diff --git a/http/Provision/Config/Apache/Ssl/Server.php b/http/Provision/Config/Apache/Ssl/Server.php
deleted file mode 100644
index db695c04da514a102b60b95fda3d9b9cc9fdf044..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Apache/Ssl/Server.php
+++ /dev/null
@@ -1,19 +0,0 @@
-data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_server_config', $this->data));
- }
-}
diff --git a/http/Provision/Config/Apache/Ssl/Site.php b/http/Provision/Config/Apache/Ssl/Site.php
deleted file mode 100644
index 3aa4489c2fab924d7e8b37aff4b6395fea6094a3..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Apache/Ssl/Site.php
+++ /dev/null
@@ -1,15 +0,0 @@
-data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_vhost_config', $this->uri, $this->data));
- }
-}
diff --git a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php
deleted file mode 100644
index 6b33a5e7f3703fe747bf9ff4c424e7f233400653..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php
+++ /dev/null
@@ -1,18 +0,0 @@
-NameVirtualHost
-
-
- LoadModule ssl_module modules/mod_ssl.so
-
-
-
- SSLEngine on
- SSLCertificateFile
- SSLCertificateKeyFile
-
- SSLCertificateChainFile
-
- ServerName default
- Redirect 404 /
-
-
-
diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
deleted file mode 100644
index f9cb9731ba5e6b0a7c87bf8aa4c4ebae9f72e105..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
+++ /dev/null
@@ -1,104 +0,0 @@
-
-ssl_enabled && $this->ssl_key) : ?>
-
- >
- site_mail) : ?>
- ServerAdmin site_mail; ?>
-
-
-aegir_root) {
- $aegir_root = $server->aegir_root;
-}
-?>
-
- DocumentRoot root; ?>
-
- ServerName uri; ?>
-
- SetEnv db_type
-
- SetEnv db_name
-
- SetEnv db_user
-
- SetEnv db_passwd
-
- SetEnv db_host
-
- SetEnv db_port
-
- # Enable SSL handling.
-
- SSLEngine on
-
- SSLCertificateFile
-
- SSLCertificateKeyFile
-
-
- SSLCertificateChainFile
-
-
-aliases)) {
- foreach ($this->aliases as $alias) {
- print " ServerAlias " . $alias . "\n";
- }
-}
-?>
-
-
- RewriteEngine on
-redirection) {
- print " # Redirect all aliases to the selected alias.\n";
- print " RewriteCond %{HTTP_HOST} !^{$this->redirection}$ [NC]\n";
- print " RewriteRule ^/*(.*)$ https://{$this->redirection}/$1 [NE,L,R=301]\n";
-}
-?>
- RewriteRule ^/files/(.*)$ /sites/uri; ?>/files/$1 [L]
- RewriteCond site_path; ?>/files/robots.txt -f
- RewriteRule ^/robots.txt /sites/uri; ?>/files/robots.txt [L]
-
-
-
-
- # Error handler for Drupal > 4.6.7
-
-
- SetHandler This_is_a_Drupal_security_line_do_not_remove
-
- Options None
- Options +FollowSymLinks
-
- # If we know how to do it safely, disable the PHP engine entirely.
-
- php_flag engine off
-
-
-
- # Prevent direct reading of files in the private dir.
- # This is for Drupal7 compatibility, which would normally drop
- # a .htaccess in those directories, but we explicitly ignore those
- site_path; ?>/private/" >
-
- SetHandler This_is_a_Drupal_security_line_do_not_remove
-
- Deny from all
- Options None
- Options +FollowSymLinks
-
- # If we know how to do it safely, disable the PHP engine entirely.
-
- php_flag engine off
-
-
-
-
-
-
-
diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php
deleted file mode 100644
index a3e1a346c261fa1e7d67c7979289b078d978603a..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php
+++ /dev/null
@@ -1,37 +0,0 @@
-ssl_enabled && $this->ssl_key) : ?>
-
- >
- site_mail) : ?>
- ServerAdmin site_mail; ?>
-
-
- DocumentRoot root; ?>
-
- ServerName uri; ?>
-
- # Enable SSL handling.
