upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-06-04 14:26:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
certbot/certbot-nginx/certbot_nginx/_internal/constants.py

78 lines
3.2 KiB
Python
Raw Permalink Normal View History

merge github/letsencrypt/master
2015-04-22 05:16:13 -04:00
"""nginx plugin constants."""
Update constants.py On FreeBSD or MacOS, "certbot --nginx" fails. The reason is, at these op. systems, nginx directory is different than linux.
2018-04-12 19:33:10 -04:00
import platform
Deprecate acme.typing_magic module, stop using it in certbot (#8643) * Deprecate acme.magic_typing, stop to use it in certbot * Isort * Add a changelog entry Co-authored-by: Brad Warren <bmw@users.noreply.github.com>
2021-03-09 19:12:32 -05:00
from typing import Any
from typing import Dict
nginx: add --nginx-sleep-seconds (#8163) * nginx: add --nginx-sleep-seconds As described in #7422, reloading nginx is an asynchronous process and Certbot does not know when it is complete. In an environment where this reload takes a long time, the nginx plugin suffers from an issue where it responds to and fails the ACME challenge before the nginx server is ready to serve it. Following the discussion in a previous PR #7740, this commit introduces a new flag, --nginx-sleep-seconds, which may be used to increase the duration that Certbot will wait for nginx to reload, from its previously hard-coded value of 1s. Fixes #7422 * update CHANGELOG * nginx: update docstring for nginx_restart
2020-07-27 15:52:12 -04:00
Show both possible Nginx default server root values in docs (#6137) See https://github.com/certbot/website/pull/348#issuecomment-399257703. ``` $ certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and ``` ``` $ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL ``` * Show both possible Nginx default server root values in docs * add test * check that exactly one server root is in the default * use default magic
2018-06-25 21:09:30 -04:00
FREEBSD_DARWIN_SERVER_ROOT = "/usr/local/etc/nginx"
LINUX_SERVER_ROOT = "/etc/nginx"
Add support for NetBSD (#8033) * Add support for NetBSD by telling certbot-nginx where the nginx configuration directory is. * Update the CHANGELOG. * Pass the right type of sequence to "in". Thanks lint. * Adjust the CHANGELOG.md entry following feedback from ohemorange. Co-authored-by: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
2020-06-08 15:06:38 -04:00
PKGSRC_SERVER_ROOT = "/usr/pkg/etc/nginx"
Show both possible Nginx default server root values in docs (#6137) See https://github.com/certbot/website/pull/348#issuecomment-399257703. ``` $ certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and ``` ``` $ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL ``` * Show both possible Nginx default server root values in docs * add test * check that exactly one server root is in the default * use default magic
2018-06-25 21:09:30 -04:00
check platform with correct python
2018-05-17 23:02:27 -04:00
if platform.system() in ('FreeBSD', 'Darwin'):
Show both possible Nginx default server root values in docs (#6137) See https://github.com/certbot/website/pull/348#issuecomment-399257703. ``` $ certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and ``` ``` $ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL ``` * Show both possible Nginx default server root values in docs * add test * check that exactly one server root is in the default * use default magic
2018-06-25 21:09:30 -04:00
server_root_tmp = FREEBSD_DARWIN_SERVER_ROOT
Add support for NetBSD (#8033) * Add support for NetBSD by telling certbot-nginx where the nginx configuration directory is. * Update the CHANGELOG. * Pass the right type of sequence to "in". Thanks lint. * Adjust the CHANGELOG.md entry following feedback from ohemorange. Co-authored-by: Lloyd Parkes <lloyd@must-have-coffee.gen.nz>
2020-06-08 15:06:38 -04:00
elif platform.system() in ('NetBSD',):
server_root_tmp = PKGSRC_SERVER_ROOT
Update constants.py On FreeBSD or MacOS, "certbot --nginx" fails. The reason is, at these op. systems, nginx directory is different than linux.
