
yellow team mailing list archive

[Merge] lp:~teknico/charms/precise/juju-gui/serve-via-https into lp:~juju-gui/charms/precise/juju-gui/trunk

 

Nicola Larosa has proposed merging lp:~teknico/charms/precise/juju-gui/serve-via-https into lp:~juju-gui/charms/precise/juju-gui/trunk.

Requested reviews:
  Juju GUI Hackers (juju-gui)
Related bugs:
  Bug #1083920 in juju-gui: "Charm should serve the GUI assets over HTTPS"
  https://bugs.launchpad.net/juju-gui/+bug/1083920

For more details, see:
https://code.launchpad.net/~teknico/charms/precise/juju-gui/serve-via-https/+merge/140511

Serve the GUI assets over HTTPS

Generate and install a passphrase-less SSL certificate and private
key, and configure nginx to use it to serve the GUI via HTTPS.

https://codereview.appspot.com/6940084/

-- 
https://code.launchpad.net/~teknico/charms/precise/juju-gui/serve-via-https/+merge/140511
Your team Juju GUI Hackers is requested to review the proposed merge of lp:~teknico/charms/precise/juju-gui/serve-via-https into lp:~juju-gui/charms/precise/juju-gui/trunk.
=== modified file 'README.md'
--- README.md	2012-12-17 22:10:45 +0000
+++ README.md	2012-12-18 18:05:22 +0000
@@ -61,8 +61,8 @@
             - 8080/tcp
             public-address: ec2-204-236-250-8.compute-1.amazonaws.com
 
-That tells me I can go to the public-address in my browser
-(http://ec2-204-236-250-8.compute-1.amazonaws.com/ in this example), and start
+That tells me I can go to the public-address in my browser via HTTPS
+(https://ec2-204-236-250-8.compute-1.amazonaws.com/ in this example), and start
 configuring the rest of Juju with the GUI.  You should see something similar.
 
 Again, until we switch to releases, the charm is fragile.  As I write this,
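Review bot: the status output quoted just above this hunk still lists only `8080/tcp` as an open port, yet the rewritten sentence now sends the reader to an https:// URL; unless the charm also opens 443/tcp and the example output is refreshed to show it, the address given here will not be reachable. Since the certificate is self-signed, a sentence warning that the browser will show a certificate warning on first visit would also save users some confusion.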

=== modified file 'config.yaml'
--- config.yaml	2012-12-07 18:39:00 +0000
+++ config.yaml	2012-12-18 18:05:22 +0000
@@ -38,4 +38,8 @@
       commands that are run by charm hooks.
     type: string
     default: /var/log/juju/juju-gui.log
-
+  ssl-cert-path:
+    description: |
+      The path to the directory where the SSL certificates are stored.
+    type: string
+    default: /etc/ssl/private/juju-gui
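Review bot: `ssl-cert-path` is introduced as a configurable option, but the nginx template in this same proposal hardcodes `/etc/ssl/private/juju-gui/server.pem` and `server.key`, so any non-default value will put the generated files where nginx does not look for them. Either feed the option into the template (e.g. `ssl_certificate %(ssl_cert_path)s/server.pem;`) or drop the option and keep a single fixed location. The description could also state that existing files in that directory are reused rather than regenerated, since that is what `build()` implements.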

=== modified file 'config/nginx.conf.template'
--- config/nginx.conf.template	2012-12-06 17:45:31 +0000
+++ config/nginx.conf.template	2012-12-18 18:05:22 +0000
@@ -1,9 +1,10 @@
 server {
-    listen 80;
+    listen 443 default_server ssl;
     server_name _;
     root %(server_root)s;
-
     index index.html;
+    ssl_certificate /etc/ssl/private/juju-gui/server.pem
+    ssl_certificate_key /etc/ssl/private/juju-gui/server.key
 
     # Serve static assets.
     location ^~ /juju-ui/ {
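Review bot: the two new directives are missing their terminating semicolons (`ssl_certificate /etc/ssl/private/juju-gui/server.pem` and `ssl_certificate_key /etc/ssl/private/juju-gui/server.key`), so nginx will reject this configuration with a syntax error at startup; with the semicolons added, consider substituting the `ssl-cert-path` config value here instead of the literal path. Removing `listen 80;` also means plain-HTTP requests to the unit are now refused outright; a small second `server` block on port 80 that returns a redirect to the https:// address would keep existing links working.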

=== modified file 'hooks/install'
--- hooks/install	2012-12-18 13:23:42 +0000
+++ hooks/install	2012-12-18 18:05:22 +0000
@@ -32,7 +32,8 @@
 
 
 DEB_DEPENDENCIES = (
-    'bzr', 'imagemagick', 'make', 'nginx', 'nodejs', 'npm', 'zookeeper')
+    'bzr', 'imagemagick', 'make', 'nginx', 'nodejs', 'npm', 'openssl',
+    'zookeeper')
 
 
 def get_dependencies():
@@ -45,7 +46,7 @@
     config = get_config()
     get_dependencies()
     fetch(config['juju-gui-branch'], config['juju-api-branch'])
-    build(config['command-log-file'])
+    build(config['command-log-file'], config['ssl-cert-path'])
     config_json.set(config)
 
 

=== modified file 'hooks/utils.py'
--- hooks/utils.py	2012-12-18 13:23:42 +0000
+++ hooks/utils.py	2012-12-18 18:05:22 +0000
@@ -17,6 +17,7 @@
 import json
 import os
 import logging
+import shutil
 import tempfile
 
 from shelltoolbox import (
@@ -201,7 +202,7 @@
         cmd_log(bzr_checkout(juju_api_branch, 'juju'))
 
 
-def build(logpath):
+def build(logpath, ssl_cert_path):
     """Set up Juju GUI and nginx."""
     log('Building Juju GUI.')
     with cd('juju-gui'):
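Review bot: the docstring of `build()` should be extended to document the new `ssl_cert_path` argument (the directory in which `server.pem` and `server.key` are generated or expected to already exist), since callers other than the install hook will otherwise have to read the function body to learn what it expects.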
@@ -220,3 +221,21 @@
         cmd_log(
             run('ln', '-s', juju_gui_site,
                 '/etc/nginx/sites-enabled/juju-gui'))
+    # Generate the nginx SSL certificates, if needed.
+    pem_path = os.path.join(ssl_cert_path, 'server.pem')
+    key_path = os.path.join(ssl_cert_path, 'server.key')
+    if not (os.path.exists(pem_path) and os.path.exists(pem_path)):
+        os.mkdirs(ssl_cert_path)
+        # Create the server private key.
+        cmd_log(run('openssl', 'genrsa', '-des3', '-out', key_path, '1024'))
+        # Create the Certificate Signing Request.
+        csr_path = os.path.join(ssl_cert_path, 'server.csr')
+        cmd_log(run('openssl', 'req', '-new', '-key', key_path, '-out',
+            csr_path))
+        # Avoid passphrase request at nginx startup.
+        orig_key_path = os.path.join(ssl_cert_path, 'server.key.orig')
+        shutil.copyfile(key_path, orig_key_path)
+        cmd_log(run('openssl', 'rsa', '-in', orig_key_path, '-out', key_path))
+        # Sign the certificate using the private key and the CSR.
+        cmd_log(run('openssl', 'x509', '-req', '-days', '365', '-in',
+            csr_path, '-signkey', key_path, '-out', pem_path))
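Review bot: this block will hang a non-interactive hook: `openssl genrsa -des3` prompts on the terminal for a passphrase, `openssl req -new` prompts for the subject fields, and `openssl rsa -in server.key.orig` prompts for the passphrase again, so the install hook stalls (or fails once stdin is closed). Generate the key unencrypted from the start and pass a subject, which also removes the need for the `server.key.orig` copy and the `rsa` step, e.g. `run('openssl', 'req', '-new', '-x509', '-nodes', '-newkey', 'rsa:2048', '-days', '365', '-subj', '/CN=juju-gui', '-keyout', key_path, '-out', pem_path)`. Three further problems: the existence check tests `pem_path` twice and never looks at `key_path`; `os.mkdirs` does not exist (it is `os.makedirs`), and it should tolerate a directory that is already present; and a 1024-bit RSA key is below current recommendations, so use 2048 bits and restrict the key file to mode 0600 after writing it.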