-
- SSLEngine on
-
- SSLCertificateFile
-
- SSLCertificateKeyFile
-
-aliases)) {
- foreach ($this->aliases as $alias) {
- print " ServerAlias " . $alias . "\n";
- }
-}
-?>
-
- RewriteEngine on
- # the ? at the end is to remove any query string in the original url
- RewriteRule ^(.*)$ platform->server->web_disable_url . '/' . $this->uri ?>?
-
-
-
-
-
diff --git a/http/Provision/Config/Http/Ssl/Server.php b/http/Provision/Config/Http/Ssl/Server.php
deleted file mode 100644
index 02b33b06ad415af556a032fc77e6e3e7e61e113c..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Http/Ssl/Server.php
+++ /dev/null
@@ -1,43 +0,0 @@
-ssl_enabled && $this->ssl_key) {
- $path = dirname($this->data['ssl_cert']);
- // Make sure the ssl.d directory in the server ssl.d exists.
- provision_file()->create_dir($path,
- dt("Creating SSL Certificate directory for %key on %server", array(
- '%key' => $this->ssl_key,
- '%server' => $this->data['server']->remote_host,
- )), 0700);
-
- // Copy the certificates to the server's ssl.d directory.
- provision_file()->copy(
- $this->data['ssl_cert_source'],
- $this->data['ssl_cert'])
- ->succeed('Copied default SSL certificate into place')
- ->fail('Failed to copy default SSL certificate into place');
- provision_file()->copy(
- $this->data['ssl_cert_key_source'],
- $this->data['ssl_cert_key'])
- ->succeed('Copied default SSL key into place')
- ->fail('Failed to copy default SSL key into place');
- // Copy the chain certificate, if it is set.
- if (!empty($this->data['ssl_chain_cert_source'])) {
- provision_file()->copy(
- $this->data['ssl_chain_cert_source'],
- $this->data['ssl_chain_cert'])
- ->succeed('Copied default SSL chain certificate key into place')
- ->fail('Failed to copy default SSL chain certificate into place');
- }
- }
- }
-}
diff --git a/http/Provision/Config/Http/Ssl/Site.php b/http/Provision/Config/Http/Ssl/Site.php
deleted file mode 100644
index 3d91ef3429a787f28c1c99bc77c9e4f1540bfb3c..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Http/Ssl/Site.php
+++ /dev/null
@@ -1,77 +0,0 @@
-ssl_enabled && $this->ssl_key) {
- $path = dirname($this->data['ssl_cert']);
- // Make sure the ssl.d directory in the server ssl.d exists.
- provision_file()->create_dir($path,
- dt("SSL Certificate directory for %key on %server", array(
- '%key' => $this->ssl_key,
- '%server' => $this->data['server']->remote_host,
- )), 0700);
-
- // Touch a file in the server's copy of this key, so that it knows the key is in use.
- // XXX: test. data structure may not be sound. try d($this->uri)
- // if $this fails
- Provision_Service_http_ssl::assign_certificate_site($this->ssl_key, $this);
-
- // Copy the certificates to the server's ssl.d directory.
- provision_file()->copy(
- $this->data['ssl_cert_source'],
- $this->data['ssl_cert'])
- || drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place'));
- provision_file()->copy(
- $this->data['ssl_cert_key_source'],
- $this->data['ssl_cert_key'])
- || drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place'));
- // Copy the chain certificate, if it is set.
- if (!empty($this->data['ssl_chain_cert_source'])) {
- provision_file()->copy(
- $this->data['ssl_chain_cert_source'],
- $this->data['ssl_chain_cert'])
- || drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place'));
- }
- // Sync the key directory to the remote server.
- $this->data['server']->sync($path, array(
- 'exclude' => "{$path}/*.receipt", // Don't need to synch the receipts
- ));
- }
- }
-
- /**
- * Remove a stale certificate file from the server.
- */
- function unlink() {
- parent::unlink();
-
- if ($this->ssl_enabled) {
- // XXX: to be tested, not sure the data structure is sound
- Provision_Service_http_ssl::free_certificate_site($this->ssl_key, $this);
- }
- }
-
- /**
- * Small utility function to stop code duplication.
