Merge pull request #1805 from ProgrammeVitam/story_12777_reconfigure_…

…https_webapps Story #12777: Switch back certificates configuration to permit webapps in https
ProgrammeVitam · Apr 25, 2024 · 25eb98c · 25eb98c
2 parents 5775e51 + f94ffac
commit 25eb98c
Show file tree

Hide file tree

Showing 17 changed files with 67 additions and 131 deletions.
diff --git a/deployment/pki/scripts/generate_certs.sh b/deployment/pki/scripts/generate_certs.sh
@@ -40,14 +40,14 @@ function generateCerts {
     generateHostCertAndStorePassphrase   pastis-external         hosts_vitamui_pastis_external
 
     #Zone UI
-    generateClientCertAndStorePassphrase ui-portal               client-external
-    generateClientCertAndStorePassphrase ui-identity             client-external
-    generateClientCertAndStorePassphrase ui-identity-admin       client-external
-    generateClientCertAndStorePassphrase ui-referential          client-external
-    generateClientCertAndStorePassphrase ui-ingest               client-external
-    generateClientCertAndStorePassphrase ui-archive-search       client-external
-    generateClientCertAndStorePassphrase ui-collect              client-external
-    generateClientCertAndStorePassphrase ui-pastis               client-external
+    generateHostCertAndStorePassphrase   ui-portal               hosts_ui_portal
+    generateHostCertAndStorePassphrase   ui-identity             hosts_ui_identity
+    generateHostCertAndStorePassphrase   ui-identity-admin       hosts_ui_identity_admin
+    generateHostCertAndStorePassphrase   ui-referential          hosts_ui_referential
+    generateHostCertAndStorePassphrase   ui-ingest               hosts_ui_ingest
+    generateHostCertAndStorePassphrase   ui-archive-search       hosts_ui_archive_search
+    generateHostCertAndStorePassphrase   ui-collect              hosts_ui_collect
+    generateHostCertAndStorePassphrase   ui-pastis               hosts_ui_pastis
 
     #Reverse
     generateHostCertAndStorePassphrase   reverse                 hosts_vitamui_reverseproxy

diff --git a/deployment/roles/nginx_webapp/tasks/install.yml b/deployment/roles/nginx_webapp/tasks/install.yml
@@ -56,16 +56,26 @@
     mode: "{{ vitam_defaults.folder.conf_permission }}"
   notify: reload nginx
 
-- name: "Add UI certificate to reverse for {{ vitamui_struct.vitamui_component }}"
+- name: "Add UI certificates for {{ vitamui_struct.vitamui_component }}"
   copy:
     src: "{{ item }}"
     dest: "{{ nginx_ssl_dir }}"
     group: "{{ frontend_group }}"
     owner: "{{ frontend_user }}"
     mode: "{{ vitam_defaults.folder.conf_permission }}"
   with_fileglob:
-    - "{{ inventory_dir }}/certs/client-external/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.crt"
-    - "{{ inventory_dir }}/certs/client-external/clients/{{ vitamui_struct.vitamui_component }}/{{ vitamui_struct.vitamui_component }}.key"
+    - "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/{{ vitamui_struct.vitamui_component }}.crt"
+    - "{{ inventory_dir }}/certs/server/hosts/{{ inventory_hostname }}/{{ vitamui_struct.vitamui_component }}.key"
+  notify: reload nginx
+
+- name: Put ssl configuration when secure is enabled
+  template:
+    src: ssl-ui.conf.j2
+    dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf"
+    group: "{{ frontend_group }}"
+    owner: "{{ frontend_user }}"
+    mode: "{{ vitamui_defaults.folder.conf_permission }}"
+  when: vitamui_struct.secure | default(true) | bool
   notify: reload nginx
 
 - block:
@@ -87,13 +97,13 @@
 
 - name: "Selected key for {{ vitamui_struct.vitamui_component }}"
   set_fact:
-    selected_key: "{{ ui_keys['client_client_external_' + vitamui_struct.vitamui_component | regex_replace('-', '_') + '_key'] }}"
+    selected_key: "{{ ui_keys['server_' + vitamui_struct.vitamui_component | regex_replace('-', '_') + '_key'] }}"
   no_log: "{{ hide_passwords_during_deploy }}"
 
