Use SSL by default

Makefile

@@ -1,5 +1,5 @@
 NAME          = rmt-server
-VERSION       = 0.0.4
+VERSION       = 0.0.5
 
 all:
 	@:
@@ -25,16 +25,21 @@ dist: clean man
 	@cp -r Gemfile $(NAME)-$(VERSION)/
 	@cp -r Gemfile.lock $(NAME)-$(VERSION)/
 	@cp -r lib $(NAME)-$(VERSION)/
+
 	@mkdir $(NAME)-$(VERSION)/log
 	@cp -r log/.keep $(NAME)-$(VERSION)/log
-	@cp -r Rakefile $(NAME)-$(VERSION)/
-	@cp -r README.md $(NAME)-$(VERSION)/
+	@mkdir $(NAME)-$(VERSION)/ssl
+	@cp -r ssl/.keep $(NAME)-$(VERSION)/ssl
 	@mkdir $(NAME)-$(VERSION)/tmp
 	@cp -r tmp/.keep $(NAME)-$(VERSION)/tmp
+
+	@cp -r Rakefile $(NAME)-$(VERSION)/
+	@cp -r README.md $(NAME)-$(VERSION)/
 	@cp -r .bundle $(NAME)-$(VERSION)/
 	@cp -r locale $(NAME)-$(VERSION)/
 	@mkdir $(NAME)-$(VERSION)/vendor
 	@mkdir -p $(NAME)-$(VERSION)/public/repo/
+	@cp -r public/tools $(NAME)-$(VERSION)/public/
 
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.yml
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.local.yml

lib/rmt.rb

@@ -1,5 +1,5 @@
 module RMT
-  VERSION ||= '0.0.4'.freeze
+  VERSION ||= '0.0.5'.freeze
 
   DEFAULT_USER = '_rmt'.freeze
   DEFAULT_GROUP = 'nginx'.freeze

package/nginx-http.conf

@@ -0,0 +1,15 @@
+server {
+    listen 80   default;
+    server_name rmt;
+    access_log  /var/log/nginx/rmt_http_access.log;
+    error_log   /var/log/nginx/rmt_http_error.log;
+    root        /usr/share/rmt/public;
+
+    location / {
+        autoindex off;
+    }
+
+    location /repo {
+        autoindex on;
+    }
+}

package/nginx-https.conf

@@ -0,0 +1,42 @@
+upstream rmt {
+    server localhost:4224;
+}
+
+server {
+    listen 443   ssl;
+    server_name rmt;
+
+    access_log  /var/log/nginx/rmt_https_access.log;
+    error_log   /var/log/nginx/rmt_https_error.log;
+    root        /usr/share/rmt/public;
+
+    ssl_certificate     /usr/share/rmt/ssl/rmt-server.crt;
+    ssl_certificate_key /usr/share/rmt/ssl/rmt-server.key;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+
+    location / {
+        try_files $uri/index.html $uri.html $uri @rmt_app;
+        autoindex off;
+    }
+
+    location /repo {
+        autoindex on;
+    }
+
+    location @rmt_app {
+        proxy_pass          http://rmt;
+        proxy_redirect      off;
+        proxy_read_timeout  600;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    # An alias to RMT CA certificate, so that it can be downloaded to client machines.
+    location /rmt.crt {
+        alias /usr/share/rmt/ssl/rmt-ca.crt;
+    }
+}

package/rmt-server.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Apr  9 09:58:02 UTC 2018 - ikapelyukhin@suse.com
+
+- version 0.0.5
+- Allow access to the API only via HTTPS, add directories to store SSL
+  keys & certificates, add clientSetup4RMT.sh script
+  https://github.com/SUSE/rmt/pull/122
+
 -------------------------------------------------------------------
 Fri Apr  6 13:45:21 UTC 2018 - hschmidt@suse.com
 

package/rmt-server.spec

@@ -27,7 +27,7 @@
 %define rmt_group   nginx
 
 Name:           rmt-server
-Version:        0.0.4
+Version:        0.0.5
 Release:        0
 Summary:        Repository mirroring tool and registration proxy for SCC
 License:        GPL-2.0+
@@ -40,7 +40,7 @@ Source0:        %{name}-%{version}.tar.bz2
 Source1:        rmt-server-rpmlintrc
 Source2:        rmt.conf
 Source3:        rmt.8.gz
-Source4:        rmt-server.conf
+Source4:        nginx-http.conf
 Source5:        rmt-server-mirror.service
 Source6:        rmt-server-mirror.timer
 Source7:        rmt-server-sync.service
@@ -50,6 +50,7 @@ Source10:       rmt.target
 Source11:       rmt-migration.service
 Source12:       rmt-server-sync-sles12.timer
 Source13:       rmt-server-mirror-sles12.timer
+Source14:       nginx-https.conf
 
 Patch0:         use-ruby-2.5-in-rmt-cli.patch
 Patch1:         use-ruby-2.5-in-rails.patch
@@ -104,12 +105,14 @@ mkdir -p %{buildroot}%{lib_dir}
 mkdir -p %{buildroot}%{app_dir}
 
 mv tmp %{buildroot}%{data_dir}
-mv public %{buildroot}%{data_dir}
+mkdir %{buildroot}%{data_dir}/public
+mv public/repo %{buildroot}%{data_dir}/public/
 mv vendor %{buildroot}%{lib_dir}
+mv ssl %{buildroot}%{app_dir}
 
 cp -ar . %{buildroot}%{app_dir}
 ln -s %{data_dir}/tmp %{buildroot}%{app_dir}/tmp
-ln -s %{data_dir}/public %{buildroot}%{app_dir}/public
+ln -s %{data_dir}/public/repo %{buildroot}%{app_dir}/public/repo
 mkdir -p %{buildroot}%{_bindir}
 ln -s %{app_dir}/bin/rmt-cli %{buildroot}%{_bindir}
 install -D -m 644 %_sourcedir/rmt.8.gz %{buildroot}%_mandir/man8/rmt.8.gz
@@ -140,7 +143,8 @@ mkdir -p %{buildroot}%{_sysconfdir}
 mv %{_builddir}/rmt.conf %{buildroot}%{_sysconfdir}/rmt.conf
 
 # nginx
-install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/nginx/vhosts.d/rmt-server.conf
+install -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/nginx/vhosts.d/rmt-server-http.conf
+install -D -m 644 %{SOURCE14} %{buildroot}%{_sysconfdir}/nginx/vhosts.d/rmt-server-https.conf
 
 sed -i -e '/BUNDLE_PATH: .*/cBUNDLE_PATH: "\/usr\/lib64\/rmt\/vendor\/bundle\/"' \
     -e 's/^BUNDLE_JOBS: .*/BUNDLE_JOBS: "1"/' \
@@ -179,7 +183,8 @@ find %{buildroot}%{lib_dir}/vendor/bundle/ruby/*/gems/yard*/ -type f -exec chmod
 %attr(-,%{rmt_user},%{rmt_group}) %{app_dir}
 %attr(-,%{rmt_user},%{rmt_group}) %{data_dir}
 %config(noreplace) %{_sysconfdir}/rmt.conf
-%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/rmt-server.conf
+%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/rmt-server-http.conf
+%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/rmt-server-https.conf
 %doc %{_mandir}/man8/rmt.8.gz
 %{_sysconfdir}/nginx
 %{_sysconfdir}/nginx/vhosts.d

package/rmt.service

@@ -2,6 +2,7 @@
 Description=RMT API server
 Requires=mysql.service
 Requires=rmt-migration.service
+Requires=nginx.service
 After=rmt-migration.service
 
 [Service]