From e7980db6851dbe67ced230ff7003014d6a639c92 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Tue, 15 Mar 2022 12:01:51 +0100
Subject: [PATCH] separate internal and external certificates from the reverse
 proxy

---
 .gitignore                                    |  1 +
 .../2022.03.08/apache/dictionaries/20_web.xml |  2 +-
 .../2022.03.08/apache/templates/server.crt    |  2 +-
 .../2022.03.08/apache/templates/server.key    |  2 +-
 .../dovecot/dictionaries/22_dovecot.xml       |  4 ++--
 .../templates/ca_InternalReverseProxy.crt     |  1 +
 .../dovecot/templates/ca_ReverseProxy.crt     |  1 -
 .../dictionaries/25_nginx.xml                 | 20 ++-----------------
 ...eProxy.crt => ca_InternalReverseProxy.crt} |  0
 .../templates/certificate.crt                 |  6 +-----
 .../templates/private.key                     |  2 +-
 .../templates/revprox-nginx.conf              | 11 ++--------
 .../dictionaries/20_nginx_client.xml          |  4 ++--
 ...eProxy.crt => ca_InternalReverseProxy.crt} |  2 +-
 .../templates/revprox.crt                     |  4 ++--
 .../templates/revprox.key                     |  2 +-
 16 files changed, 19 insertions(+), 45 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
 delete mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt
 rename seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/{ca_ReverseProxy.crt => ca_InternalReverseProxy.crt} (100%)
 rename seed/applicationservice/2022.03.08/reverse-proxy-client/templates/{ca_ReverseProxy.crt => ca_InternalReverseProxy.crt} (73%)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..bee8a64b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
index e51a2dae..7cb15a82 100644
--- a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
+++ b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
@@ -24,7 +24,7 @@
   <constraints>
     <fill name="get_chain">
       <param name="authority_cn" type="variable">revprox_client_server_domainname</param>
-      <param name="authority_name">ReverseProxy</param>
+      <param name="authority_name">InternalReverseProxy</param>
       <target>server_ca</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.crt b/seed/applicationservice/2022.03.08/apache/templates/server.crt
index a07a55fc..36e5562b 100644
--- a/seed/applicationservice/2022.03.08/apache/templates/server.crt
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.crt
@@ -1 +1 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.key b/seed/applicationservice/2022.03.08/apache/templates/server.key
index 3855f574..53e9ce02 100644
--- a/seed/applicationservice/2022.03.08/apache/templates/server.key
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
index 3e72304f..e82fbafc 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
@@ -17,7 +17,7 @@
       <override/>
     </service>
     <service name="dovecot" target="multi-user">
-      <file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
+      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
       <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
       <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
@@ -99,7 +99,7 @@
     </check>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
-      <param>ca_ReverseProxy.crt</param>
+      <param>ca_InternalReverseProxy.crt</param>
       <param name="join">/</param>
       <target>revprox_ca_file</target>
     </fill>
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
new file mode 100644
index 00000000..172e3cd2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
@@ -0,0 +1 @@
+%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt
deleted file mode 100644
index e0bc5f99..00000000
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt
+++ /dev/null
@@ -1 +0,0 @@
-%%get_chain(%%revprox_server_domainname, authority_name='ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml
index 328d849b..08161b53 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml
@@ -5,8 +5,7 @@
       <override engine="creole"/>
       <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
       <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
-      <file source="ca.crt" file_type="variable" mode="600">nginx_chain_filename</file>
-      <file>/etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
       <file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
     </service>
@@ -26,8 +25,6 @@
       <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
       <variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
       <variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
-      <variable name='nginx_chain_filename' type="filename" description="Chain filename" hidden='True' multi='True'/>
-      <variable name='nginx_chain' type="string" description="Certificate" hidden='True' multi='True'/>
       <variable name='internal_nginx_chain' type="string" description="Certificate" hidden='True'/>
     </family>
   </variables>
@@ -53,22 +50,9 @@
       <param name="multi" type="boolean">True</param>
       <target>nginx_private_key_filename</target>
     </fill>
-    <fill name="calc_value">
-      <param>/etc/nginx/</param>
-      <param type="variable">revprox_domainnames_all</param>
-      <param>.ca</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>nginx_chain_filename</target>
-    </fill>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">revprox_domainnames_all</param> 
-      <param name="authority_name">ReverseProxy</param>
-      <target>nginx_chain</target>
-    </fill>
     <fill name="get_chain">
       <param name="authority_cn" type="variable">domain_name_eth0</param> 
-      <param name="authority_name">ReverseProxy</param>
+      <param name="authority_name">InternalReverseProxy</param>
       <target>internal_nginx_chain</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_InternalReverseProxy.crt
similarity index 100%
rename from seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_ReverseProxy.crt
rename to seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_InternalReverseProxy.crt
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
index 95220f6c..9e4b28f5 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
@@ -1,5 +1 @@
-%set %%extra_domainnames = []
-%for %%idx in %%range(1, %%number_of_interfaces)
-  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
-%end for
-%%get_certificate(%%domain_name_eth0, 'ReverseProxy', extra_domainnames=%%extra_domainnames)
+%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
index 1dc49e5d..9e2828c8 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'ReverseProxy')
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf
index 63bccae7..72a00b24 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf
@@ -6,13 +6,7 @@
 server {
     listen 80;
     server_name %%domainname;
-    error_page   403 404 502 503 504  /error.html;
-
-    location / {
-        rewrite     ^(.*)  https://$host$1 permanent;
-        break;
-    }
-# FIXME     return 301 https://www.domain.com$request_uri; => https://www.nginx.com/blog/creating-nginx-rewrite-rules/
+    return 301 https://www.domain.com$request_uri;
 }
 
 # Configuration HTTPS %%domainname
@@ -20,7 +14,6 @@ server {
     listen 443 ssl http2;
     ssl_certificate    %%nginx_certificate_filename[%%idx];
     ssl_certificate_key     %%nginx_private_key_filename[%%idx];
-    ssl_client_certificate    %%nginx_chain_filename[%%idx];
     server_name %%domainname;
     error_page   403 404 502 503 504  /error.html;
     location = /error.html{
@@ -44,7 +37,7 @@ server {
         proxy_set_header        X-Forwarded-Proto       $scheme;
         proxy_set_header        Destination             $dest;
   %end if
-        proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt;
+        proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
         proxy_ssl_verify       on;
         proxy_ssl_verify_depth 2;
         proxy_ssl_session_reuse on;
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml
index 194346ad..1b2e45ed 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="nginx" manage="False">
-      <file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
+      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
       <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
       <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
     </service>
@@ -45,7 +45,7 @@
     </fill>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
-      <param>ca_ReverseProxy.crt</param>
+      <param>ca_InternalReverseProxy.crt</param>
       <param name="join">/</param>
       <target>revprox_ca_file</target>
     </fill>
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
similarity index 73%
rename from seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt
rename to seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
index e39381c9..64f7daca 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
@@ -1 +1 @@
-%%get_chain(%%revprox_client_server_domainname, authority_name='ReverseProxy')
+%%get_chain(%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
index 8d74a363..4ea9946c 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
@@ -1,2 +1,2 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type="server")
-%%get_chain(%%revprox_client_server_domainname, 'ReverseProxy')
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
+%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
index 4f3837a7..a02eba1e 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type='server')
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')