OpenDev is no longer running an openstackid instance and the puppet
module isn't used by the folks running the current instance. We can go
ahead and clean this repo up.
Depends-On: https://review.opendev.org/c/openstack/project-config/+/818170
Change-Id: Ifab5aa7a839d8353aee9acacd5fd2eec525cc924
With the OpenDev transition for static site content, the official
location for OpenStackID tarballs is now in
https://tarballs.opendev.org/osf/openstackid/ so update our template
accordingly.
Change-Id: I4939b5fde244777126497f707e362d1c28643a4e
Added rules to redirect registration, lost password
and resend verification to the www site.
Change-Id: I487a973826fb40675e5e9999be89d69481a7312e
Depends-On: https://review.opendev.org/#/c/656396/
* added code to ensure that directory /etc/mysql-client-ssl exists
before creating the certs
* fixed typo on .env
Change-Id: I89640b2d25b274bcc7205b6665c9930d695a003d
Added PHP 7.x support and Xenial support using an external
PPA from andrej.
Depends-On: https://review.openstack.org/611936
Change-Id: Ic30cc62216be3035c363fa0203a757df662acf47
Added more configuration params for the
IDP cookie session. Also set the default value
for lifetime from 120 to 1440 minutes as
requested by Jimmy McArthur.
Change-Id: Iddca85712c98f88e11b2c872aaf1911bd6263c39
In order to allow IDP upgrade from
LV 4.x to LV 5.X
(https://review.openstack.org/#/c/305521/),
puppet and shell scripts
were updated to support different versions
of laravel through the config variable $laravel_version
(default value is version 4 so production would not
get affected).
Change-Id: I76a7093f3c88c72256f638d5c56cc8799643b69d
In order to avoid 503 errors caused by timeouts from
php-fpm, the service timeout values were increased,
as was the max request number
per php child process.
Change-Id: I06d94b88716895987ea97cf86365b39caeafa385
Checking the apache2 log I saw a lot of timeout errors like
[proxy_fcgi:error] (70007)The timeout specified has expired: AH01075
so the timeout setting of the proxy was increased to solve it.
Change-Id: I805fcd0e21259905e4db51283a708c9a54a0557b
In order to avoid http 503 errors, and after taking a look
at the php-fpm logs, the
start_servers, min_spare_servers and max_spare_servers
values have been increased to avoid errors like WARNING: [pool www] seems busy
(you may need to increase pm.start_servers, or
pm.min/max_spare_servers).
Change-Id: I5d47625ac4702c1b6704c66967d76fac2a895907
* Updated site config to change MPM from fork to event model
and to start using php5-fpm (fast cgi) to get better site
performance and better use of server resources.
* Updated mysql php driver to a newer one (php5-mysqlnd).
* Added missing dependencies: php5-json (json functions) and
php5-gmp (big number functions used by jose4php).
* Replaced puppet-httpd with puppetlabs-apache.
* Added www.conf to tweak php5-fpm connection settings.
* Updated vhost template to support proxy_fcgi.
* Updated apache connection settings to improve performance on
mpm event.
* Updated dependency to puppetlabs/apache (1.8.1).
Change-Id: I66c6ad413a6b0c31a19cc663058a53edc3bec5cc
Added db seeding support configuration on the install site command;
it is disabled by default to avoid overwriting an existing db.
Change-Id: Iba74a5f6f8a08f73d73bc0ca2d499ea215cf8c8a
* Prefer the ECDHE + AESGCM cipher suites first, these represent the
best performance and the best security.
* Then, prefer the DH + AESGCM, these are equivalent to the first in
terms of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by
strength, then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally
any other non PFS cipher.
* We then exclude any AES256 ciphers, we exclude them here instead of
just not mentioning them so that they can be re-enabled simply by
removing the !AES256. We exclude them because they are not
meaningfully more secure than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
specifying every cipher by name, and we're not specifying any
authentication. This will ensure that no matter what we'll always
have *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our
included ciphers have encryption specified. It exists primarily for
symmetry with !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
specify a digest anywhere, so we want to make sure we don't support
MD5.
* Finally we exclude DSS, PSK, and SRP. These are just to make
debugging the list easier. It's basically impossible to get a DSS
certificate issued instead of an RSA certificate and nobody really
uses PSK or SRP.
This will drop support for IE8 on Windows XP, essentially dropping
support for all versions of IE on Windows XP. Windows XP users
would need to use Firefox or Chrome to use the service.
Change-Id: I4744a6f42b8f7ab4a4b41ad856ecaa424d8ce3fc
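As an added check that is not part of any commit on this page: the cipher string below is assembled from the bullet list above using the OpenSSL keywords the bullets name, in the order they give them (the exact string that was committed is not shown on the page, so this reconstruction is an assumption). The local OpenSSL expands it through Python's ssl module, and the audit function checks the resulting suites against the rules the commit states: no anonymous key exchange, no NULL encryption, no MD5 digest, no AES256, no DSS/PSK/SRP, ECDHE+AESGCM first. The same audit can be pointed at any other cipher string to see what it lets through.

```python
import ssl

# Cipher string assembled from the ordered rules in the commit message.
# Assumption: the exact committed string is not on the page; these are
# the OpenSSL keywords the bullets name, in the order the bullets give.
CIPHER_STRING = (
    "ECDHE+AESGCM:DH+AESGCM:"   # ECDHE and DH with AES-GCM first (PFS + AEAD)
    "ECDH+AES:DH+AES:"          # then any other AES suite with PFS
    "RSA+AESGCM:RSA+AES:"       # then non-PFS suites, AES-GCM first
    "!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP"  # explicit exclusions
)


def expand_cipher_list(cipher_string=CIPHER_STRING):
    """Let the local OpenSSL expand a cipher string into the concrete
    TLS <= 1.2 suites it would offer, in preference order.

    TLS 1.3 suites are configured separately in OpenSSL and are not
    affected by the cipher string, so they are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def _field(description, key):
    """Pull e.g. the value of 'Au=RSA' out of an OpenSSL cipher
    description string such as
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'."""
    for token in description.split():
        if token.startswith(key + "="):
            return token[len(key) + 1:]
    return ""


def audit(ciphers):
    """Check an expanded suite list against the policy the commit spells
    out; returns a list of human-readable violations (empty = compliant)."""
    problems = []
    for c in ciphers:
        name, desc = c["name"], c["description"]
        if _field(desc, "Au") == "None":
            problems.append(f"{name}: anonymous key exchange (aNULL)")
        if _field(desc, "Enc") == "None":
            problems.append(f"{name}: no encryption (eNULL)")
        if _field(desc, "Mac") == "MD5":
            problems.append(f"{name}: MD5 digest")
        if "AES256" in name or c["alg_bits"] > 128:
            problems.append(f"{name}: AES256 should be excluded")
        if "AES" not in name:
            problems.append(f"{name}: non-AES cipher slipped in")
        if any(k in name for k in ("DSS", "PSK", "SRP")):
            problems.append(f"{name}: DSS/PSK/SRP suite")
    return problems


if __name__ == "__main__":
    hardened = expand_cipher_list()
    print(f"{len(hardened)} suites offered, first: {hardened[0]['name']}")
    print("violations:", audit(hardened) or "none")
    # For contrast, OpenSSL's ALL keyword still admits anonymous (aNULL)
    # and AES256 suites, which the audit flags.
    permissive = expand_cipher_list("ALL")
    print("violations in ALL:", len(audit(permissive)))
```

The ordering assertion matters as much as the exclusions: OpenSSL returns suites in the configured preference order, so the first entry of the expanded list shows what a server honouring that order will pick for a capable client.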
According to https://wiki.apache.org/httpd/CommonMisconfigurations
it is wrong to specify the server name in the opening tag. ServerName
should be used instead.
Indentation was also fixed in some files.
Change-Id: Id9d20a672103221efa01be61a174b62706036e57
It turns out that specifying the ciphers we want to use leads to
breakage. So instead we'll explicitly tell Apache which ciphers
we don't want to use.
Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
The POODLE SSLv3 vulnerability is a good reason to stop using SSLv3.
Switch to TLS everywhere in our apache vhost configs.
Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
Create a productive instance of openid service at openstackid.org. This
domain was bought by the Foundation to avoid *.openstack.org cross-domain
issues.
Related tasks:
- create trove database for openid service (openstackid_id_mysql* variables)
- setup connection string to openstack.org profile db
(openstackid_ss_mysql_* variables)
- issue openstackid.org x509 certificate
(openstackid_ssl* variables)
- setup openstackid_redis_password and openstackid_site_admin_password
hiera variables.
Change-Id: Iaf198d004d0c9cad10668405b0e5b2537b791a7f
The OpenStackID deploy tool now tracks the deployed site version
from tarballs.openstack.org, and the deploy.sh status command displays
UPDATE AVAILABLE when a new release is available.
Change-Id: I8bbc3bfceca37d00c3bba78995e3aff01b671aa4
Implements: blueprint openid-oauth2-infra-implementation-puppet-script
Prepares a raw server with all the software stack needed to run the
openstackid project:
* installs PHP
* installs Apache
* installs Redis Server
* creates an initial environment configuration for the laravel application
(using *.erb templates)
Change-Id: If6216da0d70a45609076e8111a67055dbc87c9e4
Refactor the openstack_project::openstackid_dev module out into a
top-level openstackid module in preparation for multiple servers,
set up Apache to serve content out of /srv/openstackid, add an
/etc/openstackid/database.php file with connection details injected
from hiera and keep an updated clone of openstack-infra/openstackid
in /opt/openstackid.
Change-Id: Icdde594384e3af27c8dd185a51b9e5a71619fb7b