From 198519ee27f9626beb59f77352d47d8f5225b7f2 Mon Sep 17 00:00:00 2001 From: Pratik Vyas Date: Wed, 26 Nov 2014 00:09:09 +0530 Subject: [PATCH 1/4] add https to nginx config --- bench/config.py | 14 +++++++--- bench/templates/nginx.conf | 53 +++++++++++++++++++++++++++++--------- 2 files changed, 51 insertions(+), 16 deletions(-) diff --git a/bench/config.py b/bench/config.py index 90231b47..fda2688b 100644 --- a/bench/config.py +++ b/bench/config.py @@ -31,10 +31,16 @@ def get_site_config(site, bench='.'): def get_sites_with_config(bench='.'): sites = get_sites() - return [{ - "name": site, - "port": get_site_config(site, bench=bench).get('nginx_port') - } for site in sites] + ret = [] + for site in sites: + site_config = get_site_config(site, bench=bench) + ret.append({ + "name": site, + "port": site_config.get('nginx_port'), + "ssl_certificate": site_config.get('ssl_certificate'), + "ssl_certificate_key": site_config.get('ssl_certificate_key') + }) + return ret def generate_nginx_config(bench='.'): template = env.get_template('nginx.conf') diff --git a/bench/templates/nginx.conf b/bench/templates/nginx.conf index e0fe801a..68489917 100644 --- a/bench/templates/nginx.conf +++ b/bench/templates/nginx.conf @@ -5,15 +5,7 @@ upstream frappe { server 127.0.0.1:8000 fail_timeout=0; } -{% macro server_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%} - server { - listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %}; - client_max_body_size 4G; - {% if dns_multitenant and sites %} - server_name {% for site in sites %} {{ site.name }} {% endfor %}; - {% else %} - server_name {{ site.name if not server_name else server_name }}; - {% endif %} +{% macro location_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%} keepalive_timeout 5; sendfile on; root {{ sites_dir }}; 
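Review bot: The dict built in `get_sites_with_config` has no `ssl_port` entry, yet `server_block_https` in this commit's nginx.conf hunk reads `site.ssl_port` on its listen line, so the https server block can only ever fall back to the 443 default; adding `"ssl_port": site_config.get('ssl_port'),` beside the two certificate keys lets the template honour a per-site value. Separately, the comprehension did not need to become an append loop: iterating `(site, get_site_config(site, bench=bench)) for site in sites` inside a comprehension keeps the original shape while still reading each site's config once. The function is fully visible in the hunk.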
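Review bot: `location_block` keeps the `default`, `server_name`, `sites` and `dns_multitenant` parameters although the `server_name` lines that used them have moved out of it; the visible part of the body references only `sites_dir`, so these look like dead parameters that every caller nevertheless has to pass through. If the rest of the macro does not use them either, narrowing the signature to `{% macro location_block(site, port=80) -%}` and trimming the two call sites would make the split clearer. The macro body continues past the end of the hunk, so this is an inference until the remaining lines are checked.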
@@ -43,21 +35,58 @@ upstream frappe { proxy_redirect off; proxy_pass http://frappe; } +{%- endmacro %} + +{% macro server_name_block(site, default=False, server_name=None, sites=None, dns_multitenant=False) -%} + client_max_body_size 4G; + {% if dns_multitenant and sites %} + server_name {% for site in sites %} {{ site.name }} {% endfor %}; + {% else %} + server_name {{ site.name if not server_name else server_name }}; + {% endif %} +{%- endmacro %} + +{% macro server_block_http(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%} + server { + listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %}; + {{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }} + {{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }} + } +{%- endmacro %} + +{% macro server_block_https(site, port=443, default=False, server_name=None, sites=None, dns_multitenant=False) -%} + server { + listen {{ site.ssl_port if not default and site.ssl_port else port }} {% if default %} default {% endif %}; + {{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }} + + ssl on; + ssl_certificate {{ site.ssl_certificate }}; + ssl_certificate_key {{ site.ssl_certificate_key }}; + ssl_session_timeout 5m; + ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + ssl_prefer_server_ciphers on; + + {{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }} } {%- endmacro %} {% for site in sites %} {% if site.port %} -{{ server_block(site) }} +{{ server_block_http(site) }} +{% endif 
%} + +{% if site.ssl_certificate_key and site.ssl_certificate %} +{{ server_block_https(site) }} {% endif %} {% endfor %} {% if default_site %} -{{ server_block(default_site, default=True, server_name="frappe_default_site") }} +{{ server_block_http(default_site, default=True, server_name="frappe_default_site") }} {% endif %} {% if dns_multitenant and sites %} -{{ server_block(None, default=False, sites=sites, dns_multitenant=True) }} +{{ server_block_http(None, default=False, sites=sites, dns_multitenant=True) }} {% endif %} From 17f7aa0b7259379911359bc5a13620b2f027f3a0 Mon Sep 17 00:00:00 2001 From: Pratik Vyas Date: Wed, 26 Nov 2014 00:09:35 +0530 Subject: [PATCH 2/4] add --bench-branch to easy install script --- install_scripts/setup_frappe.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/install_scripts/setup_frappe.sh b/install_scripts/setup_frappe.sh index f5128249..5520db7c 100644 --- a/install_scripts/setup_frappe.sh +++ b/install_scripts/setup_frappe.sh @@ -25,6 +25,7 @@ set_opts () { VERBOSE=false HELP=false FRAPPE_USER=false + BENCH_BRANCH="master" FRAPPE_USER_PASS=`get_passwd` MSQ_PASS=`get_passwd` ADMIN_PASS=`get_passwd` @@ -37,6 +38,7 @@ set_opts () { --mysql-root-password ) MSQ_PASS="$2"; shift; shift ;; --frappe-user ) FRAPPE_USER="$2"; shift; shift ;; --setup-production ) SETUP_PROD=true; shift;; + --bench-branch ) BENCH_BRANCH="$2"; shift;; -- ) shift; break ;; * ) break ;; esac @@ -298,7 +300,7 @@ setup_debconf() { } install_bench() { - run_cmd sudo su $FRAPPE_USER -c "cd /home/$FRAPPE_USER && git clone https://github.com/frappe/bench bench-repo" + run_cmd sudo su $FRAPPE_USER -c "cd /home/$FRAPPE_USER && git clone https://github.com/frappe/bench --branch $BENCH_BRANCH bench-repo" if hash pip-2.7 &> /dev/null; then PIP="pip-2.7" elif hash pip2.7 &> /dev/null; then From 235e8508febd483b53cc7daa5d91df87c62da3c4 Mon Sep 17 00:00:00 2001 
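Review bot: The `ssl_ciphers` string in `server_block_https` still enables RC4 (`EECDH+aRSA+RC4` and the bare `RC4` entry), a stream cipher with known statistical biases, and the later `remove SSLv3 #poodle` hunk in this series does not touch it; removing those two entries and adding `!RC4` to the exclusion list keeps the rest of the preference order intact. `ssl on;` is the older form: the `ssl` parameter on the listen line (`listen {{ site.ssl_port if not default and site.ssl_port else port }} ssl {% if default %} default {% endif %};`) is what nginx documents for mixed http/https servers and lets the directive be dropped. An `ssl_session_cache shared:SSL:10m;` beside `ssl_session_timeout 5m;` would give the timeout a server-side cache to apply to; as written nginx falls back to its default, which has no shared cache. The `{% for site in sites %}` loop and the remaining macro calls at the end of the hunk are fully visible.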
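Review bot: `--bench-branch ) BENCH_BRANCH="$2"; shift;;` shifts only once, unlike the value-taking options above it (`--frappe-user ) FRAPPE_USER="$2"; shift; shift ;;`), so after the option is consumed its value is left in `$1`, falls into the `* ) break ;;` arm and silently ends option parsing for anything that follows; the line should read `--bench-branch ) BENCH_BRANCH="$2"; shift; shift ;;`. The `set_opts` function continues outside the hunk.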
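Review bot: `$BENCH_BRANCH` is interpolated unquoted into the double-quoted command string that `su -c` hands to a second shell, so a branch name containing spaces or shell metacharacters is re-split and re-interpreted there rather than reaching `git clone --branch` as one argument. Writing it as `--branch '$BENCH_BRANCH'` (the outer shell expands it, the inner shell sees a single-quoted literal) handles everything except an embedded single quote; the value comes from the operator's own command line, so this is a robustness point rather than an exposure. `install_bench` continues past the end of the hunk.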
From: Pratik Vyas Date: Wed, 26 Nov 2014 00:18:15 +0530 Subject: [PATCH 3/4] remove SSLv3 #poodle --- bench/templates/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bench/templates/nginx.conf b/bench/templates/nginx.conf index 68489917..33d56ea5 100644 --- a/bench/templates/nginx.conf +++ b/bench/templates/nginx.conf @@ -63,7 +63,7 @@ upstream frappe { ssl_certificate {{ site.ssl_certificate }}; ssl_certificate_key {{ site.ssl_certificate_key }}; ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; ssl_prefer_server_ciphers on; From dd36e4f700aceceda675ac85218c87018126ac32 Mon Sep 17 00:00:00 2001 From: Pratik Vyas Date: Wed, 26 Nov 2014 11:19:01 +0530 Subject: [PATCH 4/4] add cli for ssl --- bench/cli.py | 18 +++++++++++++++++- bench/utils.py | 14 +++++++++++++- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/bench/cli.py b/bench/cli.py index 0ec8bdf5..fa843192 100644 --- a/bench/cli.py +++ b/bench/cli.py @@ -13,7 +13,7 @@ from .utils import set_default_site as _set_default_site from .utils import (build_assets, patch_sites, exec_cmd, update_bench, get_frappe, setup_logging, get_config, update_config, restart_supervisor_processes, put_config, default_config, update_requirements, backup_all_sites, backup_site, get_sites, prime_wheel_cache, is_root, set_mariadb_host, drop_privileges, - fix_file_perms) + fix_file_perms, set_ssl_certificate, set_ssl_certificate_key) from .app import get_app as _get_app from .app import new_app as _new_app from .app import pull_all_apps 
@@ -213,6 +213,20 @@ def set_nginx_port(site, port): "Set nginx port for site" _set_nginx_port(site, port) +@click.command('set-ssl-certificate') +@click.argument('site') +@click.argument('ssl-certificate-path') +def _set_ssl_certificate(site, ssl_certificate_path): + "Set ssl certificate path for site" + set_ssl_certificate(site, ssl_certificate_path) + +@click.command('set-ssl-key') +@click.argument('site') +@click.argument('ssl-certificate-key-path') +def _set_ssl_certificate_key(site, ssl_certificate_key_path): + "Set ssl certificate private key path for site" + set_ssl_certificate_key(site, ssl_certificate_key_path) + @click.command('set-url-root') @click.argument('site') @click.argument('url-root') @@ -422,6 +436,8 @@ bench.add_command(restart) bench.add_command(config) bench.add_command(start) bench.add_command(set_nginx_port) +bench.add_command(_set_ssl_certificate) +bench.add_command(_set_ssl_certificate_key) bench.add_command(_set_mariadb_host) bench.add_command(set_default_site) bench.add_command(migrate_3to4) diff --git a/bench/utils.py b/bench/utils.py index ea114694..6ba9e2e7 100644 --- a/bench/utils.py +++ b/bench/utils.py 
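Review bot: The two new commands invert the naming used by `set_nginx_port` directly above them, where the click command carries the plain name and the utils function is imported as `_set_nginx_port` (see this commit's import hunk); here the utils functions are imported plainly and the commands take the underscore, so `bench.add_command(_set_ssl_certificate)` in the later hunk registers a private-looking name. Importing `from .utils import set_ssl_certificate as _set_ssl_certificate` (and likewise `set_ssl_certificate_key as _set_ssl_certificate_key`) and naming the commands `set_ssl_certificate` / `set_ssl_certificate_key` would keep one convention across the file.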
@@ -236,10 +236,22 @@ def update_site_config(site, new_config, bench='.'): put_site_config(site, config, bench=bench) def set_nginx_port(site, port, bench='.', gen_config=True): + set_site_config_nginx_property(site, {"nginx_port": port}, bench=bench) + +def set_ssl_certificate(site, ssl_certificate, bench='.', gen_config=True): + set_site_config_nginx_property(site, {"ssl_certificate": ssl_certificate}, bench=bench) + +def set_ssl_certificate_key(site, ssl_certificate_key, bench='.', gen_config=True): + set_site_config_nginx_property(site, {"ssl_certificate_key": ssl_certificate_key}, bench=bench) + +def set_nginx_port(site, port, bench='.', gen_config=True): + set_site_config_nginx_property(site, {"nginx_port": port}, bench=bench) + +def set_site_config_nginx_property(site, config, bench='.', gen_config=True): from .config import generate_nginx_config if site not in get_sites(bench=bench): raise Exception("No such site") - update_site_config(site, {"nginx_port": port}, bench=bench) + update_site_config(site, config, bench=bench) if gen_config: generate_nginx_config()
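Review bot: `gen_config` is accepted by `set_ssl_certificate`, `set_ssl_certificate_key` and both `set_nginx_port` definitions but never forwarded to `set_site_config_nginx_property`, so a caller passing `gen_config=False` still triggers `generate_nginx_config()`. `set_nginx_port` is also defined twice in the hunk with identical bodies; the second definition silently replaces the first and one of them should go. Because the stored paths are dropped straight into the generated `ssl_certificate` / `ssl_certificate_key` directives, an `os.path.isfile` check in the two ssl setters would turn a mistyped path into an immediate error rather than a failed nginx reload later (whether `os` is already imported in utils.py is not visible here). `set_site_config_nginx_property` is fully visible, but `update_site_config` above it starts outside the hunk.
```python
def set_nginx_port(site, port, bench='.', gen_config=True):
    set_site_config_nginx_property(site, {"nginx_port": port}, bench=bench, gen_config=gen_config)

def set_ssl_certificate(site, ssl_certificate, bench='.', gen_config=True):
    set_site_config_nginx_property(site, {"ssl_certificate": ssl_certificate}, bench=bench, gen_config=gen_config)

def set_ssl_certificate_key(site, ssl_certificate_key, bench='.', gen_config=True):
    set_site_config_nginx_property(site, {"ssl_certificate_key": ssl_certificate_key}, bench=bench, gen_config=gen_config)

# … unchanged: set_site_config_nginx_property …
```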