 - name: "Add keypass for {{ vitamui_struct.vitamui_component }}"
   template:
     src: certificate.key_pass.j2
-    dest: "{{ nginx_ssl_dir }}/{{vitamui_struct.vitamui_component}}.key_pass"
+    dest: "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key_pass"
     group: "{{ frontend_group }}"
     owner: "{{ frontend_user }}"
     mode: "{{ vitamui_defaults.folder.conf_permission }}"

diff --git a/deployment/roles/nginx_webapp/tasks/uninstall.yml b/deployment/roles/nginx_webapp/tasks/uninstall.yml
@@ -18,6 +18,7 @@
     - "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.crt"
     - "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key"
     - "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key_pass"
+    - "{{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf"
     - "{{ nginx_conf_dir }}/{{ vitamui_struct.vitamui_component }}.conf"
     - "{{ frontend_data_dir }}/{{ vitamui_struct.vitamui_component | regex_replace('^ui-', '') }}/assets/config.json"
   notify: reload nginx
diff --git a/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2 b/deployment/roles/nginx_webapp/templates/frontend/vhost.conf.j2
@@ -1,6 +1,11 @@
 #jinja2: lstrip_blocks: True
 server {
+  {% if vitamui_struct.secure | default(true) | bool %}
+  listen  {{ ip_service }}:{{ vitamui_struct.port_service }} ssl;
+  include {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}-ssl.conf;
+  {% else %}
   listen  {{ ip_service }}:{{ vitamui_struct.port_service }};
+  {% endif %}
 
   root    {{ frontend_data_dir }}/{{ vitamui_struct.vitamui_component | regex_replace('^ui-', '') }};
 

diff --git a/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2 b/deployment/roles/nginx_webapp/templates/ssl-ui.conf.j2
@@ -0,0 +1,13 @@
+ssl_certificate {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.crt;
+ssl_certificate_key {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key;
+# Password file for ssl cert
+ssl_password_file {{ nginx_ssl_dir }}/{{ vitamui_struct.vitamui_component }}.key_pass;
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+
+# ssl_dhparam {{ nginx_ssl_dir }}/dhparam.pem;
+ssl_ecdh_curve secp384r1;
diff --git a/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2 b/deployment/roles/reinit_security_certificates/templates/security.populate_certificates.js.j2
@@ -28,13 +28,13 @@ db.certificates.insertOne({
 {{ process('{{ pki_dir }}/server/hosts/%host%/cas-server.pem', 'cas_context', 'hosts_cas_server') }}
 {{ process('{{ pki_dir }}/server/hosts/%host%/iam-internal.pem', 'iam_internal_context', 'hosts_vitamui_iam_internal') }}
 
-{{ process('{{ pki_dir }}/client-external/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
 
 print("END security.populate_certificates.js");
diff --git a/deployment/roles/reverse/tasks/nginx/nginx.yml b/deployment/roles/reverse/tasks/nginx/nginx.yml
@@ -18,7 +18,7 @@
 - name: 'Tasks > reverse > configure_nginx.yml | Put ssl conf'
   template:
     src: "nginx/ssl/{{ item }}.j2"
-    dest: "{{ nginx_ssl_dir }}/{{ item  }}"
+    dest: "{{ nginx_ssl_dir }}/{{ item }}"
     group: "{{ reverse_group }}"
     owner: "{{ reverse_user }}"
     mode: "{{ vitamui_defaults.folder.conf_permission }}"

diff --git a/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2 b/deployment/roles/reverse/templates/nginx/conf.d/vhosts.conf.j2
@@ -13,7 +13,7 @@ server {
   # UI IDENTITY_ADMIN
   location /identity-admin {
     rewrite /identity-admin/(.*) /$1  break;
-    proxy_pass http://IDENTITY_ADMIN;
+    proxy_pass {{ 'https' if vitamui.identity_admin.secure | default(true) | bool else 'http' }}://IDENTITY_ADMIN;
     sub_filter '/identity/' '{{ url_prefix }}/identity-admin/';
     sub_filter_types text/html text/css;
     sub_filter_once off;
@@ -24,15 +24,15 @@ server {
   # UI IDENTITY
   location /identity {
     rewrite /identity/(.*) /$1  break;
-    proxy_pass http://IDENTITY;
+    proxy_pass {{ 'https' if vitamui.identity.secure | default(true) | bool else 'http' }}://IDENTITY;
     include {{ nginx_conf_dir }}/proxy_params;
   }
 
 {% if groups['hosts_ui_referential']|length > 0 %}
   # UI REFERENTIAL
   location /referential {
     rewrite /referential/(.*) /$1  break;
-    proxy_pass http://REFERENTIAL;
+    proxy_pass {{ 'https' if vitamui.referential.secure | default(true) | bool else 'http' }}://REFERENTIAL;
 
     include {{ nginx_conf_dir }}/proxy_params;
   }
@@ -42,7 +42,7 @@ server {
   # UI INGEST
   location /ingest {
     rewrite /ingest/(.*) /$1  break;
-    proxy_pass http://INGEST;
+    proxy_pass {{ 'https' if vitamui.ingest.secure | default(true) | bool else 'http' }}://INGEST;
 
     include {{ nginx_conf_dir }}/proxy_params;
 
