From dc3d191c13e3855b982e51594c745a3eec59c773 Mon Sep 17 00:00:00 2001
From: maany
Date: Tue, 12 Mar 2024 21:09:21 +0100
Subject: [PATCH] ui: fix apache config, Dockerfile

---
 ui/Dockerfile | 3 ++
 ui/README.md | 3 ++
 ui/docker-entrypoint.sh | 2 +
 ui/rucio.conf.j2 | 98 +++++++++++++++++++++++------------------
 4 files changed, 63 insertions(+), 43 deletions(-)

diff --git a/ui/Dockerfile b/ui/Dockerfile
index f9db828..594756f 100644
--- a/ui/Dockerfile
+++ b/ui/Dockerfile
@@ -46,9 +46,12 @@ ADD 00-mpm.conf.j2 /tmp
 ADD docker-entrypoint.sh /
 RUN rm /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/ssl.conf
+RUN update-crypto-policies --set DEFAULT:SHA1
+
 VOLUME /var/log/httpd
 VOLUME /opt/rucio/etc
+EXPOSE 80
 EXPOSE 443
 ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/ui/README.md b/ui/README.md
index 1deac9b..4690435 100644
--- a/ui/README.md
+++ b/ui/README.md
@@ -59,6 +59,9 @@ Same as `RUCIO_PROXY_SCHEME` but for the authentication server.
 If you are using SSL and want use `SSLCACertificatePath` and `SSLCARevocationPath` you can do so by specifying the path in this variable.
+### `RUCIO_CA_FILE`
+If you are using SSL and do not want to hash the CA certificates you can specify the path to the single CA file that contains all of the required certificates in this variable. It sets the `SSLCACertificateFile` and `SSLCARevocationFile` directives in the apache config.
+
 ### `RUCIO_ENABLE_LOGS`
 By default the log output of the web server is written to stdout and stderr. If you set this variable to `True` the output will be written to `access_log` and `error_log` under `/var/log/httpd`.
diff --git a/ui/docker-entrypoint.sh b/ui/docker-entrypoint.sh
index 44e166d..931182b 100755
--- a/ui/docker-entrypoint.sh
+++ b/ui/docker-entrypoint.sh
@@ -32,4 +32,6 @@ echo "=================== /etc/httpd/conf.d/rucio.conf ========================"
 cat /etc/httpd/conf.d/rucio.conf
 echo ""
+pkill httpd || :
+sleep 2
 exec httpd -D FOREGROUND
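Review bot: `RUN update-crypto-policies --set DEFAULT:SHA1` lowers the container's system-wide crypto policy so that SHA-1 signatures are accepted again in TLS handshakes and certificate chains, and nothing in the patch says why; the subject line only says "fix apache config". Presumably some grid CA or client certificates in use are still SHA-1 signed — if so, record that above the line, e.g. `# DEFAULT:SHA1 re-enables SHA-1 signatures for legacy certificates; remove once they are re-issued`, and mention the trade-off in ui/README.md next to the other SSL variables. If only some deployments need it, gating the step behind a build argument would keep the default image on the stricter policy.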
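Review bot: `sleep 2` after `pkill httpd || :` is a fixed delay rather than a wait: if a leftover httpd takes longer than that to exit and release its ports, the following `exec httpd -D FOREGROUND` fails to bind, and when nothing was running the start is delayed for no reason. Prefer waiting on the process itself, e.g. `pkill -x httpd || :` followed by `while pgrep -x httpd >/dev/null; do sleep 1; done`, where `-x` also avoids matching other processes whose name merely contains `httpd`. A comment stating which situation leaves an httpd running before the entrypoint starts (a restarted container, a base-image service — confirm) would help the next reader understand why the kill is there at all.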
diff --git a/ui/rucio.conf.j2 b/ui/rucio.conf.j2
index 0da6eac..e35e191 100644
--- a/ui/rucio.conf.j2
+++ b/ui/rucio.conf.j2
@@ -2,7 +2,9 @@ LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
 LoadModule unique_id_module modules/mod_unique_id.so
 LoadModule wsgi_module /usr/lib64/httpd/modules/mod_wsgi.so
+{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
 Listen 443
+{% endif %}
 Listen 80
 Header set X-Rucio-Host "%{HTTP_HOST}e"
@@ -20,16 +22,9 @@ LoadModule cache_disk_module modules/mod_cache_disk.so
 CacheEnable disk /
 CacheRoot /tmp
+{% macro common_virtual_host_config() %}
 {% if RUCIO_HOSTNAME is defined %}
- ServerName {{ RUCIO_HOSTNAME }}:80
- Redirect / https://{{ RUCIO_HOSTNAME }}/
-
-
-
- ServerName {{ RUCIO_HOSTNAME }}:443
-{% else %}
-
 {% endif %}
 {% if RUCIO_SERVER_ADMIN is defined %}
 ServerAdmin {{ RUCIO_SERVER_ADMIN }}
@@ -37,34 +32,6 @@ CacheRoot /tmp
 ServerAdmin rucio-admin@cern.ch
 {% endif %}
-{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
- SSLEngine on
- SSLCertificateFile /etc/grid-security/hostcert.pem
- SSLCertificateKeyFile /etc/grid-security/hostkey.pem
-{% if RUCIO_CA_PATH is defined %}
- SSLCACertificatePath {{ RUCIO_CA_PATH }}
- SSLCARevocationPath {{ RUCIO_CA_PATH }}
-{% else %}
- SSLCACertificateFile /etc/grid-security/ca.pem
-{% endif %}
- SSLVerifyClient optional_no_ca
- SSLVerifyDepth 10
-{% if RUCIO_HTTPD_LEGACY_DN|default('False') == 'True' %}
- SSLOptions +StdEnvVars +LegacyDNStringFormat
-{% else %}
- SSLOptions +StdEnvVars
-{% endif %}
- SSLProxyEngine On
-{% if RUCIO_SSL_PROTOCOL is defined %}
- #AB: SSLv3 disable
- SSLProtocol {{ RUCIO_SSL_PROTOCOL }}
-{% else %}
- SSLProtocol +TLSv1.2
-{% endif %}
- #AB: for Security
- SSLCipherSuite HIGH:!CAMELLIA:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!3DES
-{% endif %}
-
 {% if RUCIO_LOG_LEVEL is defined %}
 LogLevel {{ RUCIO_LOG_LEVEL }}
 {% else %}
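Review bot: `{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}` around `Listen 443` is an exact, case-sensitive string comparison, so a container started with `RUCIO_ENABLE_SSL=true` or `=1` silently gets no `Listen 443` and, through the same test used three more times in the last hunk of this file, no SSL VirtualHost either — it just serves plain HTTP on port 80. Normalising the value once, e.g. `{% if RUCIO_ENABLE_SSL|default('False')|lower == 'true' %}`, at each of those places would make the flag robust; if the exact spelling is intentional, the README entry for the variable should say that the value must be exactly `True`.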
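Review bot: After this hunk the `{% if RUCIO_HOSTNAME is defined %}` … `{% endif %}` block at the top of `common_virtual_host_config` is empty — the two `ServerName` lines were removed together with the per-port VirtualHost blocks and nothing reinstates them — so, as far as this rendering shows (the VirtualHost tags appear to have been stripped), the generated hosts no longer carry a `ServerName` even when `RUCIO_HOSTNAME` is set. Since the macro is now shared by the :80 and :443 hosts, a port-less `ServerName {{ RUCIO_HOSTNAME }}` inside that block restores it for both; otherwise delete the empty conditional. The macro body continues past this hunk and `{% endmacro %}` is in the last hunk of this file.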
@@ -72,13 +39,8 @@ CacheRoot /tmp
 {% endif %}
 {% if RUCIO_ENABLE_LOGS|default('False') == 'True' %}
-{% if RUCIO_HTTPD_LOG_DIR is defined %}
- CustomLog {{RUCIO_HTTPD_LOG_DIR}}/access_log combinedrucio
- ErrorLog {{RUCIO_HTTPD_LOG_DIR}}/error_log
-{% else %}
- CustomLog logs/access_log combinedrucio
- ErrorLog logs/error_log
-{% endif %}
+ CustomLog {{RUCIO_HTTPD_LOG_DIR | default('logs') }}/access_log combinedrucio
+ ErrorLog {{RUCIO_HTTPD_LOG_DIR | default('logs') }}/error_log
 {% else %}
 CustomLog /dev/stdout combinedrucio
 ErrorLog /dev/stderr
@@ -100,4 +62,54 @@ CacheRoot /tmp
 ProxyPass /authproxy {{ RUCIO_AUTH_PROXY_SCHEME | default('https') }}://{{ RUCIO_AUTH_PROXY }}
 ProxyPassReverse /authproxy {{ RUCIO_AUTH_PROXY_SCHEME | default('https') }}://{{ RUCIO_AUTH_PROXY }}
 {% endif %}
+{% endmacro %}
+
+
+{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
+ {% if RUCIO_HOSTNAME is defined %}
+ Redirect / https://{{ RUCIO_HOSTNAME }}/
+ {% else %}
+ Redirect / https://localhost/
+ {% endif %}
+{% else %}
+ {{ common_virtual_host_config()}}
+ {% endif%}
+
+
+{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
+
+{{ common_virtual_host_config()}}
+{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
+ SSLEngine on
+ SSLCertificateFile /etc/grid-security/hostcert.pem
+ SSLCertificateKeyFile /etc/grid-security/hostkey.pem
+{% if RUCIO_CA_PATH is defined %}
+ SSLCACertificatePath {{ RUCIO_CA_PATH }}
+ SSLCARevocationPath {{ RUCIO_CA_PATH }}
+{% elif RUCIO_CA_FILE is defined %}
+ SSLCACertificateFile {{ RUCIO_CA_FILE }}
+ SSLCARevocationFile {{ RUCIO_CA_FILE }}
+{% else %}
+ SSLCACertificateFile /etc/grid-security/ca.pem
+ SSLCARevocationFile /etc/grid-security/ca.pem
+{% endif %}
+ SSLVerifyClient optional_no_ca
+ SSLVerifyDepth 10
+{% if RUCIO_HTTPD_LEGACY_DN|default('False') == 'True' %}
+ SSLOptions +StdEnvVars +LegacyDNStringFormat
+{% else %}
+ SSLOptions +StdEnvVars
+{% endif %}
+ SSLProxyEngine On
+{% if RUCIO_SSL_PROTOCOL is defined %}
+ #AB: SSLv3 disable
+ SSLProtocol {{ RUCIO_SSL_PROTOCOL }}
+{% else %}
+ SSLProtocol +TLSv1.2
+{% endif %}
+ #AB: for Security
+ SSLCipherSuite HIGH:!CAMELLIA:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!3DES
+{% endif %}
+{% endif %}
+
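Review bot: The added `SSLCARevocationFile` directives (in the `RUCIO_CA_FILE` branch and in the `/etc/grid-security/ca.pem` fallback) are inert as written: mod_ssl only consults CRLs when `SSLCARevocationCheck` is set, its default is `none`, and the directive appears nowhere in this VirtualHost, so client-certificate revocation is still not checked. Either add `SSLCARevocationCheck chain` next to them or drop them, and note that pointing the revocation file at the CA bundle itself only works if that bundle also carries the CRLs — confirm with whoever supplies `RUCIO_CA_FILE`. The inner `{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}` repeats the test of the enclosing block that opens the :443 host and can go together with its matching `{% endif %}`; `{% endif%}` in the :80 block above should read `{% endif %}`. The VirtualHost open/close tags seem to have been stripped from this rendering, so the block boundaries are inferred from the blank added lines.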