2018-04-12 19:33:10 -04:00
else:
Show both possible Nginx default server root values in docs (#6137) See https://github.com/certbot/website/pull/348#issuecomment-399257703. ``` $ certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and ``` ``` $ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL ``` * Show both possible Nginx default server root values in docs * add test * check that exactly one server root is in the default * use default magic
2018-06-25 21:09:30 -04:00
server_root_tmp = LINUX_SERVER_ROOT
check platform with correct python
2018-05-17 23:02:27 -04:00
Use literals wherever possible. (#9194) * Use literals wherever possible. These were found with flake8-comprehensions.
2022-02-14 17:54:03 -05:00
CLI_DEFAULTS: Dict[str, Any] = {
"server_root": server_root_tmp,
"ctl": "nginx",
"sleep_seconds": 1
}
Use CLI_DEFAULTS in plugins
2015-05-08 17:32:13 -04:00
"""CLI defaults."""
merge github/letsencrypt/master
2015-04-22 05:16:13 -04:00
Don't allow user supplied mod_ssl conf destination (fixes #451).
2015-06-01 20:14:10 -04:00
MOD_SSL_CONF_DEST = "options-ssl-nginx.conf"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the mod_ssl config file as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Don't allow user supplied mod_ssl conf destination (fixes #451).
2015-06-01 20:14:10 -04:00
Update options-ssl-nginx.conf in`prepare` if it hasn't been manually modified (#4689) Fixes #4559. * Update options-ssl-nginx.conf in prepare, if it hasn't been modified. * add previous options-ssl-nginx.conf hashes * InstallSslOptionsConfTest * remove .new file and only print warning once * save digest to /etc/letsencrypt * add comment reminding devs to update hashes * add comment and test for sha256sum * treat hash file as text file because python3 * move constants and rename hidden digest file
2017-05-23 16:18:50 -04:00
UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-nginx-conf-digest.txt"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the hash of the updated or informed mod_ssl_conf as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Update options-ssl-nginx.conf in`prepare` if it hasn't been manually modified (#4689) Fixes #4559. * Update options-ssl-nginx.conf in prepare, if it hasn't been modified. * add previous options-ssl-nginx.conf hashes * InstallSslOptionsConfTest * remove .new file and only print warning once * save digest to /etc/letsencrypt * add comment reminding devs to update hashes * add comment and test for sha256sum * treat hash file as text file because python3 * move constants and rename hidden digest file
2017-05-23 16:18:50 -04:00
Refactor nginx file update mechanism in preparation for working with apache plugin (#4720) * move install_ssl_options_conf functionality to common * add no cover * compute current hash instead of saving * make current hash be computed; switch to list of all canonical hashes * put message directly into assertion * don't pass logger * add docstring * Add unit tests for certbot.plugins.common.install_ssl_options_conf
2017-06-01 12:04:48 -04:00
ALL_SSL_OPTIONS_HASHES = [
Update options-ssl-nginx.conf in`prepare` if it hasn't been manually modified (#4689) Fixes #4559. * Update options-ssl-nginx.conf in prepare, if it hasn't been modified. * add previous options-ssl-nginx.conf hashes * InstallSslOptionsConfTest * remove .new file and only print warning once * save digest to /etc/letsencrypt * add comment reminding devs to update hashes * add comment and test for sha256sum * treat hash file as text file because python3 * move constants and rename hidden digest file
2017-05-23 16:18:50 -04:00
'0f81093a1465e3d4eaa8b0c14e77b2a2e93568b0fc1351c2b87893a95f0de87c',