- *
- * @deprecated unused
- * @see Provision_Service_http_ssl::free_certificate_site()
- */
- private function clear_certs($ssl_key) {
- return FALSE;
- }
-}
-
diff --git a/http/Provision/Config/Nginx/Ssl/Server.php b/http/Provision/Config/Nginx/Ssl/Server.php
deleted file mode 100644
index d952dfd9719f4f6bbf9c89d58604956c54ce598d..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/Server.php
+++ /dev/null
@@ -1,19 +0,0 @@
-data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_server_config', $this->data));
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/Site.php b/http/Provision/Config/Nginx/Ssl/Site.php
deleted file mode 100644
index d251d310866e26c010ca118b8b24db02a94a283d..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/Site.php
+++ /dev/null
@@ -1,15 +0,0 @@
-data['extra_config'] = "# Extra configuration from modules:\n";
- $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_vhost_config', $this->uri, $this->data));
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php
deleted file mode 100644
index c1a1ef025df996668a2b4e54b9248ed5fb570d00..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php
+++ /dev/null
@@ -1,27 +0,0 @@
-
-
-#######################################################
-### nginx default ssl server
-#######################################################
-
-satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-?>
-
-server {
-ip_addresses as $ip) :?>
- listen ;
-
- server_name _;
- location / {
-
- root /var/www/nginx-default;
- index index.html index.htm;
-
- return 404;
-
- }
-}
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
deleted file mode 100644
index 9d032b35c72b370a885d8ff85d6f5bc82b341a4a..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
+++ /dev/null
@@ -1,127 +0,0 @@
-
-ssl_enabled && $this->ssl_key) : ?>
-
-satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-
-$nginx_has_http2 = drush_get_option('nginx_has_http2');
-if (!$nginx_has_http2 && $server->nginx_has_http2) {
- $nginx_has_http2 = $server->nginx_has_http2;
-}
-
-if ($nginx_has_http2) {
- $ssl_args = "ssl http2";
-}
-else {
- $ssl_args = "ssl";
-}
-
-if ($satellite_mode == 'boa') {
- $ssl_listen_ip = "*";
-}
-else {
- $ssl_listen_ip = $ip_address;
-}
-?>
-
-redirection): ?>
-aliases as $alias_url): ?>
-server {
- listen ;
-uri instead of
- // $alias_url)
- if ($this->redirection && $alias_url == $this->redirection) {
- $this->uri = str_replace('/', '.', $this->uri);
- print " server_name {$this->uri};\n";
- }
- else {
- $alias_url = str_replace('/', '.', $alias_url);
- print " server_name {$alias_url};\n";
- }
-?>
- ssl on;
- ssl_certificate_key ;
-
- ssl_certificate ;
-
- ssl_certificate ;
-
- return 301 $scheme://redirection; ?>$request_uri;
-}
-
-
-
-server {
- include fastcgi_params;
- fastcgi_param MAIN_SITE_NAME uri; ?>;
- set $main_site_name "uri; ?>";
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param HTTPS on;
-
- fastcgi_param db_type ;
- fastcgi_param db_name ;
- fastcgi_param db_user ;
- fastcgi_param db_passwd ;
- fastcgi_param db_host ;
-server->db_port ? $this->server->db_port : '3306';
- }
-?>
- fastcgi_param db_port ;
- listen ;
- server_name uri)
- if ($this->redirection) {
- print str_replace('/', '.', $this->redirection);
- } else {
- print $this->uri;
- }
- if (!$this->redirection && is_array($this->aliases)) {
- foreach ($this->aliases as $alias_url) {
- if (trim($alias_url)) {
- print " " . str_replace('/', '.', $alias_url);
- }
- }
- } ?>;
- root root}"; ?>;
- ssl on;
- ssl_certificate_key ;
-
- ssl_certificate ;
-
- ssl_certificate ;
-
-
- include include_path; ?>/nginx_vhost_common.conf;
-}
-
-
-
-
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php
deleted file mode 100644
index 8d2362ffab05209effd0ec8e04d099d25752fc14..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php
+++ /dev/null
@@ -1,54 +0,0 @@
-
-ssl_enabled && $this->ssl_key) : ?>
-
-satellite_mode) {
- $satellite_mode = $server->satellite_mode;
-}
-
-$nginx_has_http2 = drush_get_option('nginx_has_http2');
-if (!$nginx_has_http2 && $server->nginx_has_http2) {
- $nginx_has_http2 = $server->nginx_has_http2;
-}
-
-if ($nginx_has_http2) {
- $ssl_args = "ssl http2";
-}
-else {
- $ssl_args = "ssl";
-}
-
-if ($satellite_mode == 'boa') {
- $ssl_listen_ip = "*";
-}
-else {
- $ssl_listen_ip = $ip_address;
-}
-?>
-
-server {
- listen ;
- server_name uri . ' ' . implode(' ', str_replace('/', '.', $this->aliases)); ?>;
-
- root /var/www/nginx-default;
- index index.html index.htm;
- ### Do not reveal Aegir front-end URL here.
