authorChristopher Gervais2016-06-19 17:36:10 +0000
committerChristopher Gervais2016-06-19 17:36:10 +0000
commit42d76270532036d7f00f7f6b319ff0c9e27d5b46 (patch)
tree16ed7f815f640ed282da2a024cbf6a62c9c1b9c6
parent5b722c63c59a35e3f356b2081caeef6c3b24fe37 (diff)
Issue #2751801: (Mostly) remove SSL from core.aegir4_https
-rw-r--r--http/Provision/Config/Apache/Ssl/Server.php19
-rw-r--r--http/Provision/Config/Apache/Ssl/Site.php15
-rw-r--r--http/Provision/Config/Apache/Ssl/server_ssl.tpl.php18
-rw-r--r--http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php104
-rw-r--r--http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php37
-rw-r--r--http/Provision/Config/Http/Ssl/Server.php43
-rw-r--r--http/Provision/Config/Http/Ssl/Site.php77
-rw-r--r--http/Provision/Config/Nginx/Ssl/Server.php19
-rw-r--r--http/Provision/Config/Nginx/Ssl/Site.php15
-rw-r--r--http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php27
-rw-r--r--http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php127
-rw-r--r--http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php54
-rw-r--r--http/Provision/Service/http/apache/ssl.php52
-rw-r--r--http/Provision/Service/http/nginx/ssl.php165
-rw-r--r--http/Provision/Service/http/ssl.php288
15 files changed, 0 insertions, 1060 deletions
diff --git a/http/Provision/Config/Apache/Ssl/Server.php b/http/Provision/Config/Apache/Ssl/Server.php
deleted file mode 100644
index db695c0..0000000
--- a/http/Provision/Config/Apache/Ssl/Server.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-
-/**
- * Server config file for Apache + SSL.
- *
- * This configuration file replaces the Apache server configuration file, but
- * inside the template, the original file is once again included.
- *
- * This config is primarily reponsible for enabling the SSL relation settings,
- * so that individual sites can just enable them.
- */
-class Provision_Config_Apache_Ssl_Server extends Provision_Config_Http_Ssl_Server {
- // We use the same extra_config as the apache_server config class.
- function process() {
- parent::process();
- $this->data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_server_config', $this->data));
- }
-}
diff --git a/http/Provision/Config/Apache/Ssl/Site.php b/http/Provision/Config/Apache/Ssl/Site.php
deleted file mode 100644
index 3aa4489..0000000
--- a/http/Provision/Config/Apache/Ssl/Site.php
+++ /dev/null
@@ -1,15 +0,0 @@
-<?php
-
-/**
- * Virtual host config file for Apache + SSL.
- *
- * This file is created in addition to the existing virtual host,
- * and includes some extra directives.
- */
-class Provision_Config_Apache_Ssl_Site extends Provision_Config_Http_Ssl_Site {
- function process() {
- parent::process();
- $this->data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_vhost_config', $this->uri, $this->data));
- }
-}
diff --git a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php
deleted file mode 100644
index 6b33a5e..0000000
--- a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php
+++ /dev/null
@@ -1,18 +0,0 @@
-NameVirtualHost <?php print "*:" . $http_ssl_port . "\n"; ?>
-
-<IfModule !ssl_module>
- LoadModule ssl_module modules/mod_ssl.so
-</IfModule>
-
-<VirtualHost *:443>
- SSLEngine on
- SSLCertificateFile <?php print $ssl_cert . "\n"; ?>
- SSLCertificateKeyFile <?php print $ssl_cert_key . "\n"; ?>
-<?php if (!empty($ssl_chain_cert)) : ?>
- SSLCertificateChainFile <?php print $ssl_chain_cert . "\n"; ?>
-<?php endif; ?>
- ServerName default
- Redirect 404 /
-</VirtualHost>
-
-<?php include(provision_class_directory('Provision_Config_Apache_Server') . '/server.tpl.php'); ?>
diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
deleted file mode 100644
index f9cb973..0000000
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
+++ /dev/null
@@ -1,104 +0,0 @@
-
-<?php if ($this->ssl_enabled && $this->ssl_key) : ?>
-
- <VirtualHost <?php print "{$ip_address}:{$http_ssl_port}"; ?>>
- <?php if ($this->site_mail) : ?>
- ServerAdmin <?php print $this->site_mail; ?>
- <?php endif;?>
-
-<?php
-$aegir_root = drush_get_option('aegir_root');
-if (!$aegir_root && $server->aegir_root) {
- $aegir_root = $server->aegir_root;
-}
-?>
-
- DocumentRoot <?php print $this->root; ?>
-
- ServerName <?php print $this->uri; ?>
-
- SetEnv db_type <?php print urlencode($db_type); ?>
-
- SetEnv db_name <?php print urlencode($db_name); ?>
-
- SetEnv db_user <?php print urlencode($db_user); ?>
-
- SetEnv db_passwd <?php print urlencode($db_passwd); ?>
-
- SetEnv db_host <?php print urlencode($db_host); ?>
-
- SetEnv db_port <?php print urlencode($db_port); ?>
-
- # Enable SSL handling.
