SNI support (closed #8)

d74ea54f · Michiel de Jong · e64e0346 · d74ea54f · d74ea54f · d74ea54f
Commit d74ea54f authored 10 years ago by Michiel de Jong
--- a/README.md
+++ b/README.md
@@ -5,16 +5,32 @@
  - run `vagrant plugin install vagrant-hostsupdater` to install

 ## Get started:
+- Put a TLS certificate (self-signed is fine, but make sure you have [public, intermediate, and private all concatenated into one .pem file](https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04)) in /data/per-user/coreos.dev/combined.pem on the host system.
+- Test it with `openssl s_server -cert /data/per-user/coreos.dev/combined.pem -www`

 ```bash
 vagrant up
 ```

-Wait for the provisioning to finish (~40mins), and go to your browser: http://coreos.dev
+Wait for the provisioning to finish (~40mins), and go to your browser: https://coreos.dev
+
+### If you want to add another wordpress instance apart from coreos.dev:
+- For e.g. example.dev, put a cert for it in /data/per-user/example.dev/combined.pem on
+the host system.
+- Test it with `openssl s_server -cert /data/per-user/example.dev/combined.pem -www`
+
+```bash
+vagrant ssh
+sudo sh /data/infrastructure/scripts/approve-user.sh example.dev wordpress
+```
+Check https://example.dev in your bowser!
+
+### Cleaning up
+
+To clean up stuff from previous runs of your VM, you can do:

-### If you want to add another wordpress instance:
 ```bash
 vagrant ssh
-sudo sh /data/infrastructure/scripts/adduser.sh example.dev wordpress
+rm -rf /etc/systemd/system/multi-user.wants/*
 ```
-Check http://example.dev in your bowser!
+and then restart the VM with `vagrant reload`.
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -34,9 +34,10 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
      core.vm.hostname = HOSTNAME
      core.vm.network :private_network, ip: "#{BASE_IP_ADDR}.#{i+1}"
      config.vm.synced_folder ".", "/data/infrastructure"
+      config.vm.synced_folder "/data/per-user", "/data/per-user"
      core.vm.provision :file, source: "./config/user-data", destination: "/var/lib/coreos-vagrant/vagrantfile-user-data"
      core.vm.provision :shell, path: "./scripts/setup.sh"
-      core.vm.provision :shell, path: "./scripts/adduser.sh", args: [HOSTNAME, "wordpress"]
+      core.vm.provision :shell, path: "./scripts/approve-user.sh", args: [HOSTNAME, "nginx"]
    end
  end
 end
--- a/scripts/adduser.sh
+++ b/scripts/adduser.sh
@@ -10,7 +10,22 @@ sleep 10
 IP=`docker inspect --format '{{.NetworkSettings.IPAddress}}' $2-$1`

