summaryrefslogtreecommitdiff
path: root/src/conf_mode/https.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py59
1 files changed, 54 insertions, 5 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 289eacf69..f948063e9 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -40,12 +40,21 @@ server {
return 302 https://$server_name$request_uri;
}
+{% for addr, names in listen_addresses.items() %}
server {
# SSL configuration
#
+{% if addr == '*' %}
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
+{% else %}
+ listen {{ addr }}:443 ssl;
+{% endif %}
+
+{% for name in names %}
+ server_name {{ name }};
+{% endfor %}
{% if vyos_cert %}
include {{ vyos_cert.conf }};
@@ -57,9 +66,42 @@ server {
include snippets/snakeoil.conf;
{% endif %}
-{% for l_addr in listen_address %}
- server_name {{ l_addr }};
-{% endfor %}
+ # proxy settings for HTTP API, if enabled; 503, if not
+ location ~ /(retrieve|configure) {
+{% if api %}
+ proxy_pass http://localhost:{{ api.port }};
+ proxy_buffering off;
+{% else %}
+ return 503;
+{% endif %}
+ }
+
+ error_page 501 502 503 =200 @50*_json;
+
+ location @50*_json {
+ default_type application/json;
+ return 200 '{"error": "Start service in configuration mode: set service https api"}';
+ }
+
+}
+{% else %}
+server {
+ # SSL configuration
+ #
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+{% if vyos_cert %}
+ include {{ vyos_cert.conf }};
+{% else %}
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ include snippets/snakeoil.conf;
+{% endif %}
# proxy settings for HTTP API, if enabled; 503, if not
location ~ /(retrieve|configure) {
@@ -79,6 +121,8 @@ server {
}
}
+
+{% endfor %}
"""
def get_config():
@@ -90,8 +134,13 @@ def get_config():
conf.set_level('service https')
if conf.exists('listen-address'):
- addrs = conf.return_values('listen-address')
- https['listen_address'] = addrs[:]
+ addrs = {}
+ for addr in conf.list_nodes('listen-address'):
+ addrs[addr] = ['_']
+ if conf.exists('listen-address {0} server-name'.format(addr)):
+ names = conf.return_values('listen-address {0} server-name'.format(addr))
+ addrs[addr] = names[:]
+ https['listen_addresses'] = addrs
if conf.exists('certificates'):
if conf.exists('certificates system-generated-certificate'):