-
- SSLEngine on
-
- SSLCertificateFile <?php print $ssl_cert; ?>
-
- SSLCertificateKeyFile <?php print $ssl_cert_key; ?>
-
- <?php if (!empty($ssl_chain_cert)) : ?>
- SSLCertificateChainFile <?php print $ssl_chain_cert; ?>
- <?php endif; ?>
-
-<?php
-if (sizeof($this->aliases)) {
- foreach ($this->aliases as $alias) {
- print " ServerAlias " . $alias . "\n";
- }
-}
-?>
-
-<IfModule mod_rewrite.c>
- RewriteEngine on
-<?php
-if ($this->redirection) {
- print " # Redirect all aliases to the selected alias.\n";
- print " RewriteCond %{HTTP_HOST} !^{$this->redirection}$ [NC]\n";
- print " RewriteRule ^/*(.*)$ https://{$this->redirection}/$1 [NE,L,R=301]\n";
-}
-?>
- RewriteRule ^/files/(.*)$ /sites/<?php print $this->uri; ?>/files/$1 [L]
- RewriteCond <?php print $this->site_path; ?>/files/robots.txt -f
- RewriteRule ^/robots.txt /sites/<?php print $this->uri; ?>/files/robots.txt [L]
-</IfModule>
-
- <?php print $extra_config; ?>
-
- # Error handler for Drupal > 4.6.7
- <Directory ~ "sites/.*/files">
- <Files *>
- SetHandler This_is_a_Drupal_security_line_do_not_remove
- </Files>
- Options None
- Options +FollowSymLinks
-
- # If we know how to do it safely, disable the PHP engine entirely.
- <IfModule mod_php5.c>
- php_flag engine off
- </IfModule>
- </Directory>
-
- # Prevent direct reading of files in the private dir.
- # This is for Drupal7 compatibility, which would normally drop
- # a .htaccess in those directories, but we explicitly ignore those
- <Directory "<?php print $this->site_path; ?>/private/" >
- <Files *>
- SetHandler This_is_a_Drupal_security_line_do_not_remove
- </Files>
- Deny from all
- Options None
- Options +FollowSymLinks
-
- # If we know how to do it safely, disable the PHP engine entirely.
- <IfModule mod_php5.c>
- php_flag engine off
- </IfModule>
- </Directory>
-
- </VirtualHost>
-<?php endif; ?>
-
-<?php
- include(provision_class_directory('Provision_Config_Apache_Site') . '/vhost.tpl.php');
-?>
diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php
deleted file mode 100644
index a3e1a34..0000000
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php
+++ /dev/null
@@ -1,37 +0,0 @@
-<?php if ($this->ssl_enabled && $this->ssl_key) : ?>
-
- <VirtualHost <?php print "{$ip_address}:{$http_ssl_port}"; ?>>
- <?php if ($this->site_mail) : ?>
- ServerAdmin <?php print $this->site_mail; ?>
- <?php endif;?>
-
- DocumentRoot <?php print $this->root; ?>
-
- ServerName <?php print $this->uri; ?>
-
- # Enable SSL handling.
-
- SSLEngine on
-
- SSLCertificateFile <?php print $ssl_cert; ?>
-
- SSLCertificateKeyFile <?php print $ssl_cert_key; ?>
-
-<?php
-if (sizeof($this->aliases)) {
- foreach ($this->aliases as $alias) {
- print " ServerAlias " . $alias . "\n";
- }
-}
-?>
-
- RewriteEngine on
- # the ? at the end is to remove any query string in the original url
- RewriteRule ^(.*)$ <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>?
-
-</VirtualHost>
-<?php endif; ?>
-
-<?php
- include(provision_class_directory('Provision_Config_Apache_Site') . '/vhost_disabled.tpl.php');
-?>
diff --git a/http/Provision/Config/Http/Ssl/Server.php b/http/Provision/Config/Http/Ssl/Server.php
deleted file mode 100644
index 02b33b0..0000000
--- a/http/Provision/Config/Http/Ssl/Server.php
+++ /dev/null
@@ -1,43 +0,0 @@
-<?php
-
-/**
- * Base class for SSL enabled server level config.
- */
-class Provision_Config_Http_Ssl_Server extends Provision_Config_Http_Server {
- public $template = 'server_ssl.tpl.php';
- public $description = 'encryption enabled webserver configuration';
-
- function write() {
- parent::write();
-
- if ($this->ssl_enabled && $this->ssl_key) {
- $path = dirname($this->data['ssl_cert']);
- // Make sure the ssl.d directory in the server ssl.d exists.
- provision_file()->create_dir($path,
- dt("Creating SSL Certificate directory for %key on %server", array(
- '%key' => $this->ssl_key,
- '%server' => $this->data['server']->remote_host,
- )), 0700);
-
- // Copy the certificates to the server's ssl.d directory.
