Merge pull request #2773 from c-po/https-rework-t5766

https: T5902: remove virtual-host configuration
vyos · Jan 9, 2024 · 10f6eac · 10f6eac
2 parents 864524b + 07e802a
commit 10f6eac
Show file tree

Hide file tree

Showing 16 changed files with 348 additions and 367 deletions.
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
@@ -1,60 +1,65 @@
 ### Autogenerated by service_https.py ###
-# Default server configuration
 
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
 server {
-        # SSL configuration
-        #
-{%     if server.address == '*' %}
-        listen {{ server.port }} ssl;
-        listen [::]:{{ server.port }} ssl;
-{%     else %}
-        listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{%     endif %}
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
 
-{%     for name in server.name %}
-        server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
 {%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
 
-        root /srv/localui;
+    server_name {{ hostname }};
+    root /srv/localui;
 
-{%     if server.vyos_cert %}
-        ssl_certificate {{ server.vyos_cert.crt }};
-        ssl_certificate_key {{ server.vyos_cert.key }};
-{%     else %}
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        include snippets/snakeoil.conf;
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
 {%     endif %}
-        ssl_session_cache shared:le_nginx_SSL:10m;
-        ssl_session_timeout 1440m;
-        ssl_session_tickets off;
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
 
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
 
-        # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
-{%     if server.api %}
-                proxy_pass http://unix:/run/api.sock;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_read_timeout 600;
-                proxy_buffering off;
-{%     else %}
-                return 503;
-{%     endif %}
-{%     if server.allow_client %}
-{%         for client in server.allow_client %}
-                allow {{ client }};
-{%         endfor %}
-                deny all;
-{%     endif %}
-        }
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
-        error_page 497 =301 https://$host:{{ server.port }}$request_uri;
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
 }
-
-{% endfor %}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
@@ -3,6 +3,7 @@
 Description=VyOS HTTP API service
 After=vyos-router.service
 Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
 
 [Service]
 ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
@@ -20,4 +21,3 @@ Group=vyattacfg
 
 [Install]
 WantedBy=vyos.target
-
diff --git a/interface-definitions/include/pki/dh-params.xml.i b/interface-definitions/include/pki/dh-params.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from pki/certificate-multi.xml.i -->
+<leafNode name="dh-params">
+  <properties>
+    <help>Diffie Hellman parameters (server only)</help>
+    <completionHelp>
+      <path>pki dh</path>
+    </completionHelp>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in
@@ -720,14 +720,7 @@
               </leafNode>
               #include <include/pki/certificate.xml.i>
               #include <include/pki/ca-certificate-multi.xml.i>
-              <leafNode name="dh-params">
-                <properties>
-                  <help>Diffie Hellman parameters (server only)</help>
-                  <completionHelp>
-                    <path>pki dh</path>
-                  </completionHelp>
-                </properties>
-              </leafNode>
+              #include <include/pki/dh-params.xml.i>
               <leafNode name="crypt-key">
                 <properties>
                   <help>Static key to use to authenticate control channel</help>

