From d0d3071e99eb65edb888c26ef2fdc9e038438887 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Sat, 6 Jan 2024 10:55:42 +0100
Subject: https: T5902: remove virtual-host configuration

We have not seen the adoption of the https virtual-host CLI option.

What it did?
* Create multiple webservers each listening on a different IP/port
  (but in the same VRF)
* All webservers shared one common document root
* All webservers shared the same SSL certificates
* All webservers could have had individual allow-client configurations
* API could be enabled for a particular virtual-host but was always enabled on
  the default host

This configuration tried to provide a full webserver via the CLI but VyOS is a
router and the Webserver is there for an API or to serve files for a local-ui.

Changes

Remove support for virtual-hosts as it's an incomplete and thus mostly useless
"thing". Migrate all allow-client statements to one top-level allow statement.
---
 data/templates/https/nginx.default.j2         | 101 ++++++++++++++------------
 data/templates/https/vyos-http-api.service.j2 |   2 +-
 2 files changed, 54 insertions(+), 49 deletions(-)

(limited to 'data')

diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index a530c14ba..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,60 +1,65 @@
 ### Autogenerated by service_https.py ###
-# Default server configuration
 
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
 server {
-        # SSL configuration
-        #
-{%     if server.address == '*' %}
-        listen {{ server.port }} ssl;
-        listen [::]:{{ server.port }} ssl;
-{%     else %}
-        listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{%     endif %}
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
 
-{%     for name in server.name %}
-        server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
 {%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
 
-        root /srv/localui;
+    server_name {{ hostname }};
+    root /srv/localui;
 
-{%     if server.vyos_cert %}
-        ssl_certificate {{ server.vyos_cert.crt }};
-        ssl_certificate_key {{ server.vyos_cert.key }};
-{%     else %}
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        include snippets/snakeoil.conf;
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
 {%     endif %}
-        ssl_session_cache shared:le_nginx_SSL:10m;
-        ssl_session_timeout 1440m;
-        ssl_session_tickets off;
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
 
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
 
-        # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
-{%     if server.api %}
-                proxy_pass http://unix:/run/api.sock;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_read_timeout 600;
-                proxy_buffering off;
-{%     else %}
-                return 503;
-{%     endif %}
-{%     if server.allow_client %}
-{%         for client in server.allow_client %}
-                allow {{ client }};
-{%         endfor %}
-                deny all;
-{%     endif %}
-        }
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
-        error_page 497 =301 https://$host:{{ server.port }}$request_uri;
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
 }
-
-{% endfor %}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index f620b3248..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,6 +3,7 @@
 Description=VyOS HTTP API service
 After=vyos-router.service
 Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
 
 [Service]
 ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
@@ -20,4 +21,3 @@ Group=vyattacfg
 
 [Install]
 WantedBy=vyos.target
-
-- 
cgit v1.2.3