'9a7b32c49001fed4cff8ad24353329472a50e86ade1ef9b2b9e43566a619612e',
'a6d9f1c7d6b36749b52ba061fff1421f9a0a3d2cfdafbd63c05d06f65b990937',
'7f95624dd95cf5afc708b9f967ee83a24b8025dc7c8d9df2b556bbc64256b3ff',
Refactor nginx file update mechanism in preparation for working with apache plugin (#4720) * move install_ssl_options_conf functionality to common * add no cover * compute current hash instead of saving * make current hash be computed; switch to list of all canonical hashes * put message directly into assertion * don't pass logger * add docstring * Add unit tests for certbot.plugins.common.install_ssl_options_conf
2017-06-01 12:04:48 -04:00
'394732f2bbe3e5e637c3fb5c6e980a1f1b90b01e2e8d6b7cff41dde16e2a756d',
Remove reference to .new in Nginx's SSL options. (#4769)
2017-06-01 18:26:54 -04:00
'4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16',
Update Nginx conf file to match Mozilla's security recommendations (#7163) Fixes #7089
2019-06-28 15:16:52 -04:00
'c052ffff0ad683f43bffe105f7c606b339536163490930e2632a335c8d191cc4',
Follow Mozilla recs for Nginx ssl_protocols, ssl_ciphers, and ssl_prefer_server_ciphers (#7274) * Follow Mozilla recs for Nginx ssl_protocols, ssl_ciphers, and ssl_prefer_server_ciphers * Add tests and fix if statement * Update CHANGELOG.md Co-Authored-By: Brad Warren <bmw@users.noreply.github.com> * Test that the hashes of all of the current configuration files are in ALL_SSL_OPTIONS_HASHES * Remove conditioning on OpenSSL version, since Nginx behaves cleanly if its linked OpenSSL doesn't support TLS1.3
2019-08-02 15:25:40 -04:00
'02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426',
Disable TLS session tickets in Nginx (#7355) * Find OpenSSL version * Create and update various config files * Update logic to use new version constraints * SSL_OPTIONS_HASHES_NEW and SSL_OPTIONS_HASHES_MEDIUM were just being used for testing, and maintaining them is becoming untenable, so remove them. * if we don't know the openssl version, we can't turn off session tickets * add unit test for _get_openssl_version * add unit tests * placate lint * Fix docs and tests and clean up code * use python correctly * update changelog * Lint * make comment a comment
2019-09-05 16:51:56 -04:00
'63e2bddebb174a05c9d8a7cf2adf72f7af04349ba59a1a925fe447f73b2f1abf',
'2901debc7ecbc10917edd9084c05464c9c5930b463677571eaf8c94bffd11ae2',
'30baca73ed9a5b0e9a69ea40e30482241d8b1a7343aa79b49dc5d7db0bf53b6c',
'02329eb19930af73c54b3632b3165d84571383b8c8c73361df940cb3894dd426',
'108c4555058a087496a3893aea5d9e1cee0f20a3085d44a52dc1a66522299ac3',
'd5e021706ecdccc7090111b0ae9a29ef61523e927f020e410caf0a1fd7063981',
Keep compatibility with IE11 in the Nginx plugin (#7414) As discussed at https://github.com/mozilla/server-side-tls/issues/263, Mozilla's current intermediate recommendations drop support for some non-EOL'd versions of IE. [Their TLS recommendations were updated to suggest a couple possible workarounds for people who need this support](https://github.com/mozilla/server-side-tls/pull/264) and [April suggested that we make this change in Certbot](https://github.com/mozilla/server-side-tls/issues/263#issuecomment-537085728). We know `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` translates to `ECDHE-RSA-AES128-SHA` because [nginx uses the same cipher format as OpenSSL](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers) and the translation is shown in the table at https://github.com/mozilla/server-side-tls/blob/gh-pages/Cipher_Suites.mediawiki. The risk of regressions making this change is low as we always had this ciphersuite enabled just a few releases ago: https://github.com/certbot/certbot/tree/v0.36.0/certbot-nginx/certbot_nginx * Keep compatibility with IE11 * update changelog
