From 78ed9c4a6e34dd6297ec15fc6767183ebd68609e Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Mon, 10 Feb 2014 14:38:03 +0100
Subject: [PATCH] split unfold and unfold-ssl so we can enable only the non-SSL stuff; the SSL service requires /etc/unfold/trusted_roots/ to be non-empty, so we cannot enable this by default
---
 apache/unfold-ssl.conf | 49 ++++++++++++++++++++++++++++++++++++++++++
 apache/unfold.conf | 40 ++--------------------------------
 setup.py | 2 +-
 3 files changed, 52 insertions(+), 39 deletions(-)
 create mode 100644 apache/unfold-ssl.conf
diff --git a/apache/unfold-ssl.conf b/apache/unfold-ssl.conf
new file mode 100644
index 00000000..f75cc940
--- /dev/null
+++ b/apache/unfold-ssl.conf
@@ -0,0 +1,49 @@
+# see also unfold.conf
+#
+# NOTE on packaging
+#
+# this is not enabled by default because it would prevent apache from
+# starting up properly when /etc/unfold/trusted_roots is empty
+#
+# So on debian you would typically need to run
+# a2ensite unfold-ssl.conf
+# unfold-init-ssl.sh
+# service apache2 restart
+#
+# This port (not necessarily well picked) is configured
+# with client-certificate required
+# corresponding trusted roots (e.g. ple.gid and plc.gid) should be
+# configured in /etc/unfold/trusted_roots
+# check Jordan's email and pointer to trac, although we do not want
+# this to be optional on that port
+
+
+ WSGIDaemonProcess unfold-ssl processes=2 threads=25
+ WSGIProcessGroup unfold-ssl
+ CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
+ ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
+ WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
+
+
+ Order deny,allow
+ Allow from all
+
+
+ Alias /static/ /usr/share/unfold/static/
+
+ Order deny,allow
+ Allow from all
+
+
+ SSLEngine on
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
+ SSLCACertificatePath /etc/unfold/trusted_roots
+# see init-ssl.sh for how to create self-signed stuff in here
+ SSLCertificateFile /etc/unfold/myslice.cert
+ SSLCertificateKeyFile /etc/unfold/myslice.key
+
+# SSLOptions +StdEnvVars +ExportCertData
+ SSLOptions +StdEnvVars
+
diff --git a/apache/unfold.conf b/apache/unfold.conf
index ff3de7f0..357db7ee 100644
--- a/apache/unfold.conf
+++ b/apache/unfold.conf
@@ -1,3 +1,5 @@
+# see also unfold-ssl.conf
+
 WSGIDaemonProcess unfold processes=2 threads=25
 WSGIProcessGroup unfold
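Review bot: The new vhost requires a client certificate (`SSLVerifyClient require`, `SSLVerifyDepth 5`) but leaves protocol and cipher selection entirely to the distribution's mod_ssl defaults; for a port whose only purpose is certificate-authenticated access, add `SSLProtocol all -SSLv2 -SSLv3` and `SSLHonorCipherOrder on` next to `SSLEngine on`, and state the expected `SSLCipherSuite` in the header comment so the hardening is not left to whatever Apache version happens to be installed. The commented-out `+ExportCertData` means the client certificate is not exported into the WSGI environment, so if unfold.wsgi is meant to identify the caller from that certificate the option must be enabled; if it is deliberately off, a comment such as `# ExportCertData is off: the application does not read the client certificate` would stop the next reader re-enabling it blindly. The header note about the empty `/etc/unfold/trusted_roots` directory breaking startup is the right warning, but it should also say that a CA dropped into that directory grants access to every certificate it has signed, which is what `SSLVerifyClient require` enforces here. The `<VirtualHost>`/`<Directory>` container lines do not survive in this rendering, so the scope of the two `Allow from all` blocks could not be checked.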
@@ -16,41 +18,3 @@
 Allow from all
-
-# This port (not necessarily well picked) is configured
-# with client-certificate required
-# corresponding trusted roots (e.g. ple.gid and plc.gid) should be
-# configured in /etc/unfold/trusted_roots
-# check Jordan's email and pointer to trac, although we do not want
-# this to be optional on that port
-
- WSGIDaemonProcess unfold-ssl processes=2 threads=25
- WSGIProcessGroup unfold-ssl
- CustomLog ${APACHE_LOG_DIR}/myslice-ssl-access.log common
- ErrorLog ${APACHE_LOG_DIR}/myslice-ssl-error.log
- WSGIScriptAlias / /usr/share/unfold/apache/unfold.wsgi
-
-
- Order deny,allow
- Allow from all
-
-
- Alias /static/ /usr/share/unfold/static/
-
- Order deny,allow
- Allow from all
-
-
- SSLEngine on
- SSLVerifyClient require
- SSLVerifyDepth 5
-# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env.
- SSLCACertificatePath /etc/unfold/trusted_roots
-# see init-ssl.sh for how to create self-signed stuff in here
- SSLCertificateFile /etc/unfold/myslice.cert
- SSLCertificateKeyFile /etc/unfold/myslice.key
-
-# SSLOptions +StdEnvVars +ExportCertData
- SSLOptions +StdEnvVars
-
diff --git a/setup.py b/setup.py
index 5d767922..d7008a38 100644
--- a/setup.py
+++ b/setup.py
@@ -21,7 +21,7 @@ setup(packages = packages,
 ( '/usr/share/unfold/static/img', glob ('static/img/*')),
 ( '/usr/share/unfold/static/fonts', glob ('static/fonts/*')),
 ( '/usr/share/unfold/templates', glob ('templates/*')),
- ( 'apache', [ 'apache/unfold.conf', 'apache/unfold.wsgi' ]),
+ ( 'apache', [ 'apache/unfold.conf', 'apache/unfold-ssl.conf', 'apache/unfold.wsgi' ]),
 ( '/etc/unfold/trusted_roots', []),
 ( '/var/unfold', []),
 ])
-- 
2.43.0
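Review bot: The new data_files entry keeps `'apache'` as a relative destination while every other entry in the hunk is absolute, so `unfold-ssl.conf` (and the existing `unfold.conf`/`unfold.wsgi`) land under the install prefix rather than at `/usr/share/unfold/apache/unfold.wsgi`, which is the path `WSGIScriptAlias` in both vhost files already expects. The header of the new file also tells Debian users to run `a2ensite unfold-ssl.conf`, which only works once the file is in Apache's sites-available, and nothing in this patch puts it there. Either make the destination explicit, `( '/usr/share/unfold/apache', [ 'apache/unfold.conf', 'apache/unfold-ssl.conf', 'apache/unfold.wsgi' ]),`, or add a comment on that line saying how the conf files are expected to reach Apache's configuration directory.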