summaryrefslogtreecommitdiff
path: root/src/conf_mode/https.py
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-xsrc/conf_mode/https.py107
1 files changed, 46 insertions, 61 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index 233c815bc..d7fcb74de 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -30,34 +30,34 @@ config_file = '/etc/nginx/sites-available/default'
# Please be careful if you edit the template.
config_tmpl = """
-### Autogenerated by http-api.py ###
+### Autogenerated by https.py ###
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
- return 302 https://$server_name$request_uri;
+ return 301 https://$server_name$request_uri;
}
-{% for addr, names in listen_addresses.items() %}
+{% for server in server_block_list %}
server {
# SSL configuration
#
-{% if addr == '*' %}
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
+{% if server.address == '*' %}
+ listen 443 ssl;
+ listen [::]:443 ssl;
{% else %}
- listen {{ addr }}:443 ssl;
+ listen {{ server.address }}:443 ssl;
{% endif %}
-{% for name in names %}
+{% for name in server.name %}
server_name {{ name }};
{% endfor %}
-{% if vyos_cert %}
- include {{ vyos_cert.conf }};
+{% if server.vyos_cert %}
+ include {{ server.vyos_cert.conf }};
{% else %}
#
# Self signed certs generated by the ssl-cert package
@@ -68,45 +68,8 @@ server {
# proxy settings for HTTP API, if enabled; 503, if not
location ~ /(retrieve|configure|config-file|image) {
-{% if api %}
- proxy_pass http://localhost:{{ api.port }};
- proxy_buffering off;
-{% else %}
- return 503;
-{% endif %}
- }
-
- error_page 501 502 503 =200 @50*_json;
-
- location @50*_json {
- default_type application/json;
- return 200 '{"error": "Start service in configuration mode: set service https api"}';
- }
-
-}
-{% else %}
-server {
- # SSL configuration
- #
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
-
- server_name _;
-
-{% if vyos_cert %}
- include {{ vyos_cert.conf }};
-{% else %}
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- include snippets/snakeoil.conf;
-{% endif %}
-
- # proxy settings for HTTP API, if enabled; 503, if not
- location ~ /(retrieve|configure) {
-{% if api %}
- proxy_pass http://localhost:{{ api.port }};
+{% if server.api %}
+ proxy_pass http://localhost:{{ server.api.port }};
proxy_buffering off;
{% else %}
return 503;
@@ -125,8 +88,16 @@ server {
{% endfor %}
"""
+default_server_block = {
+ 'address' : '*',
+ 'name' : ['_'],
+ # api :
+ # vyos_cert :
+ # le_cert :
+}
+
def get_config():
- https = vyos.defaults.https_data
+ server_block_list = []
conf = Config()
if not conf.exists('service https'):
return None
@@ -134,25 +105,36 @@ def get_config():
conf.set_level('service https')
if conf.exists('listen-address'):
- addrs = {}
for addr in conf.list_nodes('listen-address'):
- addrs[addr] = ['_']
+ server_block = {'address' : addr}
+ server_block['name'] = ['_']
if conf.exists('listen-address {0} server-name'.format(addr)):
names = conf.return_values('listen-address {0} server-name'.format(addr))
- addrs[addr] = names[:]
- https['listen_addresses'] = addrs
+ server_block['name'] = names[:]
+ server_block_list.append(server_block)
+ if not server_block_list:
+ server_block_list.append(default_server_block)
+
+ vyos_cert_data = {}
if conf.exists('certificates'):
if conf.exists('certificates system-generated-certificate'):
- https['vyos_cert'] = vyos.defaults.vyos_cert_data
+ vyos_cert_data = vyos.defaults.vyos_cert_data
+ if vyos_cert_data:
+ for block in server_block_list:
+ block['vyos_cert'] = vyos_cert_data
+ api_data = {}
if conf.exists('api'):
- https['api'] = vyos.defaults.api_data
-
- if conf.exists('api port'):
- port = conf.return_value('api port')
- https['api']['port'] = port
-
+ api_data = vyos.defaults.api_data
+ if conf.exists('api port'):
+ port = conf.return_value('api port')
+ api_data['port'] = port
+ if api_data:
+ for block in server_block_list:
+ block['api'] = api_data
+
+ https = {'server_block_list' : server_block_list}
return https
def verify(https):
@@ -162,6 +144,9 @@ def generate(https):
if https is None:
return None
+ if 'server_block_list' not in https or not https['server_block_list']:
+ https['server_block_list'] = [default_server_block]
+
tmpl = jinja2.Template(config_tmpl, trim_blocks=True)
config_text = tmpl.render(https)
with open(config_file, 'w') as f: