From d2f4a8dbac972beb83cb851b802bb845e92aeb9e Mon Sep 17 00:00:00 2001
From: Mark Huang
Date: Wed, 29 Mar 2006 05:14:43 +0000
Subject: [PATCH] - always recalculate PLC_API_MAINTENANCE_SOURCES; basically, make this an internal variable - deny access to /db if web server is not enabled on this machine - redirect all non-ssl accesses to /db if the web server is enabled on this machine
---
 guest.init | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)
diff --git a/guest.init b/guest.init
index d1db98e..dfbbed3 100755
--- a/guest.init
+++ b/guest.init
@@ -6,7 +6,7 @@
 #
 # description: Manages all PLC services on this machine
 #
-# $Id: guest.init,v 1.5 2006/03/29 00:01:35 mlhuang Exp $
+# $Id: guest.init,v 1.6 2006/03/29 02:56:15 mlhuang Exp $
 #
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
@@ -68,22 +68,16 @@ reload ()
 plc-config --category=plc_api --variable=maintenance_password --value="$PLC_API_MAINTENANCE_PASSWORD" --save
 fi
- if [ -z "$PLC_API_MAINTENANCE_SOURCES" ] ; then
- # Need to configure network before resolving hostnames
- config_network start
+ # Need to configure network before resolving hostnames
+ config_network start
+
+ PLC_API_MAINTENANCE_SOURCES=$(
 for server in API BOOT WWW ; do
 eval hostname=\${PLC_${server}_HOST}
- ip=$(gethostbyname $hostname)
- if [ -n "$ip" ] ; then
- if [ -n "$PLC_API_MAINTENANCE_SOURCES" ] ; then
- PLC_API_MAINTENANCE_SOURCES="$PLC_API_MAINTENANCE_SOURCES $ip"
- else
- PLC_API_MAINTENANCE_SOURCES=$ip
- fi
- fi
- done
- plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save
- fi
+ gethostbyname $hostname
+ done | sort -u
+ )
+ plc-config --category=plc_api --variable=maintenance_sources --value="$PLC_API_MAINTENANCE_SOURCES" --save
 # Save configuration
 mkdir -p /etc/planetlab/php
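Review bot: With the `-z` guard removed in the second hunk, a lookup failure during reload now overwrites the saved `maintenance_sources`: if `gethostbyname` prints nothing for one or all of API/BOOT/WWW, the shorter or empty list is still written with `--save`. How the API treats an empty source list is not visible here, so the empty case should at least be reported before the `plc-config` call, e.g. `[ -n "$PLC_API_MAINTENANCE_SOURCES" ] || echo "guest.init: no maintenance sources resolved" >&2`. The stored format also changes, because `sort -u` emits one address per line and the quoted `--value="$PLC_API_MAINTENANCE_SOURCES"` keeps those newlines where the removed loop built a space-separated string; adding `PLC_API_MAINTENANCE_SOURCES=$(echo $PLC_API_MAINTENANCE_SOURCES)` after the substitution would restore the old separator. The argument in `gethostbyname $hostname` should be quoted as `"$hostname"`. The body of reload () starts and ends outside the hunk.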
@@ -477,6 +471,12 @@ config_apache () # Set custom Apache directives ( if [ "$PLC_API_ENABLED" = "1" ] ; then + # XXX We should only support non-SSL access to the + # API by writing this to conf.d/plc_ssl.conf, then + # writing "Include conf.d/plc_ssl.conf" to + # conf.d/ssl.conf. Once oldapi, which does not + # support SSL, is removed from the web pages, we + # can do this. cat < SetHandler python-program @@ -486,11 +486,19 @@ config_apache () EOF fi - cat < + if [ "$PLC_WWW_ENABLED" = "1" ] ; then + cat < Redirect /db https://$PLC_WWW_HOST:$PLC_WWW_SSL_PORT/db EOF + else + cat < + Deny from all + +EOF + fi ) >$plc_conf # Make alpina-logs directory writable for bootmanager log upload -- 2.43.0
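Review bot: In the new `if [ "$PLC_WWW_ENABLED" = "1" ]` branch of the last hunk, the here-document expands `Redirect /db https://$PLC_WWW_HOST:$PLC_WWW_SSL_PORT/db` without checking that either variable is set. An enabled web server with an empty host or port therefore gets a malformed redirect target instead of the `Deny from all` fallback. Extending the test to `if [ "$PLC_WWW_ENABLED" = "1" ] && [ -n "$PLC_WWW_HOST" ] && [ -n "$PLC_WWW_SSL_PORT" ] ; then` would send that misconfiguration into the deny branch. The directives enclosing both here-documents are not legible in this rendering, so it is worth confirming that the redirect is scoped to the non-SSL listener only; if it also applied to the SSL virtual host it would presumably redirect /db to itself. config_apache () starts and ends outside the hunk.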