Merge pull request #83 from frappe/nginx-https

Nginx https
2024-09-23 04:29:02 +00:00 · 2014-11-26 11:48:46 +05:30 · 2014-11-26 11:48:46 +05:30 · 9c72d0a552
commit 9c72d0a552
parent 59eb9fd9b3 dd36e4f700
5 changed files with 84 additions and 19 deletions
--- a/bench/cli.py
+++ b/bench/cli.py
@ -13,7 +13,7 @@ from .utils import set_default_site as _set_default_site
 from .utils import (build_assets, patch_sites, exec_cmd, update_bench, get_frappe, setup_logging,
 					get_config, update_config, restart_supervisor_processes, put_config, default_config, update_requirements,
 					backup_all_sites, backup_site, get_sites, prime_wheel_cache, is_root, set_mariadb_host, drop_privileges,
-					fix_file_perms)
+					fix_file_perms, set_ssl_certificate, set_ssl_certificate_key)
 from .app import get_app as _get_app
 from .app import new_app as _new_app
 from .app import pull_all_apps
@ -213,6 +213,20 @@ def set_nginx_port(site, port):
 	"Set nginx port for site"
 	_set_nginx_port(site, port)

+@click.command('set-ssl-certificate')
+@click.argument('site')
+@click.argument('ssl-certificate-path')
+def _set_ssl_certificate(site, ssl_certificate_path):
+	"Set ssl certificate path for site"
+	set_ssl_certificate(site, ssl_certificate_path)
+
+@click.command('set-ssl-key')
+@click.argument('site')
+@click.argument('ssl-certificate-key-path')
+def _set_ssl_certificate_key(site, ssl_certificate_key_path):
+	"Set ssl certificate private key path for site"
+	set_ssl_certificate_key(site, ssl_certificate_key_path)
+
@click.command('set-url-root')
@click.argument('site')
@click.argument('url-root')
@ -422,6 +436,8 @@ bench.add_command(restart)
 bench.add_command(config)
 bench.add_command(start)
 bench.add_command(set_nginx_port)
+bench.add_command(_set_ssl_certificate)
+bench.add_command(_set_ssl_certificate_key)
 bench.add_command(_set_mariadb_host)
 bench.add_command(set_default_site)
 bench.add_command(migrate_3to4)
--- a/bench/config.py
+++ b/bench/config.py
@ -31,10 +31,16 @@ def get_site_config(site, bench='.'):

 def get_sites_with_config(bench='.'):
 	sites = get_sites()
-	return [{
+	ret = []
+	for site in sites:
+		site_config = get_site_config(site, bench=bench)
+		ret.append({
 			"name": site,
-		"port": get_site_config(site, bench=bench).get('nginx_port')
-	} for site in sites]
+			"port": site_config.get('nginx_port'),
+			"ssl_certificate": site_config.get('ssl_certificate'),
+			"ssl_certificate_key": site_config.get('ssl_certificate_key')
+		})
+	return ret

 def generate_nginx_config(bench='.'):
 	template = env.get_template('nginx.conf')
--- a/bench/templates/nginx.conf
+++ b/bench/templates/nginx.conf
@ -5,15 +5,7 @@ upstream frappe {
    server 127.0.0.1:8000 fail_timeout=0;
 }

-{% macro server_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
-	server {
-		listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %};
-		client_max_body_size 4G;
-		{% if dns_multitenant and sites %}
-			server_name {% for site in sites %} {{ site.name }} {% endfor %};
-		{% else %}
-			server_name {{ site.name if not server_name else server_name }};
-		{% endif %}
+{% macro location_block(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
 		keepalive_timeout 5;
 		sendfile on;
 		root {{ sites_dir }};
@ -43,21 +35,58 @@ upstream frappe {
 			proxy_redirect off;
 			proxy_pass  http://frappe;
 		}
+{%- endmacro %}
+
+{% macro server_name_block(site, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+		client_max_body_size 4G;
+		{% if dns_multitenant and sites %}
+			server_name {% for site in sites %} {{ site.name }} {% endfor %};
+		{% else %}
+			server_name {{ site.name if not server_name else server_name }};
+		{% endif %}
+{%- endmacro %}
+
+{% macro server_block_http(site, port=80, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+	server {
+		listen {{ site.port if not default and site.port else port }} {% if default %} default {% endif %};
+		{{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+		{{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+	}
+{%- endmacro %}
+
+{% macro server_block_https(site, port=443, default=False, server_name=None, sites=None, dns_multitenant=False) -%}
+	server {
+		listen {{ site.ssl_port if not default and site.ssl_port else port }} {% if default %} default {% endif %};
+		{{ server_name_block(site, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
+
+		ssl on;
+		ssl_certificate      {{ site.ssl_certificate }};
+		ssl_certificate_key  {{ site.ssl_certificate_key }};
+		ssl_session_timeout  5m;
+		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+		ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+		ssl_prefer_server_ciphers   on;
+
+		{{ location_block(site, port=port, default=default, server_name=server_name, sites=sites, dns_multitenant=dns_multitenant) }}
 	}
 {%- endmacro %}

