Further modification required to get SSL to work

* substitute host name into ServerName directive in SSL vhost config * update documentation for OPENTREE_HOST config variable * remove SSLCertificateChainFile which is deprecated in apache 2.4 * move WSGIDaemonProcess directive outside of vhost block * make POODLE protection specific to apache 2.2
OpenTreeOfLife · May 2, 2015 · e62b653 · e62b653
1 parent a6d6804
commit e62b653
Show file tree

Hide file tree

Showing 6 changed files with 43 additions and 24 deletions.
diff --git a/deploy/as-admin.sh b/deploy/as-admin.sh
@@ -105,10 +105,12 @@ fi
 if [ ! -r /etc/apache2/mods-enabled/ssl.load ]; then
     sudo a2enmod ssl
 fi
-# Protect against POODLE vulnerability in SSLv3; see https://zmap.io/sslv3/servers.html#apache
-sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol TLSv1+" /etc/apache2/mods-available/ssl.conf
-# N.B. httpd version 2.2.23+ will need this change instead:
-#sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol ALL -SSLv2 -SSLv3+" /etc/apache2/mods-available/ssl.conf
+if apt-cache policy apache2 | egrep -q "Installed: 2.2"; then
+    # Protect against POODLE vulnerability in SSLv3; see https://zmap.io/sslv3/servers.html#apache
+    sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol TLSv1+" /etc/apache2/mods-available/ssl.conf
+    # N.B. httpd version 2.2.23+ will need this change instead:
+    #sudo sed -i -e "s+^SSLProtocol.*+SSLProtocol ALL -SSLv2 -SSLv3+" /etc/apache2/mods-available/ssl.conf
+fi
 
 # ---------- UNZIP ----------
 # unzip is needed for unpacking web2py.  Somebody broke the 'which' program -
@@ -184,18 +186,18 @@ fi
 
 # How the apache config (the one found in the deployment setup
 # directory) was created: we copied the apache default vhost config
-# (000-default) from a fresh EC2 instance, then modified it to make
+# (000-default) from a fresh EC2 (woody) instance, then modified it to make
 # web2py work, per instructions found on the web.  See
 # /etc/apache2/sites-available/default .
 # 
 # After adding a second VirtualHost file for HTTPS, we moved all common
 # configuration to a third file '{apache|opentree}-config-shared', which is
 # used in both vhosts via the Include directive.
 
-# The purpose here (of clobbering the default vhost) is to avoid
+# The purpose of clobbering the default vhost is to avoid
 # having to know all of our own vhost names.  Instead we make opentree
-# the default 'vhost'.  The opentree config file gets put into
-# place later on in the setup sequence.
+# the default 'vhost'.  The opentree vhost config files get put into
+# place later on in the setup sequence (restart-apache.sh).
 
 if apt-cache policy apache2 | egrep -q "Installed: 2.2"; then
     # Keep old script transiently; flush this after full transition to 2.4+
@@ -236,6 +238,15 @@ else
     fi
 fi
 
+# Apache 2.4 is finicky about protection of the key file
+
+if sudo test -e /etc/ssl/private/opentreeoflife.org.key; then
+    sudo chmod o-r /etc/ssl/private/opentreeoflife.org.key
+    if egrep -q ssl-cert /etc/group; then
+        sudo chgrp ssl-cert /etc/ssl/private/opentreeoflife.org.key
+    fi
+fi
+
 # ---------- UNPRIVILEGED USER ----------
 
 # Credit goes to Richard Bronosky via stackoverflow for this

diff --git a/deploy/push.sh b/deploy/push.sh
@@ -231,7 +231,7 @@ function push_neo4j {
 function restart_apache {
     if [ $DRYRUN = "yes" ]; then echo "[restarting apache]"; return; fi
     scp -p -i "${OPENTREE_IDENTITY}" restart-apache.sh "$ADMIN@$OPENTREE_HOST":
-    ${SSH} "$ADMIN@$OPENTREE_HOST" bash restart-apache.sh "$OT_USER"
+    ${SSH} "$ADMIN@$OPENTREE_HOST" bash restart-apache.sh "$OT_USER" "$OPENTREE_HOST"
 }
 
 function push_opentree {

diff --git a/deploy/restart-apache.sh b/deploy/restart-apache.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 
+# This script runs as the admin user, which has sudo privileges
+
 OPENTREE_USER=$1
+OPENTREE_HOST=$2
 OPENTREE_HOME=$(bash <<< "echo ~$OPENTREE_USER")
 
 if apt-cache policy apache2 | egrep -q "Installed: 2.2"; then
@@ -35,21 +38,23 @@ else
 # Modern code, apache 2.4+
 
