[CalendarServer-users] MacPorts port of calendarserver
Steven Smith
steve.t.smith at gmail.com
Fri Aug 9 03:21:10 PDT 2019
Thanks for your comments.
For TLS and the reverse proxy, I’m referring to three things:
1. I do not see how to enable or configure TLSv1.2 or 1.3 in the ccs-calendarserver configuration code. See, for example, the default configuration plist and the associated Python code:
<!-- SSL method: SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD -->
<key>SSLMethod</key>
<string>SSLv23_METHOD</string>
https://github.com/apple/ccs-calendarserver/blob/15561ced74a7a45cfffa0610201b43179f6afa5c/contrib/conf/calendarserver.plist#L53-L55
2. I do not see how to specify Diffie-Hellman parameters for PFS. A search through the code doesn’t yield any hits, and it doesn’t appear to be a configuration key:
https://github.com/apple/ccs-calendarserver/search?q=dhparam&unscoped_q=dhparam <https://github.com/apple/ccs-calendarserver/search?q=dhparam&unscoped_q=dhparam>
3. In my own Server.app version 3.7, Apache was used as a reverse proxy for Calendar and Contacts Server. I do not know what went into this design decision, but I inferred that this is related to configuring a central web server for Server.app that also provides the benefits of a reverse proxy.
Because of the issues mentioned above, I configured an nginx reverse proxy for a MacPorts port of Calendar and Contacts Server. Here’s the nginx.conf:
https://github.com/macports/macports-ports/pull/4978/files#diff-ec7e62c591a23b72c54b4eb10b089440
Yes, “isolate” is too strong for a reverse proxy (should say “help isolate”), but they do have several benefits, which may or may not also be a part of the ccs-calendarserver backend: mod_security, rate limiting, routing through a single exposed http/https port, and the like. I don’t know how to do any of this with the ccs-calendarserver code, but a lot of reasonable features like these are used in Server.app’s apache2 .conf files in its reverse proxy design.
If there’s a way to configure ccs-calendarserver to use native twisted capabilities, that would be good to have a for simplified setup without using an nginx front-end.
I also see that Twisted has already migrated to python3—ccs-calendarserver is still on Python 2.7 which is EOL in four months!—so python3 migration could be part of this.
Should ccs-calendarserver’s Twisted TLS config be raised as an issue at https://github.com/apple/ccs-calendarserver/issues <https://github.com/apple/ccs-calendarserver/issues> ?
> On Aug 8, 2019, at 11:31 PM, Glyph <glyph at twistedmatrix.com> wrote:
>
>
>
>> On Aug 8, 2019, at 4:33 AM, Steven Smith <steve.t.smith at gmail.com <mailto:steve.t.smith at gmail.com>> wrote:
>>
>> This port is completely independent of Server.app, and uses an nginx reverse proxy for modern crypto and to isolate the backend server. I have it deployed and it’s working well.
>
> What 'modern crypto' are you referring to? Twisted (upon which CalendarServer is based) ought to be able to get an A+ on SSLLabs and use all the most modern ciphersuites (including TLS 1.3). I'm not up on CalendarServer's configuration these days, but it should be possible to adjust it to be as fancy and modern as it needs to be...
>
> (I'm not sure what you mean by "isolating" the server?)
>
> -glyph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-users/attachments/20190809/89d93528/attachment.html>
More information about the calendarserver-users
mailing list