@@ -63,7 +63,7 @@ server {
   # UI ARCHIVE_SEARCH
   location /archive-search {
     rewrite /archive-search/(.*) /$1  break;
-    proxy_pass http://ARCHIVE_SEARCH;
+    proxy_pass {{ 'https' if vitamui.archive_search.secure | default(true) | bool else 'http' }}://ARCHIVE_SEARCH;
 
     include {{ nginx_conf_dir }}/proxy_params;
   }
@@ -73,7 +73,7 @@ server {
   # UI PASTIS
   location /pastis {
     rewrite /pastis/(.*) /$1  break;
-    proxy_pass http://PASTIS;
+    proxy_pass {{ 'https' if vitamui.pastis.secure | default(true) | bool else 'http' }}://PASTIS;
 
     include {{ nginx_conf_dir }}/proxy_params;
   }
@@ -83,7 +83,7 @@ server {
   # UI COLLECT
   location /collect {
     rewrite /collect/(.*) /$1  break;
-    proxy_pass http://COLLECT;
+    proxy_pass {{ 'https' if vitamui.collect.secure | default(true) | bool else 'http' }}://COLLECT;
 
     include {{ nginx_conf_dir }}/proxy_params;
 
@@ -112,7 +112,7 @@ server {
 
   # PORTAL
   location / {
-    proxy_pass http://PORTAL;
+    proxy_pass {{ 'https' if vitamui.portal.secure | default(true) | bool else 'http' }}://PORTAL;
     include {{ nginx_conf_dir }}/proxy_params;
   }
 

diff --git a/deployment/scripts/mongod/v7.1/000_security.populate_certificates.js.j2 b/deployment/scripts/mongod/v7.1/000_security.populate_certificates.js.j2
@@ -28,13 +28,13 @@ db.certificates.insertOne({
 {{ process('{{ pki_dir }}/server/hosts/%host%/cas-server.pem', 'cas_context', 'hosts_cas_server') }}
 {{ process('{{ pki_dir }}/server/hosts/%host%/iam-internal.pem', 'iam_internal_context', 'hosts_vitamui_iam_internal') }}
 
-{{ process('{{ pki_dir }}/client-external/clients/ui-portal/ui-portal.pem', 'ui_portal_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-identity/ui-identity.pem', 'ui_identity_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-identity-admin/ui-identity-admin.pem', 'ui_admin_identity_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-referential/ui-referential.pem', 'ui_referential_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-archive-search/ui-archive-search.pem', 'ui_archive_search_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-ingest/ui-ingest.pem', 'ui_ingest_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-pastis/ui-pastis.pem', 'ui_pastis_context') }}
-{{ process('{{ pki_dir }}/client-external/clients/ui-collect/ui-collect.pem', 'ui_collect_context') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-portal.pem', 'ui_portal_context', 'hosts_ui_portal') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity.pem', 'ui_identity_context', 'hosts_ui_identity') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-identity-admin.pem', 'ui_admin_identity_context', 'hosts_ui_identity_admin') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-referential.pem', 'ui_referential_context', 'hosts_ui_referential') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-archive-search.pem', 'ui_archive_search_context', 'hosts_ui_archive_search') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-ingest.pem', 'ui_ingest_context', 'hosts_ui_ingest') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-pastis.pem', 'ui_pastis_context', 'hosts_ui_pastis') }}
+{{ process('{{ pki_dir }}/server/hosts/%host%/ui-collect.pem', 'ui_collect_context', 'hosts_ui_collect') }}
 
 print("END security.populate_certificates.js");
diff --git a/...oyment/environments/certs/client-external/clients/ui-archive-search/ui-archive-search.pem b/...oyment/environments/certs/client-external/clients/ui-archive-search/ui-archive-search.pem
diff --git a/dev-deployment/environments/certs/client-external/clients/ui-ingest/ui-ingest.pem b/dev-deployment/environments/certs/client-external/clients/ui-ingest/ui-ingest.pem
diff --git a/dev-deployment/environments/certs/client-external/clients/ui-referential/ui-referential.pem b/dev-deployment/environments/certs/client-external/clients/ui-referential/ui-referential.pem
diff --git a/...xternal/clients/ui-collect/ui-collect.pem → ...rts/server/hosts/localhost/ui-collect.pem b/...xternal/clients/ui-collect/ui-collect.pem → ...rts/server/hosts/localhost/ui-collect.pem
diff --git a/...s/ui-identity-admin/ui-identity-admin.pem → ...ver/hosts/localhost/ui-identity-admin.pem b/...s/ui-identity-admin/ui-identity-admin.pem → ...ver/hosts/localhost/ui-identity-admin.pem
diff --git a/...ernal/clients/ui-identity/ui-identity.pem → ...ts/server/hosts/localhost/ui-identity.pem b/...ernal/clients/ui-identity/ui-identity.pem → ...ts/server/hosts/localhost/ui-identity.pem
diff --git a/...-external/clients/ui-pastis/ui-pastis.pem → ...erts/server/hosts/localhost/ui-pastis.pem b/...-external/clients/ui-pastis/ui-pastis.pem → ...erts/server/hosts/localhost/ui-pastis.pem
diff --git a/...-external/clients/ui-portal/ui-portal.pem → ...erts/server/hosts/localhost/ui-portal.pem b/...-external/clients/ui-portal/ui-portal.pem → ...erts/server/hosts/localhost/ui-portal.pem