diff options
Diffstat (limited to 'src/conf_mode/https.py')
-rwxr-xr-x | src/conf_mode/https.py | 109 |
1 files changed, 47 insertions, 62 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index f948063e9..d7fcb74de 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -30,34 +30,34 @@ config_file = '/etc/nginx/sites-available/default' # Please be careful if you edit the template. config_tmpl = """ -### Autogenerated by http-api.py ### +### Autogenerated by https.py ### # Default server configuration # server { listen 80 default_server; listen [::]:80 default_server; server_name _; - return 302 https://$server_name$request_uri; + return 301 https://$server_name$request_uri; } -{% for addr, names in listen_addresses.items() %} +{% for server in server_block_list %} server { # SSL configuration # -{% if addr == '*' %} - listen 443 ssl default_server; - listen [::]:443 ssl default_server; +{% if server.address == '*' %} + listen 443 ssl; + listen [::]:443 ssl; {% else %} - listen {{ addr }}:443 ssl; + listen {{ server.address }}:443 ssl; {% endif %} -{% for name in names %} +{% for name in server.name %} server_name {{ name }}; {% endfor %} -{% if vyos_cert %} - include {{ vyos_cert.conf }}; +{% if server.vyos_cert %} + include {{ server.vyos_cert.conf }}; {% else %} # # Self signed certs generated by the ssl-cert package @@ -67,46 +67,9 @@ server { {% endif %} # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure) { -{% if api %} - proxy_pass http://localhost:{{ api.port }}; - proxy_buffering off; -{% else %} - return 503; -{% endif %} - } - - error_page 501 502 503 =200 @50*_json; - - location @50*_json { - default_type application/json; - return 200 '{"error": "Start service in configuration mode: set service https api"}'; - } - -} -{% else %} -server { - # SSL configuration - # - listen 443 ssl default_server; - listen [::]:443 ssl default_server; - - server_name _; - -{% if vyos_cert %} - include {{ vyos_cert.conf }}; -{% else %} - # - # Self signed certs generated by the ssl-cert package - # Don't use them in a production server! - # - include snippets/snakeoil.conf; -{% endif %} - - # proxy settings for HTTP API, if enabled; 503, if not - location ~ /(retrieve|configure) { -{% if api %} - proxy_pass http://localhost:{{ api.port }}; + location ~ /(retrieve|configure|config-file|image) { +{% if server.api %} + proxy_pass http://localhost:{{ server.api.port }}; proxy_buffering off; {% else %} return 503; @@ -125,8 +88,16 @@ server { {% endfor %} """ +default_server_block = { + 'address' : '*', + 'name' : ['_'], + # api : + # vyos_cert : + # le_cert : +} + def get_config(): - https = vyos.defaults.https_data + server_block_list = [] conf = Config() if not conf.exists('service https'): return None @@ -134,25 +105,36 @@ def get_config(): conf.set_level('service https') if conf.exists('listen-address'): - addrs = {} for addr in conf.list_nodes('listen-address'): - addrs[addr] = ['_'] + server_block = {'address' : addr} + server_block['name'] = ['_'] if conf.exists('listen-address {0} server-name'.format(addr)): names = conf.return_values('listen-address {0} server-name'.format(addr)) - addrs[addr] = names[:] - https['listen_addresses'] = addrs + server_block['name'] = names[:] + server_block_list.append(server_block) + if not server_block_list: + server_block_list.append(default_server_block) + + vyos_cert_data = {} if conf.exists('certificates'): if conf.exists('certificates system-generated-certificate'): - https['vyos_cert'] = vyos.defaults.vyos_cert_data + vyos_cert_data = vyos.defaults.vyos_cert_data + if vyos_cert_data: + for block in server_block_list: + block['vyos_cert'] = vyos_cert_data + api_data = {} if conf.exists('api'): - https['api'] = vyos.defaults.api_data - - if conf.exists('api port'): - port = conf.return_value('api port') - https['api']['port'] = port - + api_data = vyos.defaults.api_data + if conf.exists('api port'): + port = conf.return_value('api port') + api_data['port'] = port + if api_data: + for block in server_block_list: + block['api'] = api_data + + https = {'server_block_list' : server_block_list} return https def verify(https): @@ -162,6 +144,9 @@ def generate(https): if https is None: return None + if 'server_block_list' not in https or not https['server_block_list']: + https['server_block_list'] = [default_server_block] + tmpl = jinja2.Template(config_tmpl, trim_blocks=True) config_text = tmpl.render(https) with open(config_file, 'w') as f: |