From fe3a099b901cf376f3b965246aa337c6035d75f0 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Thu, 5 Apr 2018 09:45:45 -0700 Subject: Support optional parameter to not enable ssl This server can be started in two different ways: 1. Via systemd socket, which can itself come in two different paths: a. Direct bind to external HTTPS port 443 b. Reverse proxy to local port like 8081 2. Via command line call This commit keeps backward compatibility and allows this new --no-ssl option to be passed in when using a proxy. Change-Id: I713b53e492862684eb6db45c602ce3c9e8e2f453 Signed-off-by: Andrew Geissler --- servers/gevent/phosphor-gevent | 59 ++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/servers/gevent/phosphor-gevent b/servers/gevent/phosphor-gevent index 5fa26fd..54e788b 100644 --- a/servers/gevent/phosphor-gevent +++ b/servers/gevent/phosphor-gevent @@ -27,11 +27,23 @@ try: except ImportError: have_wsock = False +# Parameters +# REQUIRED Application to import and run (e.g. rest_dbus) +# <--no-ssl> OPTIONAL Don't use SSL +# +# NOTE: If not activated via a systemd socket then this server will bind +# by default to all address's at port 443 or 80(--no-ssl) if __name__ == '__main__': + if len(sys.argv) < 2: sys.stderr.write('WSGI application required!') sys.exit(1) + if (len(sys.argv) > 2) and (sys.argv[2] == "--no-ssl"): + use_ssl = False + else: + use_ssl = True + exec('from obmc.wsgi.apps.%s import App' % sys.argv[1]) default_cert = os.path.join( 
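Review bot: A second argument other than the exact string `--no-ssl` (a misspelling, or the flag in a later position) is silently ignored by the new `if (len(sys.argv) > 2) and (sys.argv[2] == "--no-ssl")` check, so the server stays in SSL mode and the operator only finds out when the port-443 bind or certificate load fails. Making the flag position-independent, `use_ssl = '--no-ssl' not in sys.argv[2:]`, and rejecting any other extra argument with the same `sys.stderr.write`/`sys.exit(1)` pattern the file already uses for a missing application name would make misuse fail loudly; `argparse` would give both for free, though the file's own style is plain `sys.argv` handling. The added parameter comment also has a typo, `address's` should read `addresses`. The enclosing `if __name__ == '__main__':` block continues past the end of this hunk.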
@@ -42,20 +54,27 @@ if __name__ == '__main__': kw['have_wsock'] = True app = App(**kw) - # ECDH - Allow Elliptic Curve Diffie Hellman - # kDH - Allow Key Exchange algorithm as Diffie Hellman - # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman - # kRSA - Allow Key Exchange algorithm as RSA - # !SSLv3 - Disallows any ciphers specific to SSLv3 - # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol - # !aNULL - Disallows anonymous authentication or no authentication - # !eNULL - Disallows connection with NULL encryption - # !LOW - Disallows any low strength ciphers - # !MEDIUM- Disallows medium strength ciphers - - ssl_ciphers = ( - 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH' - ) + # repurpose for WSGIServer usage below + kw = {} + + if use_ssl: + # ECDH - Allow Elliptic Curve Diffie Hellman + # kDH - Allow Key Exchange algorithm as Diffie Hellman + # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman + # kRSA - Allow Key Exchange algorithm as RSA + # !SSLv3 - Disallows any ciphers specific to SSLv3 + # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol + # !aNULL - Disallows anonymous authentication or no authentication + # !eNULL - Disallows connection with NULL encryption + # !LOW - Disallows any low strength ciphers + # !MEDIUM- Disallows medium strength ciphers + + kw['ciphers'] = ( + 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH' + ) + + kw['keyfile'] = default_cert + kw['certfile'] = default_cert if os.environ.get('LISTEN_PID', None) == str(os.getpid()): FIRST_SYSTEMD_SOCKET_FD = 3 
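Review bot: Resetting `kw = {}` directly after `app = App(**kw)` reuses one name for two unrelated keyword sets (the App constructor's and the WSGIServer's), which is why the `# repurpose for WSGIServer usage below` comment is needed; a distinct name such as `server_kw` for the new dict, with the `WSGIServer(bind, app, **kw)` call in the following hunk updated to match, removes the need for the comment. Separately, the relocated cipher string excludes SSLv2/SSLv3-specific ciphers but nothing in this block pins the protocol version; if these keyword arguments are passed through to `ssl.wrap_socket`, an explicit `ssl_version` entry next to `keyfile`/`certfile` would be the place to do that — worth confirming against the gevent version in use. The enclosing `if __name__ == '__main__':` block starts before this hunk.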
@@ -63,12 +82,14 @@ if __name__ == '__main__': gevent.socket.AF_INET, gevent.socket.SOCK_STREAM) else: - bind = ('', 443) + if use_ssl: + bind = ('', 443) + else: + bind = ('', 80) - kw = {} if have_wsock: kw['handler_class'] = WebSocketHandler - server = WSGIServer( - bind, app, keyfile=default_cert, certfile=default_cert, - ciphers=ssl_ciphers, **kw) + + server = WSGIServer( bind, app, **kw ) + server.serve_forever() -- cgit v1.2.1
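Review bot: In the non-systemd fallback, `--no-ssl` now makes the server bind `('', 80)`, i.e. plaintext on every interface, although the commit message describes the option as intended for a reverse proxy on a local port. If that is the only supported plaintext deployment, binding loopback in this branch, `bind = ('127.0.0.1', 80)`, keeps an accidental command-line start from exposing the unencrypted HTTP service externally; if external plaintext is meant to be allowed, the NOTE comment added in the first hunk should say so explicitly rather than leaving it implied. Minor style: `WSGIServer( bind, app, **kw )` has spaces inside the parentheses that no other call in the visible code uses, `server = WSGIServer(bind, app, **kw)`. The enclosing `if __name__ == '__main__':` block starts before this hunk.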