From b33c0ca5749a0c44a6d2d311cfd5ecfdbec07dcb Mon Sep 17 00:00:00 2001 From: Christoph Albers Date: Fri, 25 Nov 2016 15:56:20 +0100 Subject: [PATCH] Ceilometer-api / Gnocchi-api WSGI refactor - now using wsgi apps for both apis - bumped gnocchi package version due to python-openssl bugs Change-Id: I63636ca8c08660f44433e701c55e1e0e7db5465f --- attributes/default.rb | 31 ++++++++- metadata.rb | 1 + recipes/api.rb | 66 ++++++++++++++++-- recipes/gnocchi_configure.rb | 60 ++++++++++++++-- recipes/gnocchi_install.rb | 2 +- spec/api-rhel_spec.rb | 7 +- spec/api_spec.rb | 106 +++++++++++++++++++++++++++-- spec/gnocchi_configure_spec.rb | 113 +++++++++++++++++++++++++++++-- spec/gnocchi_install_spec.rb | 4 +- spec/spec_helper.rb | 6 ++ templates/wsgi-template.conf.erb | 37 ++++++++++ 11 files changed, 400 insertions(+), 33 deletions(-) create mode 100644 templates/wsgi-template.conf.erb diff --git a/attributes/default.rb b/attributes/default.rb index 6988de9..fa19c39 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -18,7 +18,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # - +# Set to some text value if you want templated config files +# to contain a custom banner at the top of the written file +default['openstack']['telemetry']['custom_template_banner'] = + '# This file autogenerated by Chef, changes will be overwritten' # Set the endpoints for the telemetry services to allow all other cookbooks to # access and use them %w(telemetry telemetry-metric).each do |ts| 
@@ -58,6 +61,28 @@ default['openstack']['telemetry']['identity-api']['auth']['version'] = default['openstack']['telemetry-metric']['identity-api']['auth']['version'] = node['openstack']['api']['auth']['version'] +%w(telemetry telemetry-metric).each do |ts| + # specify whether to enable SSL for ceilometer API endpoint + default['openstack'][ts]['ssl']['enabled'] = false + # specify server whether to enforce client certificate requirement + default['openstack'][ts]['ssl']['cert_required'] = false + # SSL certificate, keyfile and CA certficate file locations + default['openstack'][ts]['ssl']['basedir'] = '/etc/ceilometer/ssl' + # Protocol for SSL (Apache) + default['openstack'][ts]['ssl']['protocol'] = 'All -SSLv2 -SSLv3' + # Which ciphers to use with the SSL/TLS protocol (Apache) + # Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA' + default['openstack'][ts]['ssl']['ciphers'] = nil + # path of the cert file for SSL. + default['openstack'][ts]['ssl']['certfile'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/sslcert.pem" + # path of the keyfile for SSL. + default['openstack'][ts]['ssl']['keyfile'] = "#{node['openstack'][ts]['ssl']['basedir']}/private/sslkey.pem" + default['openstack'][ts]['ssl']['chainfile'] = nil + # path of the CA cert file for SSL. + default['openstack'][ts]['ssl']['ca_certs'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/sslca.pem" + # path of the CA cert files for SSL (Apache) + default['openstack'][ts]['ssl']['ca_certs_path'] = "#{node['openstack'][ts]['ssl']['basedir']}/certs/" +end case platform_family when 'rhel' default['openstack']['telemetry']['platform'] = { 
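Review bot: The default `default['openstack'][ts]['ssl']['protocol'] = 'All -SSLv2 -SSLv3'` still permits TLS 1.0 and 1.1, and with `ciphers` left at `nil` the vhost inherits whatever cipher list the Apache build ships with. Consider a stricter default such as `'All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1'`, provided the target Apache/OpenSSL supports TLS 1.2, and a documented cipher default instead of `nil`. The `certfile`, `keyfile`, `ca_certs` and `ca_certs_path` defaults interpolate `basedir` when the attribute file is loaded, so overriding only `basedir` in a role or environment will presumably not move them; a comment saying each path must be overridden explicitly would help. The example cipher string in the comment is also missing a colon in `!PSK!RC4`.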
@@ -82,7 +107,7 @@ when 'rhel' when 'debian' default['openstack']['telemetry']['platform'] = { 'common_packages' => ['ceilometer-common'], - 'gnocchi_packages' => ['gnocchi-api', 'gnocchi-metricd'], + 'gnocchi_packages' => ['python-gnocchi', 'gnocchi-common', 'gnocchi-api', 'gnocchi-metricd'], 'gnocchi-api_service' => 'gnocchi-api', 'gnocchi-metricd_service' => 'gnocchi-metricd', 'agent_central_packages' => ['ceilometer-agent-central'], @@ -91,6 +116,8 @@ when 'debian' 'agent_compute_service' => 'ceilometer-agent-compute', 'agent_notification_packages' => ['ceilometer-agent-notification'], 'agent_notification_service' => 'ceilometer-agent-notification', + 'ceilometer-api_wsgi_file' => '/usr/lib/python2.7/dist-packages/ceilometer/api/app.wsgi', + 'gnocchi-api_wsgi_file' => '/usr/share/gnocchi-common/app.wsgi', 'api_packages' => ['ceilometer-api'], 'api_service' => 'ceilometer-api', 'client_packages' => ['python-ceilometerclient', 'python-gnocchiclient'], diff --git a/metadata.rb b/metadata.rb index b0bae68..a53fb63 100644 --- a/metadata.rb +++ b/metadata.rb @@ -26,3 +26,4 @@ end depends 'openstack-common', '>= 14.0.0' depends 'openstack-identity', '>= 14.0.0' depends 'openstackclient' +depends 'apache2', '~> 3.2' diff --git a/recipes/api.rb b/recipes/api.rb index ecfe8db..d5d265f 100644 --- a/recipes/api.rb +++ b/recipes/api.rb @@ -20,7 +20,14 @@ # limitations under the License. # -include_recipe 'openstack-telemetry::common' +require 'uri' + +# load the methods defined in cookbook-openstack-common libraries +class ::Chef::Recipe + include ::Openstack +end + +# include_recipe 'openstack-telemetry::common' platform = node['openstack']['telemetry']['platform'] platform['api_packages'].each do |pkg| 
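Review bot: The `'ceilometer-api_wsgi_file'` and `'gnocchi-api_wsgi_file'` keys are added only to the `when 'debian'` platform hash in the `@@ -91,6 +116,8 @@` hunk; no visible hunk adds them to the `when 'rhel'` hash, which lies outside the hunks shown. The recipes read them with `IO.read(platform['ceilometer-api_wsgi_file'])`, so on RHEL the value would presumably be `nil` and the `file` resource would fail at converge time. Either add the RHEL paths or guard the recipes for that platform family. The ceilometer path hard-codes `python2.7/dist-packages`, which deserves a comment because it ties the attribute to one interpreter layout.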
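Review bot: `include_recipe 'openstack-telemetry::common'` is left commented out instead of being removed, in the first hunk of recipes/api.rb. If the common recipe is no longer wanted here, delete the line and state in the commit message which recipe now renders ceilometer.conf on API nodes; if it is still needed, the API recipe can now converge without its configuration in place. `require 'uri'` is added, but nothing in the visible api.rb hunks uses `URI`.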
@@ -29,9 +36,58 @@ platform['api_packages'].each do |pkg| action :upgrade end end +bind_service = node['openstack']['bind_service']['all']['telemetry'] +bind_service_address = bind_address bind_service +#### Start of Apache specific work -service 'ceilometer-api' do - service_name platform['api_service'] - subscribes :restart, "template[#{node['openstack']['telemetry']['conf_file']}]" - action [:enable, :start] +# configure attributes for apache2 cookbook to align with openstack settings +apache_listen = Array(node['apache']['listen']) # include already defined listen attributes +# Remove the default apache2 cookbook port, as that is also the default for horizon, but with +# a different address syntax. *:80 vs 0.0.0.0:80 +apache_listen -= ['*:80'] +apache_listen += ["#{bind_service_address}:#{bind_service.port}"] +node.normal['apache']['listen'] = apache_listen.uniq + +# include the apache2 default recipe and the recipes for mod_wsgi +include_recipe 'apache2' +include_recipe 'apache2::mod_wsgi' +# include the apache2 mod_ssl recipe if ssl is enabled for identity +include_recipe 'apache2::mod_ssl' if node['openstack']['telemetry']['ssl']['enabled'] + +# create the ceilometer-api apache directory +ceilometer_apache_dir = "#{node['apache']['docroot_dir']}/ceilometer" +directory ceilometer_apache_dir do + owner 'root' + group 'root' + mode 00755 +end + +ceilometer_server_entry = "#{ceilometer_apache_dir}/app" +# Note: Using lazy here as the wsgi file is not available until after +# the ceilometer-api package is installed during execution phase. 
+file ceilometer_server_entry do + content lazy { IO.read(platform['ceilometer-api_wsgi_file']) } + owner 'root' + group 'root' + mode 00755 +end + +web_app 'ceilometer-api' do + template 'wsgi-template.conf.erb' + deamon_process 'ceilometer-api' + server_host node['openstack']['telemetry']['conf']['api']['host'] + server_port node['openstack']['telemetry']['conf']['api']['port'] + server_entry ceilometer_server_entry + log_dir node['apache']['log_dir'] + log_debug node['openstack']['telemetry']['debug'] + user node['openstack']['telemetry']['user'] + group node['openstack']['telemetry']['group'] + use_ssl node['openstack']['telemetry']['ssl']['enabled'] + cert_file node['openstack']['telemetry']['ssl']['certfile'] + chain_file node['openstack']['telemetry']['ssl']['chainfile'] + key_file node['openstack']['telemetry']['ssl']['keyfile'] + ca_certs_path node['openstack']['telemetry']['ssl']['ca_certs_path'] + cert_required node['openstack']['telemetry']['ssl']['cert_required'] + protocol node['openstack']['telemetry']['ssl']['protocol'] + ciphers node['openstack']['telemetry']['ssl']['ciphers'] end diff --git a/recipes/gnocchi_configure.rb b/recipes/gnocchi_configure.rb index 52f46af..7131a47 100644 --- a/recipes/gnocchi_configure.rb +++ b/recipes/gnocchi_configure.rb @@ -15,7 +15,9 @@ # See the License for the specific language governing permissions and # limitations under the License. # - +class ::Chef::Recipe + include ::Openstack +end platform = node['openstack']['telemetry']['platform'] db_user = node['openstack']['db']['telemetry-metric']['username'] db_pass = get_password 'db', 'gnocchi' 
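Review bot: Nothing in the new recipes/api.rb lines reloads Apache when ceilometer.conf changes, because the removed `service 'ceilometer-api'` resource carried the only `subscribes :restart` on that template. Updated settings would therefore not reach the WSGI app until Apache restarts for another reason, and nothing stops or disables the packaged standalone daemon, which may still hold the API port. Consider keeping a `service` resource with `action [:stop, :disable]` and notifying `service[apache2]` from the config template. The copied WSGI entry point is written with `mode 00755`, but mod_wsgi only needs to read it, so `mode 00644` would be enough. `deamon_process` is a misspelling of `daemon_process` that works only because the template uses the same spelling.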
@@ -95,10 +97,58 @@ execute 'gnocchi-upgrade' do user node['openstack']['telemetry-metric']['user'] end -service 'gnocchi-api' do - service_name platform['gnocchi-api_service'] - subscribes :restart, "template[#{node['openstack']['telemetry-metric']['conf_file']}]" - action [:enable, :start] +#### Start of Apache specific work + +# configure attributes for apache2 cookbook to align with openstack settings +apache_listen = Array(node['apache']['listen']) # include already defined listen attributes +# Remove the default apache2 cookbook port, as that is also the default for horizon, but with +# a different address syntax. *:80 vs 0.0.0.0:80 +apache_listen -= ['*:80'] +apache_listen += ["#{bind_service_address}:#{bind_service.port}"] +node.normal['apache']['listen'] = apache_listen.uniq + +# include the apache2 default recipe and the recipes for mod_wsgi +include_recipe 'apache2' +include_recipe 'apache2::mod_wsgi' +# include the apache2 mod_ssl recipe if ssl is enabled for identity +include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled'] + +# create the gnocchi-api apache directory +gnocchi_apache_dir = "#{node['apache']['docroot_dir']}/gnocchi" +directory gnocchi_apache_dir do + owner 'root' + group 'root' + mode 00755 +end + +gnocchi_server_entry = "#{gnocchi_apache_dir}/app" +# Note: Using lazy here as the wsgi file is not available until after +# the gnocchik-api package is installed during execution phase. 
+file gnocchi_server_entry do + content lazy { IO.read(platform['gnocchi-api_wsgi_file']) } + owner 'root' + group 'root' + mode 00755 +end + +web_app 'gnocchi-api' do + template 'wsgi-template.conf.erb' + deamon_process 'gnocchi-api' + server_host node['openstack']['telemetry-metric']['conf']['api']['host'] + server_port node['openstack']['telemetry-metric']['conf']['api']['port'] + server_entry gnocchi_server_entry + log_dir node['apache']['log_dir'] + log_debug node['openstack']['telemetry-metric']['debug'] + user node['openstack']['telemetry-metric']['user'] + group node['openstack']['telemetry-metric']['group'] + use_ssl node['openstack']['telemetry-metric']['ssl']['enabled'] + cert_file node['openstack']['telemetry-metric']['ssl']['certfile'] + chain_file node['openstack']['telemetry-metric']['ssl']['chainfile'] + key_file node['openstack']['telemetry-metric']['ssl']['keyfile'] + ca_certs_path node['openstack']['telemetry-metric']['ssl']['ca_certs_path'] + cert_required node['openstack']['telemetry-metric']['ssl']['cert_required'] + protocol node['openstack']['telemetry-metric']['ssl']['protocol'] + ciphers node['openstack']['telemetry-metric']['ssl']['ciphers'] end service 'gnocchi-metricd' do diff --git a/recipes/gnocchi_install.rb b/recipes/gnocchi_install.rb index 0765618..abc5422 100644 --- a/recipes/gnocchi_install.rb +++ b/recipes/gnocchi_install.rb @@ -22,6 +22,6 @@ platform = node['openstack']['telemetry']['platform'] platform['gnocchi_packages'].each do |pkg| package pkg do options platform['package_overrides'] - action :upgrade + version '2.0.2-4' end end diff --git a/spec/api-rhel_spec.rb b/spec/api-rhel_spec.rb index 1ce09bc..eaafa15 100644 --- a/spec/api-rhel_spec.rb +++ b/spec/api-rhel_spec.rb 
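Review bot: `include_recipe 'apache2::mod_ssl' if node['openstack']['identity']['ssl']['enabled']` keys mod_ssl on the identity service's flag, while the `web_app 'gnocchi-api'` block takes `use_ssl` from `node['openstack']['telemetry-metric']['ssl']['enabled']`. With SSL enabled only for telemetry-metric the vhost would emit `SSLEngine On` without mod_ssl loaded, and Apache would likely reject the configuration. The condition should read `node['openstack']['telemetry-metric']['ssl']['enabled']`, matching what recipes/api.rb does for telemetry. `bind_service_address` and `bind_service` are used in the `apache_listen` line but not defined in this hunk; confirm they are set earlier in the recipe, which lies outside the hunk.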
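Review bot: `version '2.0.2-4'` is hard-coded inside the loop over `platform['gnocchi_packages']` in recipes/gnocchi_install.rb, so the same Debian-style version string is applied to every package in the list and on every platform family. The pin also replaces `action :upgrade`, so nodes will no longer pick up fixed package builds until the recipe itself is edited. Move the version into an attribute, for example `version node['openstack']['telemetry-metric']['gnocchi_version']` (attribute name is a placeholder), and add a comment pointing at the python-openssl problem named in the commit message so the pin can be lifted later.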
@@ -9,14 +9,9 @@ describe 'openstack-telemetry::api' do let(:chef_run) { runner.converge(described_recipe) } include_context 'telemetry-stubs' - include_examples 'expect-runs-common-recipe' it 'installs the api package' do - expect(chef_run).to upgrade_package('openstack-ceilometer-api') - end - - it 'starts api service' do - expect(chef_run).to start_service('openstack-ceilometer-api') + expect(chef_run).to upgrade_package 'openstack-ceilometer-api' end end end diff --git a/spec/api_spec.rb b/spec/api_spec.rb index f55248c..86ba7c1 100644 --- a/spec/api_spec.rb +++ b/spec/api_spec.rb 
@@ -9,20 +9,112 @@ describe 'openstack-telemetry::api' do let(:chef_run) { runner.converge(described_recipe) } include_context 'telemetry-stubs' - include_examples 'expect-runs-common-recipe' it 'installs the api package' do expect(chef_run).to upgrade_package 'ceilometer-api' end - it 'enables and starts the api service' do - expect(chef_run).to enable_service('ceilometer-api') - expect(chef_run).to start_service('ceilometer-api') + describe 'apache recipes' do + it 'include apache recipes' do + expect(chef_run).to include_recipe('apache2') + expect(chef_run).to include_recipe('apache2::mod_wsgi') + expect(chef_run).not_to include_recipe('apache2::mod_ssl') + end + + it 'include apache recipes' do + node.set['openstack']['telemetry']['ssl']['enabled'] = true + expect(chef_run).to include_recipe('apache2::mod_ssl') + end end - describe 'ceilometer-api' do - it 'subscribes to its config file' do - expect(chef_run.service('ceilometer-api')).to subscribe_to('template[/etc/ceilometer/ceilometer.conf]').delayed + it 'creates directory /var/www/html/ceilometer' do + expect(chef_run).to create_directory('/var/www/html/ceilometer').with( + user: 'root', + group: 'root', + mode: 00755 + ) + end + + it 'creates wsgi file' do + expect(chef_run).to create_file('/var/www/html/ceilometer/app').with( + user: 'root', + group: 'root', + mode: 00755 + ) + end + + describe 'apache wsgi' do + file = '/etc/apache2/sites-available/ceilometer-api.conf' + it "creates #{file}" do + expect(chef_run).to create_template(file).with( + user: 'root', + group: 'root', + mode: '0644' + ) + end + + it "configures #{file} common lines" do + node.set['openstack']['telemetry']['custom_template_banner'] = 'custom_template_banner_value' + [/user=ceilometer/, + /group=ceilometer/, + %r{^ ErrorLog /var/log/apache2/ceilometer-api_error.log$}, + %r{^ CustomLog /var/log/apache2/ceilometer-api_access.log}].each do |line| + expect(chef_run).to render_file(file).with_content(line) + end + end + + it "does not 
configure #{file} triggered common lines" do + [/^ LogLevel/, + /^ SSL/].each do |line| + expect(chef_run).not_to render_file(file).with_content(line) + end + end + context 'Enable SSL' do + before do + node.set['openstack']['telemetry']['ssl']['enabled'] = true + end + it "configures #{file} common ssl lines" do + [/^ SSLEngine On$/, + %r{^ SSLCertificateFile /etc/ceilometer/ssl/certs/sslcert.pem$}, + %r{^ SSLCertificateKeyFile /etc/ceilometer/ssl/private/sslkey.pem$}, + %r{^ SSLCACertificatePath /etc/ceilometer/ssl/certs/$}, + /^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line| + expect(chef_run).to render_file(file).with_content(line) + end + end + it "does not configure #{file} common ssl lines" do + [/^ SSLCertificateChainFile/, + /^ SSLCipherSuite/, + /^ SSLVerifyClient require/].each do |line| + expect(chef_run).not_to render_file(file).with_content(line) + end + end + it "configures #{file} chainfile when set" do + node.set['openstack']['telemetry']['ssl']['chainfile'] = '/etc/ceilometer/ssl/certs/chainfile.pem' + expect(chef_run).to render_file(file) + .with_content(%r{^ SSLCertificateChainFile /etc/ceilometer/ssl/certs/chainfile.pem$}) + end + it "configures #{file} ciphers when set" do + node.set['openstack']['telemetry']['ssl']['ciphers'] = 'ciphers_value' + expect(chef_run).to render_file(file) + .with_content(/^ SSLCipherSuite ciphers_value$/) + end + it "configures #{file} cert_required set" do + node.set['openstack']['telemetry']['ssl']['cert_required'] = true + expect(chef_run).to render_file(file) + .with_content(/^ SSLVerifyClient require$/) + end + end + + describe 'ceilometer-api WSGI app' do + it 'configures required lines' do + [/^$/, + /^ WSGIDaemonProcess ceilometer-api/, + /^ WSGIProcessGroup ceilometer-api$/, + %r{^ WSGIScriptAlias / /var/www/html/ceilometer/app$}].each do |line| + expect(chef_run).to render_file('/etc/apache2/sites-available/ceilometer-api.conf').with_content(line) + end + end end end end 
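Review bot: Both examples in `describe 'apache recipes'` are named `'include apache recipes'`, so a failure report cannot tell the SSL case from the default case; rename the second to something like `'includes mod_ssl when ssl is enabled'`. The `common lines` example sets `custom_template_banner` to `'custom_template_banner_value'` but never asserts that the value is rendered. The same two points apply to the spec/gnocchi_configure_spec.rb hunk. There the banner is set under `['telemetry-metric']` although the template reads `node["openstack"]["telemetry"]["custom_template_banner"]`, and the mod_ssl example toggles the identity flag instead of the telemetry-metric one.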
diff --git a/spec/gnocchi_configure_spec.rb b/spec/gnocchi_configure_spec.rb index 68f6b0d..f944f9c 100644 --- a/spec/gnocchi_configure_spec.rb +++ b/spec/gnocchi_configure_spec.rb 
@@ -115,12 +115,115 @@ describe 'openstack-telemetry::gnocchi_configure' do .with(user: 'gnocchi') end - %w(gnocchi-api gnocchi-metricd).each do |service| - it do - expect(chef_run).to enable_service(service) + it do + expect(chef_run).to enable_service('gnocchi-metricd') + end + + it do + expect(chef_run).to start_service('gnocchi-metricd') + end + + describe 'apache recipes' do + it 'include apache recipes' do + expect(chef_run).to include_recipe('apache2') + expect(chef_run).to include_recipe('apache2::mod_wsgi') + expect(chef_run).not_to include_recipe('apache2::mod_ssl') end - it do - expect(chef_run).to start_service(service) + + it 'include apache recipes' do + node.set['openstack']['identity']['ssl']['enabled'] = true + expect(chef_run).to include_recipe('apache2::mod_ssl') + end + end + + it 'creates directory /var/www/html/gnocchi' do + expect(chef_run).to create_directory('/var/www/html/gnocchi').with( + user: 'root', + group: 'root', + mode: 00755 + ) + end + + it 'creates wsgi file' do + expect(chef_run).to create_file('/var/www/html/gnocchi/app').with( + user: 'root', + group: 'root', + mode: 00755 + ) + end + + describe 'apache wsgi' do + file = '/etc/apache2/sites-available/gnocchi-api.conf' + it "creates #{file}" do + expect(chef_run).to create_template(file).with( + user: 'root', + group: 'root', + mode: '0644' + ) + end + + it "configures #{file} common lines" do + node.set['openstack']['telemetry-metric']['custom_template_banner'] = 'custom_template_banner_value' + [/user=gnocchi/, + /group=gnocchi/, + %r{^ ErrorLog /var/log/apache2/gnocchi-api_error.log$}, + %r{^ CustomLog /var/log/apache2/gnocchi-api_access.log combined$}].each do |line| + expect(chef_run).to render_file(file).with_content(line) + end + end + + it "does not configure #{file} triggered common lines" do + [/^ LogLevel/, + /^ SSL/].each do |line| + expect(chef_run).not_to render_file(file).with_content(line) + end + end + context 'Enable SSL' do + before do + 
node.set['openstack']['telemetry-metric']['ssl']['enabled'] = true + end + it "configures #{file} common ssl lines" do + [/^ SSLEngine On$/, + %r{^ SSLCertificateFile /etc/ceilometer/ssl/certs/sslcert.pem$}, + %r{^ SSLCertificateKeyFile /etc/ceilometer/ssl/private/sslkey.pem$}, + %r{^ SSLCACertificatePath /etc/ceilometer/ssl/certs/$}, + /^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line| + expect(chef_run).to render_file(file).with_content(line) + end + end + it "does not configure #{file} common ssl lines" do + [/^ SSLCertificateChainFile/, + /^ SSLCipherSuite/, + /^ SSLVerifyClient require/].each do |line| + expect(chef_run).not_to render_file(file).with_content(line) + end + end + it "configures #{file} chainfile when set" do + node.set['openstack']['telemetry-metric']['ssl']['chainfile'] = '/etc/ceilometer/ssl/certs/chainfile.pem' + expect(chef_run).to render_file(file) + .with_content(%r{^ SSLCertificateChainFile /etc/ceilometer/ssl/certs/chainfile.pem$}) + end + it "configures #{file} ciphers when set" do + node.set['openstack']['telemetry-metric']['ssl']['ciphers'] = 'ciphers_value' + expect(chef_run).to render_file(file) + .with_content(/^ SSLCipherSuite ciphers_value$/) + end + it "configures #{file} cert_required set" do + node.set['openstack']['telemetry-metric']['ssl']['cert_required'] = true + expect(chef_run).to render_file(file) + .with_content(/^ SSLVerifyClient require$/) + end + end + + describe 'gnocchi-api WSGI app' do + it 'configures required lines' do + [/^$/, + /^ WSGIDaemonProcess gnocchi-api/, + /^ WSGIProcessGroup gnocchi-api$/, + %r{^ WSGIScriptAlias / /var/www/html/gnocchi/app$}].each do |line| + expect(chef_run).to render_file('/etc/apache2/sites-available/gnocchi-api.conf').with_content(line) + end + end end end end diff --git a/spec/gnocchi_install_spec.rb b/spec/gnocchi_install_spec.rb index c656306..96792de 100644 --- a/spec/gnocchi_install_spec.rb +++ b/spec/gnocchi_install_spec.rb 
@@ -11,11 +11,11 @@ describe 'openstack-telemetry::gnocchi_install' do include_context 'telemetry-stubs' it do - expect(chef_run).to upgrade_package 'gnocchi-api' + expect(chef_run).to install_package 'gnocchi-api' end it do - expect(chef_run).to upgrade_package 'gnocchi-metricd' + expect(chef_run).to install_package 'gnocchi-metricd' end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 097e72b..92b1b38 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -42,6 +42,12 @@ shared_context 'telemetry-stubs' do .with('user', 'admin') .and_return('admin-pass') allow(Chef::Application).to receive(:fatal!) + node.set['openstack']['telemetry']['conf']['api']['host'] = '127.0.0.1' + node.set['openstack']['telemetry']['conf']['api']['port'] = '8777' + node.set['openstack']['telemetry-metric']['conf']['api']['host'] = '127.0.0.1' + node.set['openstack']['telemetry-metric']['conf']['api']['port'] = '8041' + stub_command('/usr/sbin/apache2 -t') + stub_command('/usr/sbin/httpd -t') end end diff --git a/templates/wsgi-template.conf.erb b/templates/wsgi-template.conf.erb new file mode 100644 index 0000000..19a96d5 --- /dev/null +++ b/templates/wsgi-template.conf.erb 
@@ -0,0 +1,37 @@ +<%= node["openstack"]["telemetry"]["custom_template_banner"] %> + +Listen <%= @params[:server_host] %>:<%= @params[:server_port] %> + +:<%= @params[:server_port] %>> + WSGIDaemonProcess <%= @params[:deamon_process] %> processes=2 threads=10 user=<%= @params[:user] %> group=<%= @params[:group] %> display-name=%{GROUP} + WSGIProcessGroup <%= @params[:deamon_process] %> + WSGIScriptAlias / <%= @params[:server_entry] %> + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + ErrorLogFormat "%{cu}t %M" + ErrorLog <%= @params[:log_dir] %>/<%= @params[:deamon_process] %>_error.log + CustomLog <%= @params[:log_dir] %>/<%= @params[:deamon_process] %>_access.log combined + <% if [true, 'true', 'True'].include?(@params[:log_debug]) -%> + LogLevel debug + <% end -%> + + <% if @params[:use_ssl] -%> + SSLEngine On + SSLCertificateFile <%= @params[:cert_file] %> + SSLCertificateKeyFile <%= @params[:key_file] %> + SSLCACertificatePath <%= @params[:ca_certs_path] %> + <% if @params[:chain_file] %> + SSLCertificateChainFile <%= @params[:chain_file] %> + <% end -%> + SSLProtocol <%= @params[:protocol] %> + <% if @params[:ciphers] -%> + SSLCipherSuite <%= @params[:ciphers] %> + <% end -%> + <% if @params[:cert_required] -%> + SSLVerifyClient require + <% end -%> + <% end -%> + + +WSGISocketPrefix /var/run/apache2 \ No newline at end of file
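Review bot: The banner line reads `node["openstack"]["telemetry"]["custom_template_banner"]` unconditionally, so the gnocchi-api vhost can never get its own banner; passing it in as a `web_app` parameter such as `@params[:banner]` (name is a placeholder) would fix that. The template also emits its own `Listen` directive from `@params[:server_host]` and `@params[:server_port]`, while the recipes append `bind_service_address` and port to `node['apache']['listen']`. If both resolve to the same socket, Apache may refuse to start, so one of the two should go. `WSGISocketPrefix /var/run/apache2` is hard-coded and probably does not exist on RHEL. The `if @params[:chain_file]` tag closes with `%>` where the other conditionals use the `-%>` trim.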