From 34eadcf2f74ae57342997bed77ce64bddd34219b Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Sat, 6 Jan 2024 10:55:42 +0100
Subject: https: T5902: remove virtual-host configuration
We have not seen the adoption of the https virtual-host CLI option. What it did?
* Create multiple webservers each listening on a different IP/port (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on the default host
This configuration tried to provide a full webserver via the CLI but VyOS is a router and the Webserver is there for an API or to serve files for a local-ui. Changes Remove support for virtual-hosts as it's an incomplete and thus mostly useless "thing". Migrate all allow-client statements to one top-level allow statement.
(cherry picked from commit d0d3071e99eb65edb888c26ef2fdc9e038438887)
---
 interface-definitions/include/pki/dh-params.xml.i | 10 +++
 interface-definitions/interfaces_openvpn.xml.in | 9 +--
 interface-definitions/service_https.xml.in | 89 ++++++++---------------
 3 files changed, 43 insertions(+), 65 deletions(-)
 create mode 100644 interface-definitions/include/pki/dh-params.xml.i
(limited to 'interface-definitions')
diff --git a/interface-definitions/include/pki/dh-params.xml.i b/interface-definitions/include/pki/dh-params.xml.i
new file mode 100644
index 000000000..a422df832
--- /dev/null
+++ b/interface-definitions/include/pki/dh-params.xml.i
@@ -0,0 +1,10 @@
+
+
+
+ Diffie Hellman parameters (server only)
+
+ pki dh
+
+
+
+
diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in
index dadf5cb48..f7e8f8b9f 100644
--- a/interface-definitions/interfaces_openvpn.xml.in
+++ b/interface-definitions/interfaces_openvpn.xml.in
@@ -736,14 +736,7 @@ #include #include - - - Diffie Hellman parameters (server only) - - pki dh - - - + #include Static key to use to authenticate control channel
diff --git a/interface-definitions/service_https.xml.in b/interface-definitions/service_https.xml.in
index 57f36a982..b60c7ff2e 100644
--- a/interface-definitions/service_https.xml.in
+++ b/interface-definitions/service_https.xml.in
@@ -8,52 +8,6 @@ 1001 - - - Identifier for virtual host - - [a-zA-Z0-9-_.:]{1,255} - - illegal characters in identifier or identifier longer than 255 characters - - - - - Address to listen for HTTPS requests - - - - - ipv4 - HTTPS IPv4 address - - - ipv6 - HTTPS IPv6 address - - - '*' - any - - - - \* - - - - #include - - 443 - - - - Server names: exact, wildcard, or regex - - - - #include - - VyOS HTTP API configuration
@@ -172,19 +126,18 @@ - + #include + - Restrict api proxy to subset of virtual hosts + Enable HTTP to HTTPS redirect + - - - - Restrict proxy to virtual host(s) - - - - - + + #include + #include + + 443 + TLS certificates
@@ -192,8 +145,30 @@ #include #include + #include + + + Specify available TLS version(s) + + 1.2 1.3 + + + 1.2 + TLSv1.2 + + + 1.3 + TLSv1.3 + + + (1.2|1.3) + + + + 1.2 1.3 + #include
-- cgit v1.2.3
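Review bot: The single top-level client allow-list that replaces the per-virtual-host lists (hunk `@@ -172,19 +126,18 @@` of service_https.xml.in) has no documented merge semantics. The commit message says all allow-client statements are migrated to one top-level statement, but the migration is outside this view (limited to 'interface-definitions'). If it takes the union of the old lists, a source that was allowed on one listen address only would be allowed on every listener after upgrade, including the API, which the message says was always enabled on the default host. Element names and include targets are stripped in this rendering, so which added `#include` carries the allow-client node is inferred. I would state this in the node's help or the release note, e.g. `Merged from all former virtual-host allow-client lists; review after upgrade`.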
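Review bot: The pattern `(1.2|1.3)` in the added TLS version node (hunk `@@ -192,8 +145,30 @@` of service_https.xml.in) leaves both dots unescaped, so each matches any character and a value such as `1x2` would satisfy it; `(1\.2|1\.3)` accepts only the two documented versions. The element tags are stripped in this rendering, so reading this string as the node's constraint regex is inferred from its position after the `TLSv1.2` and `TLSv1.3` value descriptions. How an unlisted value would be rendered into the web server's TLS configuration is not visible here, which is a reason to reject it at the CLI. No constraint error message text appears in the hunk either; a short one naming the accepted values would help the operator.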