Commit Graph

48 Commits

Author SHA1 Message Date
Clark Boylan 9998655fa9 Retire this project
OpenDev is no longer running an openstackid instance and the puppet
module isn't used by the folks running the current instance. We can go
ahead and clean this repo up.

Depends-On: https://review.opendev.org/c/openstack/project-config/+/818170
Change-Id: Ifab5aa7a839d8353aee9acacd5fd2eec525cc924
2021-11-16 14:41:11 -08:00
smarcet d806cb3155 Fixed typo (extra =)
Change-Id: Ied4fdbc58defd6483a6848d522f6ff034afb30c7
Signed-off-by: smarcet <smarcet@gmail.com>
2020-09-22 00:27:13 -03:00
smarcet eb6547e446 Added cloud storage config
Change-Id: I6a9c67da18beacf4b6f67ed2ace8371ba3478fd8
Signed-off-by: smarcet <smarcet@gmail.com>
2020-09-21 09:25:11 -03:00
smarcet 437b6b776e Added message broker (RabbitMQ) settings
updated configuration for message broker

Change-Id: I3112fabafd1172129c5cdc4c3743b5c9685a9338
Signed-off-by: smarcet <smarcet@gmail.com>
Depends-on: https://review.opendev.org/#/c/752734
2020-09-18 15:08:02 -03:00
Jeremy Stanley 5fd8ea4c50 Add SSL options in www subdomain redirect vhost
The *:443 vhost for www needs ssl options set even though it only
hosts a redirect.

Change-Id: Ib9be4d3901a6abd4f55589e41bab363f066d747b
2020-03-27 21:56:21 +00:00
smarcet 24890661b8 added www. CNAME on vhost file
Change-Id: I0c81a5a4efd40c8fe53b843dae4543b6c31813a0
Signed-off-by: smarcet <smarcet@gmail.com>
2020-03-26 15:49:11 -03:00
smarcet a4d88dc494 Added config variables to support emails
* support
* user spam processor results

Change-Id: I27d34b40c1bf04e64340bc245da0f27517a319f3
Signed-off-by: smarcet <smarcet@gmail.com>
2020-03-25 11:20:17 -03:00
smarcet 954b03a75f Fixing results from ZAP Scanning Report
added Strict-Transport-Security header (ZAP finding: "Strict-Transport-Security Header Not Set")

Change-Id: I22b14e30738254ebd3e847003f16a4ad3863ed8a
Signed-off-by: smarcet <smarcet@gmail.com>
2020-03-24 17:39:57 -03:00
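As an added example, not code from the puppet module or from the commit above: a small Python checker for the ZAP finding just mentioned. It parses the Strict-Transport-Security value using the RFC 6797 directive syntax and reports the header missing, a max-age of zero, a max-age below one year (the usual preload-list minimum; that threshold is this example's assumption, not the commit's), or a missing includeSubDomains. The sample header sets are constructed for the example, not captured from openstackid.org.

```python
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; the common minimum for HSTS preload eligibility

# Constructed sample responses (not captured from the real deployment):
# "before" is what ZAP flagged, "after" is an acceptable policy.
SAMPLE_HEADERS = {
    "before": {
        "Content-Type": "text/html; charset=UTF-8",
        "Set-Cookie": "laravel_session=abc; Path=/; Secure; HttpOnly",
    },
    "after": {
        "Content-Type": "text/html; charset=UTF-8",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive, so they are lower-cased; a valueless
    directive such as includeSubDomains maps to an empty string. Quoted values
    are unquoted. Unknown directives are kept so a caller can inspect them.
    """
    directives: Dict[str, str] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = ONE_YEAR) -> List[str]:
    """Return ZAP-style findings for one response's headers; [] means OK."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["Strict-Transport-Security Header Not Set"]

    findings: List[str] = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None:
        findings.append("HSTS max-age directive missing")
    elif not max_age.isdigit():
        findings.append("HSTS max-age is not a non-negative integer")
    elif int(max_age) == 0:
        findings.append("HSTS max-age=0 disables the policy")
    elif int(max_age) < min_age:
        findings.append(f"HSTS max-age below {min_age} seconds")
    if "includesubdomains" not in d:
        findings.append("HSTS does not cover subdomains (includeSubDomains absent)")
    return findings


if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(label, check_hsts(hdrs) or "OK")
```

Before turning on includeSubDomains in a deployment like this one, which also serves a www. redirect vhost, confirm every subdomain is reachable over HTTPS: the directive commits browsers to HTTPS for all of them for max-age seconds.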
Jeremy Stanley e83ceadfe4 Update tarball publication URLs
With the OpenDev transition for static site content, the official
location for OpenStackID tarballs is now in
https://tarballs.opendev.org/osf/openstackid/ so update our template
accordingly.

Change-Id: I4939b5fde244777126497f707e362d1c28643a4e
2020-02-24 21:13:45 +00:00
smarcet d135337253 Fixed supervisor watchdog regex
corrected regex on watchdog script

Change-Id: Ifd7bbf23aaf4b858a88fe849188f95509de0eea8
2020-01-30 11:38:43 -03:00
smarcet f1f6e58ef8 Fixed broken deployment
Refactored to support Doctrine ORM
and Laravel Queues

Change-Id: Iea078ee1e7d2541872b3b6966825eb6988fd266e
2020-01-27 23:15:31 -03:00
smarcet 1806356c52 Updated Build
* Fix on supervisor launch script
* Refactoring on docroot variable

Change-Id: I65099e2ee2a0b3b153d70cb9ba6b7e96ec9baced
2020-01-24 14:51:58 +00:00
smarcet 24076bd286 Updated build
Updated puppet build to support new migration
for user management from IDP side

Change-Id: I633add5af8d96223d331a129f39956b1af4f8867
2020-01-22 04:07:17 +00:00
smarcet 8341bbfd32 Added missing double quotes for some config
variables on .env file

Change-Id: I37446306a31764af14d1339c3f3f568eccd46d90
2019-05-13 20:54:22 -03:00
smarcet 83c937e34a Fix on redirect urls regex
Change-Id: I705223d3b7c80cf482149b5eafa02a682cc8f5a6
2019-04-29 22:14:35 -03:00
Zuul 1a8fd41b3e Merge "Added rewriting rules" 2019-04-29 23:20:17 +00:00
smarcet d5b360bc02 Added rewriting rules
added rules to redirect registration/password lost
and resend verification to www site

Change-Id: I487a973826fb40675e5e9999be89d69481a7312e
Depends-On: https://review.opendev.org/#/c/656396/
2019-04-29 19:02:17 -03:00
smarcet f05f1b5a5f Added parametrized URLs
parametrized URLs for registration,
password reset and verification

Change-Id: I2748957adc92776dddf32b15cb650d8446b8b8a6
Depends-On: https://review.opendev.org/#/c/656395/
2019-04-29 17:19:06 -03:00
smarcet 18261412e5 Add sendgrid support
added SendGrid API key on .env file

Depends-On: https://review.openstack.org/#/c/651794
Change-Id: I084d5f66138f15cf5d9b215a1cb9a304e70e4957
2019-04-11 11:42:24 -03:00
Sebastian Marcet 6336b6cdc7 Fix on mysql ssl certs
* added code to ensure that directory /etc/mysql-client-ssl exists
  before creating the certs
* fixed typo on .env

Change-Id: I89640b2d25b274bcc7205b6665c9930d695a003d
2019-02-15 08:09:01 -03:00
Sebastian Marcet 5ad10537b4 Updated script to support PHP7
Added PHP 7.x support and Xenial support using the external
PPA from andrej

Depends-On: https://review.openstack.org/611936

Change-Id: Ic30cc62216be3035c363fa0203a757df662acf47
2019-01-15 15:01:21 -03:00
Sebastian Marcet 9a044f8e00 Added configuration for MySQL SSL connection
added config params to set up client certs for
PDO SSL connections (MySQL)

Change-Id: Idb04a5a97e5e461bc91508567ad27c1ded60049a
2018-08-23 15:21:21 -03:00
Sebastian Marcet deeb94c40f Fixed typo on session config
added missing =

Change-Id: I6b83e78b441e0f37c8d44dd147f6d53936a5445d
2017-06-02 18:20:10 -03:00
Sebastian Marcet e0374d97e6 Updated session cookie params
added more configuration params for
IDP cookie session. Also set default value
for lifetime from 120 to 1440 minutes as
requested by Jimmy McArthur.

Change-Id: Iddca85712c98f88e11b2c872aaf1911bd6263c39
2017-06-02 16:38:41 -03:00
Sebastian Marcet 49e222aa4a Apache/PHP configuration tweaks
In order to improve IDP responsiveness the
following actions were taken:

* updated apache connection settings
* removed access log settings from apache2
* updated php pool settings
* added php.ini settings
** added zend opcode cache
** set php max memory limit to 32MB
* added php-fpm.conf settings
** set emergency_restart settings

Change-Id: I52aafd41267aa46d4f481b7c91a24732c615632b
2017-04-05 12:24:49 -03:00
Sebastian Marcet 75c6ce708b Puppet script upgrade to LV 5.X
In order to allow IDP upgrade from
LV 4.x to LV 5.X
(https://review.openstack.org/#/c/305521/)
puppet and shell scripts
were updated to support different versions
of Laravel through the config variable $laravel_version
(default value is version 4 so production would not
be affected).

Change-Id: I76a7093f3c88c72256f638d5c56cc8799643b69d
2016-11-23 16:15:26 -03:00
Sebastian Marcet 274521cca5 Updated PHP settings to avoid 503 by timeouts
In order to avoid 503s caused by timeouts from the
php-fpm service, timeout values were increased,
as was the max request number
per PHP child process.

Change-Id: I06d94b88716895987ea97cf86365b39caeafa385
2016-11-01 23:50:44 -03:00
Sebastian Marcet b70762da8b PHP 503 errors
Checking the apache2 log I saw a lot of timeout errors like
[proxy_fcgi:error] (70007)The timeout specified has expired: AH01075
so the timeout setting of the proxy was increased to solve it.

Change-Id: I805fcd0e21259905e4db51283a708c9a54a0557b
2016-10-27 11:15:20 +00:00
Sebastian Marcet 6f938175e0 PHP www pool tuning (HTTP 503)
In order to avoid HTTP 503 errors, and after taking a look
at the php-fpm logs, the
start_servers, min_spare_servers and max_spare_servers
values have been increased to avoid errors like WARNING: [pool www] seems busy
(you may need to increase pm.start_servers, or
pm.min/max_spare_servers).

Change-Id: I5d47625ac4702c1b6704c66967d76fac2a895907
2016-10-25 13:43:43 +00:00
Sebastian Marcet 5efa3a5928 Fix on vhost config
added rewrite rule to pass the HTTP auth header to web app

Change-Id: I62f367f55aecf35eccbf2e10f7626f06843efc69
2016-04-05 14:23:36 -03:00
Sebastian Marcet 13c1777dc0 Fix Vhost (Apache2.4)
* fixed FastCGI configuration (changed to be compatible with < 2.4.10)
* fixed directory permissions

Change-Id: I789d67947b33d05409460c4b26e8c6a595d58694
2016-03-31 00:51:15 -03:00
Sebastian Marcet 6cb41de782 Update Configuration for Precise
added conditional logic to support the FastCGI Apache 2.2 mod on Precise

Change-Id: Ice7a2f9d802fe4fa65589456eb376bafe85ba448
2016-03-30 16:16:50 -03:00
Sebastian Marcet a1c7cc4ed7 Apache MPM event + php5-fpm
* Updated site config to change MPM from fork to event model
  and to start using php5-fpm (FastCGI) to get better site
  performance and a better use of server resources.
* Updated MySQL PHP driver to the newer one (php5-mysqlnd).
* Added missing dependencies: php5-json (JSON functions) and
  php5-gmp (big number functions used by jose4php).
* Replaced puppet-httpd with puppetlabs-apache.
* Added www.conf to tweak php5-fpm connection settings.
* Updated vhost template to support proxy_fcgi.
* Updated apache connection settings to improve performance on
  MPM event.
* Updated dependency to puppetlabs/apache (1.8.1).

Change-Id: I66c6ad413a6b0c31a19cc663058a53edc3bec5cc
2016-03-30 11:18:59 -03:00
Sebastian Marcet 79e17cabef Added DB seeding support
added DB seeding support configuration on the install site command;
by default it is disabled to avoid overwriting an existing DB

Change-Id: Iba74a5f6f8a08f73d73bc0ca2d499ea215cf8c8a
2016-03-21 20:41:20 -03:00
Sebastian Marcet 0bd2988d1c Update Email Configuration file
added a template to parametrize the email configuration sending
process

Change-Id: If640f30f569a77461ba396f07fd07aad1f356587
2016-03-15 08:40:01 -03:00
Sebastian Marcet b94c6b2445 Update App Configuration
Added version variable
updated provider on app.php template

Change-Id: I7e7c38925ff5152e3595202743e32aa296bd2c16
2016-02-26 15:06:07 -03:00
Sebastian Marcet bd1f2efd39 Updated configuration for OIDC
added app.php as template, because now we need the app key set by default
on hiera.

Change-Id: I2d4678f36af911df33d0c334a76eb759aa2f725b
2015-08-18 17:34:27 -03:00
Paul Belanger b802d5f4a0 Fix variable access warnings
Change-Id: If5d0b9945c90d00967414d9dd745ce8dbeb6f3b6
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2015-07-09 16:39:59 -04:00
Donald Stufft 489b7ba022 Specify ciphers that optimize for security and performance
* Prefer the ECDHE + AESGCM cipher suites first, these represent the
  best performance and the best security.
* Then, prefer the DH + AESGCM, these are equivalent to the first in
  terms of security, however they are slower.
* Then, we'll prefer any AES cipher that supports PFS, sorting by
  strength, then performance.
* Then we'll prefer any non PFS cipher, with AESGCM first, but finally
  any other non PFS cipher.
* We then exclude any AES256 ciphers, we exclude them here instead of
  just not mentioning them so that they can be re-enabled simply by
  removing the !AES256. We exclude them because they are not
  meaningfully more secure than AES128, however they are slower.
* We then exclude !aNULL, this is needed because we're not manually
  specifying every cipher by name, and we're not specifying any
  authentication. This will ensure that no matter what we'll always
  have *some* authentication.
* We then exclude !eNULL, this isn't really needed since all of our
  included ciphers have encryption specified. It exists primarily for
  symmetry with !aNULL.
* We then exclude !MD5, much like !aNULL this is done because we don't
  specify a digest anywhere, so we want to make sure we don't support
  MD5.
* Finally we exclude DSS, PSK, and SRP. These are just to make
  debugging the list easier. It's basically impossible to get a DSS
  certificate issued instead of an RSA certificate and nobody really
  uses PSK or SRP.

This will drop support for IE8 on Windows XP, essentially dropping
support for all versions of IE on Windows XP. Windows XP users
would need to use Firefox or Chrome to use the service.

Change-Id: I4744a6f42b8f7ab4a4b41ad856ecaa424d8ce3fc
2015-03-13 13:35:24 -04:00
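As an added example, not the puppet module's own code: the Python script below builds a server SSLContext from a cipher string reconstructed from the rules in the commit message above (an illustrative reconstruction, not the string the module actually shipped) and then audits the resulting negotiable list the way a reviewer would read `openssl ciphers -v`, checking that every exclusion the message lists really took effect and that an ECDHE + AES-GCM suite heads the order. It assumes a modern Python `ssl` module backed by OpenSSL 1.1 or later, and it sets the protocol floor to TLS 1.2 rather than the TLS 1.0 floor of the 2014 "depoodle" commit further down this log (that floor is the example's choice, not the commit's). One caveat the 2015 commit predates: TLS 1.3 suites are not governed by a cipher string at all; Apache 2.4.36+ configures them separately with `SSLCipherSuite TLSv1.3 ...`, so the audit deliberately leaves them out.

```python
"""Audit a TLS cipher preference the way the commit message reasons about it."""
import ssl
from typing import Dict, List

# Cipher string reconstructed from the rules in the commit message above.
# Assumption: an illustrative reconstruction, not the string the module shipped.
CIPHER_PREFERENCE = ":".join([
    "ECDH+AESGCM", "DH+AESGCM",      # PFS key exchange with AEAD first
    "ECDH+AES256", "DH+AES256",      # then any other PFS AES, stronger first
    "ECDH+AES128", "DH+AES",
    "RSA+AESGCM", "RSA+AES",         # non-PFS last, AESGCM before CBC
    "!AES256",                       # excluded here so removing it re-enables them
    "!aNULL", "!eNULL", "!MD5",      # never unauthenticated, unencrypted or MD5
    "!DSS", "!PSK", "!SRP",          # noise that only complicates debugging
])

# Constructed sample (not from a real handshake) of a suite the string must reject.
REJECTED_SAMPLE = [{
    "name": "ADH-AES128-SHA",
    "protocol": "SSLv3",
    "description": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1",
}]


def build_context() -> ssl.SSLContext:
    """Server context carrying the preference: the Python analogue of Apache's
    'SSLCipherSuite <string>' together with 'SSLHonorCipherOrder on'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.2 floor (assumption); the 2014 commit only dropped SSLv2/SSLv3.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's order wins
    ctx.set_ciphers(CIPHER_PREFERENCE)
    return ctx


def sslv3_disabled(ctx: ssl.SSLContext) -> bool:
    """True when SSLv3 can never be negotiated, i.e. POODLE is off the table."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) or ctx.minimum_version > ssl.TLSVersion.SSLv3


def negotiable(ctx: ssl.SSLContext) -> List[Dict]:
    """Suites the cipher string governs. get_ciphers() also lists TLS 1.3
    suites, which no cipher string can touch, so they are filtered out."""
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def _fields(description: str) -> Dict[str, str]:
    # 'description' is the line 'openssl ciphers -v' prints, e.g.
    # 'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD'
    return dict(tok.split("=", 1) for tok in description.split() if "=" in tok)


def audit(ciphers: List[Dict]) -> List[str]:
    """Flag any suite that the exclusions in the commit message should have removed."""
    findings: List[str] = []
    for c in ciphers:
        f = _fields(c["description"])
        name = c["name"]
        if f.get("Au") == "None":
            findings.append(f"{name}: anonymous key exchange (aNULL)")
        if f.get("Enc") == "None":
            findings.append(f"{name}: no encryption (eNULL)")
        if f.get("Mac") == "MD5":
            findings.append(f"{name}: MD5 MAC")
        if f.get("Au") == "DSS":
            findings.append(f"{name}: DSS authentication")
        if "PSK" in f.get("Kx", "") or "SRP" in f.get("Kx", ""):
            findings.append(f"{name}: PSK/SRP key exchange")
        if f.get("Enc", "").startswith("AES") and "(256)" in f.get("Enc", ""):
            findings.append(f"{name}: AES-256 despite !AES256")
    return findings


def pfs_first(ciphers: List[Dict]) -> bool:
    """The first rule in the commit: ECDHE + AES-GCM must head the list."""
    if not ciphers:
        return False
    first = ciphers[0]["name"]
    return first.startswith("ECDHE-") and "GCM" in first


if __name__ == "__main__":
    ctx = build_context()
    suites = negotiable(ctx)
    for c in suites:
        print(c["description"])
    print("SSLv3 disabled:", sslv3_disabled(ctx))
    print("ECDHE+AESGCM first:", pfs_first(suites))
    print("findings:", audit(suites) or "none")
    print("rejected sample:", audit(REJECTED_SAMPLE))
```

The audit reads the Kx=/Au=/Enc=/Mac= fields rather than matching on suite names, because anonymous suites such as ADH-AES128-SHA carry no "NULL" in their name and would slip past a name-based check. Whether the module also set SSLHonorCipherOrder is not stated in the commit; without it, the client's order decides and the careful ordering above is advisory only.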
Jenkins 3be00405e4 Merge "Fix vhost configuration sections" 2015-01-24 21:26:37 +00:00
Marton Kiss 65255adaf0 Enable oauth2 in openstackid configuration
Add oauth2_enable and ssl_enable options to openstackid's server.php
configuration file.

Change-Id: Ib613ffeb550b682940e67273fbeaa8a101796f57
2014-12-19 09:46:25 +01:00
Dmitry Teselkin 8ed5baedad Fix vhost configuration sections
According to https://wiki.apache.org/httpd/CommonMisconfigurations
it is wrong to specify server name in opening tag. ServerName
should be used instead.

Indentations also fixed in some files.

Change-Id: Id9d20a672103221efa01be61a174b62706036e57
2014-12-18 19:33:01 +03:00
Timothy Chavez 70b9326528 Use the SSLProtocol blacklist approach
It turns out that specifying the ciphers we want to use leads to
breakage.  So instead we'll explicitly tell Apache which ciphers
we don't want to use.

Change-Id: I0f8211533495a6a4340c01dadb8069ccf9be429c
2014-10-16 11:41:04 -05:00
Clark Boylan 7e63b0ed57 Use only TLSv1 and greater to depoodle
The poodle SSLv3 vulnerability is a good reason to stop using SSLv3.
Switch to TLS everywhere in our apache vhost configs.

Change-Id: If7b18174253b6f185e029f97bfa77d8ad4941385
2014-10-14 17:07:06 -07:00
Marton Kiss 09e45fbda1 Openstackid.org openid instance
Create a productive instance of openid service at openstackid.org. This
domain was bought by the Foundation to avoid *.openstack.org cross-domain
issues.

Related tasks:
- create trove database for openid service (openstackid_id_mysql* variables)
- setup connection string to openstack.org profile db
  (openstackid_ss_mysql_* variables)
- issue openstackid.org x509 certificate
  (openstackid_ssl* variables)
- setup openstackid_redis_password and openstackid_site_admin_password
  hiera variables.

Change-Id: Iaf198d004d0c9cad10668405b0e5b2537b791a7f
2014-10-08 14:03:50 +00:00
Marton Kiss 2893d81266 Openstackid track site version
Openstackid deploy tool now tracks the deployed site version
from tarballs.openstack.org and deploy.sh status command display
UPDATE AVAILABLE when a new release is available.

Change-Id: I8bbc3bfceca37d00c3bba78995e3aff01b671aa4
2014-03-17 16:30:32 +01:00
smarcet 0c6631eeb7 Clean up puppet (deploy LAMP / setup app config)
Implements: blueprint openid-oauth2-infra-implementation-puppet-script

Prepares a raw server with all software stack needed to run
openstackid project:

* installs PHP
* installs Apache
* installs Redis Server
* creates an initial environment configuration for laravel application
  (using *.erb templates)

Change-Id: If6216da0d70a45609076e8111a67055dbc87c9e4
2014-02-21 11:33:40 -03:00
Jeremy Stanley e7e07ad1f5 Set up openstackid module
Refactor the openstack_project::openstackid_dev module out into a
top-level openstackid module in preparation for multiple servers,
set up Apache to serve content out of /srv/openstackid, add an
/etc/openstackid/database.php file with connection details injected
from hiera and keep an updated clone of openstack-infra/openstackid
in /opt/openstackid.

Change-Id: Icdde594384e3af27c8dd185a51b9e5a71619fb7b
2013-12-27 22:56:55 +00:00