-
- return 302 platform->server->web_disable_url . '/' . $this->uri ?>;
-
- ssl on;
- ssl_certificate_key ;
-
- ssl_certificate ;
-
- ssl_certificate ;
-
-}
-
-
-
-
diff --git a/http/Provision/Service/http/apache/ssl.php b/http/Provision/Service/http/apache/ssl.php
deleted file mode 100644
index e4eae94ae8e7652f11d6a9c6f54642d5d41aa0b4..0000000000000000000000000000000000000000
--- a/http/Provision/Service/http/apache/ssl.php
+++ /dev/null
@@ -1,52 +0,0 @@
-configs['server'][] = 'Provision_Config_Apache_Ssl_Server';
-
- // Just re-use the standard platform config.
- $this->configs['platform'][] = 'Provision_Config_Apache_Platform';
-
- $this->configs['site'][] = 'Provision_Config_Apache_Ssl_Site';
- }
-
- /**
- * Restart apache to pick up the new config files.
- */
- function parse_configs() {
- return $this->restart();
- }
-}
diff --git a/http/Provision/Service/http/nginx/ssl.php b/http/Provision/Service/http/nginx/ssl.php
deleted file mode 100644
index 157bf8f6aed0f8d6caa86ac576f812366a3a2871..0000000000000000000000000000000000000000
--- a/http/Provision/Service/http/nginx/ssl.php
+++ /dev/null
@@ -1,165 +0,0 @@
-configs['server'][] = 'Provision_Config_Nginx_Ssl_Server';
- $this->configs['server'][] = 'Provision_Config_Nginx_Inc_Server';
- $this->configs['site'][] = 'Provision_Config_Nginx_Ssl_Site';
- $this->server->setProperty('nginx_config_mode', 'extended');
- $this->server->setProperty('nginx_is_modern', FALSE);
- $this->server->setProperty('nginx_has_http2', FALSE);
- $this->server->setProperty('nginx_has_gzip', FALSE);
- $this->server->setProperty('nginx_has_upload_progress', FALSE);
- $this->server->setProperty('provision_db_cloaking', TRUE);
- $this->server->setProperty('phpfpm_mode', 'port');
- $this->server->setProperty('satellite_mode', 'vanilla');
- }
-
- function save_server() {
- // Find nginx executable.
- if (provision_file()->exists('/usr/local/sbin/nginx')->status()) {
- $path = "/usr/local/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/sbin/nginx')->status()) {
- $path = "/usr/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) {
- $path = "/usr/local/bin/nginx";
- }
- else {
- return;
- }
- // Check if some nginx features are supported and save them for later.
- $this->server->shell_exec($path . ' -V');
- $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
-
- // Use basic nginx configuration if this control file exists.
- $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
- if (provision_file()->exists($nginx_config_mode_file)->status()) {
- $this->server->nginx_config_mode = 'basic';
- drush_log(dt('Basic Nginx Config Active -SAVE- YES control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
- else {
- $this->server->nginx_config_mode = 'extended';
- drush_log(dt('Extended Nginx Config Active -SAVE- NO control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
-
- // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect
- if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) {
- $this->server->phpfpm_mode = 'socket';
- drush_log(dt('PHP-FPM unix socket mode detected -SAVE- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
- else {
- $this->server->phpfpm_mode = 'port';
- drush_log(dt('PHP-FPM port mode detected -SAVE- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
-
- // Check if there is BOA specific global.inc file to enable extra Nginx locations
- if (provision_file()->exists('/data/conf/global.inc')->status()) {
- $this->server->satellite_mode = 'boa';
- drush_log(dt('BOA mode detected -SAVE- YES file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- else {
- $this->server->satellite_mode = 'vanilla';
- drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- }
-
- function verify_server_cmd() {
- // Find nginx executable.