 echo IP address of new container \'$2-$1\' is \'$IP\'
-sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-frontend.part | sed s/%IP%/$IP/g >> /data/server-wide/haproxy/frontends.part
+
+if [ -f /data/per-user/$1/combined.pem ]; then
+  echo Importing cert from /data/per-user/$1/combined.pem
+  echo TODO: enforce validity check at this point!
+  echo Please run scripts/check-cert.sh $1 to make sure it\'s OK
+  mkdir -p /data/server-wide/haproxy/approved-certs
+  cp /data/per-user/$1/combined.pem /data/server-wide/haproxy/approved-certs/$1.pem
+  echo /haproxy-override/approved-certs/$1.pem $1 >> /data/server-wide/haproxy/certs/list.txt
+  sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-cert.part >> /data/server-wide/haproxy/certs.part
+else
+  echo WARNING: TLS cert /data/per-user/$1/combined.pem not found! Not enabling SNI for this domain.
+fi
+
+sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-frontend.part >> /data/server-wide/haproxy/frontends.part
+
 sed s/%HOSTNAME%/$1/g /data/infrastructure/templates/haproxy-backend.part | sed s/%IP%/$IP/g >> /data/server-wide/haproxy/backends.part
-cat /data/server-wide/haproxy/haproxy-main.part /data/server-wide/haproxy/frontends.part /data/server-wide/haproxy/backends.part > /data/server-wide/haproxy/haproxy.cfg
+
+cat /data/server-wide/haproxy/haproxy-1.part /data/server-wide/haproxy/certs.part /data/server-wide/haproxy/haproxy-2.part /data/server-wide/haproxy/frontends.part /data/server-wide/haproxy/backends.part > /data/server-wide/haproxy/haproxy.cfg
 systemctl reload haproxy.service
--- a/scripts/check-cert.sh
+++ b/scripts/check-cert.sh
+if [ -f /data/per-user/$1/tls.cert ]; then
+if [ -f /data/per-user/$1/tls.key ]; then
+if [ -f /data/per-user/$1/chain.pem ]; then
+  echo head -5 /data/per-user/$1/tls.cert:
+  head -5 /data/per-user/$1/tls.cert
+  echo head -5 /data/per-user/$1/chain.pem:
+  head -5 /data/per-user/$1/chain.pem
+  echo head -5 /data/per-user/$1/tls.key:
+  head -5 /data/per-user/$1/tls.key
+
+  echo Some information about: /data/per-user/$1/tls.cert:
+  openssl x509 -text -in /data/per-user/$1/tls.cert
+
+  echo Some information about: /data/per-user/$1/chain.pem:
+  openssl x509 -text -in /data/per-user/$1/chain.pem
+
+  echo Some information about: /data/per-user/$1/tls.key:
+  openssl rsa -text -in /data/per-user/$1/tls.key
+
+  if [ -f /data/per-user/$1/combined.pem ]; then
+    echo combined.pem exists! Please make sure it\'s tls.cert + chain.pem + tls.key \(in that order\)
+  else
+    echo Generating /data/per-user/$1/combined.pem:
+    cat /data/per-user/$1/tls.cert /data/per-user/$1/chain.pem /data/per-user/$1/tls.key > /data/per-user/$1/combined.pem
+  fi
+
+  echo Running a test server on port 4433 on this server now \(please use your browser to check\):
+  openssl s_server -cert /data/per-user/$1/combined.pem -www
+else
+  echo Files /data/per-user/$1/{tls.cert,tls.key,chain.pem} not found
+fi
+else
+  echo Files /data/per-user/$1/{tls.cert,tls.key,chain.pem} not found
+fi
+else
+  echo Files /data/per-user/$1/{tls.cert,tls.key,chain.pem} not found
+fi
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -12,8 +12,12 @@ docker pull tutum/nginx
 # Configure and start HAproxy
 docker pull dockerfile/haproxy
 mkdir -p /data/server-wide/haproxy
-cp /data/infrastructure/templates/haproxy-main.part /data/server-wide/haproxy/haproxy-main.part
-rm /data/server-wide/haproxy/frontends.part
-rm /data/server-wide/haproxy/backends.part
+cp /data/infrastructure/templates/haproxy-*.part /data/server-wide/haproxy/
+rm /data/server-wide/haproxy/*.part
+#rm /etc/systemd/system/multi-user.target.wants/*
+touch /data/server-wide/haproxy/certs.part
+touch /data/server-wide/haproxy/frontends.part
+touch /data/server-wide/haproxy/backends.part
+cp /data/infrastructure/templates/haproxy-*.part /data/server-wide/haproxy/
 systemctl enable haproxy.service
 systemctl start  haproxy.service
--- a/templates/haproxy-main.part
+++ b/templates/haproxy-main.part
@@ -15,5 +15,9 @@ defaults
    timeout client 50000
    timeout server 50000

-frontend http-in
-    bind *:80
+frontend https-in
+mode http
+ bind *:443 ssl crt-list /haproxy-override/certs/list.txt crt /haproxy-override/approved-certs/coreos.dev/combined.pem
+ reqadd X-Forwarded-Proto:\ https
+
+
--- a/templates/haproxy-2.part
+++ b/templates/haproxy-2.part
+
+
+default_backend coreos.dev
+    
+frontend http-in
+    bind *:80
--- a/templates/haproxy-cert.part
+++ b/templates/haproxy-cert.part
+
+# %HOSTNAME%:
+    acl is_%HOSTNAME% req_ssl_sni -i %HOSTNAME%
+    use_backend %HOSTNAME% if is_%HOSTNAME%
--- a/unit-files/haproxy.service
+++ b/unit-files/haproxy.service
@@ -11,6 +11,7 @@ ExecStartPre=-/usr/bin/docker rm %p
 ExecStart=/usr/bin/docker run\
 --name %p\
 -p 80:80\
+-p 443:443\
 -v /data/server-wide/%p:/haproxy-override\
 dockerfile/haproxy
 ExecReload=/usr/bin/docker restart %p