- provision_file()->copy(
- $this->data['ssl_cert_source'],
- $this->data['ssl_cert'])
- ->succeed('Copied default SSL certificate into place')
- ->fail('Failed to copy default SSL certificate into place');
- provision_file()->copy(
- $this->data['ssl_cert_key_source'],
- $this->data['ssl_cert_key'])
- ->succeed('Copied default SSL key into place')
- ->fail('Failed to copy default SSL key into place');
- // Copy the chain certificate, if it is set.
- if (!empty($this->data['ssl_chain_cert_source'])) {
- provision_file()->copy(
- $this->data['ssl_chain_cert_source'],
- $this->data['ssl_chain_cert'])
- ->succeed('Copied default SSL chain certificate key into place')
- ->fail('Failed to copy default SSL chain certificate into place');
- }
- }
- }
-}
diff --git a/http/Provision/Config/Http/Ssl/Site.php b/http/Provision/Config/Http/Ssl/Site.php
deleted file mode 100644
index 3d91ef3..0000000
--- a/http/Provision/Config/Http/Ssl/Site.php
+++ /dev/null
@@ -1,77 +0,0 @@
-<?php
-
-/**
- * Base class for SSL enabled virtual hosts.
- *
- * This class primarily abstracts the process of making sure the relevant keys
- * are synched to the server when the config files that use them get created.
- */
-class Provision_Config_Http_Ssl_Site extends Provision_Config_Http_Site {
- public $template = 'vhost_ssl.tpl.php';
- public $disabled_template = 'vhost_ssl_disabled.tpl.php';
-
- public $description = 'encrypted virtual host configuration';
-
- function write() {
- parent::write();
-
- if ($this->ssl_enabled && $this->ssl_key) {
- $path = dirname($this->data['ssl_cert']);
- // Make sure the ssl.d directory in the server ssl.d exists.
- provision_file()->create_dir($path,
- dt("SSL Certificate directory for %key on %server", array(
- '%key' => $this->ssl_key,
- '%server' => $this->data['server']->remote_host,
- )), 0700);
-
- // Touch a file in the server's copy of this key, so that it knows the key is in use.
- // XXX: test. data structure may not be sound. try d($this->uri)
- // if $this fails
- Provision_Service_http_ssl::assign_certificate_site($this->ssl_key, $this);
-
- // Copy the certificates to the server's ssl.d directory.
- provision_file()->copy(
- $this->data['ssl_cert_source'],
- $this->data['ssl_cert'])
- || drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place'));
- provision_file()->copy(
- $this->data['ssl_cert_key_source'],
- $this->data['ssl_cert_key'])
- || drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place'));
- // Copy the chain certificate, if it is set.
- if (!empty($this->data['ssl_chain_cert_source'])) {
- provision_file()->copy(
- $this->data['ssl_chain_cert_source'],
- $this->data['ssl_chain_cert'])
- || drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place'));
- }
- // Sync the key directory to the remote server.
- $this->data['server']->sync($path, array(
- 'exclude' => "{$path}/*.receipt", // Don't need to synch the receipts
- ));
- }
- }
-
- /**
- * Remove a stale certificate file from the server.
- */
- function unlink() {
- parent::unlink();
-
- if ($this->ssl_enabled) {
- // XXX: to be tested, not sure the data structure is sound
- Provision_Service_http_ssl::free_certificate_site($this->ssl_key, $this);
- }
- }
-
- /**
- * Small utility function to stop code duplication.
- *
- * @deprecated unused
- * @see Provision_Service_http_ssl::free_certificate_site()
- */
- private function clear_certs($ssl_key) {
- return FALSE;
- }
-}
-
diff --git a/http/Provision/Config/Nginx/Ssl/Server.php b/http/Provision/Config/Nginx/Ssl/Server.php
deleted file mode 100644
index d952dfd..0000000
--- a/http/Provision/Config/Nginx/Ssl/Server.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-
-/**
- * Server config file for Nginx + SSL.
- *
- * This configuration file replaces the Nginx server configuration file, but
- * inside the template, the original file is once again included.
- *
- * This config is primarily reponsible for enabling the SSL relation settings,
- * so that individual sites can just enable them.
- */
-class Provision_Config_Nginx_Ssl_Server extends Provision_Config_Http_Ssl_Server {
- // We use the same extra_config as the nginx_server config class.
- function process() {
- parent::process();
- $this->data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_server_config', $this->data));
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/Site.php b/http/Provision/Config/Nginx/Ssl/Site.php
deleted file mode 100644
index d251d31..0000000
--- a/http/Provision/Config/Nginx/Ssl/Site.php
+++ /dev/null
@@ -1,15 +0,0 @@
-<?php
-
-/**
- * Virtual host config file for Nginx + SSL.
- *
- * This file is created in addition to the existing virtual host,
- * and includes some extra directives.
