upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-06-05 06:42:10 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Merge remote-tracking branch 'upstream/master' into ecdsa

Browse source
This commit is contained in:
Osiris Inferi 2016-08-04 18:14:36 +02:00
commit 8399b5fb73
No known key found for this signature in database
GPG key ID: 590297AD5FAE2134
306 changed files with 11424 additions and 799 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.coveragerc Normal file
View file

@ -0,0 +1,3 @@
[report]
# show lines missing coverage in output
show_missing = True

10
.gitattributes vendored
View file

@ -1,7 +1,15 @@
* text=auto eol=lf
#Default, normalize CRLF into LF in non-binary files
# Files identified as binary by Git are not changed
* crlf=auto
# special files
*.sh crlf=input
*.py crlf=input
*.bat text eol=crlf
*.der binary
*.gz binary
*.jpeg binary
*.jpg binary
*.png binary

172
README.rst
View file

@ -1,169 +1,19 @@
.. notice for github users
.. This file contains of a series of comments that are used to include sections of this README in other files. Do not modify these comments unless you know what you are doing. tag:intro-begin
Disclaimer
==========
Certbot is part of EFFs effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identify of web servers (e.g., is that really google.com?). Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.
Certbot (previously, the Let's Encrypt client) is **BETA SOFTWARE**. It
contains plenty of bugs and rough edges, and should be tested thoroughly in
staging environments before use on production systems.
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate is. Certbot and Lets Encrypt can automate away the pain and let you turn on and manage HTTPS with simple commands. Using Certbot and Let's Encrypt is free, so theres no need to arrange payment.
For more information regarding the status of the project, please see
https://letsencrypt.org. Be sure to checkout the
`Frequently Asked Questions (FAQ) <https://community.letsencrypt.org/t/frequently-asked-questions-faq/26#topic-title>`_.
How you use Certbot depends on the configuration of your web server. The best way to get started is to use our `interactive guide <https://certbot.eff.org>`_. It generates instructions based on your configuration settings. In most cases, youll need `root or administrator access <https://certbot.eff.org/faq/#does-certbot-require-root-privileges>`_ to your web server to run Certbot.
About Certbot
==============================
If youre using a hosted service and dont have direct access to your web server, you might not be able to use Certbot. Check with your hosting provider for documentation about uploading certificates or using certificates issues by Lets Encrypt.
Certbot is a fully-featured, extensible client for the Let's
Encrypt CA (or any other CA that speaks the `ACME
<https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md>`_
protocol) that can automate the tasks of obtaining certificates and
configuring webservers to use them. This client runs on Unix-based operating
systems.
Until May 2016, Certbot was named simply ``letsencrypt`` or ``letsencrypt-auto``,
depending on install method. Instructions on the Internet, and some pieces of the
software, may still refer to this older name.
Contributing
------------
If you'd like to contribute to this project please read `Developer Guide
<https://certbot.eff.org/docs/contributing.html>`_.
.. _installation:
Installation
------------
If ``certbot`` (or ``letsencrypt``) is packaged for your Unix OS (visit
certbot.eff.org_ to find out), you can install it
from there, and run it by typing ``certbot`` (or ``letsencrypt``). Because
not all operating systems have packages yet, we provide a temporary solution
via the ``certbot-auto`` wrapper script, which obtains some dependencies from
your OS and puts others in a python virtual environment::
user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help
.. hint:: The certbot-auto download is protected by HTTPS, which is pretty good, but if you'd like to
double check the integrity of the ``certbot-auto`` script, you can use these steps for verification before running it::
user@server:~$ wget -N https://dl.eff.org/certbot-auto.asc
user@server:~$ gpg2 --recv-key A2CFB51FA275A7286234E7B24D17C995CD9775F2
user@server:~$ gpg2 --trusted-key 4D17C995CD9775F2 --verify certbot-auto.asc certbot-auto
And for full command line help, you can type::
./certbot-auto --help all
``certbot-auto`` updates to the latest client release automatically. And
since ``certbot-auto`` is a wrapper to ``certbot``, it accepts exactly
the same command line flags and arguments. More details about this script and
other installation methods can be found `in the User Guide
<https://certbot.eff.org/docs/using.html#installation>`_.
How to run the client
---------------------
In many cases, you can just run ``certbot-auto`` or ``certbot``, and the
client will guide you through the process of obtaining and installing certs
interactively.
You can also tell it exactly what you want it to do from the command line.
For instance, if you want to obtain a cert for ``example.com``,
``www.example.com``, and ``other.example.net``, using the Apache plugin to both
obtain and install the certs, you could do this::
./certbot-auto --apache -d example.com -d www.example.com -d other.example.net
(The first time you run the command, it will make an account, and ask for an
email and agreement to the Let's Encrypt Subscriber Agreement; you can
automate those with ``--email`` and ``--agree-tos``)
If you want to use a webserver that doesn't have full plugin support yet, you
can still use "standalone" or "webroot" plugins to obtain a certificate::
./certbot-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com -d other.example.net
Understanding the client in more depth
--------------------------------------
To understand what the client is doing in detail, it's important to
understand the way it uses plugins. Please see the `explanation of
plugins <https://certbot.eff.org/docs/using.html#plugins>`_ in
the User Guide.
Links
=====
Documentation: https://certbot.eff.org/docs
Software project: https://github.com/certbot/certbot
Notes for developers: https://certbot.eff.org/docs/contributing.html
Main Website: https://letsencrypt.org/
IRC Channel: #letsencrypt on `Freenode`_ or #certbot on `OFTC`_
Community: https://community.letsencrypt.org
ACME spec: http://ietf-wg-acme.github.io/acme/
ACME working area in github: https://github.com/ietf-wg-acme/acme
Mailing list: `client-dev`_ (to subscribe without a Google account, send an
email to client-dev+subscribe@letsencrypt.org)
|build-status| |coverage| |docs| |container|
.. |build-status| image:: https://travis-ci.org/certbot/certbot.svg?branch=master
:target: https://travis-ci.org/certbot/certbot
:alt: Travis CI status
.. |coverage| image:: https://coveralls.io/repos/certbot/certbot/badge.svg?branch=master
:target: https://coveralls.io/r/certbot/certbot
:alt: Coverage status
.. |docs| image:: https://readthedocs.org/projects/letsencrypt/badge/
:target: https://readthedocs.org/projects/letsencrypt/
:alt: Documentation status
.. |container| image:: https://quay.io/repository/letsencrypt/letsencrypt/status
:target: https://quay.io/repository/letsencrypt/letsencrypt
:alt: Docker Repository on Quay.io
.. _`installation instructions`:
https://letsencrypt.readthedocs.org/en/latest/using.html
.. _watch demo video: https://www.youtube.com/watch?v=Gas_sSB-5SU
System Requirements
===================
The Let's Encrypt Client presently only runs on Unix-ish OSes that include
Python 2.6 or 2.7; Python 3.x support will hopefully be added in the future. The
client requires root access in order to write to ``/etc/letsencrypt``,
``/var/log/letsencrypt``, ``/var/lib/letsencrypt``; to bind to ports 80 and 443
(if you use the ``standalone`` plugin) and to read and modify webserver
configurations (if you use the ``apache`` or ``nginx`` plugins). If none of
these apply to you, it is theoretically possible to run without root privileges,
but for most users who want to avoid running an ACME client as root, either
`letsencrypt-nosudo <https://github.com/diafygi/letsencrypt-nosudo>`_ or
`simp_le <https://github.com/kuba/simp_le>`_ are more appropriate choices.
The Apache plugin currently requires a Debian-based OS with augeas version
1.0; this includes Ubuntu 12.04+ and Debian 7+.
.. Do not modify this comment unless you know what you're doing. tag:intro-end
.. Do not modify this comment unless you know what you're doing. tag:features-begin
Current Features
================
=====================
* Supports multiple web servers:
@ -187,8 +37,6 @@ Current Features
command line.
* Free and Open Source Software, made with Python.
.. Do not modify this comment unless you know what you're doing. tag:features-end
.. _Freenode: https://webchat.freenode.net?channels=%23letsencrypt
.. _OFTC: https://webchat.oftc.net?channels=%23certbot
.. _client-dev: https://groups.google.com/a/letsencrypt.org/forum/#!forum/client-dev
.. _certbot.eff.org: https://certbot.eff.org/
For extensive documentation on using and contributing to Certbot, go to https://certbot.eff.org/docs. If you would like to contribute to the project or run the latest code from git, you should read our `developer guide <https://certbot.eff.org/docs/contributing.html>`_.