 if [ ! -r /etc/apache2/sites-available/opentree.conf ] || \
-   ! cmp "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/opentree; then
+   ! cmp -s "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/opentree; then
     echo "Installing opentree vhost config"
     sudo cp -p "$OPENTREE_HOME/setup/opentree.conf" /etc/apache2/sites-available/ || "Sudo failed"
 fi
 
 if [ ! -r /etc/apache2/sites-available/opentree-ssl ] || \
-   ! cmp "$OPENTREE_HOME/setup/opentree-ssl.conf" /etc/apache2/sites-available/opentree-ssl.conf; then
+   ! cmp -s "$OPENTREE_HOME/setup/opentree-ssl.conf" /etc/apache2/sites-available/opentree-ssl.conf; then
     echo "Installing opentree ssl vhost config"
     sudo cp -p "$OPENTREE_HOME/setup/opentree-ssl.conf" /etc/apache2/sites-available/ || "Sudo failed"
+    sudo sed -i -e s/SERVERNAME_REPLACEME/$OPENTREE_HOST/ \
+      /etc/apache2/sites-available/opentree-ssl.conf  || "Sudo failed"
 fi
 
 TMP=/tmp/$$.tmp
 sed -e s+/home/opentree+$OPENTREE_HOME+ <"$OPENTREE_HOME/setup/opentree-shared.conf" >$TMP
 if [ ! -r /etc/apache2/opentree-shared.conf ] || \
-   ! cmp $TMP /etc/apache2/opentree-shared.conf; then
+   ! cmp -s $TMP /etc/apache2/opentree-shared.conf; then
     echo "Installing opentree vhosts shared config"
     sudo cp -p $TMP /etc/apache2/opentree-shared.conf || "Sudo failed"
 fi

diff --git a/deploy/sample.config b/deploy/sample.config
@@ -14,10 +14,10 @@ OPENTREE_TAG=ot3
 
 # -----
 # OPENTREE_HOST is the host that you're going to initialize or update.
-# This is used as a target for ssh during deployment. Our common pattern is to
-# use domain names starting with the tag value above, e.g., ot3.opentreeoflife.org
+# This is used as a target for ssh during deployment. It is also used
+# as the ServerName in the apache HTTPS vhost configuration.
 
-OPENTREE_HOST=${OPENTREE_TAG}.opentreeoflife.org
+OPENTREE_HOST=ctenophora.opentreeoflife.org
 
 #-----
 # OPENTREE_COMPONENTS is a list of components that are to be intalled

diff --git a/deploy/setup/opentree-ssl.conf b/deploy/setup/opentree-ssl.conf
@@ -12,15 +12,17 @@
 <IfModule mod_ssl.c>
 <VirtualHost *:443>
 
+    # This is edited by restart-apache.sh
+    ServerName SERVERNAME_REPLACEME
+
     ErrorLog ${APACHE_LOG_DIR}/ssl_error.log
 
     # Possible values include: debug, info, notice, warn, error, crit,
     # alert, emerg.
     LogLevel warn
 
     SSLEngine on
-    SSLCertificateFile         /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem
-    SSLCertificateChainFile    /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem
+    SSLCertificateFile    /etc/ssl/certs/opentree/STAR_opentreeoflife_org.pem
     SSLCertificateKeyFile /etc/ssl/private/opentreeoflife.org.key
 
     #   SSL Engine Options:

diff --git a/deploy/setup/opentree.conf b/deploy/setup/opentree.conf
@@ -26,14 +26,15 @@
       Require ip 127.0.0.1
     </LocationMatch>
 
-    # See http://stackoverflow.com/questions/13216837/install-web2py-in-virtual-hosting
-    #
-    # NOTE that we can only specify WSGIDaemonProcess once, so this directive has been
-    # retained in this file. All other WSGI directives are shared
-    # across both vhosts
-    WSGIDaemonProcess web2py user=opentree group=opentree display-name=%{GROUP}
-
     # OPENTREE SHARED CONFIGURATION
     Include /etc/apache2/opentree-shared.conf
 
 </VirtualHost>
+
+# See http://stackoverflow.com/questions/13216837/install-web2py-in-virtual-hosting
+# and http://stackoverflow.com/questions/11991891/daemon-process-cannot-be-accessed-by-this-wsgi-application-mod-wsgi
+#
+# NOTE that we can only specify WSGIDaemonProcess once, so this directive has been
+# retained in this file. All other WSGI directives are shared
+# across both vhosts
+WSGIDaemonProcess web2py user=opentree group=opentree display-name=%{GROUP}