- */
-class Provision_Config_Nginx_Ssl_Site extends Provision_Config_Http_Ssl_Site {
- function process() {
- parent::process();
- $this->data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_vhost_config', $this->uri, $this->data));
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php
deleted file mode 100644
index c1a1ef0..0000000
--- a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php
+++ /dev/null
@@ -1,27 +0,0 @@
-<?php include(provision_class_directory('Provision_Config_Nginx_Server') . '/server.tpl.php'); ?>
-
-#######################################################
-### nginx default ssl server
-#######################################################
-
-<?php
-$satellite_mode = drush_get_option('satellite_mode');
-if (!$satellite_mode && $server->satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-?>
-
-server {
-<?php foreach ($server->ip_addresses as $ip) :?>
- listen <?php print $ip . ':' . $http_ssl_port; ?>;
-<?php endforeach; ?>
- server_name _;
- location / {
-<?php if ($satellite_mode == 'boa'): ?>
- root /var/www/nginx-default;
- index index.html index.htm;
-<?php else: ?>
- return 404;
-<?php endif; ?>
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
deleted file mode 100644
index 9d032b3..0000000
--- a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
+++ /dev/null
@@ -1,127 +0,0 @@
-
-<?php if ($this->ssl_enabled && $this->ssl_key) : ?>
-
-<?php
-$satellite_mode = drush_get_option('satellite_mode');
-if (!$satellite_mode && $server->satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-
-$nginx_has_http2 = drush_get_option('nginx_has_http2');
-if (!$nginx_has_http2 && $server->nginx_has_http2) {
- $nginx_has_http2 = $server->nginx_has_http2;
-}
-
-if ($nginx_has_http2) {
- $ssl_args = "ssl http2";
-}
-else {
- $ssl_args = "ssl";
-}
-
-if ($satellite_mode == 'boa') {
- $ssl_listen_ip = "*";
-}
-else {
- $ssl_listen_ip = $ip_address;
-}
-?>
-
-<?php if ($this->redirection): ?>
-<?php foreach ($this->aliases as $alias_url): ?>
-server {
- listen <?php print "{$ssl_listen_ip}:{$http_ssl_port} {$ssl_args}"; ?>;
-<?php
- // if we use redirections, we need to change the redirection
- // target to be the original site URL ($this->uri instead of
- // $alias_url)
- if ($this->redirection && $alias_url == $this->redirection) {
- $this->uri = str_replace('/', '.', $this->uri);
- print " server_name {$this->uri};\n";
- }
- else {
- $alias_url = str_replace('/', '.', $alias_url);
- print " server_name {$alias_url};\n";
- }
-?>
- ssl on;
- ssl_certificate_key <?php print $ssl_cert_key; ?>;
-<?php if (!empty($ssl_chain_cert)) : ?>
- ssl_certificate <?php print $ssl_chain_cert; ?>;
-<?php else: ?>
- ssl_certificate <?php print $ssl_cert; ?>;
-<?php endif; ?>
- return 301 $scheme://<?php print $this->redirection; ?>$request_uri;
-}
-<?php endforeach; ?>
-<?php endif; ?>
-
-server {
- include fastcgi_params;
- fastcgi_param MAIN_SITE_NAME <?php print $this->uri; ?>;
- set $main_site_name "<?php print $this->uri; ?>";
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param HTTPS on;
-<?php
- // If any of those parameters is empty for any reason, like after an attempt
- // to import complete platform with sites without importing their databases,
- // it will break Nginx reload and even shutdown all sites on the system on
- // Nginx restart, so we need to use dummy placeholders to avoid affecting
- // other sites on the system if this site is broken.
- if (!$db_type || !$db_name || !$db_user || !$db_passwd || !$db_host) {
- $db_type = 'mysqli';
- $db_name = 'none';
- $db_user = 'none';
- $db_passwd = 'none';
- $db_host = 'localhost';
- }
-?>
- fastcgi_param db_type <?php print urlencode($db_type); ?>;
- fastcgi_param db_name <?php print urlencode($db_name); ?>;
- fastcgi_param db_user <?php print urlencode($db_user); ?>;
- fastcgi_param db_passwd <?php print urlencode($db_passwd); ?>;
- fastcgi_param db_host <?php print urlencode($db_host); ?>;
-<?php
- // Until the real source of this problem is fixed elsewhere, we have to
- // use this simple fallback to guarantee that empty db_port does not
- // break Nginx reload which results with downtime for the affected vhosts.
- if (!$db_port) {
- $db_port = $this->server->db_port ? $this->server->db_port : '3306';
- }
-?>
- fastcgi_param db_port <?php print urlencode($db_port); ?>;
- listen <?php print "{$ssl_listen_ip}:{$http_ssl_port} {$ssl_args}"; ?>;
- server_name <?php
- // this is the main vhost, so we need to put the redirection
- // target as the hostname (if it exists) and not the original URL
- // ($this->uri)
- if ($this->redirection) {
- print str_replace('/', '.', $this->redirection);
- } else {
- print $this->uri;
- }
- if (!$this->redirection && is_array($this->aliases)) {
- foreach ($this->aliases as $alias_url) {
- if (trim($alias_url)) {
- print " " . str_replace('/', '.', $alias_url);
- }
- }
- } ?>;
- root <?php print "{$this->root}"; ?>;
- ssl on;
- ssl_certificate_key <?php print $ssl_cert_key; ?>;
-<?php if (!empty($ssl_chain_cert)) : ?>
- ssl_certificate <?php print $ssl_chain_cert; ?>;
-<?php else: ?>
- ssl_certificate <?php print $ssl_cert; ?>;
-<?php endif; ?>
-<?php print $extra_config; ?>
- include <?php print $server->include_path; ?>/nginx_vhost_common.conf;
-}
-
-<?php endif; ?>
-
-<?php
- // Generate the standard virtual host too.