2019-10-01 13:34:11 -04:00
'ef11e3fb17213e74d3e1816cde0ec37b8b95b4167cf21e7b8ff1eaa9c6f918ee',
'af85f6193808a44789a1d293e6cffa249cad9a21135940800958b8e3c72dbc69',
'a2a612fd21b02abaa32d9d11ac63d987d6e3054dbfa356de5800eea0d7ce17f3',
'2d9648302e3588a172c318e46bff88ade46fc7a16d6afc85322776a04800d473',
Cite Mozilla ssl-config in Apache/NGINX TLS configs (#8670) (#9295) * Cite Mozilla ssl-config in Apache/nginx TLS configs (certbot#8670) * Update CHANGELOG * Add TLS config hashes to ALL_SSL_OPTIONS_HASHES * Update wording in CHANGELOG
2022-05-13 13:59:49 -04:00
'5e21cc66989f26ec46116d979421e538131cf8ab33ffff3f682fbfe491b0ace8',
'f5615544105c4eee44f02a604e3e9ae55b3d5bad247160bb18731a0ac531af02',
'05a799c4db12f8e15e68219c98056824cbd5ae7b05863225318ae112f343880b',
'dc81acfd9670f137d5abbccfe3438d9306d4b6a906439b0fbf6a6756272e7cc7',
Disable TLS session tickets in Nginx (#7355) * Find OpenSSL version * Create and update various config files * Update logic to use new version constraints * SSL_OPTIONS_HASHES_NEW and SSL_OPTIONS_HASHES_MEDIUM were just being used for testing, and maintaining them is becoming untenable, so remove them. * if we don't know the openssl version, we can't turn off session tickets * add unit test for _get_openssl_version * add unit tests * placate lint * Fix docs and tests and clean up code * use python correctly * update changelog * Lint * make comment a comment
2019-09-05 16:51:56 -04:00
]
Refactor nginx file update mechanism in preparation for working with apache plugin (#4720) * move install_ssl_options_conf functionality to common * add no cover * compute current hash instead of saving * make current hash be computed; switch to list of all canonical hashes * put message directly into assertion * don't pass logger * add docstring * Add unit tests for certbot.plugins.common.install_ssl_options_conf
2017-06-01 12:04:48 -04:00
"""SHA256 hashes of the contents of all versions of MOD_SSL_CONF_SRC"""
Update options-ssl-nginx.conf in`prepare` if it hasn't been manually modified (#4689) Fixes #4559. * Update options-ssl-nginx.conf in prepare, if it hasn't been modified. * add previous options-ssl-nginx.conf hashes * InstallSslOptionsConfTest * remove .new file and only print warning once * save digest to /etc/letsencrypt * add comment reminding devs to update hashes * add comment and test for sha256sum * treat hash file as text file because python3 * move constants and rename hidden digest file
2017-05-23 16:18:50 -04:00
Fully type certbot-nginx module (#9124) * Work in progress * Fix type * Work in progress * Work in progress * Work in progress * Work in progress * Work in progress * Oups. * Fix typing in UnspacedList * Fix logic * Finish typing * List certbot-nginx as fully typed in tox * Fix lint * Fix checks * Organize imports * Fix typing for Python 3.6 * Fix checks * Fix lint * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Fix signature of deploy_cert regarding the installer interface * Update certbot-nginx/certbot_nginx/_internal/obj.py Co-authored-by: alexzorin <alex@zor.io> * Fix types * Update certbot-nginx/certbot_nginx/_internal/parser.py Co-authored-by: alexzorin <alex@zor.io> * Precise type * Precise _coerce possible inputs/outputs * Fix type * Update certbot-nginx/certbot_nginx/_internal/http_01.py Co-authored-by: ohemorange <ebportnoy@gmail.com> * Fix type * Remove an undesirable implementation. * Fix type Co-authored-by: alexzorin <alex@zor.io> Co-authored-by: ohemorange <ebportnoy@gmail.com>
2022-01-12 19:36:51 -05:00
def os_constant(key: str) -> Any:
