diff --git a/files/debs/tls-proxy b/files/debs/tls-proxy
index dce9c07d3f..5bd8e213a2 100644
--- a/files/debs/tls-proxy
+++ b/files/debs/tls-proxy
@@ -1 +1 @@
-stud
+apache2
diff --git a/functions-common b/functions-common
index 1a4a8f8eea..4716567be3 100644
--- a/functions-common
+++ b/functions-common
@@ -2304,6 +2304,16 @@ function stop_service {
fi
}
+# Service wrapper to stop services
+# reload_service service-name
+function reload_service {
+ if [ -x /bin/systemctl ]; then
+ sudo /bin/systemctl reload $1
+ else
+ sudo service $1 reload
+ fi
+}
+
# Test with a finite retry loop.
#
function test_with_retry {
diff --git a/lib/apache b/lib/apache
index 2c84c7a481..740f58835e 100644
--- a/lib/apache
+++ b/lib/apache
@@ -42,24 +42,40 @@ fi
# Functions
# ---------
+
+# Enable apache mod and restart apache if it isn't already enabled.
+function enable_apache_mod {
+ local mod=$1
+ # Apache installation, because we mark it NOPRIME
+ if is_ubuntu || is_suse ; then
+ if ! a2query -m $mod ; then
+ sudo a2enmod $mod
+ restart_apache_server
+ fi
+ elif is_fedora; then
+ # pass
+ true
+ else
+ exit_distro_not_supported "apache enable mod"
+ fi
+}
+
# install_apache_wsgi() - Install Apache server and wsgi module
function install_apache_wsgi {
# Apache installation, because we mark it NOPRIME
if is_ubuntu; then
# Install apache2, which is NOPRIME'd
install_package apache2 libapache2-mod-wsgi
- # WSGI isn't enabled by default, enable it
- sudo a2enmod wsgi
elif is_fedora; then
sudo rm -f /etc/httpd/conf.d/000-*
install_package httpd mod_wsgi
elif is_suse; then
install_package apache2 apache2-mod_wsgi
- # WSGI isn't enabled by default, enable it
- sudo a2enmod wsgi
else
- exit_distro_not_supported "apache installation"
+ exit_distro_not_supported "apache wsgi installation"
fi
+ # WSGI isn't enabled by default, enable it
+ enable_apache_mod wsgi
# ensure mod_version enabled for <IfVersion ...>. This is
# built-in statically on anything recent, but precise (2.2)
@@ -192,6 +208,11 @@ function restart_apache_server {
time_stop "restart_apache_server"
}
+# reload_apache_server
+function reload_apache_server {
+ reload_service $APACHE_NAME
+}
+
# Restore xtrace
$_XTRACE_LIB_APACHE
diff --git a/lib/cinder b/lib/cinder
index a87f395c8e..0fe950b6c2 100644
--- a/lib/cinder
+++ b/lib/cinder
@@ -305,8 +305,8 @@ function configure_cinder {
if is_service_enabled tls-proxy; then
# Set the service port for a proxy to take the original
iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT
-
iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
+ iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT
fi
if [ "$SYSLOG" != "False" ]; then
@@ -534,7 +534,7 @@ function start_cinder {
# Start proxies if enabled
if is_service_enabled c-api && is_service_enabled tls-proxy; then
- start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT &
+ start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT
fi
}
diff --git a/lib/glance b/lib/glance
index 8d95aad73f..a31e564104 100644
--- a/lib/glance
+++ b/lib/glance
@@ -383,8 +383,8 @@ function install_glance {
function start_glance {
local service_protocol=$GLANCE_SERVICE_PROTOCOL
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT &
- start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT &
+ start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT
+ start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT
fi
run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"
diff --git a/lib/keystone b/lib/keystone
index a8423bcb9e..851db042ba 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -611,8 +611,8 @@ function start_keystone {