- include(provision_class_directory('Provision_Config_Nginx_Site') . '/vhost.tpl.php');
-?>
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php
deleted file mode 100644
index 8d2362f..0000000
--- a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php
+++ /dev/null
@@ -1,54 +0,0 @@
-
-<?php if ($this->ssl_enabled && $this->ssl_key) : ?>
-
-<?php
-$satellite_mode = drush_get_option('satellite_mode');
-if (!$satellite_mode && $server->satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-
-$nginx_has_http2 = drush_get_option('nginx_has_http2');
-if (!$nginx_has_http2 && $server->nginx_has_http2) {
- $nginx_has_http2 = $server->nginx_has_http2;
-}
-
-if ($nginx_has_http2) {
- $ssl_args = "ssl http2";
-}
-else {
- $ssl_args = "ssl";
-}
-
-if ($satellite_mode == 'boa') {
- $ssl_listen_ip = "*";
-}
-else {
- $ssl_listen_ip = $ip_address;
-}
-?>
-
-server {
- listen <?php print "{$ssl_listen_ip}:{$http_ssl_port} {$ssl_args}"; ?>;
- server_name <?php print $this->uri . ' ' . implode(' ', str_replace('/', '.', $this->aliases)); ?>;
-<?php if ($satellite_mode == 'boa'): ?>
- root /var/www/nginx-default;
- index index.html index.htm;
- ### Do not reveal Aegir front-end URL here.
-<?php else: ?>
- return 302 <?php print $this->platform->server->web_disable_url . '/' . $this->uri ?>;
-<?php endif; ?>
- ssl on;
- ssl_certificate_key <?php print $ssl_cert_key; ?>;
-<?php if (!empty($ssl_chain_cert)) : ?>
- ssl_certificate <?php print $ssl_chain_cert; ?>;
-<?php else: ?>
- ssl_certificate <?php print $ssl_cert; ?>;
-<?php endif; ?>
-}
-
-<?php endif; ?>
-
-<?php
- // Generate the standard virtual host too.
- include(provision_class_directory('Provision_Config_Nginx_Site') . '/vhost_disabled.tpl.php');
-?>
diff --git a/http/Provision/Service/http/apache/ssl.php b/http/Provision/Service/http/apache/ssl.php
deleted file mode 100644
index e4eae94..0000000
--- a/http/Provision/Service/http/apache/ssl.php
+++ /dev/null
@@ -1,52 +0,0 @@
-<?php
-
-/**
- * Apache SSL service class.
- *
- * This class doesn't extend the apache service itself, so there may
- * be some duplication of code between them. The majority of the
- * functionality is however implemented in the Provision_Service_http_public
- * class, which we do extend.
- */
-class Provision_Service_http_apache_ssl extends Provision_Service_http_ssl {
- // We share the application name with apache.
- protected $application_name = 'apache';
- protected $has_restart_cmd = TRUE;
-
- function default_restart_cmd() {
- // The apache service defines it's restart command as a static
- // method so that we can make use of it here.
- return Provision_Service_http_apache::apache_restart_cmd();
- }
-
- public $ssl_enabled = TRUE;
-
- function cloaked_db_creds() {
- return TRUE;
- }
-
- /**
- * Initialize the configuration files.
- *
- * These config classes are a mix of the SSL and Non-SSL apache
- * classes. In some cases they extend the Apache classes too.
- */
- function init_server() {
- parent::init_server();
-
- // Replace the server config with our own. See the class for more info.
- $this->configs['server'][] = 'Provision_Config_Apache_Ssl_Server';
-
- // Just re-use the standard platform config.
- $this->configs['platform'][] = 'Provision_Config_Apache_Platform';
-
- $this->configs['site'][] = 'Provision_Config_Apache_Ssl_Site';
- }
-
- /**
- * Restart apache to pick up the new config files.
- */
- function parse_configs() {
- return $this->restart();
- }
-}
diff --git a/http/Provision/Service/http/nginx/ssl.php b/http/Provision/Service/http/nginx/ssl.php
deleted file mode 100644
index 157bf8f..0000000
--- a/http/Provision/Service/http/nginx/ssl.php
+++ /dev/null
@@ -1,165 +0,0 @@
-<?php
-
-/**
- * Nginx SSL service class.
- *
- * This class doesn't extend the nginx service itself, so there may
- * be some duplication of code between them. The majority of the
- * functionality is however implemented in the Provision_Service_http_public
- * class, which we do extend.
- */
-class Provision_Service_http_nginx_ssl extends Provision_Service_http_ssl {
- // We share the application name with nginx.
- protected $application_name = 'nginx';
- protected $has_restart_cmd = TRUE;
-
- function default_restart_cmd() {
- // The nginx service defines it's restart command as a static
- // method so that we can make use of it here.
