[service https] T1443: Correct the use of listen/server_name directives

author: John Estabrook <jestabro@sentrium.io> 2019-08-27 08:13:02 -0500
committer: John Estabrook <jestabro@sentrium.io> 2019-08-27 08:13:02 -0500
commit: 1ace4a35237889bceff7309df0c687bf32ab89a9 (patch)
tree: 03354cc8a05914543f29cb61ddb387972e360553
parent: 93184326fc3768216b734a5fcc60e193b5e27fad (diff)
download: vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.tar.gz
vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.zip
3 files changed, 71 insertions, 10 deletions
diff --git a/interface-definitions/https.xml b/interface-definitions/https.xml
index 13d5c43ea..7a87133f3 100644
--- a/interface-definitions/https.xml
+++ b/interface-definitions/https.xml
@@ -9,7 +9,7 @@
           <priority>1001</priority>
         </properties>
         <children>
-          <leafNode name="listen-address">
+          <tagNode name="listen-addresses">
             <properties>
               <help>Addresses to listen for HTTPS requests</help>
               <valueHelp>
@@ -20,13 +20,25 @@
                 <format>ipv6</format>
                 <description>HTTPS IPv6 address</description>
               </valueHelp>
-              <multi/>
+              <valueHelp>
+                <format>'*'</format>
+                <description>any</description>
+              </valueHelp>
               <constraint>
                 <validator name="ipv4-address"/>
                 <validator name="ipv6-address"/>
+                <regex>^\\*$</regex>
               </constraint>
             </properties>
-          </leafNode>
+            <children>
+              <leafNode name="server-names">
+                <properties>
+                  <help>Server names: exact, wildcard, regex, or '_' (any)</help>
+                  <multi/>
+                </properties>
+              </leafNode>
+            </children>
+          </tagNode>
           <node name="certificates">
             <properties>
               <help>TLS certificates</help>
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index 3e4c02562..85d27d60d 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -29,7 +29,7 @@ cfg_vintage = 'vyatta'
 commit_lock = '/opt/vyatta/config/.lock'
 
 https_data = {
-    'listen_address' : [ '127.0.0.1' ]
+    'listen_addresses' : { '*': ['_'] }
 }
 
 api_data = {
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 289eacf69..d5aa1f5b3 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -40,12 +40,21 @@ server {
         return 302 https://$server_name$request_uri;
 }
 
+{% for addr, names in listen_addresses.items() %}
 server {
 
         # SSL configuration
         #
+{% if addr == '*' %}
         listen 443 ssl default_server;
         listen [::]:443 ssl default_server;
+{% else %}
+        listen {{ addr }}:443 ssl;
+{% endif %}
+
+{% for name in names %}
+        server_name {{ name }};
+{% endfor %}
 
 {% if vyos_cert %}
         include {{ vyos_cert.conf }};
@@ -57,9 +66,42 @@ server {
         include snippets/snakeoil.conf;
 {% endif %}
 
-{% for l_addr in listen_address %}
-        server_name {{ l_addr }};
-{% endfor %}
+        # proxy settings for HTTP API, if enabled; 503, if not
+        location ~ /(retrieve|configure) {
+{% if api %}
+                proxy_pass http://localhost:{{ api.port }};
+                proxy_buffering off;
+{% else %}
+                return 503;
+{% endif %}
+        }
+
+        error_page 501 502 503 =200 @50*_json;
+
+        location @50*_json {
+                default_type application/json;
+                return 200 '{"error": "Start service in configuration mode: set service https api"}';
+        }
+
+}
+{% else %}
+server {
+        # SSL configuration
+        #
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+
+        server_name _;
+
+{% if vyos_cert %}
+        include {{ vyos_cert.conf }};
+{% else %}
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        include snippets/snakeoil.conf;
+{% endif %}
 
         # proxy settings for HTTP API, if enabled; 503, if not
         location ~ /(retrieve|configure) {
@@ -79,6 +121,8 @@ server {
         }
 
 }
+
+{% endfor %}
 """
 
 def get_config():
@@ -89,9 +133,14 @@ def get_config():
     else:
         conf.set_level('service https')
 
-    if conf.exists('listen-address'):
-        addrs = conf.return_values('listen-address')
-        https['listen_address'] = addrs[:]
+    if conf.exists('listen-addresses'):
+        addrs = {}
+        for addr in conf.list_nodes('listen-addresses'):
+            addrs[addr] = ['_']
+            if conf.exists('listen-addresses {0} server-names'.format(addr)):
+                names = conf.return_values('listen-addresses {0} server-names'.format(addr))
+                addrs[addr] = names[:]
+        https['listen_addresses'] = addrs
 
     if conf.exists('certificates'):
         if conf.exists('certificates system-generated-certificate'):
author	John Estabrook <jestabro@sentrium.io>	2019-08-27 08:13:02 -0500
committer	John Estabrook <jestabro@sentrium.io>	2019-08-27 08:13:02 -0500
commit	1ace4a35237889bceff7309df0c687bf32ab89a9 (patch)
tree	03354cc8a05914543f29cb61ddb387972e360553
parent	93184326fc3768216b734a5fcc60e193b5e27fad (diff)
download	vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.tar.gz vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.zip