- if (provision_file()->exists('/usr/local/sbin/nginx')->status()) {
- $path = "/usr/local/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/sbin/nginx')->status()) {
- $path = "/usr/sbin/nginx";
- }
- elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) {
- $path = "/usr/local/bin/nginx";
- }
- else {
- return;
- }
- // Check if some nginx features are supported and save them for later.
- $this->server->shell_exec($path . ' -V');
- $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match);
- $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match);
-
- // Use basic nginx configuration if this control file exists.
- $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf";
- if (provision_file()->exists($nginx_config_mode_file)->status()) {
- $this->server->nginx_config_mode = 'basic';
- drush_log(dt('Basic Nginx Config Active -VERIFY- YES control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
- else {
- $this->server->nginx_config_mode = 'extended';
- drush_log(dt('Extended Nginx Config Active -VERIFY- NO control file found @path.', array('@path' => $nginx_config_mode_file)));
- }
-
- // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect
- if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) {
- $this->server->phpfpm_mode = 'socket';
- drush_log(dt('PHP-FPM unix socket mode detected -VERIFY- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
- else {
- $this->server->phpfpm_mode = 'port';
- drush_log(dt('PHP-FPM port mode detected -VERIFY- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock')));
- }
-
- // Check if there is BOA specific global.inc file to enable extra Nginx locations
- if (provision_file()->exists('/data/conf/global.inc')->status()) {
- $this->server->satellite_mode = 'boa';
- drush_log(dt('BOA mode detected -VERIFY- YES file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- else {
- $this->server->satellite_mode = 'vanilla';
- drush_log(dt('Vanilla mode detected -VERIFY- NO file found @path.', array('@path' => '/data/conf/global.inc')));
- }
-
- // Call the parent at the end. it will restart the server when it finishes.
- parent::verify_server_cmd();
- }
-
- /**
- * Restart/reload nginx to pick up the new config files.
- */
- function parse_configs() {
- return $this->restart();
- }
-}
diff --git a/http/Provision/Service/http/ssl.php b/http/Provision/Service/http/ssl.php
deleted file mode 100644
index 581c04db5dfb7bd766fe7f3413bfb3feb5376384..0000000000000000000000000000000000000000
--- a/http/Provision/Service/http/ssl.php
+++ /dev/null
@@ -1,288 +0,0 @@
-server->setProperty('http_ssl_port', $this->default_ssl_port());
-
- // SSL certificate store.
- // The certificates are generated from here, and distributed to the servers,
- // as needed.
- $this->server->ssld_path = "{$this->server->aegir_root}/config/ssl.d";
-
- // SSL certificate store for this server.
- // This server's certificates will be stored here.
- $this->server->http_ssld_path = "{$this->server->config_path}/ssl.d";
- $this->server->ssl_enabled = 1;
- $this->server->ssl_key = 'default';
- }
-
- function init_site() {
- parent::init_site();
-
- $this->context->setProperty('ssl_enabled', 0);
- $this->context->setProperty('ssl_key', NULL);
- $this->context->setProperty('ip_addresses', array());
- }
-
-
- function config_data($config = NULL, $class = NULL) {
- $data = parent::config_data($config, $class);
- $data['http_ssl_port'] = $this->server->http_ssl_port;
-
- if ($config == 'server') {
- // Generate a certificate for the default SSL vhost, and retrieve the
- // path to the cert and key files. It will be generated if not found.