- return Provision_Service_http_nginx::nginx_restart_cmd();
- }
-
- public $ssl_enabled = TRUE;
-
- function cloaked_db_creds() {
- return TRUE;
- }
-
- /**
- * Initialize the configuration files.
- *
- * These config classes are a mix of the SSL and Non-SSL nginx
- * classes. In some cases they extend the Nginx classes too.
- */
- function init_server() {
- parent::init_server();
- // Replace the server config with our own. See the class for more info.
- $this->configs['server'][] = 'Provision_Config_Nginx_Ssl_Server';
- $this->configs['server'][] = 'Provision_Config_Nginx_Inc_Server';
- $this->configs['site'][] = 'Provision_Config_Nginx_Ssl_Site';
- $this->server->setProperty('nginx_config_mode', 'extended');
- $this->server->setProperty('nginx_is_modern', FALSE);
- $this->server->setProperty('nginx_has_http2', FALSE);
- $this->server->setProperty('nginx_has_gzip', FALSE);
- $this->server->setProperty('nginx_has_upload_progress', FALSE);
- $this->server->setProperty('provision_db_cloaking', TRUE);
- $this->server->setProperty('phpfpm_mode', 'port');
- $this->server->setProperty('satellite_mode', 'vanilla');
- }
-
- function save_server() {
- // Find nginx executable.
- if (provision_file()->exists('/usr/local/sbin/nginx')->status()) {
- $path = "/usr/local/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/sbin/nginx')->status()) {
- $path = "/usr/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) {
- $path = "/usr/local/bin/nginx";
- }
- else {
- return;
- }
- // Check if some nginx features are supported and save them for later.
- $this->server->shell_exec($path . ' -V');
- $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
-
- // Use basic nginx configuration if this control file exists.
- $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
- if (provision_file()->exists($nginx_config_mode_file)->status()) {
- $this->server->nginx_config_mode = 'basic';
- drush_log(dt('Basic Nginx Config Active -SAVE- YES control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
- else {
- $this->server->nginx_config_mode = 'extended';
- drush_log(dt('Extended Nginx Config Active -SAVE- NO control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
-
- // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect
- if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) {
- $this->server->phpfpm_mode = 'socket';
- drush_log(dt('PHP-FPM unix socket mode detected -SAVE- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
- else {
- $this->server->phpfpm_mode = 'port';
- drush_log(dt('PHP-FPM port mode detected -SAVE- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
-
- // Check if there is BOA specific global.inc file to enable extra Nginx locations
- if (provision_file()->exists('/data/conf/global.inc')->status()) {
- $this->server->satellite_mode = 'boa';
- drush_log(dt('BOA mode detected -SAVE- YES file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- else {
- $this->server->satellite_mode = 'vanilla';
- drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- }
-
- function verify_server_cmd() {
- // Find nginx executable.
- if (provision_file()->exists('/usr/local/sbin/nginx')->status()) {
- $path = "/usr/local/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/sbin/nginx')->status()) {
- $path = "/usr/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) {
- $path = "/usr/local/bin/nginx";
- }
- else {
- return;
- }
- // Check if some nginx features are supported and save them for later.
- $this->server->shell_exec($path . ' -V');
- $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
-
- // Use basic nginx configuration if this control file exists.
- $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
- if (provision_file()->exists($nginx_config_mode_file)->status()) {
- $this->server->nginx_config_mode = 'basic';
- drush_log(dt('Basic Nginx Config Active -VERIFY- YES control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
- else {
- $this->server->nginx_config_mode = 'extended';
- drush_log(dt('Extended Nginx Config Active -VERIFY- NO control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
-
- // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect
- if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) {
- $this->server->phpfpm_mode = 'socket';
- drush_log(dt('PHP-FPM unix socket mode detected -VERIFY- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
- else {
- $this->server->phpfpm_mode = 'port';
- drush_log(dt('PHP-FPM port mode detected -VERIFY- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
-
- // Check if there is BOA specific global.inc file to enable extra Nginx locations
- if (provision_file()->exists('/data/conf/global.inc')->status()) {
- $this->server->satellite_mode = 'boa';
- drush_log(dt('BOA mode detected -VERIFY- YES file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- else {
- $this->server->satellite_mode = 'vanilla';
- drush_log(dt('Vanilla mode detected -VERIFY- NO file found @path.', array('@path' => '/data/conf/global.inc')));
- }
-
- // Call the parent at the end. it will restart the server when it finishes.
- parent::verify_server_cmd();
- }
-
- /**
- * Restart/reload nginx to pick up the new config files.
- */
- function parse_configs() {
- return $this->restart();
- }
-}
diff --git a/http/Provision/Service/http/ssl.php b/http/Provision/Service/http/ssl.php
deleted file mode 100644
index 581c04d..0000000
--- a/http/Provision/Service/http/ssl.php
+++ /dev/null
@@ -1,288 +0,0 @@
-<?php
-/**
- * @file
- * The base implementation of the SSL capabale web service.
- */
-
-/**
- * The base class for SSL supporting servers.