 {% for site in sites %}

 {% if site.port %}
-{{ server_block(site) }}
+{{ server_block_http(site) }}
+{% endif %}
+
+{% if site.ssl_certificate_key and site.ssl_certificate %}
+{{ server_block_https(site) }}
 {% endif %}

 {% endfor %}

 {% if default_site %}
-{{ server_block(default_site, default=True, server_name="frappe_default_site") }}
+{{ server_block_http(default_site, default=True, server_name="frappe_default_site") }}
 {% endif %}

 {% if dns_multitenant and sites %}
-{{ server_block(None, default=False, sites=sites, dns_multitenant=True) }}
+{{ server_block_http(None, default=False, sites=sites, dns_multitenant=True) }}
 {% endif %}
--- a/bench/utils.py
+++ b/bench/utils.py
@ -236,10 +236,22 @@ def update_site_config(site, new_config, bench='.'):
 	put_site_config(site, config, bench=bench)

 def set_nginx_port(site, port, bench='.', gen_config=True):
+	set_site_config_nginx_property(site, {"nginx_port": port}, bench=bench)
+
+def set_ssl_certificate(site, ssl_certificate, bench='.', gen_config=True):
+	set_site_config_nginx_property(site, {"ssl_certificate": ssl_certificate}, bench=bench)
+
+def set_ssl_certificate_key(site, ssl_certificate_key, bench='.', gen_config=True):
+	set_site_config_nginx_property(site, {"ssl_certificate_key": ssl_certificate_key}, bench=bench)
+
+def set_nginx_port(site, port, bench='.', gen_config=True):
+	set_site_config_nginx_property(site, {"nginx_port": port}, bench=bench)
+
+def set_site_config_nginx_property(site, config, bench='.', gen_config=True):
 	from .config import generate_nginx_config
 	if site not in get_sites(bench=bench):
 		raise Exception("No such site")
-	update_site_config(site, {"nginx_port": port}, bench=bench)
+	update_site_config(site, config, bench=bench)
 	if gen_config:
 		generate_nginx_config()

--- a/install_scripts/setup_frappe.sh
+++ b/install_scripts/setup_frappe.sh
@ -25,6 +25,7 @@ set_opts () {
 	VERBOSE=false
 	HELP=false
 	FRAPPE_USER=false
+	BENCH_BRANCH="master"
 	FRAPPE_USER_PASS=`get_passwd`
 	MSQ_PASS=`get_passwd`
 	ADMIN_PASS=`get_passwd`
@ -37,6 +38,7 @@ set_opts () {
 	--mysql-root-password ) MSQ_PASS="$2"; shift; shift ;;
 	--frappe-user ) FRAPPE_USER="$2"; shift; shift ;;
 	--setup-production ) SETUP_PROD=true; shift;;
+	--bench-branch ) BENCH_BRANCH="$2"; shift;;
 	-- ) shift; break ;;
 	* ) break ;;
 	esac
@ -298,7 +300,7 @@ setup_debconf() {
 }

 install_bench() {
-	run_cmd sudo su $FRAPPE_USER -c "cd /home/$FRAPPE_USER && git clone https://github.com/frappe/bench bench-repo"
+	run_cmd sudo su $FRAPPE_USER -c "cd /home/$FRAPPE_USER && git clone https://github.com/frappe/bench --branch $BENCH_BRANCH bench-repo"
 	if hash pip-2.7 &> /dev/null; then
 		PIP="pip-2.7"
 	elif hash pip2.7 &> /dev/null; then