diff --git a/interface-definitions/service_https.xml.in b/interface-definitions/service_https.xml.in
@@ -8,52 +8,6 @@
           <priority>1001</priority>
         </properties>
         <children>
-          <tagNode name="virtual-host">
-            <properties>
-              <help>Identifier for virtual host</help>
-              <constraint>
-                <regex>[a-zA-Z0-9-_.:]{1,255}</regex>
-              </constraint>
-              <constraintErrorMessage>illegal characters in identifier or identifier longer than 255 characters</constraintErrorMessage>
-            </properties>
-            <children>
-              <leafNode name="listen-address">
-                <properties>
-                  <help>Address to listen for HTTPS requests</help>
-                  <completionHelp>
-                    <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
-                  </completionHelp>
-                  <valueHelp>
-                    <format>ipv4</format>
-                   <description>HTTPS IPv4 address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>ipv6</format>
-                    <description>HTTPS IPv6 address</description>
-                  </valueHelp>
-                  <valueHelp>
-                    <format>'*'</format>
-                    <description>any</description>
-                  </valueHelp>
-                  <constraint>
-                    <validator name="ip-address"/>
-                    <regex>\*</regex>
-                  </constraint>
-                </properties>
-              </leafNode>
-              #include <include/port-number.xml.i>
-              <leafNode name='port'>
-                <defaultValue>443</defaultValue>
-              </leafNode>
-              <leafNode name="server-name">
-                <properties>
-                  <help>Server names: exact, wildcard, or regex</help>
-                  <multi/>
-                </properties>
-              </leafNode>
-              #include <include/allow-client.xml.i>
-            </children>
-          </tagNode>
           <node name="api">
             <properties>
               <help>VyOS HTTP API configuration</help>
@@ -172,28 +126,49 @@
               </node>
             </children>
           </node>
-          <node name="api-restrict">
+          #include <include/allow-client.xml.i>
+          <leafNode name="enable-http-redirect">
             <properties>
-              <help>Restrict api proxy to subset of virtual hosts</help>
+              <help>Enable HTTP to HTTPS redirect</help>
+              <valueless/>
             </properties>
-            <children>
-              <leafNode name="virtual-host">
-                <properties>
-                  <help>Restrict proxy to virtual host(s)</help>
-                  <multi/>
-                </properties>
-              </leafNode>
-            </children>
-          </node>
+          </leafNode>
+          #include <include/listen-address.xml.i>
+          #include <include/port-number.xml.i>
+          <leafNode name='port'>
+            <defaultValue>443</defaultValue>
+          </leafNode>
           <node name="certificates">
             <properties>
               <help>TLS certificates</help>
             </properties>
             <children>
               #include <include/pki/ca-certificate.xml.i>
               #include <include/pki/certificate.xml.i>
+              #include <include/pki/dh-params.xml.i>
             </children>
           </node>
+          <leafNode name="tls-version">
+            <properties>
+              <help>Specify available TLS version(s)</help>
+              <completionHelp>
+                <list>1.2 1.3</list>
+              </completionHelp>
+              <valueHelp>
+                <format>1.2</format>
+                <description>TLSv1.2</description>
+              </valueHelp>
+              <valueHelp>
+                <format>1.3</format>
+                <description>TLSv1.3</description>
+              </valueHelp>
+              <constraint>
+                <regex>(1.2|1.3)</regex>
+              </constraint>
+              <multi/>
+            </properties>
+            <defaultValue>1.2 1.3</defaultValue>
+          </leafNode>
           #include <include/interface/vrf.xml.i>
         </children>
       </node>

diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
@@ -37,6 +37,7 @@
 }
 
 config_status = '/tmp/vyos-config-status'
+api_config_state = '/run/http-api-state'
 
 cfg_group = 'vyattacfg'
 
@@ -45,14 +46,3 @@
 commit_lock = '/opt/vyatta/config/.lock'
 
 component_version_json = os.path.join(directories['data'], 'component-versions.json')
-
-https_data = {
-    'listen_addresses' : { '*': ['_'] }
-}
-
-vyos_cert_data = {
-    'conf' : '/etc/nginx/snippets/vyos-cert.conf',
-    'crt' : '/etc/ssl/certs/vyos-selfsigned.crt',
-    'key' : '/etc/ssl/private/vyos-selfsign',
-    'lifetime' : '365',
-}
diff --git a/smoketest/config-tests/basic-api-service b/smoketest/config-tests/basic-api-service
@@ -4,15 +4,11 @@ set interfaces loopback lo
 set service ntp server time1.vyos.net
 set service ntp server time2.vyos.net
 set service ntp server time3.vyos.net
+set service https allow-client address '172.16.0.0/12'
+set service https allow-client address '192.168.0.0/16'
+set service https allow-client address '10.0.0.0/8'
+set service https allow-client address '2001:db8::/32'
 set service https api keys id 1 key 'S3cur3'
-set service https virtual-host bar allow-client address '172.16.0.0/12'
-set service https virtual-host bar port '5555'
-set service https virtual-host foo allow-client address '10.0.0.0/8'
-set service https virtual-host foo allow-client address '2001:db8::/32'
-set service https virtual-host foo port '7777'
-set service https virtual-host baz allow-client address '192.168.0.0/16'
-set service https virtual-host baz port '6666'
-set service https virtual-host baz server-name 'baz'
 set system config-management commit-revisions '100'
 set system host-name 'vyos'
 set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'

diff --git a/smoketest/configs/basic-api-service b/smoketest/configs/basic-api-service
@@ -29,6 +29,7 @@ service {
             allow-client {
                 address 192.168.0.0/16
             }
+            listen-address "*"
             listen-port 6666
             server-name baz
         }