acme (#26): documented draft of variables (also #25, local use of pro…
…posed PR on upstream)
fititnt committed Dec 2, 2019
1 parent d13ca61 commit 2b230c1
Showing 4 changed files with 57 additions and 110 deletions.
20 changes: 20 additions & 0 deletions README.md
Expand Up @@ -60,6 +60,7 @@ humanitarian or commercial projects from who help we on Etica.AI.
- [Quickstart on how to hotfix/debug production servers](#quickstart-on-how-to-hotfixdebug-production-servers)
- [ALB components](#alb-components)
- [Shared options](#shared-options)
- [ACME](#acme)
- [Autentication Credentials](#autentication-credentials)
- [Bastion Hosts](#bastion-hosts)
- [DMZ (DeMilitarized Zone)](#dmz-demilitarized-zone)
Expand Down Expand Up @@ -293,6 +294,25 @@ alb_manange_logrotate: "{{ alb_manange_openresty or alb_manange_apps }}"
default option to improve more specific ALB Components or your own custom
implementation.

#### ACME

These options are re-used by components that manange Automatic Certificate
Management Environment (ACME). See [ACME on Wikipedia](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)
and [RFC 8555](https://tools.ietf.org/html/rfc8555).

```yaml
alb_acme_production: true
alb_acme_rule_whitelist: []
alb_acme_rule_whitelist_file: '' # not implemented... yet
alb_acme_rule_blacklist: [] # not implemented... yet
alb_acme_rule_blacklist_file: '' # not implemented... yet
alb_acme_rule_last: true
# This value is infered from alb_acme_production. But you can customize yourself
alb_acme_url: "{{ 'https://acme-v02.api.letsencrypt.org/directory' if alb_acme_production else 'https://acme-staging-v02.api.letsencrypt.org/directory' }}"
```


#### Autentication Credentials

- :information_source: `password` fields are expected to have plaintext when
4 changes: 2 additions & 2 deletions defaults/main.yml
Expand Up @@ -80,9 +80,9 @@ alb_jump_boxes: []

## @see https://github.com/fititnt/ap-application-load-balancer/issues/26
alb_acme_production: true
alb_acme_rule_whitelist: [] # not implemented... yet
alb_acme_rule_whitelist: []
alb_acme_rule_whitelist_file: '' # not implemented... yet
alb_acme_rule_blacklist: [] # not implemented... yet
alb_acme_rule_blacklist: [] # not implemented... yet
alb_acme_rule_blacklist_file: '' # not implemented... yet
alb_acme_rule_last: true

136 changes: 28 additions & 108 deletions files/resty/auto-ssl/storage_adapters/consul.lua
@@ -1,41 +1,7 @@
-- License: Public Domain

---
-- Requisites:
-- opm get hamishforbes/lua-resty-consul
--
-- @todo: implement expire. Different from Redis, Consul or will persist
-- keys forever or will have a maximum TTL of 24h. (fititnt, 2019-11-28 19:17 BRT)
--
-- @todo: remove dump functions and keep login at at resonable way (fititnt, 2019-11-28 19:17 BRT)
--
-- How to test:
-- Copy this file to /usr/local/share/lua/5.1/resty/auto-ssl/storage_adapters/consul.lua. With ansible would be:
-- ansible -m copy -a "src=./consul.lua dest=/usr/local/share/lua/5.1/resty/auto-ssl/storage_adapters/consul.lua" aguia-pescadora-delta.etica.ai,aguia-pescadora-echo.etica.ai,aguia-pescadora-foxtrot.etica.ai
-- ansible -m copy -a "src=/alligo/code/fititnt/lua-resty-auto-ssl/lib/resty/auto-ssl/storage_adapters/consul.lua dest=/usr/local/share/lua/5.1/resty/auto-ssl/storage_adapters/consul.lua" aguia-pescadora-delta.etica.ai,aguia-pescadora-echo.etica.ai,aguia-pescadora-foxtrot.etica.ai
-- Them set the following on your OpenResty, at http context
-- auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.consul")
--
-- How to document Lua code:
-- - https://stevedonovan.github.io/ldoc/manual/doc.md.html
-- - https://keplerproject.github.io/luadoc/manual.html
-- - http://lua-users.org/wiki/LuaStyleGuide
-- - http://sputnik.freewisdom.org/en/Coding_Standard
--
-- Using ldoc (https://github.com/stevedonovan/LDoc); the lua-doc from keplerproject says it is obsolete (https://github.com/keplerproject/luadoc)
-- sudo apt install lua-ldoc
-- Then validate documentation with
-- ldoc consul.lua

-- I think the path would be /usr/local/share/lua/5.1/resty/auto-ssl/storage_adapters/consul.lua
-- to work with resty/auto-ssl
-- And then use this as reference https://github.com/GUI/lua-resty-auto-ssl/blob/master/lib/resty/auto-ssl/storage_adapters/redis.lua

-- Lean lua in an Hour https://www.youtube.com/watch?v=S4eNl1rA1Ns
-- Definitely an openresty guide/ Hello world https://www.staticshin.com/programming/definitely-an-open-resty-guide/#hello_world
-- Lua in 15 minutes http://tylerneylon.com/a/learn-lua/

-- Redis equivalent: local redis = require "resty.redis"

local consul = require('resty.consul')

--------------------------------------------------------------------------------
Expand Down Expand Up @@ -102,7 +68,6 @@ dump({'started', os.date("!%Y-%m-%dT%TZ")})
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------


-- @module storage_adapter_consul
local _M = {}

Expand Down Expand Up @@ -155,9 +120,6 @@ function _M.new(auto_ssl_instance)
options["ssl_verify"] = true
end

-- local cjson = require "cjson"
-- ngx.log(ngx.ERR, '_M.new')
-- ngx.log(ngx.ERR, cjson.encode(options))
dump({fn = '_M.new', options = options}, '_M.new')

return setmetatable({ options = options }, { __index = _M })
Expand All @@ -174,47 +136,8 @@ function _M.get_connection(self)

connection = consul:new(self.options)

-- local cjson = require "cjson"
-- ngx.log(ngx.ERR, '_M.get_connection')
-- ngx.log(ngx.ERR, cjson.encode(connection))
dump({fn = '_M.get_connection', connection = connection}, '_M.get_connection')

-- NOTE: From https://github.com/hamishforbes/lua-resty-consul documentation:
-- "port Defaults to 8500. Set to 0 if using a unix socket as host."
-- redis.lua validate the connection at start, but resty.consul seems
-- to validate only on the first request. I will leave this note
-- here for now (fititnt, 2019-11-27 23:41 BRT)

-- local ok, err
-- local connect_options = self.options["connect_options"] or {}
-- if self.options["socket"] then
-- ok, err = connection:connect(self.options["socket"], connect_options)
-- else
-- ok, err = connection:connect(self.options["host"], self.options["port"], connect_options)
-- end
-- if not ok then
-- return false, err
-- end

-- if self.options["auth"] then
-- ok, err = connection:auth(self.options["auth"])
-- if not ok then
-- return false, err
-- end
-- end

-- if self.options["db"] then
-- ok, err = connection:select(self.options["db"])
-- if not ok then
-- return false, err
-- end
-- end

-- if not res then
-- ngx.log(ngx.ERR, err)
-- return
-- end

ngx.ctx.auto_ssl_consul_connection = connection
return connection
end
Expand All @@ -237,15 +160,11 @@ function _M.get(self, key)
-- Redis use get, Consul use get_key
-- Redis 'res' is value or nil; Consul is a lua-resty-http response object
local res, err = connection:get_key(prefixed_key(self, key))
-- if res == ngx.null then
-- if res.status == 404 then
-- -- ngx.log(ngx.ERR, 'storage_adapter.consul._M.get: connection error:', err)
-- value = nil
--else

if res.status ~= 404 and res.body[1] ~= nil and res.body[1]['Value'] ~= nil then
value = res.body[1]['Value']
else
dump({fn = '_M.get fail', res.body[1]['Value']})
dump({fn = '_M.get fail', res})
end

dump({fn = '_M.get', key=key, res=res, err=err, value=value}, '_M.get')
Expand All @@ -254,12 +173,6 @@ function _M.get(self, key)
end

--- Store a key-value on the Consul
--
-- @todo There is a difference betwen connection:put (Redis) and from consul
-- from the first parameter. This should be checked
--
-- @todo options param still not used, but will leave it here for now (fititnt, 2019-11-28 20:15 BRT)
--
-- @param self
-- @param key The umprefixed key name
-- @param value The values
Expand All @@ -269,29 +182,38 @@ end
-- @return err On error returns an error message
function _M.set(self, key, value, options)
local connection, connection_err = self:get_connection()
local ok = false

if connection_err then
return false, connection_err
end

key = prefixed_key(self, key)

-- Redis use set, Consul use put_key:
-- local ok, err = connection:put_key(key, value)
local res, err = connection:put_key(key, value)

-- Know issue: not implemented way to expire key at this moment.
-- The following was from redis.lua
-- if ok then
-- if options and options["exptime"] then
-- local _, expire_err = connection:expire(key, options["exptime"])
-- if expire_err then
-- ngx.log(ngx.ERR, "auto-ssl: failed to set expire: ", expire_err)
-- end
-- end
-- end

dump({fn = '_M.set', key=key, value=value, res=res, err=err}, '_M.set')
return res, err
if res.status == 200 then
ok = true

-- This expire strategy is based on file.lua and not on redis.lua and
-- at the moment is not using Consul native way to expire keys. Since the
-- version resty.consul v0.3.2 does not implement Expire, even if is
-- possible to do with more RAW HTTP methods, we initialy will the ngx.timer
-- Not ideal, but it works for and functional MVP (fititnt, 2019-11-30 22:14 BRT)
if options and options["exptime"] then
ngx.timer.at(options["exptime"], function()
local _, delete_err = _M.delete(self, key)
if delete_err then
ngx.log(ngx.ERR, "auto-ss.lstorage_adapter.consul._M.delete: failed to remove the key from Consul after the expiretime ", delete_err)
else
dump({fn = '_M.set', _=_, delete_err=delete_err, 'ngx.timer worked!'})
end
end)
end
end

dump({fn = '_M.set', ok=ok, key=key, value=value, options=options, res=res, err=err}, '_M.set')
return ok, err
end

--- Delete a value from Consul based on the unprefixed key
Expand All @@ -303,7 +225,7 @@ function _M.delete(self, key)
local connection, connection_err = self:get_connection()
if connection_err then
-- ngx.log(ngx.EMERG, '_M.delete: ', connection_err)
ngx.log(ngx.EMERG, 'storage_adapter.consul._M.delete: connection error:', err)
ngx.log(ngx.EMERG, 'storage_adapter.consul._M.delete: connection error:', connection_err)
return false, connection_err
end

Expand All @@ -328,8 +250,6 @@ function _M.keys_with_suffix(self, suffix)
return false, connection_err
end

-- Redis use keys, Consul uses list_keys
-- local keys, err = connection:keys(prefixed_key(self, "*" .. suffix))
local keys, err = connection:list_keys(prefixed_key(self, "*" .. suffix))

if keys and self.options["prefix"] then
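Review bot: In the `_M.set` hunk (`@@ -269,29 +182,38 @@`) the expiry timer calls `_M.delete(self, key)` after `key = prefixed_key(self, key)` has already replaced `key` with the prefixed name, while `_M.delete` is documented as taking the unprefixed key, so if it prefixes again the timer targets a key that does not exist and the entry never expires; `_M.delete`'s body is outside this view, so confirm that. The callback also takes no `premature` argument, yet ngx.timer.at invokes pending timers with `premature == true` when the worker exits, which would delete the key at shutdown instead of at `exptime`, and the `ok, err` result of `ngx.timer.at` is never checked. Because the timer lives only in that worker's memory, a reload drops the pending expiry; a comment stating that limitation next to the existing `This expire strategy` note would help the next maintainer. Separately, `res.status == 200` here and `res.status ~= 404` in `_M.get` index `res` before `err` is looked at, so a `put_key`/`get_key` call that returns `nil, err` raises rather than returning `false, err`; the same guard belongs in both places. The sketch below keeps the unprefixed key for the delete, honours `premature`, checks the timer registration and guards `res`.
```lua
function _M.set(self, key, value, options)
  -- … unchanged: get_connection and connection_err check …
  local prefixed = prefixed_key(self, key)
  local res, err = connection:put_key(prefixed, value)
  if not res then
    -- put_key failed before producing a response; surface err to the caller
    return false, err
  end

  if res.status == 200 then
    ok = true
    -- Expiry is a per-worker ngx.timer; a worker reload/crash drops it.
    if options and options["exptime"] then
      local timer_ok, timer_err = ngx.timer.at(options["exptime"], function(premature)
        if premature then
          return -- worker is exiting; do not delete the key ahead of exptime
        end
        -- key is still the unprefixed name here; _M.delete prefixes it itself
        local _, delete_err = _M.delete(self, key)
        if delete_err then
          ngx.log(ngx.ERR, "storage_adapter.consul._M.set: failed to remove expired key from Consul: ", delete_err)
        end
      end)
      if not timer_ok then
        ngx.log(ngx.ERR, "storage_adapter.consul._M.set: failed to schedule key expiry: ", timer_err)
      end
    end
  end
  -- … unchanged: dump and return ok, err …
```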
7 changes: 7 additions & 0 deletions templates/openresty/nginx/conf/nginx.conf.j2
Expand Up @@ -87,6 +87,13 @@ http {

ngx.log(ngx.WARN, "allow_domain started. Will evaluate if should or not obtain certificates to ", domain)

{% if ((alb_acme_rule_whitelist is defined) and (alb_acme_rule_whitelist|length > 0)) %}
if ngx.re.match(domain, "^({{ alb_acme_rule_whitelist | join('|') }})$", "ijo") then
ngx.log(ngx.INFO, "allow_domain whitelisted domain ", domain)
return true
end
{% endif %}

-- Fail first if domain seems to be an IP.
-- @see https://github.com/GUI/lua-resty-auto-ssl/issues/26#issuecomment-366919522
if string.match(domain, "(%d+).(%d+).(%d+).(%d+)") or string.find(domain, ":", 1, true) then
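Review bot: The whitelist pattern `ngx.re.match(domain, "^({{ alb_acme_rule_whitelist | join('|') }})$", "ijo")` interpolates each entry unescaped, so the `.` in `example.com` matches any character and any regex metacharacter in an entry either widens the match or breaks compilation of the whole `allow_domain` block. Escape each entry before joining and put the result in a long-bracket string so the backslashes survive Lua string parsing: `if ngx.re.match(domain, [[^({{ alb_acme_rule_whitelist | map('regex_escape') | join('|') }})$]], "ijo") then`; an alternative is a plain Lua set of hostnames checked with `==`. Since this branch returns before the IP check that follows, a whitelisted entry is accepted with no further validation, which is worth stating in a one-line comment above the `{% if %}` guard, e.g. `{# entries here bypass every check below; keep them to exact hostnames #}`.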

0 comments on commit 2b230c1
