authorAndrew Geissler <geissonator@yahoo.com>2018-04-05 09:45:45 -0700
committerBrad Bishop <bradleyb@fuzziesquirrel.com>2018-04-10 00:20:46 +0000
commitfe3a099b901cf376f3b965246aa337c6035d75f0 (patch)
tree828c62e29614df89f17632104643fd4c8c3926b2
parent313aadb3277ee0d19da05834e223ac7b379c706a (diff)
Support optional parameter to not enable ssl
This server can be started in two different ways: 1. Via systemd socket, which can itself come in two different paths: a. Direct bind to external HTTPS port 443 b. Reverse proxy to local port like 8081 2. Via command line call This commit keeps backward compatibility and allows this new --no-ssl option to be passed in when using a proxy. Change-Id: I713b53e492862684eb6db45c602ce3c9e8e2f453 Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
-rw-r--r--servers/gevent/phosphor-gevent59
1 files changed, 40 insertions, 19 deletions
diff --git a/servers/gevent/phosphor-gevent b/servers/gevent/phosphor-gevent
index 5fa26fd..54e788b 100644
--- a/servers/gevent/phosphor-gevent
+++ b/servers/gevent/phosphor-gevent
@@ -27,11 +27,23 @@ try:
except ImportError:
have_wsock = False
+# Parameters
+# <wsgi application> REQUIRED Application to import and run (e.g. rest_dbus)
+# <--no-ssl> OPTIONAL Don't use SSL
+#
+# NOTE: If not activated via a systemd socket then this server will bind
+# by default to all address's at port 443 or 80(--no-ssl)
if __name__ == '__main__':
+
if len(sys.argv) < 2:
sys.stderr.write('WSGI application required!')
sys.exit(1)
+ if (len(sys.argv) > 2) and (sys.argv[2] == "--no-ssl"):
+ use_ssl = False
+ else:
+ use_ssl = True
+
exec('from obmc.wsgi.apps.%s import App' % sys.argv[1])
default_cert = os.path.join(
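Review bot: The check `sys.argv[2] == "--no-ssl"` is positional and silently ignores any other value in that slot, so a misspelled or misplaced flag starts the server in TLS mode with no diagnostic. Because this flag selects the transport security of the REST interface, an unrecognised argument should fail loudly: add an `elif len(sys.argv) > 2:` branch that writes an error to stderr and calls `sys.exit(1)`. The header comment could also state the intended deployment, e.g. `# --no-ssl is intended only behind a local TLS-terminating reverse proxy`, which is what the commit message describes. The `if __name__ == '__main__':` block continues past the end of this hunk.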
@@ -42,20 +54,27 @@ if __name__ == '__main__':
kw['have_wsock'] = True
app = App(**kw)
- # ECDH - Allow Elliptic Curve Diffie Hellman
- # kDH - Allow Key Exchange algorithm as Diffie Hellman
- # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
- # kRSA - Allow Key Exchange algorithm as RSA
- # !SSLv3 - Disallows any ciphers specific to SSLv3
- # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
- # !aNULL - Disallows anonymous authentication or no authentication
- # !eNULL - Disallows connection with NULL encryption
- # !LOW - Disallows any low strength ciphers
- # !MEDIUM- Disallows medium strength ciphers
-
- ssl_ciphers = (
- 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
- )
+ # repurpose for WSGIServer usage below
+ kw = {}
+
+ if use_ssl:
+ # ECDH - Allow Elliptic Curve Diffie Hellman
+ # kDH - Allow Key Exchange algorithm as Diffie Hellman
+ # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
+ # kRSA - Allow Key Exchange algorithm as RSA
+ # !SSLv3 - Disallows any ciphers specific to SSLv3
+ # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
+ # !aNULL - Disallows anonymous authentication or no authentication
+ # !eNULL - Disallows connection with NULL encryption
+ # !LOW - Disallows any low strength ciphers
+ # !MEDIUM- Disallows medium strength ciphers
+
+ kw['ciphers'] = (
+ 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
+ )
+
+ kw['keyfile'] = default_cert
+ kw['certfile'] = default_cert
if os.environ.get('LISTEN_PID', None) == str(os.getpid()):
FIRST_SYSTEMD_SOCKET_FD = 3
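Review bot: The cipher string now stored in `kw['ciphers']` is carried over unchanged and still admits `kRSA` and `kDH`, which the comments above it describe as RSA and (non-ephemeral) Diffie-Hellman key exchange. Neither provides forward secrecy, so captured traffic could be decrypted later if the private key in `default_cert` is ever exposed. Since this block is being restructured anyway, consider dropping `kDH:kRSA` so that only the ephemeral exchanges remain; whether any supported client still depends on RSA key exchange cannot be judged from this diff and should be checked first. The `__main__` block starts before and continues after this hunk.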
@@ -63,12 +82,14 @@ if __name__ == '__main__':
gevent.socket.AF_INET,
gevent.socket.SOCK_STREAM)
else:
- bind = ('', 443)
+ if use_ssl:
+ bind = ('', 443)
+ else:
+ bind = ('', 80)
- kw = {}
if have_wsock:
kw['handler_class'] = WebSocketHandler
- server = WSGIServer(
- bind, app, keyfile=default_cert, certfile=default_cert,
- ciphers=ssl_ciphers, **kw)
+
+ server = WSGIServer( bind, app, **kw )
+
server.serve_forever()
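Review bot: The fallback `bind = ('', 80)` serves the REST API in cleartext on every interface when the process is started from the command line with `--no-ssl`, although the commit message describes the option as meant for a reverse proxy forwarding to a local port. Anything sent over that listener, presumably including login credentials and session cookies, would cross the network unencrypted. Binding the non-TLS fallback to loopback, `bind = ('127.0.0.1', 80)`, keeps the proxy case working without exposing a plaintext listener; the socket-activated path is unaffected because its address comes from the systemd socket unit, which is not visible in this diff. Minor style: `WSGIServer( bind, app, **kw )` should drop the padding inside the parentheses.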