- *
- * In general, these function the same as normal servers, but have an extra
- * port and some extra variables in their templates.
- */
-class Provision_Service_http_ssl extends Provision_Service_http_public {
- protected $ssl_enabled = TRUE;
-
- function default_ssl_port() {
- return 443;
- }
-
- function init_server() {
- parent::init_server();
-
- // SSL Port.
- $this->server->setProperty('http_ssl_port', $this->default_ssl_port());
-
- // SSL certificate store.
- // The certificates are generated from here, and distributed to the servers,
- // as needed.
- $this->server->ssld_path = "{$this->server->aegir_root}/config/ssl.d";
-
- // SSL certificate store for this server.
- // This server's certificates will be stored here.
- $this->server->http_ssld_path = "{$this->server->config_path}/ssl.d";
- $this->server->ssl_enabled = 1;
- $this->server->ssl_key = 'default';
- }
-
- function init_site() {
- parent::init_site();
-
- $this->context->setProperty('ssl_enabled', 0);
- $this->context->setProperty('ssl_key', NULL);
- $this->context->setProperty('ip_addresses', array());
- }
-
-
- function config_data($config = NULL, $class = NULL) {
- $data = parent::config_data($config, $class);
- $data['http_ssl_port'] = $this->server->http_ssl_port;
-
- if ($config == 'server') {
- // Generate a certificate for the default SSL vhost, and retrieve the
- // path to the cert and key files. It will be generated if not found.
- $certs = $this->get_certificates('default');
- $data = array_merge($data, $certs);
- }
-
- if ($config == 'site' && $this->context->ssl_enabled) {
- foreach ($this->context->ip_addresses as $server => $ip_address) {
- if ($server == $this->server->name || '@' . $server == $this->server->name) {
- $data['ip_address'] = $ip_address;
- break;
- }
- }
- if (!isset($data['ip_address'])) {
- drush_log(dt('No proper IP provided by the frontend for server %servername, using wildcard', array('%servername' => $this->server->name)), 'info');
- $data['ip_address'] = '*';
- }
- if ($this->context->ssl_enabled == 2) {
- $data['ssl_redirection'] = TRUE;
- $data['redirect_url'] = "https://{$this->context->uri}";
- }
-
- if ($ssl_key = $this->context->ssl_key) {
- // Retrieve the paths to the cert and key files.
- // they are generated if not found.
- $certs = $this->get_certificates($ssl_key);
- $data = array_merge($data, $certs);
- }
- }
-
- return $data;
- }
-
- /**
- * Retrieve an array containing the actual files for this ssl_key.
- *
- * If the files could not be found, this function will proceed to generate
- * certificates for the current site, so that the operation can complete
- * succesfully.
- */
- function get_certificates($ssl_key) {
- $source_path = "{$this->server->ssld_path}/{$ssl_key}";
- $certs['ssl_cert_key_source'] = "{$source_path}/openssl.key";
- $certs['ssl_cert_source'] = "{$source_path}/openssl.crt";
-
- foreach ($certs as $cert) {
- $exists = provision_file()->exists($cert)->status();
- if (!$exists) {
- // if any of the files don't exist, regenerate them.
- $this->generate_certificates($ssl_key);
-
- // break out of the loop.
- break;
- }
- }
-
- $path = "{$this->server->http_ssld_path}/{$ssl_key}";
- $certs['ssl_cert_key'] = "{$path}/openssl.key";
- $certs['ssl_cert'] = "{$path}/openssl.crt";
-
- // If a certificate chain file exists, add it.
- $chain_cert_source = "{$source_path}/openssl_chain.crt";
- if (provision_file()->exists($chain_cert_source)->status()) {
- $certs['ssl_chain_cert_source'] = $chain_cert_source;
- $certs['ssl_chain_cert'] = "{$path}/openssl_chain.crt";
- }
- return $certs;
- }
-
- /**
- * Generate a self-signed certificate for that key.
- *
- * Because we only generate certificates for sites we make some assumptions
- * based on the uri, but this cert may be replaced by the admin if they
- * already have an existing certificate.
- */
- function generate_certificates($ssl_key) {
- $path = "{$this->server->ssld_path}/{$ssl_key}";
-
- provision_file()->create_dir($path,
- dt("SSL certificate directory for %ssl_key", array(
- '%ssl_key' => $ssl_key
- )), 0700);
-
- if (provision_file()->exists($path)->status()) {
- drush_log(dt('generating 2048 bit RSA key in %path/', array('%path' => $path)));
- /*
- * according to RSA security and most sites I could read, 1024
- * was recommended until 2010-2015 and 2048 is now the
- * recommended length for more sensitive data. we are therefore
- * taking the safest route.
