[CalendarServer-changes] [14771] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Thu May 7 12:14:38 PDT 2015
Revision: 14771
http://trac.calendarserver.org//changeset/14771
Author: sagen at apple.com
Date: 2015-05-07 12:14:38 -0700 (Thu, 07 May 2015)
Log Message:
-----------
Support two socket files, one for secured requests and a separate one for unsecured requests
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/tap/caldav.py
CalendarServer/trunk/twistedcaldav/stdconfig.py
CalendarServer/trunk/txweb2/channel/http.py
CalendarServer/trunk/txweb2/metafd.py
Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py 2015-05-07 18:57:24 UTC (rev 14770)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py 2015-05-07 19:14:38 UTC (rev 14771)
@@ -1112,7 +1112,7 @@
# Inherit a single socket to receive accept()ed connections via
# recvmsg() and SCM_RIGHTS.
- if config.RequestSocket:
+ if config.UseSocketFiles:
# TLS will be handled by a front-end web proxy
contextFactory = None
else:
@@ -1129,7 +1129,8 @@
contextFactory = None
ReportingHTTPService(
- requestFactory, int(config.MetaFD), contextFactory
+ requestFactory, int(config.MetaFD), contextFactory,
+ usingSocketFile=config.UseSocketFiles
).setServiceParent(connectionService)
else: # Not inheriting, therefore we open our own:
@@ -1754,11 +1755,17 @@
s._inheritedSockets = []
dispatcher = None
- if config.RequestSocket:
- # Requests will arrive via Unix domain socket file
- cl.addSocketFileService(
- "TCP", config.RequestSocket, config.ListenBacklog
- )
+ if config.UseSocketFiles:
+ if config.SecuredRequestsSocket:
+ # TLS-secured requests will arrive via this Unix domain socket file
+ cl.addSocketFileService(
+ "SSL", config.SecuredRequestsSocket, config.ListenBacklog
+ )
+ if config.UnsecuredRequestsSocket:
+ # Unsecured requests will arrive via this Unix domain socket file
+ cl.addSocketFileService(
+ "TCP", config.UnsecuredRequestsSocket, config.ListenBacklog
+ )
else:
for bindAddress in self._allBindAddresses():
Modified: CalendarServer/trunk/twistedcaldav/stdconfig.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/stdconfig.py 2015-05-07 18:57:24 UTC (rev 14770)
+++ CalendarServer/trunk/twistedcaldav/stdconfig.py 2015-05-07 19:14:38 UTC (rev 14771)
@@ -174,8 +174,9 @@
# This configures the actual network address that the server binds to.
#
- "RequestSocket": "", # Socket file to listen for requests on; if set, the
- # server will not bind to any TCP ports
+ "UseSocketFiles" : False, # If True, server won't bind to any TCP sockets
+ "SecuredRequestsSocket": "", # Socket file to listen for secure requests on
+ "UnsecuredRequestsSocket": "", # Socket file to listen for insecure requests on
"BindAddresses": [], # List of IP addresses to bind to [empty = all]
"BindHTTPPorts": [], # List of port numbers to bind to for HTTP
Modified: CalendarServer/trunk/txweb2/channel/http.py
===================================================================
--- CalendarServer/trunk/txweb2/channel/http.py 2015-05-07 18:57:24 UTC (rev 14770)
+++ CalendarServer/trunk/txweb2/channel/http.py 2015-05-07 19:14:38 UTC (rev 14771)
@@ -99,6 +99,7 @@
"https://%s:%d%s"
% (config.ServerHostName, config.SSLPort, self.uri)
)
+ log.debug("Redirecting unsecured request")
return super(SSLRedirectRequest, self).writeResponse(
RedirectResponse(location)
)
Modified: CalendarServer/trunk/txweb2/metafd.py
===================================================================
--- CalendarServer/trunk/txweb2/metafd.py 2015-05-07 18:57:24 UTC (rev 14770)
+++ CalendarServer/trunk/txweb2/metafd.py 2015-05-07 19:14:38 UTC (rev 14771)
@@ -21,7 +21,8 @@
"""
from __future__ import print_function
-from zope.interface import implementer
+from zope.interface import implementer, directlyProvides
+from twisted.internet.interfaces import ISSLTransport
from twext.internet.sendfdport import (
InheritedPort, InheritedSocketDispatcher, InheritingProtocolFactory,
@@ -70,13 +71,18 @@
_connectionCount = 0
- def __init__(self, site, fd, contextFactory):
+ def __init__(self, site, fd, contextFactory, usingSocketFile=False):
self.contextFactory = contextFactory
# Unlike other 'factory' constructions, config.MaxRequests and
# config.MaxAccepts are dealt with in the master process, so we don't
# need to propagate them here.
self.site = site
self.fd = fd
+ # When usingSocketFile is True, any TLS will be handled by a proxy in
+ # front of us. When the master passes us an "SSL"-tagged request,
+ # we'll tweak the transport object enough to appear secure without
+ # actually doing startTLS ourselves.
+ self.usingSocketFile = usingSocketFile
def startService(self):
@@ -116,7 +122,13 @@
transport = Server(skt, protocol, peer, JustEnoughLikeAPort,
self._connectionCount, reactor)
if data == 'SSL':
- transport.startTLS(self.contextFactory)
+ if self.usingSocketFile:
+ # Mark the transport as "secure", enough for getHostInfo() to
+ # think so
+ transport.getPeerCertificate = lambda _ : None
+ directlyProvides(transport, ISSLTransport)
+ else:
+ transport.startTLS(self.contextFactory)
transport.startReading()
return transport
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20150507/6f73ddf9/attachment.html>
More information about the calendarserver-changes
mailing list