75
acme/acme/challenges.py
View file

@ -14,7 +14,6 @@ from acme import crypto_util
from acme import fields
from acme import jose
logger = logging.getLogger(__name__)
@ -206,6 +205,74 @@ class KeyAuthorizationChallenge(_TokenChallenge):
self.validation(account_key, *args, **kwargs))
@ChallengeResponse.register
class DNS01Response(KeyAuthorizationChallengeResponse):
"""ACME dns-01 challenge response."""
typ = "dns-01"
def simple_verify(self, chall, domain, account_public_key):
"""Simple verify.
:param challenges.DNS01 chall: Corresponding challenge.
:param unicode domain: Domain name being verified.
:param JWK account_public_key: Public key for the key pair
being authorized.
:returns: ``True`` iff validation with the TXT records resolved from a
DNS server is successful.
:rtype: bool
"""
if not self.verify(chall, account_public_key):
logger.debug("Verification of key authorization in response failed")
return False
validation_domain_name = chall.validation_domain_name(domain)
validation = chall.validation(account_public_key)
logger.debug("Verifying %s at %s...", chall.typ, validation_domain_name)
try:
from acme import dns_resolver
except ImportError: # pragma: no cover
raise errors.Error("Local validation for 'dns-01' challenges "
"requires 'dnspython'")
txt_records = dns_resolver.txt_records_for_name(validation_domain_name)
exists = validation in txt_records
if not exists:
logger.debug("Key authorization from response (%r) doesn't match "
"any DNS response in %r", self.key_authorization,
txt_records)
return exists
@Challenge.register # pylint: disable=too-many-ancestors
class DNS01(KeyAuthorizationChallenge):
"""ACME dns-01 challenge."""
response_cls = DNS01Response
typ = response_cls.typ
LABEL = "_acme-challenge"
"""Label clients prepend to the domain name being validated."""
def validation(self, account_key, **unused_kwargs):
"""Generate validation.
:param JWK account_key:
:rtype: unicode
"""
return jose.b64encode(hashlib.sha256(self.key_authorization(
account_key).encode("utf-8")).digest()).decode()
def validation_domain_name(self, name):
"""Domain name for TXT validation record.
:param unicode name: Domain name being validated.
"""
return "{0}.{1}".format(self.LABEL, name)
@ChallengeResponse.register
class HTTP01Response(KeyAuthorizationChallengeResponse):
"""ACME http-01 challenge response."""
@ -231,8 +298,8 @@ class HTTP01Response(KeyAuthorizationChallengeResponse):
being authorized.
:param int port: Port used in the validation.
:returns: ``True`` iff validation is successful, ``False``
otherwise.
:returns: ``True`` iff validation with the files currently served by the
HTTP server is successful.
:rtype: bool
"""
@ -410,7 +477,7 @@ class TLSSNI01Response(KeyAuthorizationChallengeResponse):
:returns: ``True`` iff client's control of the domain has been
verified, ``False`` otherwise.
verified.
:rtype: bool
"""

87
acme/acme/challenges_test.py
View file

@ -77,6 +77,93 @@ class KeyAuthorizationChallengeResponseTest(unittest.TestCase):
self.assertFalse(response.verify(self.chall, KEY.public_key()))
class DNS01ResponseTest(unittest.TestCase):
# pylint: disable=too-many-instance-attributes
def setUp(self):
from acme.challenges import DNS01Response
self.msg = DNS01Response(key_authorization=u'foo')
self.jmsg = {
'resource': 'challenge',
'type': 'dns-01',
'keyAuthorization': u'foo',
}
from acme.challenges import DNS01
self.chall = DNS01(token=(b'x' * 16))
self.response = self.chall.response(KEY)
def test_to_partial_json(self):
self.assertEqual(self.jmsg, self.msg.to_partial_json())
def test_from_json(self):
from acme.challenges import DNS01Response
self.assertEqual(self.msg, DNS01Response.from_json(self.jmsg))
def test_from_json_hashable(self):
from acme.challenges import DNS01Response
hash(DNS01Response.from_json(self.jmsg))
def test_simple_verify_bad_key_authorization(self):
key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem'))
self.response.simple_verify(self.chall, "local", key2.public_key())
@mock.patch("acme.dns_resolver.txt_records_for_name")
def test_simple_verify_good_validation(self, mock_resolver):
mock_resolver.return_value = [self.chall.validation(KEY.public_key())]
self.assertTrue(self.response.simple_verify(
self.chall, "local", KEY.public_key()))
mock_resolver.assert_called_once_with(
self.chall.validation_domain_name("local"))
@mock.patch("acme.dns_resolver.txt_records_for_name")
def test_simple_verify_good_validation_multiple_txts(self, mock_resolver):
mock_resolver.return_value = [
"!", self.chall.validation(KEY.public_key())]
self.assertTrue(self.response.simple_verify(
self.chall, "local", KEY.public_key()))
mock_resolver.assert_called_once_with(
self.chall.validation_domain_name("local"))
@mock.patch("acme.dns_resolver.txt_records_for_name")
def test_simple_verify_bad_validation(self, mock_dns):
mock_dns.return_value = ["!"]
self.assertFalse(self.response.simple_verify(
self.chall, "local", KEY.public_key()))
class DNS01Test(unittest.TestCase):
def setUp(self):
from acme.challenges import DNS01
self.msg = DNS01(token=jose.decode_b64jose(
'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ+PCt92wr+oA'))
self.jmsg = {
'type': 'dns-01',
'token': 'evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA',
}
def test_validation_domain_name(self):
self.assertEqual('_acme-challenge.www.example.com',
self.msg.validation_domain_name('www.example.com'))
def test_validation(self):
self.assertEqual(
"rAa7iIg4K2y63fvUhCfy8dP1Xl7wEhmQq0oChTcE3Zk",
self.msg.validation(KEY))
def test_to_partial_json(self):
self.assertEqual(self.jmsg, self.msg.to_partial_json())
def test_from_json(self):
from acme.challenges import DNS01
self.assertEqual(self.msg, DNS01.from_json(self.jmsg))
def test_from_json_hashable(self):
from acme.challenges import DNS01
hash(DNS01.from_json(self.jmsg))
class HTTP01ResponseTest(unittest.TestCase):
# pylint: disable=too-many-instance-attributes

30
acme/acme/dns_resolver.py Normal file
View file

@ -0,0 +1,30 @@
"""DNS Resolver for ACME client.
Required only for local validation of 'dns-01' challenges.
"""
import logging
import dns.resolver
import dns.exception
logger = logging.getLogger(__name__)
def txt_records_for_name(name):
"""Resolve the name and return the TXT records.
:param unicode name: Domain name being verified.
:returns: A list of txt records, if empty the name could not be resolved
:rtype: list of unicode
"""
try:
dns_response = dns.resolver.query(name, 'TXT')
except dns.resolver.NXDOMAIN as error:
return []
except dns.exception.DNSException as error:
logger.error("Error resolving %s: %s", name, str(error))
return []
return [txt_rec.decode("utf-8") for rdata in dns_response
for txt_rec in rdata.strings]

53
acme/acme/dns_resolver_test.py Normal file
View file

@ -0,0 +1,53 @@
"""Tests for acme.dns_resolver."""
import unittest
import mock
from acme import dns_resolver
try:
import dns
except ImportError: # pragma: no cover
dns = None
def create_txt_response(name, txt_records):
"""
Returns an RRSet containing the 'txt_records' as the result of a DNS
query for 'name'.
This takes advantage of the fact that an Answer object mostly behaves
like an RRset.
"""
return dns.rrset.from_text_list(name, 60, "IN", "TXT", txt_records)
class TxtRecordsForNameTest(unittest.TestCase):
@mock.patch("acme.dns_resolver.dns.resolver.query")
def test_txt_records_for_name_with_single_response(self, mock_dns):
mock_dns.return_value = create_txt_response('name', ['response'])
self.assertEqual(['response'],
dns_resolver.txt_records_for_name('name'))
@mock.patch("acme.dns_resolver.dns.resolver.query")
def test_txt_records_for_name_with_multiple_responses(self, mock_dns):
mock_dns.return_value = create_txt_response(
'name', ['response1', 'response2'])
self.assertEqual(['response1', 'response2'],
dns_resolver.txt_records_for_name('name'))
@mock.patch("acme.dns_resolver.dns.resolver.query")
def test_txt_records_for_name_domain_not_found(self, mock_dns):
mock_dns.side_effect = dns.resolver.NXDOMAIN
self.assertEquals([], dns_resolver.txt_records_for_name('name'))
@mock.patch("acme.dns_resolver.dns.resolver.query")
def test_txt_records_for_name_domain_other_error(self, mock_dns):
mock_dns.side_effect = dns.exception.DNSException
self.assertEquals([], dns_resolver.txt_records_for_name('name'))
def run(self, result=None):
if dns is None: # pragma: no cover
print(self, "... SKIPPING, no dnspython available")
return
super(TxtRecordsForNameTest, self).run(result)

2
acme/acme/errors.py
View file

@ -49,7 +49,7 @@ class MissingNonce(NonceError):
def __str__(self):
return ('Server {0} response did not include a replay '
'nonce, headers: {1}'.format(
'nonce, headers: {1} (This may be a service outage)'.format(
self.response.request.method, self.response.headers))

2
acme/acme/fields.py
View file

@ -24,7 +24,7 @@ class Fixed(jose.Field):
def encode(self, value):
if value != self.value:
logger.warn(
logger.warning(
'Overriding fixed field (%s) with %r', self.json_name, value)
return value

6
acme/setup.py
View file

@ -35,6 +35,11 @@ if sys.version_info < (2, 7):
else:
install_requires.append('mock')
# dnspython 1.12 is required to support both Python 2 and Python 3.
dns_extras = [
'dnspython>=1.12',
]
dev_extras = [
'nose',
'pep8',
@ -76,6 +81,7 @@ setup(
include_package_data=True,
install_requires=install_requires,
extras_require={
'dns': dns_extras,
'dev': dev_extras,
'docs': docs_extras,
},

5
certbot-apache/certbot_apache/augeas_lens/httpd.aug
View file

@ -52,11 +52,14 @@ let sep_eq = del /[ \t]*=[ \t]*/ "="
let nmtoken = /[a-zA-Z:_][a-zA-Z0-9:_.-]*/
let word = /[a-z][a-z0-9._-]*/i
let comment = Util.comment
let eol = Util.doseol
let empty = Util.empty_dos
let indent = Util.indent
let comment_val_re = /([^ \t\r\n](.|\\\\\r?\n)*[^ \\\t\r\n]|[^ \t\r\n])/
let comment = [ label "#comment" . del /[ \t]*#[ \t]*/ "# "
. store comment_val_re . eol ]
(* borrowed from shellvars.aug *)
let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'|\\\\ /
let char_arg_sec = /([^\\ '"\t\r\n>]|[^ '"\t\r\n>]+[^\\ \t\r\n>])|\\\\"|\\\\'|\\\\ /

214
certbot-apache/certbot_apache/configurator.py
View file

@ -18,6 +18,7 @@ from certbot import interfaces
from certbot import util
from certbot.plugins import common
from certbot.plugins.util import path_surgery
from certbot_apache import augeas_configurator
from certbot_apache import constants
@ -141,6 +142,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
return os.path.join(self.config.config_dir,
constants.MOD_SSL_CONF_DEST)
def prepare(self):
"""Prepare the authenticator/installer.
@ -157,8 +159,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
raise errors.NoInstallationError("Problem in Augeas installation")
# Verify Apache is installed
if not util.exe_exists(constants.os_constant("restart_cmd")[0]):
raise errors.NoInstallationError
restart_cmd = constants.os_constant("restart_cmd")[0]
if not util.exe_exists(restart_cmd):
if not path_surgery(restart_cmd):
raise errors.NoInstallationError(
'Cannot find Apache control command {0}'.format(restart_cmd))
# Make sure configuration is valid
self.config_test()
@ -239,7 +244,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
if not path["cert_path"] or not path["cert_key"]:
# Throw some can't find all of the directives error"
logger.warn(
logger.warning(
"Cannot find a cert or key directive in %s. "
"VirtualHost was not modified", vhost.path)
# Presumably break here so that the virtualhost is not modified
@ -327,9 +332,12 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
vhost = display_ops.select_vhost(target_name, self.vhosts)
if vhost is None:
logger.error(
"No vhost exists with servername or alias of: %s. "
"No vhost was selected. Please specify servernames "
"in the Apache config", target_name)
"No vhost exists with servername or alias of: %s "
"(or it's in a file with multiple vhosts, which Certbot "
"can't parse yet). "
"No vhost was selected. Please specify ServerName or ServerAlias "
"in the Apache config, or split vhosts into separate files.",
target_name)
raise errors.PluginError("No vhost selected")
elif temp:
return vhost
@ -511,7 +519,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
"""
addrs = set()
args = self.aug.match(path + "/arg")
try:
args = self.aug.match(path + "/arg")
except RuntimeError:
logger.warning("Encountered a problem while parsing file: %s, skipping", path)
return None
for arg in args:
addrs.add(obj.Addr.fromstring(self.parser.get_arg(arg)))
is_ssl = False
@ -525,7 +537,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
if addr.get_port() == "443":
is_ssl = True
filename = get_file_path(path)
filename = get_file_path(self.aug.get("/augeas/files%s/path" % get_file_path(path)))
if self.conf("handle-sites"):
is_enabled = self.is_site_enabled(filename)
else:
@ -559,6 +571,8 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
os.path.basename(path) == "VirtualHost"]
for path in paths:
new_vhost = self._create_vhost(path)
if not new_vhost:
continue
realpath = os.path.realpath(new_vhost.filep)
if realpath not in vhost_paths.keys():
vhs.append(new_vhost)
@ -625,50 +639,93 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
"""
# If nonstandard port, add service definition for matching
if port != "443":
port_service = "%s %s" % (port, "https")
else:
port_service = port
self.prepare_https_modules(temp)
# Check for Listen <port>
# Note: This could be made to also look for ip:443 combo
listens = [self.parser.get_arg(x).split()[0] for
x in self.parser.find_dir("Listen")]
# In case no Listens are set (which really is a broken apache config)
if not listens:
listens = ["80"]
if port in listens:
# Listen already in place
if self._has_port_already(listens, port):
return
listen_dirs = set(listens)
for listen in listens:
# For any listen statement, check if the machine also listens on
# Port 443. If not, add such a listen statement.
if len(listen.split(":")) == 1:
# Its listening to all interfaces
if port not in listens:
if port == "443":
args = [port]
else:
# Non-standard ports should specify https protocol
args = [port, "https"]
self.parser.add_dir_to_ifmodssl(
parser.get_aug_path(
self.parser.loc["listen"]), "Listen", args)
self.save_notes += "Added Listen %s directive to %s\n" % (
port, self.parser.loc["listen"])
listens.append(port)
if port not in listen_dirs and port_service not in listen_dirs:
listen_dirs.add(port_service)
else:
# The Listen statement specifies an ip
_, ip = listen[::-1].split(":", 1)
ip = ip[::-1]
if "%s:%s" % (ip, port) not in listens:
if port == "443":
args = ["%s:%s" % (ip, port)]
else:
# Non-standard ports should specify https protocol
args = ["%s:%s" % (ip, port), "https"]
self.parser.add_dir_to_ifmodssl(
parser.get_aug_path(
self.parser.loc["listen"]), "Listen", args)
self.save_notes += ("Added Listen %s:%s directive to "
"%s\n") % (ip, port,
self.parser.loc["listen"])
listens.append("%s:%s" % (ip, port))
if "%s:%s" % (ip, port_service) not in listen_dirs and (
"%s:%s" % (ip, port_service) not in listen_dirs):
listen_dirs.add("%s:%s" % (ip, port_service))
self._add_listens(listen_dirs, listens, port)
def _add_listens(self, listens, listens_orig, port):
"""Helper method for prepare_server_https to figure out which new
listen statements need adding
:param set listens: Set of all needed Listen statements
:param list listens_orig: List of existing listen statements
:param string port: Port number we're adding
"""
# Add service definition for non-standard ports
if port != "443":
port_service = "%s %s" % (port, "https")
else:
port_service = port
new_listens = listens.difference(listens_orig)
if port in new_listens or port_service in new_listens:
# We have wildcard, skip the rest
self.parser.add_dir_to_ifmodssl(
parser.get_aug_path(self.parser.loc["listen"]),
"Listen", port_service.split(" "))
self.save_notes += "Added Listen %s directive to %s\n" % (
port_service, self.parser.loc["listen"])
else:
for listen in new_listens:
self.parser.add_dir_to_ifmodssl(
parser.get_aug_path(self.parser.loc["listen"]),
"Listen", listen.split(" "))
self.save_notes += ("Added Listen %s directive to "
"%s\n") % (listen,
self.parser.loc["listen"])
def _has_port_already(self, listens, port):
"""Helper method for prepare_server_https to find out if user
already has an active Listen statement for the port we need
:param list listens: List of listen variables
:param string port: Port in question
"""
if port in listens:
return True
# Check if Apache is already listening on a specific IP
for listen in listens:
if len(listen.split(":")) > 1:
# Ugly but takes care of protocol def, eg: 1.1.1.1:443 https
if listen.split(":")[-1].split(" ")[0] == port:
return True
def prepare_https_modules(self, temp):
"""Helper method for prepare_server_https, taking care of enabling
@ -729,7 +786,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
self.aug.load()
# Get Vhost augeas path for new vhost
vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" %
(ssl_fp, parser.case_i("VirtualHost")))
(self._escape(ssl_fp), parser.case_i("VirtualHost")))
if len(vh_p) != 1:
logger.error("Error: should only be one vhost in %s", avail_fp)
raise errors.PluginError("Currently, we only support "
@ -773,7 +830,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
else:
return non_ssl_vh_fp + self.conf("le_vhost_ext")
def _sift_line(self, line):
def _sift_rewrite_rule(self, line):
"""Decides whether a line should be copied to a SSL vhost.
A canonical example of when sifting a line is required:
@ -824,18 +881,62 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
with open(avail_fp, "r") as orig_file:
with open(ssl_fp, "w") as new_file:
new_file.write("<IfModule mod_ssl.c>\n")
comment = ("# Some rewrite rules in this file were "
"disabled on your HTTPS site,\n"
"# because they have the potential to create "
"redirection loops.\n")
for line in orig_file:
if self._sift_line(line):
A = line.lstrip().startswith("RewriteCond")
B = line.lstrip().startswith("RewriteRule")
if not (A or B):
new_file.write(line)
continue
# A RewriteRule that doesn't need filtering
if B and not self._sift_rewrite_rule(line):
new_file.write(line)
continue
# A RewriteRule that does need filtering
if B and self._sift_rewrite_rule(line):
if not sift:
new_file.write(
"# Some rewrite rules in this file were "
"were disabled on your HTTPS site,\n"
"# because they have the potential to "
"create redirection loops.\n")
new_file.write(comment)
sift = True
new_file.write("# " + line)
else:
new_file.write(line)
continue
# We save RewriteCond(s) and their corresponding
# RewriteRule in 'chunk'.
# We then decide whether we comment out the entire
# chunk based on its RewriteRule.
chunk = []
if A:
chunk.append(line)
line = next(orig_file)
# RewriteCond(s) must be followed by one RewriteRule
while not line.lstrip().startswith("RewriteRule"):
chunk.append(line)
line = next(orig_file)
# Now, current line must start with a RewriteRule
chunk.append(line)
if self._sift_rewrite_rule(line):
if not sift:
new_file.write(comment)
sift = True
new_file.write(''.join(
['# ' + l for l in chunk]))
continue
else:
new_file.write(''.join(chunk))
continue
new_file.write("</IfModule>\n")
except IOError:
logger.fatal("Error writing/reading to file in make_vhost_ssl")
@ -895,7 +996,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
self.parser.add_dir(vh_path, "Include", self.mod_ssl_conf)
def _add_servername_alias(self, target_name, vhost):
fp = vhost.filep
fp = self._escape(vhost.filep)
vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" %
(fp, parser.case_i("VirtualHost")))
if not vh_p:
@ -948,6 +1049,17 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
if need_to_save:
self.save()
def _escape(self, fp):
fp = fp.replace(",", "\\,")
fp = fp.replace("[", "\\[")
fp = fp.replace("]", "\\]")
fp = fp.replace("|", "\\|")
fp = fp.replace("=", "\\=")
fp = fp.replace("(", "\\(")
fp = fp.replace(")", "\\)")
fp = fp.replace("!", "\\!")
return fp
######################################################################
# Enhancements
######################################################################
@ -977,7 +1089,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
try:
func(self.choose_vhost(domain), options)
except errors.PluginError:
logger.warn("Failed %s for %s", enhancement, domain)
logger.warning("Failed %s for %s", enhancement, domain)
raise
def _enable_ocsp_stapling(self, ssl_vhost, unused_options):
@ -1020,7 +1132,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
if not use_stapling_aug_path:
self.parser.add_dir(ssl_vhost.path, "SSLUseStapling", "on")
ssl_vhost_aug_path = parser.get_aug_path(ssl_vhost.filep)
ssl_vhost_aug_path = self._escape(parser.get_aug_path(ssl_vhost.filep))
# Check if there's an existing SSLStaplingCache directive.
stapling_cache_aug_path = self.parser.find_dir('SSLStaplingCache',
@ -1164,9 +1276,9 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
# but redirect loops are possible in very obscure cases; see #1620
# for reasoning.
if self._is_rewrite_exists(general_vh):
logger.warn("Added an HTTP->HTTPS rewrite in addition to "
"other RewriteRules; you may wish to check for "
"overall consistency.")
logger.warning("Added an HTTP->HTTPS rewrite in addition to "
"other RewriteRules; you may wish to check for "
"overall consistency.")
# Add directives to server
# Note: These are not immediately searchable in sites-enabled
@ -1277,7 +1389,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator):
self.aug.load()
# Make a new vhost data structure and add it to the lists
new_vhost = self._create_vhost(parser.get_aug_path(redirect_filepath))
new_vhost = self._create_vhost(parser.get_aug_path(self._escape(redirect_filepath)))
self.vhosts.append(new_vhost)
self._enhanced_vhosts["redirect"].add(new_vhost)