- *
- * http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
- * http://www.vocal.com/cryptography/rsa-key-size-selection/
- * https://en.wikipedia.org/wiki/Key_size#Key_size_and_encryption_system
- * http://www.redkestrel.co.uk/Articles/CSR.html
- */
- drush_shell_exec('openssl genrsa -out %s/openssl.key 2048', $path)
- || drush_set_error('SSL_KEY_GEN_FAIL', dt('failed to generate SSL key in %path', array('%path' => $path . '/openssl.key')));
-
- // Generate the CSR to make the key certifiable by third parties
- $domain = $ssl_key == 'default' ? 'default.invalid' : $this->context->uri;
- $ident = "/CN={$domain}/emailAddress=abuse@{$domain}";
- drush_shell_exec("openssl req -new -subj '%s' -key %s/openssl.key -out %s/openssl.csr -batch", $ident, $path, $path)
- || drush_log(dt('failed to generate signing request for certificate in %path', array('%path' => $path . '/openssl.csr')));
-
- // sign the certificate with itself, generating a self-signed
- // certificate. this will make a SHA1 certificate by default in
- // current OpenSSL.
- drush_shell_exec("openssl x509 -req -days 365 -in %s/openssl.csr -signkey %s/openssl.key -out %s/openssl.crt", $path, $path, $path)
- || drush_set_error('SSL_CERT_GEN_FAIL', dt('failed to generate self-signed certificate in %path', array('%path' => $path . '/openssl.crt')));
- }
- }
-
- /**
- * Assign the given site to a certificate to mark its usage.
- *
- * This is necessary for the backend to figure out when it's okay to
- * remove certificates.
- *
- * Should never fail unless the receipt file cannot be created.
- *
- * @return the path to the receipt file if allocation succeeded
- */
- static function assign_certificate_site($ssl_key, $site) {
- $path = $site->data['server']->http_ssld_path . "/" . $ssl_key . "/" . $site->uri . ".receipt";
- drush_log(dt("registering site %site with SSL certificate %key with receipt file %path", array("%site" => $site->uri, "%key" => $ssl_key, "%path" => $path)));
- if (touch($path)) {
- return $path;
- }
- else {
- return FALSE;
- }
- }
-
- /**
- * Unallocate this certificate from that site.
- *
- * @return the path to the receipt file if removal was successful
- */
- static function free_certificate_site($ssl_key, $site) {
- if (empty($ssl_key)) return FALSE;
- $ssl_dir = $site->platform->server->http_ssld_path . "/" . $ssl_key . "/";
- // Remove the file system reciept we left for this file
- if (provision_file()->unlink($ssl_dir . $site->uri . ".receipt")->
- succeed(dt("Deleted SSL Certificate association receipt for %site on %server", array(
- '%site' => $site->uri,
- '%server' => $site->server->remote_host)))->status()) {
- if (!Provision_Service_http_ssl::certificate_in_use($ssl_key, $site->server)) {
- drush_log(dt("Deleting unused SSL directory: %dir", array('%dir' => $ssl_dir)));
- _provision_recursive_delete($ssl_dir);
- $site->server->sync($path);
- }
- return $path;
- }
- else {
- return FALSE;
- }
- }
-
- /**
- * Assign the certificate it's own distinct IP address for this server.
- *
- * Each certificate needs a unique IP address on each server in order
- * to be able to be encrypted.
- *
- * This code uses the filesystem by touching a reciept file in the
- * server's ssl.d directory.
- *
- * @deprecated this is now based the site URI
- * @see assign_certificate_site()
- */
- static function assign_certificate_ip($ssl_key, $server) {
- return FALSE;
- }
-
- /**
- * Remove the certificate's lock on the server's public IP.
- *
- * This function will delete the receipt file left behind by
- * the assign_certificate_ip script, allowing the IP to be used
- * by other certificates.
- *
- * @deprecated this is now based on the site URI
- * @see free_certificate_site()
- */
- static function free_certificate_ip($ssl_key, $server) {
- return FALSE;
- }
-
-
- /**
- * Retrieve the status of a certificate on this server.
- *
- * This is primarily used to know when it's ok to remove the file.
- * Each time a config file uses the key on the server, it touches
- * a 'receipt' file, and every time the site stops using it,
- * the receipt is removed.
- *
- * This function just checks if any of the files are still present.
- */
- static function certificate_in_use($ssl_key, $server) {
- $pattern = $server->http_ssld_path . "/$ssl_key/*.receipt";
- return sizeof(glob($pattern));
- }
-
-
- /**
- * Check for an existing record for this IP address.
- *
- * @deprecated we only use the URI-based allocation now
- */
- static function get_ip_certificate($ip, $server) {
- return FALSE;
- }
-
- /**
- * Verify server.
- */
- function verify_server_cmd() {
- if ($this->context->type === 'server') {
- provision_file()->create_dir($this->server->ssld_path, dt("Central SSL certificate repository."), 0700);
-
- provision_file()->create_dir($this->server->http_ssld_path,
- dt("SSL certificate repository for %server",
- array('%server' => $this->server->remote_host)), 0700);
-
- $this->sync($this->server->http_ssld_path, array(
- 'exclude' => $this->server->http_ssld_path . '/*', // Make sure remote directory is created
- ));
- $this->sync($this->server->http_ssld_path . '/default');
- }
-
- // Call the parent at the end. it will restart the server when it finishes.
- parent::verify_server_cmd();
- }
-}