unfold-init-ssl.sh is a new script for setting up certs and the like (packaged, but not invoked yet)
Allow from all
</Directory>
</VirtualHost>
+
+# This port (not necessarily well picked) is configured
+# with client-certificate required
+# corresponding trusted roots (e.g. ple.gid and plc.gid) should be
+# configured in /etc/unfold/trusted_roots
+# check Jordan's email and pointer to trac, although we do not want
+# this to be optional on that port
+
+<VirtualHost *:443>
+ WSGIScriptAlias / /usr/share/unfold/myslice/wsgi.py
+ <Directory /usr/share/unfold/apache>
+ <Files myslice.wsgi>
+ Order deny,allow
+ Allow from all
+ </Files>
+ </Directory>
+ Alias /static/ /usr/share/unfold/static/
+ <Directory /usr/share/unfold/static>
+ Order deny,allow
+ Allow from all
+ </Directory>
+
+ SSLEngine on
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
+ SSLCACertificatePath /etc/unfold/trusted_roots
+# see init-ssl.sh for how to create self-signed stuff in here
+ SSLCertificateFile /etc/unfold/myslice.cert
+ SSLCertificateKeyFile /etc/unfold/myslice.key
+
+# SSLOptions +StdEnvVars +ExportCertData
+ SSLOptions +StdEnvVars
+</VirtualHost>
--- /dev/null
+#!/bin/bash
+
+COMMAND=$(basename $0)
+
+# minimal script for initializing SSL material for myslice
+# you probably want to take care of this yourself instead,
+# but until somebody gets around to that apache will at least start up
+#
+trusted_roots=/etc/unfold/trusted_roots
+key=/etc/unfold/myslice.key
+cert=/etc/unfold/myslice.cert
+
+if [[ -n "$@" ]] ; then hostname=$1; shift; else hostname=$(hostname); fi
+
+function init_trusted_roots () {
+ if [ ! -d $trusted_roots ] ; then
+ echo "Creating empty" $trusted_roots
+ mkdir -p $trusted_roots
+ echo "You will wish to populate that with e.g. ple.gid or the like"
+ echo "Make sure to re-run this command $COMMAND if you add gids"
+ fi
+ ### c_rehash will consider only files ending in .pem or .crt
+ # so, we create symlinks from *.gid to *.pem
+ pushd $trusted_roots >& /dev/null
+ for gid in *.gid; do
+ base=$(basename $gid .gid)
+ pem=$base.pem
+ [ -f $pem ] && ln -s $gid $pem
+ done
+ ### invoke c_rehash
+ # on debian c_rehash comes with openssl
+ # on fedora this is part of openssl-perl
+ echo -n "Invoking c_rehash in $(pwd) .. "; c_rehash .
+ popd >& /dev/null
+}
+
+function init_server_cert () {
+ # both present : we have nothing to do
+ [ -f $key -a -f $cert ] && return
+ # exactly one present : we have a problem
+ [ -f $key -o -f $cert ] && { echo "server key or cert missing ?!?" ; return ; }
+ # create both
+ echo "Creating server key and cert for hostname ${hostname}"
+ openssl req -new -x509 -days 365 -set_serial $RANDOM -batch \
+ -subj "/CN=${hostname}" -nodes -keyout $key -out $cert
+}
+
+
+function main () {
+ init_trusted_roots
+ init_server_cert
+}
+
+main "$@"
# Thierry: the recipe I'm using somehow only works with several packages
Package: unfold
Architecture: any
-Depends: python, python-django, python-pyparsing, apache2, libapache2-mod-wsgi
+Depends: python, python-django, python-pyparsing, apache2, libapache2-mod-wsgi, openssl
Description: Generic django-based frontend for manifold backends
Requires: python-django
Requires: httpd
Requires: mod_wsgi
+# for c_rehash
+Requires: openssl-perl
BuildRequires: python-setuptools make
%description
packages= [ os.path.dirname(init) for init in (glob("*/__init__.py")+glob("*/*/__init__.py")) ]
setup(packages = packages,
- scripts = [],
+ scripts = [ 'apache/unfold-init-ssl.sh' ],
data_files = [
( 'static/js', glob ('static/js/*')),
( 'static/css', glob ('static/css/*')),
git://git.onelab.eu / myslice.git / commitdiff