11
certbot-apache/certbot_apache/display_ops.py
View file

@ -86,11 +86,12 @@ def _vhost_menu(domain, vhosts):
"like to choose?\n(note: conf files with multiple "
"vhosts are not yet supported)".format(domain, os.linesep),
choices, help_label="More Info", ok_label="Select")
except errors.MissingCommandlineFlag as e:
msg = ("Failed to run Apache plugin non-interactively{1}{0}{1}"
"(The best solution is to add ServerName or ServerAlias "
"entries to the VirtualHost directives of your apache "
"configuration files.)".format(e, os.linesep))
except errors.MissingCommandlineFlag:
msg = ("Encountered vhost ambiguity but unable to ask for user guidance in "
"non-interactive mode. Currently Certbot needs each vhost to be "
"in its own conf file, and may need vhosts to be explicitly "
"labelled with ServerName or ServerAlias directories.")
logger.warning(msg)
raise errors.MissingCommandlineFlag(msg)
return code, tag

4
certbot-apache/certbot_apache/obj.py
View file

@ -6,6 +6,7 @@ from certbot.plugins import common
class Addr(common.Addr):
"""Represents an Apache address."""
def __eq__(self, other):
"""This is defined as equalivalent within Apache.
@ -21,6 +22,9 @@ class Addr(common.Addr):
def __ne__(self, other):
return not self.__eq__(other)
def __repr__(self):
return "certbot_apache.obj.Addr(" + repr(self.tup) + ")"
def _addr_less_specific(self, addr):
"""Returns if addr.get_addr() is more specific than self.get_addr()."""
# pylint: disable=protected-access

2
certbot-apache/certbot_apache/parser.py
View file

@ -146,7 +146,7 @@ class ApacheParser(object):
constants.os_constant("define_cmd"))
# Small errors that do not impede
if proc.returncode != 0:
logger.warn("Error in checking parameter list: %s", stderr)
logger.warning("Error in checking parameter list: %s", stderr)
raise errors.MisconfigurationError(
"Apache is unable to check whether or not the module is "
"loaded because Apache is misconfigured.")

428
certbot-apache/certbot_apache/tests/apache-conf-files/passing/comment-continuations-2050.conf Normal file
View file