- $certs = $this->get_certificates('default');
- $data = array_merge($data, $certs);
- }
-
- if ($config == 'site' && $this->context->ssl_enabled) {
- foreach ($this->context->ip_addresses as $server => $ip_address) {
- if ($server == $this->server->name || '@' . $server == $this->server->name) {
- $data['ip_address'] = $ip_address;
- break;
- }
- }
- if (!isset($data['ip_address'])) {
- drush_log(dt('No proper IP provided by the frontend for server %servername, using wildcard', array('%servername' => $this->server->name)), 'info');
- $data['ip_address'] = '*';
- }
- if ($this->context->ssl_enabled == 2) {
- $data['ssl_redirection'] = TRUE;
- $data['redirect_url'] = "https://{$this->context->uri}";
- }
-
- if ($ssl_key = $this->context->ssl_key) {
- // Retrieve the paths to the cert and key files.
- // they are generated if not found.
- $certs = $this->get_certificates($ssl_key);
- $data = array_merge($data, $certs);
- }
- }
-
- return $data;
- }
-
- /**
- * Retrieve an array containing the actual files for this ssl_key.
- *
- * If the files could not be found, this function will proceed to generate
- * certificates for the current site, so that the operation can complete
- * succesfully.
- */
- function get_certificates($ssl_key) {
- $source_path = "{$this->server->ssld_path}/{$ssl_key}";
- $certs['ssl_cert_key_source'] = "{$source_path}/openssl.key";
- $certs['ssl_cert_source'] = "{$source_path}/openssl.crt";
-
- foreach ($certs as $cert) {
- $exists = provision_file()->exists($cert)->status();
- if (!$exists) {
- // if any of the files don't exist, regenerate them.
- $this->generate_certificates($ssl_key);
-
- // break out of the loop.
- break;
- }
- }
-
- $path = "{$this->server->http_ssld_path}/{$ssl_key}";
- $certs['ssl_cert_key'] = "{$path}/openssl.key";
- $certs['ssl_cert'] = "{$path}/openssl.crt";
-
- // If a certificate chain file exists, add it.
- $chain_cert_source = "{$source_path}/openssl_chain.crt";
- if (provision_file()->exists($chain_cert_source)->status()) {
- $certs['ssl_chain_cert_source'] = $chain_cert_source;
- $certs['ssl_chain_cert'] = "{$path}/openssl_chain.crt";
- }
- return $certs;
- }
-
- /**
- * Generate a self-signed certificate for that key.
- *
- * Because we only generate certificates for sites we make some assumptions
- * based on the uri, but this cert may be replaced by the admin if they
- * already have an existing certificate.
- */
- function generate_certificates($ssl_key) {
- $path = "{$this->server->ssld_path}/{$ssl_key}";
-
- provision_file()->create_dir($path,
- dt("SSL certificate directory for %ssl_key", array(
- '%ssl_key' => $ssl_key
- )), 0700);
-
- if (provision_file()->exists($path)->status()) {
- drush_log(dt('generating 2048 bit RSA key in %path/', array('%path' => $path)));
- /*
- * according to RSA security and most sites I could read, 1024
- * was recommended until 2010-2015 and 2048 is now the
- * recommended length for more sensitive data. we are therefore
- * taking the safest route.
- *
- * http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
- * http://www.vocal.com/cryptography/rsa-key-size-selection/
- * https://en.wikipedia.org/wiki/Key_size#Key_size_and_encryption_system
- * http://www.redkestrel.co.uk/Articles/CSR.html
- */
- drush_shell_exec('openssl genrsa -out %s/openssl.key 2048', $path)
- || drush_set_error('SSL_KEY_GEN_FAIL', dt('failed to generate SSL key in %path', array('%path' => $path . '/openssl.key')));
-
- // Generate the CSR to make the key certifiable by third parties
- $domain = $ssl_key == 'default' ? 'default.invalid' : $this->context->uri;
- $ident = "/CN={$domain}/emailAddress=abuse@{$domain}";
- drush_shell_exec("openssl req -new -subj '%s' -key %s/openssl.key -out %s/openssl.csr -batch", $ident, $path, $path)
- || drush_log(dt('failed to generate signing request for certificate in %path', array('%path' => $path . '/openssl.csr')));
-
- // sign the certificate with itself, generating a self-signed
- // certificate. this will make a SHA1 certificate by default in
- // current OpenSSL.