# Start proxies if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &
- start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &
+ start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT
+ start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT
fi
# (re)start memcached to make sure we have a clean memcache.
diff --git a/lib/neutron b/lib/neutron
index 7442efd2c1..a715b4edf4 100644
--- a/lib/neutron
+++ b/lib/neutron
@@ -412,7 +412,7 @@ function start_neutron_api {
# Start proxy if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT &
+ start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT
fi
}
diff --git a/lib/neutron-legacy b/lib/neutron-legacy
index 1b7c4db507..123ba4238f 100644
--- a/lib/neutron-legacy
+++ b/lib/neutron-legacy
@@ -462,7 +462,7 @@ function start_neutron_service_and_check {
# Start proxy if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT &
+ start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT
fi
}
diff --git a/lib/nova b/lib/nova
index 670f605fd6..60c1f51b27 100644
--- a/lib/nova
+++ b/lib/nova
@@ -808,7 +808,7 @@ function start_nova_api {
# Start proxies if enabled
if is_service_enabled tls-proxy; then
- start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &
+ start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT
fi
export PATH=$old_path
diff --git a/lib/swift b/lib/swift
index 0c74411a9c..f9ea028cea 100644
--- a/lib/swift
+++ b/lib/swift
@@ -806,7 +806,7 @@ function start_swift {
done
if is_service_enabled tls-proxy; then
local proxy_port=${SWIFT_DEFAULT_BIND_PORT}
- start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT &
+ start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT
fi
run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"
if [[ ${SWIFT_REPLICAS} == 1 ]]; then
diff --git a/lib/tls b/lib/tls
index ca57ed44e0..2c4e18d388 100644
--- a/lib/tls
+++ b/lib/tls
@@ -16,7 +16,6 @@
#
# - configure_CA
# - init_CA
-# - cleanup_CA
# - configure_proxy
# - start_tls_proxy
@@ -221,19 +220,6 @@ function init_CA {
fi
}
-# Clean up the CA files
-# cleanup_CA
-function cleanup_CA {
- if is_fedora; then
- sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
- sudo update-ca-trust
- elif is_ubuntu; then
- sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
- sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
- sudo update-ca-certificates
- fi
-}
-
# Create an initial server cert
# init_cert
function init_cert {
@@ -455,26 +441,72 @@ function enable_mod_ssl {
# Starts the TLS proxy for the given IP/ports
# start_tls_proxy front-host front-port back-host back-port
function start_tls_proxy {
- local f_host=$1
- local f_port=$2
- local b_host=$3
- local b_port=$4
+ local b_service="$1-tls-proxy"
+ local f_host=$2
+ local f_port=$3
+ local b_host=$4
+ local b_port=$5
- stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null
+ local config_file
+ config_file=$(apache_site_config_for $b_service)
+ local listen_string
+ # Default apache configs on ubuntu and centos listen on 80 and 443
+ # newer apache seems fine with duplicate listen directive but older
+ # apache does not so special case 80 and 443.
+ if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then
+ listen_string=""
+ elif [[ "$f_host" == '*' ]] ; then
+ listen_string="Listen $f_port"
+ else
+ listen_string="Listen $f_host:$f_port"
+ fi
+ sudo bash -c "cat >$config_file" << EOF
+$listen_string
+
+<VirtualHost $f_host:$f_port>
+ SSLEngine On
+ SSLCertificateFile $DEVSTACK_CERT
+
+ <Location />
+ ProxyPass http://$b_host:$b_port/ retry=5 nocanon
+ ProxyPassReverse http://$b_host:$b_port/
+ </Location>
+</VirtualHost>
+EOF
+ for mod in ssl proxy proxy_http; do
+ enable_apache_mod $mod
+ done
+ enable_apache_site $b_service
+ # Only a reload is required to pull in new vhosts
+ # Note that a restart reliably fails on centos7 and trusty
+ # because apache can't open port 80 because the old apache
+ # still has it open. Using reload fixes trusty but centos7
+ # still doesn't work.
+ reload_apache_server
}
# Cleanup Functions
# =================
-# Stops all stud processes. This should be done only after all services
+# Stops the apache service. This should be done only after all services
# using tls configuration are down.
function stop_tls_proxy {
- killall stud
+ stop_apache_server
}
-# Remove CA along with configuration, as well as the local server certificate
+# Clean up the CA files
+# cleanup_CA
function cleanup_CA {
+ if is_fedora; then
+ sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem
+ sudo update-ca-trust
+ elif is_ubuntu; then
+ sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt
+ sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt
+ sudo update-ca-certificates
+ fi
+
rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"
}
diff --git a/stack.sh b/stack.sh
index f47842b90d..6a5a2a318f 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1052,6 +1052,7 @@ EOF
if is_service_enabled tls-proxy; then
echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+ start_tls_proxy http-services '*' 443 $SERVICE_HOST 80
fi
source $TOP_DIR/userrc_early