@ -0,0 +1,428 @@
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.2.6
# Copyright (C) 2006-2012 Trustwave All rights reserved.
#
# The OWASP ModSecurity Core Rule Set is distributed under
# Apache Software License (ASL) version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
#
# -- [[ Recommended Base Configuration ]] -------------------------------------------------
#
# The configuration directives/settings in this file are used to control
# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
# ModSecurity settings such as:
#
# - SecRuleEngine
# - SecRequestBodyAccess
# - SecAuditEngine
# - SecDebugLog
#
# You should use the modsecurity.conf-recommended file that comes with the
# ModSecurity source code archive.
#
# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
#
#
# -- [[ Rule Version ]] -------------------------------------------------------------------
#
# Rule version data is added to the "Producer" line of Section H of the Audit log:
#
# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
#
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
#
#SecComponentSignature "OWASP_CRS/2.2.6"
#
# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
#
# Each detection rule uses the "block" action which will inherit the SecDefaultAction
# specified below. Your settings here will determine which mode of operation you use.
#
# -- [[ Self-Contained Mode ]] --
# Rules inherit the "deny" disruptive action. The first rule that matches will block.
#
# -- [[ Collaborative Detection Mode ]] --
# This is a "delayed blocking" mode of operation where each matching rule will inherit
# the "pass" action and will only contribute to anomaly scores. Transactional blocking
# can be applied
#
# -- [[ Alert Logging Control ]] --
# You have three options -
#
# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
# - To log *only* to the Apache error_log file use: "log,noauditlog"
#
# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
#
#SecDefaultAction "phase:1,deny,log"
#
# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
#
# These are the default scoring points for each severity level. You may
# adjust these to you liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 5.
# Is the highest severity level possible without correlation. It is
# normally generated by the web attack rules (40 level files).
# - 3: Error - Anomaly Score of 4.
# Is generated mostly from outbound leakage rules (50 level files).
# - 4: Warning - Anomaly Score of 3.
# Is generated by malicious client rules (35 level files).
# - 5: Notice - Anomaly Score of 2.
# Is generated by the Protocol policy and anomaly files.
#
#SecAction \
"id:'900001', \
phase:1, \
t:none, \
setvar:tx.critical_anomaly_score=5, \
setvar:tx.error_anomaly_score=4, \
setvar:tx.warning_anomaly_score=3, \
setvar:tx.notice_anomaly_score=2, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
#SecAction \
"id:'900002', \
phase:1, \
t:none, \
setvar:tx.inbound_anomaly_score_level=5, \
nolog, \
pass"
#SecAction \
"id:'900003', \
phase:1, \
t:none, \
setvar:tx.outbound_anomaly_score_level=4, \
nolog, \
pass"
#
# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
#
# This is a collaborative detection mode where each rule will increment an overall
# anomaly score for the transaction. The scores are then evaluated in the following files:
#
# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
#
# If you want to use anomaly scoring mode, then uncomment this line.
#
#SecAction \
"id:'900004', \
phase:1, \
t:none, \
setvar:tx.anomaly_score_blocking=on, \
nolog, \
pass"
#
# -- [[ GeoIP Database ]] -----------------------------------------------------------------
#
# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
#
# You must first download the MaxMind GeoIP Lite City DB -
#
# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
#
# You then need to define the proper path for the SecGeoLookupDb directive
#
# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
#
#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
#
# -- [[ Regression Testing Mode ]] --------------------------------------------------------
#
# If you are going to run the regression testing mode, you should uncomment the
# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
# will enable Response Header tagging so that the client testing script can see
# which rule IDs have matched.
#
# You must specify the your source IP address where you will be running the tests
# from.
#
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
"id:'900005', \
phase:1, \
t:none, \
ctl:ruleEngine=DetectionOnly, \
setvar:tx.regression_testing=1, \
nolog, \
pass"
#
# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
#
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
#
# -- Maximum number of arguments in request limited
#SecAction \
"id:'900006', \
phase:1, \
t:none, \
setvar:tx.max_num_args=255, \
nolog, \
pass"
#
# -- Limit argument name length
#SecAction \
"id:'900007', \
phase:1, \
t:none, \
setvar:tx.arg_name_length=100, \
nolog, \
pass"
#
# -- Limit value name length
#SecAction \
"id:'900008', \
phase:1, \
t:none, \
setvar:tx.arg_length=400, \
nolog, \
pass"
#
# -- Limit arguments total length
#SecAction \
"id:'900009', \
phase:1, \
t:none, \
setvar:tx.total_arg_length=64000, \
nolog, \
pass"
#
# -- Individual file size is limited
#SecAction \
"id:'900010', \
phase:1, \
t:none, \
setvar:tx.max_file_size=1048576, \
nolog, \
pass"
#
# -- Combined file size is limited
#SecAction \
"id:'900011', \
phase:1, \
t:none, \
setvar:tx.combined_file_sizes=1048576, \
nolog, \
pass"
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positves, you can adjust the settings here.
#
#SecAction \
"id:'900012', \
phase:1, \
t:none, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
nolog, \
pass"
#
# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
#
# The purpose of these settings is to send CSP response headers to
# Mozilla FireFox users so that you can enforce how dynamic content
# is used. CSP usage helps to prevent XSS attacks against your users.
#
# Reference Link:
#
# https://developer.mozilla.org/en/Security/CSP
#
# Uncomment this SecAction line if you want use CSP enforcement.
# You need to set the appropriate directives and settings for your site/domain and
# and activate the CSP file in the experimental_rules directory.
#
# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
#
#SecAction \
"id:'900013', \
phase:1, \
t:none, \
setvar:tx.csp_report_only=1, \
setvar:tx.csp_report_uri=/csp_violation_report, \
setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
nolog, \
pass"
#
# -- [[ Brute Force Protection ]] ---------------------------------------------------------
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900014', \
phase:1, \
t:none, \
setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
setvar:'tx.brute_force_burst_time_slice=60', \
setvar:'tx.brute_force_counter_threshold=10', \
setvar:'tx.brute_force_block_timeout=300', \
nolog, \
pass"
#
# -- [[ DoS Protection ]] ----------------------------------------------------------------
#
# If you are using the DoS Protection rule set, then uncomment the following
# lines and set the following variables:
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
#SecAction \
"id:'900015', \
phase:1, \
t:none, \
setvar:'tx.dos_burst_time_slice=60', \
setvar:'tx.dos_counter_threshold=100', \
setvar:'tx.dos_block_timeout=600', \
nolog, \
pass"
#
# -- [[ Check UTF enconding ]] -----------------------------------------------------------
#
# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
# it will result in false positives.
#
# Uncomment this line if your site uses UTF8 encoding
#SecAction \
"id:'900016', \
phase:1, \
t:none, \
setvar:tx.crs_validate_utf8_encoding=1, \
nolog, \
pass"
#
# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
#
# The rules in this file will trigger the XML parser upon an XML request
#
# Initiate XML Processor in case of xml content-type
#
#SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'900017', \
phase:1, \
t:none,t:lowercase, \
nolog, \
pass, \
chain"
#SecRule REQBODY_PROCESSOR "!@streq XML" \
"ctl:requestBodyProcessor=XML"
#
# -- [[ Global and IP Collections ]] -----------------------------------------------------
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
#SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
"id:'900018', \
phase:1, \
t:none,t:sha1,t:hexEncode, \
setvar:tx.ua_hash=%{matched_var}, \
nolog, \
pass"
#SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
"id:'900019', \
phase:1, \
t:none, \
capture, \
setvar:tx.real_ip=%{tx.1}, \
nolog, \
pass"
#SecRule &TX:REAL_IP "!@eq 0" \
"id:'900020', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
nolog, \
pass"
#SecRule &TX:REAL_IP "@eq 0" \
"id:'900021', \
phase:1, \
t:none, \
initcol:global=global, \
initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
nolog, \
pass"

