[CalendarServer-changes] [15673] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Tue Jun 14 19:12:33 PDT 2016
Revision: 15673
http://trac.calendarserver.org//changeset/15673
Author: sagen at apple.com
Date: 2016-06-14 19:12:33 -0700 (Tue, 14 Jun 2016)
Log Message:
-----------
When behind a TLS proxy, you no longer need EnableSSL=True; you can use BehindTLSProxy=True instead.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/provision/root.py
CalendarServer/trunk/calendarserver/push/notifier.py
CalendarServer/trunk/calendarserver/push/test/test_notifier.py
CalendarServer/trunk/calendarserver/tap/caldav.py
CalendarServer/trunk/calendarserver/tap/util.py
CalendarServer/trunk/calendarserver/tools/config.py
CalendarServer/trunk/calendarserver/tools/notifications.py
CalendarServer/trunk/conf/caldavd-apple.plist
CalendarServer/trunk/conf/caldavd-stdconfig.plist
CalendarServer/trunk/twistedcaldav/stdconfig.py
CalendarServer/trunk/txdav/who/vcard.py
CalendarServer/trunk/txweb2/server.py
Modified: CalendarServer/trunk/calendarserver/provision/root.py
===================================================================
--- CalendarServer/trunk/calendarserver/provision/root.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/provision/root.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -287,7 +287,7 @@
"x-forwarded-host",
[config.ServerHostName]
)[-1].split(",")[-1].strip()
- port = 443 if config.EnableSSL else 80
+ port = 443 if (config.EnableSSL or config.BehindTLSProxy) else 80
scheme = "https" if config.EnableSSL else "http"
response = RedirectResponse(
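Review bot: The `scheme` line directly below the changed `port` line still tests only `config.EnableSSL`, so with `EnableSSL=False` and `BehindTLSProxy=True` this redirect combines port 443 with scheme `http`. That sends the client to a cleartext URL on the TLS port instead of to the proxy's HTTPS endpoint. The scheme should use the same condition: `scheme = "https" if (config.EnableSSL or config.BehindTLSProxy) else "http"`. The enclosing function starts before this hunk and the `RedirectResponse(` call continues past it, so how `scheme` and `port` are combined is inferred from their names.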
Modified: CalendarServer/trunk/calendarserver/push/notifier.py
===================================================================
--- CalendarServer/trunk/calendarserver/push/notifier.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/push/notifier.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -230,7 +230,7 @@
if applePushSettings.Enabled:
settings = {}
settings["APSBundleID"] = applePushSettings[protocol]["Topic"]
- if config.EnableSSL:
+ if config.EnableSSL or config.BehindTLSProxy:
url = "https://%s:%s/%s" % (
config.ServerHostName, config.SSLPort,
applePushSettings.SubscriptionURL)
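Review bot: The expression `config.EnableSSL or config.BehindTLSProxy` is repeated by hand here and in tap/caldav.py, tap/util.py, tools/notifications.py, txdav/who/vcard.py and txweb2/server.py, and one site was already missed (the `scheme` line in provision/root.py). A single derived value computed once when the config is loaded would keep every URL builder in agreement on whether clients are served over TLS; the name is up to the project, for example `usesTLS = config.EnableSSL or config.BehindTLSProxy`. This hunk itself looks correct, and the `else` branch of the `if` lies outside it.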
Modified: CalendarServer/trunk/calendarserver/push/test/test_notifier.py
===================================================================
--- CalendarServer/trunk/calendarserver/push/test/test_notifier.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/push/test/test_notifier.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -58,6 +58,7 @@
def test_getPubSubAPSConfiguration(self):
config = ConfigDict({
"EnableSSL" : True,
+ "BehindTLSProxy" : False,
"ServerHostName" : "calendars.example.com",
"SSLPort" : 8443,
"HTTPPort" : 8008,
@@ -75,6 +76,7 @@
},
},
})
+
result = getPubSubAPSConfiguration(("CalDAV", "foo",), config)
self.assertEquals(
result,
@@ -85,9 +87,81 @@
"APSEnvironment": "prod"
}
)
+ config = ConfigDict({
+ "EnableSSL" : False,
+ "BehindTLSProxy" : True,
+ "ServerHostName" : "calendars.example.com",
+ "SSLPort" : 8443,
+ "HTTPPort" : 8008,
+ "Notifications" : {
+ "Services" : {
+ "APNS" : {
+ "CalDAV" : {
+ "Topic" : "test topic",
+ },
+ "SubscriptionRefreshIntervalSeconds" : 42,
+ "SubscriptionURL" : "apns",
+ "Environment" : "prod",
+ "Enabled" : True,
+ },
+ },
+ },
+ })
+ result = getPubSubAPSConfiguration(("CalDAV", "foo",), config)
+ self.assertEquals(
+ result,
+ {
+ "SubscriptionRefreshIntervalSeconds": 42,
+ "SubscriptionURL": "https://calendars.example.com:8443/apns",
+ "APSBundleID": "test topic",
+ "APSEnvironment": "prod"
+ }
+ )
+ result = getPubSubAPSConfiguration(("CalDAV", "foo",), config)
+ self.assertEquals(
+ result,
+ {
+ "SubscriptionRefreshIntervalSeconds": 42,
+ "SubscriptionURL": "https://calendars.example.com:8443/apns",
+ "APSBundleID": "test topic",
+ "APSEnvironment": "prod"
+ }
+ )
+ config = ConfigDict({
+ "EnableSSL" : False,
+ "BehindTLSProxy" : False,
+ "ServerHostName" : "calendars.example.com",
+ "SSLPort" : 8443,
+ "HTTPPort" : 8008,
+ "Notifications" : {
+ "Services" : {
+ "APNS" : {
+ "CalDAV" : {
+ "Topic" : "test topic",
+ },
+ "SubscriptionRefreshIntervalSeconds" : 42,
+ "SubscriptionURL" : "apns",
+ "Environment" : "prod",
+ "Enabled" : True,
+ },
+ },
+ },
+ })
+ result = getPubSubAPSConfiguration(("CalDAV", "foo",), config)
+ self.assertEquals(
+ result,
+ {
+ "SubscriptionRefreshIntervalSeconds": 42,
+ "SubscriptionURL": "http://calendars.example.com:8008/apns",
+ "APSBundleID": "test topic",
+ "APSEnvironment": "prod"
+ }
+ )
+
+
class StubDistributor(object):
def __init__(self):
self.reset()
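Review bot: The `BehindTLSProxy=True` case is exercised twice in a row: the second `result = getPubSubAPSConfiguration(("CalDAV", "foo",), config)` call and its `assertEquals` block repeat the first with the same config and the same expected dict, so one copy can be deleted. The three `ConfigDict` literals differ only in `EnableSSL` and `BehindTLSProxy`; building them from one base dict would make the varied flags obvious. A case with both flags true is not covered. The test method begins in an earlier hunk of this file.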
Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -1060,12 +1060,13 @@
# Need to cache SSL port info here so we can access it in a Request to
# deal with the possibility of being behind an SSL decoder
underlyingSite.EnableSSL = config.EnableSSL
+ underlyingSite.BehindTLSProxy = config.BehindTLSProxy
underlyingSite.SSLPort = config.SSLPort
underlyingSite.BindSSLPorts = config.BindSSLPorts
requestFactory = underlyingSite
- if config.EnableSSL and config.RedirectHTTPToHTTPS:
+ if (config.EnableSSL or config.BehindTLSProxy) and config.RedirectHTTPToHTTPS:
self.log.info(
"Redirecting to HTTPS port {port}", port=config.SSLPort
)
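Review bot: Enabling the HTTP-to-HTTPS redirect when only `BehindTLSProxy` is set means this process, which then receives the proxy's traffic over plain HTTP, must recognise forwarded requests as already secure, or they would be redirected back to `config.SSLPort` again. That recognition is not visible in this hunk, so it is worth confirming and stating here. The existing comment also still says "SSL decoder" and describes caching "SSL port info" only. I would extend it with something like `# With BehindTLSProxy the proxy owns SSLPort; requests it forwards arrive on the HTTP port and must not be redirected again`. The surrounding method starts and ends outside the hunk.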
Modified: CalendarServer/trunk/calendarserver/tap/util.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/util.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/tap/util.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -286,7 +286,7 @@
if quota == 0:
quota = None
if txnFactory is not None:
- if config.EnableSSL:
+ if config.EnableSSL or config.BehindTLSProxy:
uri = "https://{config.ServerHostName}:{config.SSLPort}".format(config=config)
else:
uri = "https://{config.ServerHostName}:{config.HTTPPort}".format(config=config)
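Review bot: The `else` branch under the changed condition still builds an `https://` URI with `config.HTTPPort`, so when neither `EnableSSL` nor `BehindTLSProxy` is set the URI names a TLS scheme on the cleartext port. Unless that is intentional for whatever consumes `uri` (not visible in this hunk), the branch should read `uri = "http://{config.ServerHostName}:{config.HTTPPort}".format(config=config)`. The enclosing function extends beyond the hunk on both sides.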
@@ -586,7 +586,7 @@
(config.Scheduling.iSchedule.Enabled, "ischedule", "/ischedule"),
):
if enabled:
- if config.EnableSSL:
+ if config.EnableSSL or config.BehindTLSProxy:
scheme = "https"
port = config.SSLPort
else:
Modified: CalendarServer/trunk/calendarserver/tools/config.py
===================================================================
--- CalendarServer/trunk/calendarserver/tools/config.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/tools/config.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -51,6 +51,7 @@
"Authentication.Kerberos.AllowedOverWireUnencrypted",
"Authentication.Kerberos.Enabled",
"Authentication.Wiki.Enabled",
+ "BehindTLSProxy",
"DefaultLogLevel",
"DirectoryAddressBook.params.queryPeopleRecords",
"DirectoryAddressBook.params.queryUserRecords",
Modified: CalendarServer/trunk/calendarserver/tools/notifications.py
===================================================================
--- CalendarServer/trunk/calendarserver/tools/notifications.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/calendarserver/tools/notifications.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -130,7 +130,7 @@
print("Error in configuration: %s" % (e,))
sys.exit(1)
- useSSL = config.EnableSSL
+ useSSL = config.EnableSSL or config.BehindTLSProxy
host = config.ServerHostName
port = config.SSLPort if useSSL else config.HTTPPort
Modified: CalendarServer/trunk/conf/caldavd-apple.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-apple.plist 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/conf/caldavd-apple.plist 2016-06-15 02:12:33 UTC (rev 15673)
@@ -59,20 +59,22 @@
<key>HTTPPort</key>
<integer>80</integer>
- <!-- SSL port -->
- <!-- (Must also configure SSLCertificate and SSLPrivateKey below) -->
+ <!-- SSL port the front end proxy is listening on -->
<key>SSLPort</key>
<integer>443</integer>
- <!-- Enable listening on SSL port(s) -->
+ <!-- Disable listening on SSL port(s), the proxy will handle it -->
<key>EnableSSL</key>
+ <false/>
+
+ <!-- We're behind a proxy -->
+ <key>BehindTLSProxy</key>
<true/>
<!-- Redirect non-SSL ports to an SSL port (if configured for SSL) -->
<key>RedirectHTTPToHTTPS</key>
<true/>
-
<!--
Network address configuration information
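Review bot: With `EnableSSL` now `false` in this shipped configuration, the service accepts cleartext HTTP on `HTTPPort` 80 and relies entirely on the front-end proxy for TLS, but the new comment `We're behind a proxy` does not say that. The port then has to be reachable only from the proxy, and whether the network address settings that follow enforce that is not visible here. I would spell the requirement out, e.g. `<!-- TLS is terminated by the front-end proxy; HTTPPort must only be reachable from that proxy -->`. The comment on `RedirectHTTPToHTTPS`, "(if configured for SSL)", is also stale now that the redirect applies with `BehindTLSProxy` as well.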
Modified: CalendarServer/trunk/conf/caldavd-stdconfig.plist
===================================================================
--- CalendarServer/trunk/conf/caldavd-stdconfig.plist 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/conf/caldavd-stdconfig.plist 2016-06-15 02:12:33 UTC (rev 15673)
@@ -43,6 +43,10 @@
<key>EnableSSL</key>
<false/>
+ <!-- Whether the service is offloading TLS duty to a proxy -->
+ <key>BehindTLSProxy</key>
+ <false/>
+
<!-- If True, all nonSSL requests redirected to an SSL Port -->
<key>RedirectHTTPToHTTPS</key>
<false/>
Modified: CalendarServer/trunk/twistedcaldav/stdconfig.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/stdconfig.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/twistedcaldav/stdconfig.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -165,6 +165,7 @@
"HTTPPort": 0, # HTTP port (0 to disable HTTP)
"SSLPort": 0, # SSL port (0 to disable HTTPS)
"EnableSSL": False, # Whether to listen on SSL port(s)
+ "BehindTLSProxy": False, # Whether the service is offloading TLS duty to a proxy
"RedirectHTTPToHTTPS": False, # If True, all nonSSL requests redirected to an SSL Port
"SSLMethod": "SSLv23_METHOD", # SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD
"SSLCiphers": "RC4-SHA:HIGH:!ADH",
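Review bot: `BehindTLSProxy` is added next to `"SSLPort": 0`, and several changed call sites (push/notifier.py, tap/util.py, tools/notifications.py) format `config.SSLPort` into an `https://` URL without checking that it is non-zero; only txdav/who/vcard.py guards with `and config.SSLPort`. Setting `BehindTLSProxy=True` while leaving `SSLPort` at its default would therefore advertise port 0. The comment should state the dependency, e.g. `# TLS is terminated by a front-end proxy; SSLPort must be set to the proxy's public port`, and a config-load check rejecting `BehindTLSProxy` with `SSLPort == 0` would catch the misconfiguration early. Separately, the context line `SSLCiphers` still lists `RC4-SHA` first, which deserves its own follow-up.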
Modified: CalendarServer/trunk/txdav/who/vcard.py
===================================================================
--- CalendarServer/trunk/txdav/who/vcard.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/txdav/who/vcard.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -141,7 +141,7 @@
uri = joinURL(parentURI, record.fields[FieldName.uid].encode("utf-8") + ".vcf")
# seems like this should be in some standard place.
- if config.EnableSSL and config.SSLPort:
+ if (config.EnableSSL or config.BehindTLSProxy) and config.SSLPort:
if config.SSLPort == 443:
source = "https://{server}{uri}".format(server=config.ServerHostName, uri=uri)
else:
Modified: CalendarServer/trunk/txweb2/server.py
===================================================================
--- CalendarServer/trunk/txweb2/server.py 2016-06-14 22:39:26 UTC (rev 15672)
+++ CalendarServer/trunk/txweb2/server.py 2016-06-15 02:12:33 UTC (rev 15673)
@@ -347,8 +347,10 @@
@rtype: C{bool}
"""
- # from twistedcaldav.config import config
- if hasattr(self.site, "EnableSSL") and self.site.EnableSSL:
+ if (
+ (hasattr(self.site, "EnableSSL") and self.site.EnableSSL) or
+ (hasattr(self.site, "BehindTLSProxy") and self.site.BehindTLSProxy)
+ ):
if port == self.site.SSLPort:
return True
elif port in self.site.BindSSLPorts:
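Review bot: With `BehindTLSProxy` set, a `True` result no longer means this process terminated TLS on `port`; it only means the port number equals the proxy's `SSLPort`, and the docstring should say so. Where `port` comes from is outside this hunk; if it is derived from request headers, the answer is only as trustworthy as the guarantee that nothing but the proxy can reach the backend port. I would add a comment such as `# BehindTLSProxy: SSLPort is the proxy's port; we trust the proxy to have terminated TLS`. The paired `hasattr(...) and ...` tests can be written as `getattr(self.site, "EnableSSL", False) or getattr(self.site, "BehindTLSProxy", False)`.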