Minimal fake os_constant() for nginx constants.py
2016-08-05 18:13:04 -04:00
# XXX TODO: In the future, this could return different constants
# based on what OS we are running under. To see an
# approach to how to handle different OSes, see the
Add function docstring
2016-08-10 20:01:34 -04:00
# apache version of this file. Currently, we do not
# actually have any OS-specific constants on Nginx.
"""
Get a constant value for operating system
Fully type certbot-nginx module (#9124) * Work in progress * Fix type * Work in progress * Work in progress * Work in progress * Work in progress * Work in progress * Oups. * Fix typing in UnspacedList * Fix logic * Finish typing * List certbot-nginx as fully typed in tox * Fix lint * Fix checks * Organize imports * Fix typing for Python 3.6 * Fix checks * Fix lint * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Fix signature of deploy_cert regarding the installer interface * Update certbot-nginx/certbot_nginx/_internal/obj.py Co-authored-by: alexzorin <alex@zor.io> * Fix types * Update certbot-nginx/certbot_nginx/_internal/parser.py Co-authored-by: alexzorin <alex@zor.io> * Precise type * Precise _coerce possible inputs/outputs * Fix type * Update certbot-nginx/certbot_nginx/_internal/http_01.py Co-authored-by: ohemorange <ebportnoy@gmail.com> * Fix type * Remove an undesirable implementation. * Fix type Co-authored-by: alexzorin <alex@zor.io> Co-authored-by: ohemorange <ebportnoy@gmail.com>
2022-01-12 19:36:51 -05:00
:param str key: name of cli constant
Add function docstring
2016-08-10 20:01:34 -04:00
:return: value of constant for active os
"""
Return individual key, not entire config dictionary!
2016-08-08 20:22:53 -04:00
return CLI_DEFAULTS[key]
feat(nginx plugin): add HSTS enhancement (#5463) * feat(nginx plugin): add HSTS enhancement * chore(nginx): factor out block-splitting code from redirect & hsts enhancements! * chore(nginx): merge fixes * address comments * fix linter: remove a space * fix(config): remove SSL directives in HTTP block after block split, and remove_directive removes 'Managed by certbot' comment * chore(nginx-hsts): Move added SSL directives to a constant on Configurator class * fix(nginx-hsts): rebase on wildcard cert changes
2018-03-16 18:27:39 -04:00
Fully type certbot-nginx module (#9124) * Work in progress * Fix type * Work in progress * Work in progress * Work in progress * Work in progress * Work in progress * Oups. * Fix typing in UnspacedList * Fix logic * Finish typing * List certbot-nginx as fully typed in tox * Fix lint * Fix checks * Organize imports * Fix typing for Python 3.6 * Fix checks * Fix lint * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Update certbot-nginx/certbot_nginx/_internal/configurator.py Co-authored-by: alexzorin <alex@zor.io> * Fix signature of deploy_cert regarding the installer interface * Update certbot-nginx/certbot_nginx/_internal/obj.py Co-authored-by: alexzorin <alex@zor.io> * Fix types * Update certbot-nginx/certbot_nginx/_internal/parser.py Co-authored-by: alexzorin <alex@zor.io> * Precise type * Precise _coerce possible inputs/outputs * Fix type * Update certbot-nginx/certbot_nginx/_internal/http_01.py Co-authored-by: ohemorange <ebportnoy@gmail.com> * Fix type * Remove an undesirable implementation. * Fix type Co-authored-by: alexzorin <alex@zor.io> Co-authored-by: ohemorange <ebportnoy@gmail.com>
2022-01-12 19:36:51 -05:00
feat(nginx plugin): add HSTS enhancement (#5463) * feat(nginx plugin): add HSTS enhancement * chore(nginx): factor out block-splitting code from redirect & hsts enhancements! * chore(nginx): merge fixes * address comments * fix linter: remove a space * fix(config): remove SSL directives in HTTP block after block split, and remove_directive removes 'Managed by certbot' comment * chore(nginx-hsts): Move added SSL directives to a constant on Configurator class * fix(nginx-hsts): rebase on wildcard cert changes
2018-03-16 18:27:39 -04:00
HSTS_ARGS = ['\"max-age=31536000\"', ' ', 'always']
HEADER_ARGS = {'Strict-Transport-Security': HSTS_ARGS}
Reference in a new issue Copy permalink