155
certbot-apache/certbot_apache/tests/configurator_test.py
View file

@ -1,4 +1,4 @@
# pylint: disable=too-many-public-methods
# pylint: disable=too-many-public-methods,too-many-lines
"""Test for certbot_apache.configurator."""
import os
import shutil
@ -49,11 +49,14 @@ class MultipleVhostsTest(util.ApacheTest):
shutil.rmtree(self.config_dir)
shutil.rmtree(self.work_dir)
@mock.patch("certbot_apache.configurator.util.exe_exists")
def test_prepare_no_install(self, mock_exe_exists):
mock_exe_exists.return_value = False
self.assertRaises(
errors.NoInstallationError, self.config.prepare)
@mock.patch("certbot_apache.configurator.ApacheConfigurator.init_augeas")
@mock.patch("certbot_apache.configurator.path_surgery")
def test_prepare_no_install(self, mock_surgery, _init_augeas):
silly_path = {"PATH": "/tmp/nothingness2342"}
mock_surgery.return_value = False
with mock.patch.dict('os.environ', silly_path):
self.assertRaises(errors.NoInstallationError, self.config.prepare)
self.assertEqual(mock_surgery.call_count, 1)
@mock.patch("certbot_apache.augeas_configurator.AugeasConfigurator.init_augeas")
def test_prepare_no_augeas(self, mock_init_augeas):
@ -86,6 +89,7 @@ class MultipleVhostsTest(util.ApacheTest):
self.assertRaises(
errors.NotSupportedError, self.config.prepare)
def test_add_parser_arguments(self): # pylint: disable=no-self-use
from certbot_apache.configurator import ApacheConfigurator
# Weak test..
@ -497,13 +501,8 @@ class MultipleVhostsTest(util.ApacheTest):
# Test Listen statements with specific ip listeed
self.config.prepare_server_https("443")
# Should only be 2 here, as the third interface
# already listens to the correct port
self.assertEqual(mock_add_dir.call_count, 2)
# Check argument to new Listen statements
self.assertEqual(mock_add_dir.call_args_list[0][0][2], ["1.2.3.4:443"])
self.assertEqual(mock_add_dir.call_args_list[1][0][2], ["[::1]:443"])
# Should be 0 as one interface already listens to 443
self.assertEqual(mock_add_dir.call_count, 0)
# Reset return lists and inputs
mock_add_dir.reset_mock()
@ -519,6 +518,28 @@ class MultipleVhostsTest(util.ApacheTest):
self.assertEqual(mock_add_dir.call_args_list[2][0][2],
["1.1.1.1:8080", "https"])
# mock_get.side_effect = ["1.2.3.4:80", "[::1]:80"]
# mock_find.return_value = ["test1", "test2", "test3"]
# self.config.parser.get_arg = mock_get
# self.config.prepare_server_https("8080", temp=True)
# self.assertEqual(self.listens, 0)
def test_prepare_server_https_needed_listen(self):
mock_find = mock.Mock()
mock_find.return_value = ["test1", "test2"]
mock_get = mock.Mock()
mock_get.side_effect = ["1.2.3.4:8080", "80"]
mock_add_dir = mock.Mock()
mock_enable = mock.Mock()
self.config.parser.find_dir = mock_find
self.config.parser.get_arg = mock_get
self.config.parser.add_dir_to_ifmodssl = mock_add_dir
self.config.enable_mod = mock_enable
self.config.prepare_server_https("443")
self.assertEqual(mock_add_dir.call_count, 1)
def test_prepare_server_https_mixed_listen(self):
mock_find = mock.Mock()
@ -1093,16 +1114,19 @@ class MultipleVhostsTest(util.ApacheTest):
self.config._enable_redirect(self.vh_truth[1], "")
self.assertEqual(len(self.config.vhosts), 9)
def test_sift_line(self):
def test_sift_rewrite_rule(self):
# pylint: disable=protected-access
small_quoted_target = "RewriteRule ^ \"http://\""
self.assertFalse(self.config._sift_line(small_quoted_target))
self.assertFalse(self.config._sift_rewrite_rule(small_quoted_target))
https_target = "RewriteRule ^ https://satoshi"
self.assertTrue(self.config._sift_line(https_target))
self.assertTrue(self.config._sift_rewrite_rule(https_target))
normal_target = "RewriteRule ^/(.*) http://www.a.com:1234/$1 [L,R]"
self.assertFalse(self.config._sift_line(normal_target))
self.assertFalse(self.config._sift_rewrite_rule(normal_target))
not_rewriterule = "NotRewriteRule ^ ..."
self.assertFalse(self.config._sift_rewrite_rule(not_rewriterule))
@mock.patch("certbot_apache.configurator.zope.component.getUtility")
def test_make_vhost_ssl_with_existing_rewrite_rule(self, mock_get_utility):
@ -1131,7 +1155,61 @@ class MultipleVhostsTest(util.ApacheTest):
"[L,QSA,R=permanent]")
self.assertTrue(commented_rewrite_rule in conf_text)
mock_get_utility().add_message.assert_called_once_with(mock.ANY,
mock.ANY)
@mock.patch("certbot_apache.configurator.zope.component.getUtility")
def test_make_vhost_ssl_with_existing_rewrite_conds(self, mock_get_utility):
self.config.parser.modules.add("rewrite_module")
http_vhost = self.vh_truth[0]
self.config.parser.add_dir(
http_vhost.path, "RewriteEngine", "on")
# Add a chunk that should not be commented out.
self.config.parser.add_dir(http_vhost.path,
"RewriteCond", ["%{DOCUMENT_ROOT}/%{REQUEST_FILENAME}", "!-f"])
self.config.parser.add_dir(
http_vhost.path, "RewriteRule",
["^(.*)$", "b://u%{REQUEST_URI}", "[P,QSA,L]"])
# Add a chunk that should be commented out.
self.config.parser.add_dir(http_vhost.path,
"RewriteCond", ["%{HTTPS}", "!=on"])
self.config.parser.add_dir(http_vhost.path,
"RewriteCond", ["%{HTTPS}", "!^$"])
self.config.parser.add_dir(
http_vhost.path, "RewriteRule",
["^",
"https://%{SERVER_NAME}%{REQUEST_URI}",
"[L,QSA,R=permanent]"])
self.config.save()
ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[0])
conf_line_set = set(open(ssl_vhost.filep).read().splitlines())
not_commented_cond1 = ("RewriteCond "
"%{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f")
not_commented_rewrite_rule = ("RewriteRule "
"^(.*)$ b://u%{REQUEST_URI} [P,QSA,L]")
commented_cond1 = "# RewriteCond %{HTTPS} !=on"
commented_cond2 = "# RewriteCond %{HTTPS} !^$"
commented_rewrite_rule = ("# RewriteRule ^ "
"https://%{SERVER_NAME}%{REQUEST_URI} "
"[L,QSA,R=permanent]")
self.assertTrue(not_commented_cond1 in conf_line_set)
self.assertTrue(not_commented_rewrite_rule in conf_line_set)
self.assertTrue(commented_cond1 in conf_line_set)
self.assertTrue(commented_cond2 in conf_line_set)
self.assertTrue(commented_rewrite_rule in conf_line_set)
mock_get_utility().add_message.assert_called_once_with(mock.ANY,
mock.ANY)
def get_achalls(self):
"""Return testing achallenges."""
@ -1164,11 +1242,50 @@ class MultipleVhostsTest(util.ApacheTest):
mock_match = mock.Mock(return_value=["something"])
self.config.aug.match = mock_match
# pylint: disable=protected-access
self.assertEquals(self.config._check_aug_version(),
["something"])
self.assertEqual(self.config._check_aug_version(),
["something"])
self.config.aug.match.side_effect = RuntimeError
self.assertFalse(self.config._check_aug_version())
class AugeasVhostsTest(util.ApacheTest):
"""Test vhosts with illegal names dependant on augeas version."""
# pylint: disable=protected-access
def setUp(self): # pylint: disable=arguments-differ
td = "debian_apache_2_4/augeas_vhosts"
cr = "debian_apache_2_4/augeas_vhosts/apache2"
vr = "debian_apache_2_4/augeas_vhosts/apache2/sites-available"
super(AugeasVhostsTest, self).setUp(test_dir=td,
config_root=cr,
vhost_root=vr)
self.config = util.get_apache_configurator(
self.config_path, self.vhost_path, self.config_dir, self.work_dir)
self.vh_truth = util.get_vh_truth(
self.temp_dir, "debian_apache_2_4/augeas_vhosts")
def tearDown(self):
shutil.rmtree(self.temp_dir)
shutil.rmtree(self.config_dir)
shutil.rmtree(self.work_dir)
def test_choosevhost_with_illegal_name(self):
self.config.aug = mock.MagicMock()
self.config.aug.match.side_effect = RuntimeError
path = "debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf"
chosen_vhost = self.config._create_vhost(path)
self.assertEqual(None, chosen_vhost)
def test_choosevhost_works(self):
path = "debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf"
chosen_vhost = self.config._create_vhost(path)
self.assertTrue(chosen_vhost == None or chosen_vhost.path == path)
@mock.patch("certbot_apache.configurator.ApacheConfigurator._create_vhost")
def test_get_vhost_continue(self, mock_vhost):
mock_vhost.return_value = None
vhs = self.config.get_virtual_hosts()
self.assertEqual([], vhs)
if __name__ == "__main__":
unittest.main() # pragma: no cover

2
certbot-apache/certbot_apache/tests/display_ops_test.py
View file

@ -38,7 +38,7 @@ class SelectVhostTest(unittest.TestCase):
try:
self._call(self.vhosts)
except errors.MissingCommandlineFlag as e:
self.assertTrue("VirtualHost directives" in e.message)
self.assertTrue("vhost ambiguity" in e.message)
@mock.patch("certbot_apache.display_ops.zope.component.getUtility")
def test_more_info_cancel(self, mock_util):

3
certbot-apache/certbot_apache/tests/obj_test.py
View file

@ -22,6 +22,9 @@ class VirtualHostTest(unittest.TestCase):
self.vhost2 = VirtualHost(
"fp", "vhp", set([self.addr2]), False, False, "localhost")
def test_repr(self):
self.assertEqual(repr(self.addr2), "certbot_apache.obj.Addr(('127.0.0.1', '443'))")
def test_eq(self):
self.assertTrue(self.vhost1b == self.vhost1)
self.assertFalse(self.vhost1 == self.vhost2)

196
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/apache2.conf vendored Normal file
View file

@ -0,0 +1,196 @@
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.
# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.
# Global configuration
#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
Mutex file:${APACHE_LOCK_DIR} default
#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog ${APACHE_LOG_DIR}/error.log
#
# LogLevel: Control the severity of messages logged to the error_log.
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include list of ports to listen on
Include ports.conf
# Sets the default security model of the Apache2 HTTPD server. It does
# not allow access to the root filesystem outside of /usr/share and /var/www.
# The former is used by web applications packaged in Debian,
# the latter may be used for local directories served by the web server. If
# your system is serving content from a sub-directory in /srv you must allow
# access here, or in any related virtual host.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# These deviate from the Common Log Format definitions in that they use %O
# (the actual bytes sent including headers) instead of %b (the size of the
# requested file), because the latter makes it impossible to detect partial
# requests.
#
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

3
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/bad_conf_file.conf vendored Normal file
View file

@ -0,0 +1,3 @@
<VirtualHost 1.1.1.1>
ServerName invalid.net

4
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/other-vhosts-access-log.conf vendored Normal file
View file

@ -0,0 +1,4 @@
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

35
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/security.conf vendored Normal file
View file

@ -0,0 +1,35 @@
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens OS
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
ServerSignature On
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#TraceEnable On
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

20
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/serve-cgi-bin.conf vendored Normal file
View file

@ -0,0 +1,20 @@
<IfModule mod_alias.c>
<IfModule mod_cgi.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfModule mod_cgid.c>
Define ENABLE_USR_LIB_CGI_BIN
</IfModule>
<IfDefine ENABLE_USR_LIB_CGI_BIN>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
</Directory>
</IfDefine>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/other-vhosts-access-log.conf vendored Symbolic link
View file

@ -0,0 +1 @@
../conf-available/other-vhosts-access-log.conf

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/security.conf vendored Symbolic link
View file

@ -0,0 +1 @@
../conf-available/security.conf

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/serve-cgi-bin.conf vendored Symbolic link
View file

@ -0,0 +1 @@
../conf-available/serve-cgi-bin.conf

29
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/envvars vendored Normal file
View file

@ -0,0 +1,29 @@
# envvars - default environment variables for apache2ctl
# this won't be correct after changing uid
unset HOME
# for supporting multiple apache2 instances
if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
SUFFIX=
fi
# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# temporary state file location. This might be changed to /run in Wheezy+1
export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
## The locale used by some modules like mod_dav
export LANG=C
export LANG

5
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/authz_svn.load vendored Normal file
View file

@ -0,0 +1,5 @@
# Depends: dav_svn
<IfModule !mod_dav_svn.c>
Include mods-enabled/dav_svn.load
</IfModule>
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

3
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav.load vendored Normal file
View file

@ -0,0 +1,3 @@
<IfModule !mod_dav.c>
LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
</IfModule>

56
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.conf vendored Normal file
View file

@ -0,0 +1,56 @@
# dav_svn.conf - Example Subversion/Apache configuration
#
# For details and further options see the Apache user manual and
# the Subversion book.
#
# NOTE: for a setup with multiple vhosts, you will want to do this
# configuration in /etc/apache2/sites-available/*, not here.
# <Location URL> ... </Location>
# URL controls how the repository appears to the outside world.
# In this example clients access the repository as http://hostname/svn/
# Note, a literal /svn should NOT exist in your document root.
#<Location /svn>
# Uncomment this to enable the repository
#DAV svn
# Set this to the path to your repository
#SVNPath /var/lib/svn
# Alternatively, use SVNParentPath if you have multiple repositories under
# under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
# You need either SVNPath and SVNParentPath, but not both.
#SVNParentPath /var/lib/svn
# Access control is done at 3 levels: (1) Apache authentication, via
# any of several methods. A "Basic Auth" section is commented out
# below. (2) Apache <Limit> and <LimitExcept>, also commented out
# below. (3) mod_authz_svn is a svn-specific authorization module
# which offers fine-grained read/write access control for paths
# within a repository. (The first two layers are coarse-grained; you
# can only enable/disable access to an entire repository.) Note that
# mod_authz_svn is noticeably slower than the other two layers, so if
# you don't need the fine-grained control, don't configure it.
# Basic Authentication is repository-wide. It is not secure unless
# you are using https. See the 'htpasswd' command to create and
# manage the password file - and the documentation for the
# 'auth_basic' and 'authn_file' modules, which you will need for this
# (enable them with 'a2enmod').
#AuthType Basic
#AuthName "Subversion Repository"
#AuthUserFile /etc/apache2/dav_svn.passwd
# To enable authorization via mod_authz_svn (enable that module separately):
#<IfModule mod_authz_svn.c>
#AuthzSVNAccessFile /etc/apache2/dav_svn.authz
#</IfModule>
# The following three lines allow anonymous read, but make
# committers authenticate themselves. It requires the 'authz_user'
# module (enable it with 'a2enmod').
#<LimitExcept GET PROPFIND OPTIONS REPORT>
#Require valid-user
#</LimitExcept>
#</Location>

7
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.load vendored Normal file
View file

@ -0,0 +1,7 @@
# Depends: dav
<IfModule !mod_dav_svn.c>
<IfModule !mod_dav.c>
Include mods-enabled/dav.load
</IfModule>
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
</IfModule>

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/rewrite.load vendored Normal file
View file

@ -0,0 +1 @@
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

89
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.conf vendored Normal file
View file

@ -0,0 +1,89 @@
<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
# (Disabled by default, the global Mutex directive consolidates by default
# this)
#Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

2
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.load vendored Normal file
View file

@ -0,0 +1,2 @@
# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

0
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore vendored Normal file
View file

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/authz_svn.load vendored Symbolic link
View file

@ -0,0 +1 @@
../mods-available/authz_svn.load

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav.load vendored Symbolic link
View file

@ -0,0 +1 @@
../mods-available/dav.load

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.conf vendored Symbolic link
View file

@ -0,0 +1 @@
../mods-available/dav_svn.conf

1
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.load vendored Symbolic link
View file

@ -0,0 +1 @@
../mods-available/dav_svn.load

15
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/ports.conf vendored Normal file
View file

@ -0,0 +1,15 @@
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

12
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf vendored Normal file
View file

@ -0,0 +1,12 @@
<VirtualHost *:80 [::]:80>
ServerName ip-172-30-0-17
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

0
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/placeholder.conf vendored Normal file
View file

3
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/sites vendored Normal file
View file

@ -0,0 +1,3 @@
sites-available/certbot.conf, certbot.demo
sites-available/encryption-example.conf, encryption-example.demo
sites-available/ocsp-ssl.conf, ocspvhost.com

1
certbot-apache/certbot_apache/tls_sni_01.py
View file

@ -129,6 +129,7 @@ class ApacheTlsSni01(common.TLSSNI01):
# because it's a new vhost that's not configured yet (GH #677),
# or perhaps because there were multiple <VirtualHost> sections
# in the config file (GH #1042). See also GH #2600.
logger.warning("Falling back to default vhost %s...", default_addr)
addrs.add(default_addr)
return addrs

52
certbot-auto
View file

@ -19,7 +19,7 @@ XDG_DATA_HOME=${XDG_DATA_HOME:-~/.local/share}
VENV_NAME="letsencrypt"
VENV_PATH=${VENV_PATH:-"$XDG_DATA_HOME/$VENV_NAME"}
VENV_BIN="$VENV_PATH/bin"
LE_AUTO_VERSION="0.8.0"
LE_AUTO_VERSION="0.8.1"
BASENAME=$(basename $0)
USAGE="Usage: $BASENAME [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
@ -172,7 +172,7 @@ BootstrapDebCommon() {
# distro version (#346)
virtualenv=
if apt-cache show virtualenv > /dev/null 2>&1; then
if apt-cache show virtualenv > /dev/null 2>&1 && ! apt-cache --quiet=0 show virtualenv 2>&1 | grep -q 'No packages found'; then
virtualenv="virtualenv"
fi
@ -458,12 +458,39 @@ BootstrapSmartOS() {
pkgin -y install 'gcc49' 'py27-augeas' 'py27-virtualenv'
}
BootstrapMageiaCommon() {
if ! $SUDO urpmi --force \
python \
libpython-devel \
python-virtualenv
then
echo "Could not install Python dependencies. Aborting bootstrap!"
exit 1
fi
if ! $SUDO urpmi --force \
git \
gcc \
cdialog \
python-augeas \
libopenssl-devel \
libffi-devel \
rootcerts
then
echo "Could not install additional dependencies. Aborting bootstrap!"
exit 1
fi
}
# Install required OS packages:
Bootstrap() {
if [ -f /etc/debian_version ]; then
echo "Bootstrapping dependencies for Debian-based OSes..."
BootstrapDebCommon
elif [ -f /etc/mageia-release ] ; then
# Mageia has both /etc/mageia-release and /etc/redhat-release
ExperimentalBootstrap "Mageia" BootstrapMageiaCommon
elif [ -f /etc/redhat-release ]; then
echo "Bootstrapping dependencies for RedHat-based OSes..."
BootstrapRpmCommon
@ -476,7 +503,7 @@ Bootstrap() {
BootstrapArchCommon
else
echo "Please use pacman to install letsencrypt packages:"
echo "# pacman -S letsencrypt letsencrypt-apache"
echo "# pacman -S certbot certbot-apache"
echo
echo "If you would like to use the virtualenv way, please run the script again with the"
echo "--debug flag."
@ -500,6 +527,7 @@ Bootstrap() {
echo "You will need to bootstrap, configure virtualenv, and run pip install manually."
echo "Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites"
echo "for more info."
exit 1
fi
}
@ -719,15 +747,15 @@ letsencrypt==0.7.0 \
# THE LINES BELOW ARE EDITED BY THE RELEASE SCRIPT; ADD ALL DEPENDENCIES ABOVE.
acme==0.8.0 \
--hash=sha256:8561d590e496afb41a8ff2dac389199661d9cd785b1636ae08325771511189af \
--hash=sha256:dfa86b547628b231f275c7e0efc7a09bec5dfaec866f89f5c5b59b78c14564da
certbot==0.8.0 \
--hash=sha256:395c5840ff6b75aa51ee6449c86d016c14c5f65a71281e7bcef5feecac6a3293 \
--hash=sha256:3c3c70b484fb3243a166515adc81ae0401c5d687a2763c75b40df9d8241a4314
certbot-apache==0.8.0 \
--hash=sha256:f4d4fc962ecc19646f6745d49c62a265d26e5b2df3acf34ef4865351594156e3 \
--hash=sha256:cfb211debbcb0d0645c88d7e8bb38c591fca263bfdb5337242c023956055e268
acme==0.8.1 \
--hash=sha256:ccd7883772efbf933f91713b8241455993834f3620c8fbd459d9ed5e50bbaaca \
--hash=sha256:d3ea4acf280bf6253ad7d641cb0970f230a19805acfed809e7a8ddcf62157d9f
certbot==0.8.1 \
--hash=sha256:89805d9f70249ae859ec4d7a99c00b4bb7083ca90cd12d4d202b76dfc284f7c5 \
--hash=sha256:6ca8df3d310ced6687d38aac17c0fb8c1b2ec7a3bea156a254e4cc2a1c132771
certbot-apache==0.8.1 \
--hash=sha256:c9e3fdc15e65589c2e39eb0e6b1f61f0c0a1db3c17b00bb337f0ff636cc61cb3 \
--hash=sha256:0faf2879884d3b7a58b071902fba37d4b8b58a50e2c3b8ac262c0a74134045ed
UNLIKELY_EOF
# -------------------------------------------------------------------------