- drush_shell_exec("openssl x509 -req -days 365 -in %s/openssl.csr -signkey %s/openssl.key -out %s/openssl.crt", $path, $path, $path)
- || drush_set_error('SSL_CERT_GEN_FAIL', dt('failed to generate self-signed certificate in %path', array('%path' => $path . '/openssl.crt')));
- }
- }
-
- /**
- * Assign the given site to a certificate to mark its usage.
- *
- * This is necessary for the backend to figure out when it's okay to
- * remove certificates.
- *
- * Should never fail unless the receipt file cannot be created.
- *
- * @return the path to the receipt file if allocation succeeded
- */
- static function assign_certificate_site($ssl_key, $site) {
- $path = $site->data['server']->http_ssld_path . "/" . $ssl_key . "/" . $site->uri . ".receipt";
- drush_log(dt("registering site %site with SSL certificate %key with receipt file %path", array("%site" => $site->uri, "%key" => $ssl_key, "%path" => $path)));
- if (touch($path)) {
- return $path;
- }
- else {
- return FALSE;
- }
- }
-
- /**
- * Unallocate this certificate from that site.
- *
- * @return the path to the receipt file if removal was successful
- */
- static function free_certificate_site($ssl_key, $site) {
- if (empty($ssl_key)) return FALSE;
- $ssl_dir = $site->platform->server->http_ssld_path . "/" . $ssl_key . "/";
- // Remove the file system reciept we left for this file
- if (provision_file()->unlink($ssl_dir . $site->uri . ".receipt")->
- succeed(dt("Deleted SSL Certificate association receipt for %site on %server", array(
- '%site' => $site->uri,
- '%server' => $site->server->remote_host)))->status()) {
- if (!Provision_Service_http_ssl::certificate_in_use($ssl_key, $site->server)) {
- drush_log(dt("Deleting unused SSL directory: %dir", array('%dir' => $ssl_dir)));
- _provision_recursive_delete($ssl_dir);
- $site->server->sync($path);
- }
- return $path;
- }
- else {
- return FALSE;
- }
- }
-
- /**
- * Assign the certificate it's own distinct IP address for this server.
- *
- * Each certificate needs a unique IP address on each server in order
- * to be able to be encrypted.
- *
- * This code uses the filesystem by touching a reciept file in the
- * server's ssl.d directory.
- *
- * @deprecated this is now based the site URI
- * @see assign_certificate_site()
- */
- static function assign_certificate_ip($ssl_key, $server) {
- return FALSE;
- }
-
- /**
- * Remove the certificate's lock on the server's public IP.
- *
- * This function will delete the receipt file left behind by
- * the assign_certificate_ip script, allowing the IP to be used
- * by other certificates.
- *
- * @deprecated this is now based on the site URI
- * @see free_certificate_site()
- */
- static function free_certificate_ip($ssl_key, $server) {
- return FALSE;
- }
-
-
- /**
- * Retrieve the status of a certificate on this server.
- *
- * This is primarily used to know when it's ok to remove the file.
- * Each time a config file uses the key on the server, it touches
- * a 'receipt' file, and every time the site stops using it,
- * the receipt is removed.
- *
- * This function just checks if any of the files are still present.
- */
- static function certificate_in_use($ssl_key, $server) {
- $pattern = $server->http_ssld_path . "/$ssl_key/*.receipt";
- return sizeof(glob($pattern));
- }
-
-
- /**
- * Check for an existing record for this IP address.
- *
- * @deprecated we only use the URI-based allocation now
- */
- static function get_ip_certificate($ip, $server) {
- return FALSE;
- }
-
- /**
- * Verify server.
- */
- function verify_server_cmd() {
- if ($this->context->type === 'server') {
- provision_file()->create_dir($this->server->ssld_path, dt("Central SSL certificate repository."), 0700);
-
- provision_file()->create_dir($this->server->http_ssld_path,
- dt("SSL certificate repository for %server",
- array('%server' => $this->server->remote_host)), 0700);
-
- $this->sync($this->server->http_ssld_path, array(
- 'exclude' => $this->server->http_ssld_path . '/*', // Make sure remote directory is created
- ));
- $this->sync($this->server->http_ssld_path . '/default');
- }
-
- // Call the parent at the end. it will restart the server when it finishes.
- parent::verify_server_cmd();
- }
-}