos.config] T1758: check that config setup has completed before calling showConfig, else, default to config.boot [HTTP API] Use a decorator for functions that require authentication. ddclient: T1030: adjust to latest syntax ddclient: T1030: auto create runtime directories ddclient: T1030: use new default configuration file path T1759: Migrating interfaces T1755: fixes issue with 'show vpn ipsec sa' command where lack of keysize (encr-keysize) will result in KeyError - such as for CHACHA20_POLY1305 T1755: fixes issue with 'show vpn ipsec sa' command where lack of hash (integ-alg) will result in KeyError - such as with GCM based options
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py109
1 files changed, 47 insertions, 62 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index f948063e9..d7fcb74de 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -30,34 +30,34 @@ config_file = '/etc/nginx/sites-available/default'
# Please be careful if you edit the template.
config_tmpl = """
-### Autogenerated by http-api.py ###
+### Autogenerated by https.py ###
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
- return 302 https://$server_name$request_uri;
+ return 301 https://$server_name$request_uri;
}
-{% for addr, names in listen_addresses.items() %}
+{% for server in server_block_list %}
server {
# SSL configuration
#
-{% if addr == '*' %}
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
+{% if server.address == '*' %}
+ listen 443 ssl;
+ listen [::]:443 ssl;
{% else %}
- listen {{ addr }}:443 ssl;
+ listen {{ server.address }}:443 ssl;
{% endif %}
-{% for name in names %}
+{% for name in server.name %}
server_name {{ name }};
{% endfor %}
-{% if vyos_cert %}
- include {{ vyos_cert.conf }};
+{% if server.vyos_cert %}
+ include {{ server.vyos_cert.conf }};
{% else %}
#
# Self signed certs generated by the ssl-cert package
@@ -67,46 +67,9 @@ server {
{% endif %}
# proxy settings for HTTP API, if enabled; 503, if not
- location ~ /(retrieve|configure) {
-{% if api %}
- proxy_pass http://localhost:{{ api.port }};
- proxy_buffering off;
-{% else %}
- return 503;
-{% endif %}
- }
-
- error_page 501 502 503 =200 @50*_json;
-
- location @50*_json {
- default_type application/json;
- return 200 '{"error": "Start service in configuration mode: set service https api"}';
- }
-
-}
-{% else %}
-server {
- # SSL configuration
- #
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- server_name _;
-
-{% if vyos_cert %}
- include {{ vyos_cert.conf }};
-{% else %}
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- include snippets/snakeoil.conf;
-{% endif %}
-
- # proxy settings for HTTP API, if enabled; 503, if not
- location ~ /(retrieve|configure) {
-{% if api %}
- proxy_pass http://localhost:{{ api.port }};
+ location ~ /(retrieve|configure|config-file|image) {
+{% if server.api %}
+ proxy_pass http://localhost:{{ server.api.port }};
proxy_buffering off;
{% else %}
return 503;
@@ -125,8 +88,16 @@ server {
{% endfor %}
"""
+default_server_block = {
+ 'address' : '*',
+ 'name' : ['_'],
+ # api :
+ # vyos_cert :
+ # le_cert :
+}
+
def get_config():
- https = vyos.defaults.https_data
+ server_block_list = []
conf = Config()
if not conf.exists('service https'):
return None
@@ -134,25 +105,36 @@ def get_config():
conf.set_level('service https')
if conf.exists('listen-address'):
- addrs = {}
for addr in conf.list_nodes('listen-address'):
- addrs[addr] = ['_']
+ server_block = {'address' : addr}
+ server_block['name'] = ['_']
if conf.exists('listen-address {0} server-name'.format(addr)):
names = conf.return_values('listen-address {0} server-name'.format(addr))
- addrs[addr] = names[:]
- https['listen_addresses'] = addrs
+ server_block['name'] = names[:]
+ server_block_list.append(server_block)
+ if not server_block_list:
+ server_block_list.append(default_server_block)
+
+ vyos_cert_data = {}
if conf.exists('certificates'):
if conf.exists('certificates system-generated-certificate'):
- https['vyos_cert'] = vyos.defaults.vyos_cert_data
+ vyos_cert_data = vyos.defaults.vyos_cert_data
+ if vyos_cert_data:
+ for block in server_block_list:
+ block['vyos_cert'] = vyos_cert_data
+ api_data = {}
if conf.exists('api'):
- https['api'] = vyos.defaults.api_data
-
- if conf.exists('api port'):
- port = conf.return_value('api port')
- https['api']['port'] = port
-
+ api_data = vyos.defaults.api_data
+ if conf.exists('api port'):
+ port = conf.return_value('api port')
+ api_data['port'] = port
+ if api_data:
+ for block in server_block_list:
+ block['api'] = api_data
+
+ https = {'server_block_list' : server_block_list}
return https
def verify(https):
@@ -162,6 +144,9 @@ def generate(https):
if https is None:
return None
+ if 'server_block_list' not in https or not https['server_block_list']:
+ https['server_block_list'] = [default_server_block]
+
tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(https)
with open(config_file, 'w') as f: