diff options
| author | John Estabrook <jestabro@sentrium.io> | 2019-08-27 08:13:02 -0500 |
|---|---|---|
| committer | John Estabrook <jestabro@sentrium.io> | 2019-08-27 08:13:02 -0500 |
| commit | 1ace4a35237889bceff7309df0c687bf32ab89a9 (patch) | |
| tree | 03354cc8a05914543f29cb61ddb387972e360553 /src/conf_mode/https.py | |
| parent | 93184326fc3768216b734a5fcc60e193b5e27fad (diff) | |
| download | vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.tar.gz vyos-1x-1ace4a35237889bceff7309df0c687bf32ab89a9.zip | |
[service https] T1443: Correct the use of listen/server_name directives
Diffstat (limited to 'src/conf_mode/https.py')
| -rwxr-xr-x | src/conf_mode/https.py | 61 |
1 files changed, 55 insertions, 6 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 289eacf69..d5aa1f5b3 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -40,12 +40,21 @@ server { return 302 https://$server_name$request_uri; } +{% for addr, names in listen_addresses.items() %} server { # SSL configuration # +{% if addr == '*' %} listen 443 ssl default_server; listen [::]:443 ssl default_server; +{% else %} + listen {{ addr }}:443 ssl; +{% endif %} + +{% for name in names %} + server_name {{ name }}; +{% endfor %} {% if vyos_cert %} include {{ vyos_cert.conf }}; @@ -57,9 +66,42 @@ server { include snippets/snakeoil.conf; {% endif %} -{% for l_addr in listen_address %} - server_name {{ l_addr }}; -{% endfor %} + # proxy settings for HTTP API, if enabled; 503, if not + location ~ /(retrieve|configure) { +{% if api %} + proxy_pass http://localhost:{{ api.port }}; + proxy_buffering off; +{% else %} + return 503; +{% endif %} + } + + error_page 501 502 503 =200 @50*_json; + + location @50*_json { + default_type application/json; + return 200 '{"error": "Start service in configuration mode: set service https api"}'; + } + +} +{% else %} +server { + # SSL configuration + # + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + server_name _; + +{% if vyos_cert %} + include {{ vyos_cert.conf }}; +{% else %} + # + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + # + include snippets/snakeoil.conf; +{% endif %} # proxy settings for HTTP API, if enabled; 503, if not location ~ /(retrieve|configure) { @@ -79,6 +121,8 @@ server { } } + +{% endfor %} """ def get_config(): @@ -89,9 +133,14 @@ def get_config(): else: conf.set_level('service https') - if conf.exists('listen-address'): - addrs = conf.return_values('listen-address') - https['listen_address'] = addrs[:] + if conf.exists('listen-addresses'): + addrs = {} + for addr in conf.list_nodes('listen-addresses'): + addrs[addr] = ['_'] + if conf.exists('listen-addresses {0} server-names'.format(addr)): + names = conf.return_values('listen-addresses {0} server-names'.format(addr)) + addrs[addr] = names[:] + https['listen_addresses'] = addrs if conf.exists('certificates'): if conf.exists('certificates system-generated-certificate'): |