4
certbot-compatibility-test/certbot_compatibility_test/test_driver.py
View file

@ -369,10 +369,10 @@ def main():
plugin.cleanup_from_tests()
if overall_success:
logger.warn("All compatibility tests succeeded")
logger.warning("All compatibility tests succeeded")
sys.exit(0)
else:
logger.warn("One or more compatibility tests failed")
logger.warning("One or more compatibility tests failed")
sys.exit(1)

27
certbot-compatibility-test/nginx/README Normal file
View file

@ -0,0 +1,27 @@
Eventually there will also be a compatibility test here like the Apache one.
Right now, this is data for the roundtrip test (checking that the parser
can parse each file and that the reserialized config file it generates is
identical to the original).
If run in a virtualenv or otherwise so that certbot_nginx can be imported,
the roundtrip test can run as
python roundtrip.py nginx-roundtrip-testdata
It gives exit status 0 for success and 1 if at least one parse or roundtrip
failure occurred.
The directory nginx-roundtrip-testdata includes some config files that were
contributed to our project as well as most of the configs linked from
https://www.nginx.com/resources/wiki/start/
Some exceptions that were skipped are
https://www.nginx.com/resources/wiki/start/topics/recipes/moinmoin/
https://www.nginx.com/resources/wiki/start/topics/examples/SSL-Offloader/ (not much nginx configuration)
https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/ (likewise)
https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/
https://www.nginx.com/resources/wiki/start/topics/examples/fcgiwrap/

34
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10033 Normal file
View file

@ -0,0 +1,34 @@
upstream django_server_random18709.example.org {
server unix:/srv/http/random22194/live/website.sock;
}
server {
listen 80;
server_name random18709.example.org;
location /media/ {
alias /srv/http/random22194/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random22194/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random18709.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random22194/live/access.log combined_plus;
error_log /var/log/nginx/random22194/live/error.log;
}
server {
server_name www.random18709.example.org;
server_name random24607.example.org www.random24607.example.org;
return 301 http://random18709.example.org$request_uri;
}

71
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10571 Normal file
View file

@ -0,0 +1,71 @@
upstream django_server_random1413.example.org {
server unix:/srv/http/random25151/live/website.sock;
}
server {
listen 443;
server_name www.random25266.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random25266.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random25266.example.org.key;
location /media/ {
alias /srv/http/random25151/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random25151/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random1413.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random25151/live/access.log combined_plus;
error_log /var/log/nginx/random25151/live/error.log;
}
server {
listen 443;
server_name random1413.example.org www.random1413.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random1413.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random1413.example.org.key;
location / {
return 301 https://www.random25266.example.org$request_uri;
}
}
server {
listen 443;
server_name random25266.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random25266.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random25266.example.org.key;
location / {
return 301 https://www.random25266.example.org$request_uri;
}
}
server {
listen 80;
server_name random1413.example.org www.random1413.example.org;
server_name random28524.example.org www.random28524.example.org;
server_name random25266.example.org www.random25266.example.org;
server_name random26791.example.org www.random26791.example.org;
location / {
return 301 https://www.random25266.example.org$request_uri;
}
}

38
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10591 Normal file
View file

@ -0,0 +1,38 @@
upstream django_server_random11921.example.org {
server unix:/srv/http/random9726/acceptance/website.sock;
}
server {
listen 80;
server_name random11921.example.org www.random11921.example.org;
if ($host != 'random11921.example.org') {
rewrite ^/(.*)$ http://random11921.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random9726/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random9726/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random11921.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
error_page 502 503 504 /50x.html;
}
location /50x.html {
root /usr/share/nginx/www/;
}
access_log /var/log/nginx/random9726/acceptance/access.log combined_plus;
error_log /var/log/nginx/random9726/acceptance/error.log;
}

16
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10920 Normal file
View file

@ -0,0 +1,16 @@
server {
listen 80 default;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:81;
}
location ~ /\.ht {
deny all;
}
access_log /var/log/nginx/random27802/access.log combined_plus;
}

40
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10947 Normal file
View file

@ -0,0 +1,40 @@
upstream django_server_acceptance.random8289.random17507.example.org {
server unix:/srv/http/random8289/acceptance/website.sock;
}
server {
listen 80;
server_name random23045.example.org;
location /media/ {
alias /srv/http/random8289/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random8289/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_acceptance.random8289.random17507.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
satisfy any;
auth_basic 'random8289 acceptance';
auth_basic_user_file /srv/http/random8289/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random8289/acceptance/access.log combined_plus;
error_log /var/log/nginx/random8289/acceptance/error.log;
}
server {
server_name www.random23045.example.org;
return 301 http://random23045.example.org$request_uri;
}

37
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11018 Normal file
View file

@ -0,0 +1,37 @@
upstream django_server_random24036.example.org {
server unix:/srv/http/random1006/live/website.sock;
}
server {
listen 80;
server_name random24036.example.org;
gzip on;
gzip_http_version 1.0;
gzip_types *;
gzip_vary on;
gzip_proxied any;
location ~ /media/(.*)$ {
alias /srv/http/random1006/live/website/static/$1;
expires 7d;
gzip on;
}
location / {
proxy_pass http://django_server_random24036.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random1006/live/access.log combined_plus;
error_log /var/log/nginx/random1006/live/error.log;
}
server {
server_name www.random24036.example.org;
server_name random32349.example.org www.random32349.example.org;
server_name random23794.example.org www.random23794.example.org;
rewrite ^ http://random24036.example.org$request_uri permanent;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11046 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_random25979.example.org {
server unix:/srv/http/random24211/internal/website.sock;
}
server {
listen 80;
server_name random25979.example.org;
location ^~ /media/ {
alias /srv/http/random24211/internal/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random24211/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random25979.example.org;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'internal for random24211';
auth_basic_user_file /srv/http/random24211/internal/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random24211/internal/access.log combined_plus;
error_log /var/log/nginx/random24211/internal/error.log;
}
server {
server_name www.random25979.example.org;
rewrite ^ http://intern.random24211.org$request_uri permanent;
}

29
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11382 Normal file
View file

@ -0,0 +1,29 @@
server {
listen 80;
listen 7891; # User0
listen 8080; # User1
listen 8900; # User2
listen 8912; # User3
listen 3567; # User4
server_name random666.example.org www.random666.example.org;
root /srv/http/random666.example.org;
index index.html index.htm;
location /duif_assets/ {
try_files $uri $uri/ =404;
}
location /index.html {
try_files $uri $uri/ =404;
}
location / {
rewrite ^.+$ / break;
try_files $uri $uri/ =404;
}
access_log /var/log/nginx/random666.example.org/access.log combined_plus;
error_log /var/log/nginx/random666.example.org/error.log;
}

38
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1167 Normal file
View file

@ -0,0 +1,38 @@
upstream django_server_random23900.example.org {
server unix:/srv/http/random29467/acceptance/website.sock;
}
server {
listen 80;
server_name random23900.example.org www.random23900.example.org;
if ($host != 'random23900.example.org') {
rewrite ^/(.*)$ http://random23900.example.org/$1 permanent;
}
location ^~ /media/ {
alias /srv/http/random29467/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location ^~ /static/ {
alias /srv/http/random29467/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random23900.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
satisfy any;
allow 89.188.25.162;
auth_basic "random29467 acceptance";
auth_basic_user_file htpasswords/random29467_acceptance;
}
access_log /var/log/nginx/random29467/acceptance/access.log combined_plus;
error_log /var/log/nginx/random29467/acceptance/error.log;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11849 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_random3140.example.org {
server unix:/srv/http/random2912/live/website.sock;
}
server {
listen 80;
server_name random3140.example.org;
location ^~ /media/ {
alias /srv/http/random2912/live/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random2912/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random3140.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random2912/live/access.log combined_plus;
error_log /var/log/nginx/random2912/live/error.log;
}
server {
server_name www.random3140.example.org;
server_name random28398.example.org;
server_name random23689.example.org www.random23689.example.org;
server_name random25863.example.org www.random25863.example.org;
rewrite ^ http://random3140.example.org$request_uri permanent;
}

29
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12027 Normal file
View file

@ -0,0 +1,29 @@
upstream django_server_random6410.example.org {
server unix:/srv/http/random28641/live/website.sock;
}
server {
listen 80;
server_name www.random6410.example.org;
location ~ /static/(.*)$ {
alias /srv/http/random28641/live/website/static/$1;
expires 7d;
}
location / {
proxy_pass http://django_server_random6410.example.org;
include /etc/nginx/proxy_params;
proxy_connect_timeout 240;
proxy_read_timeout 240;
}
access_log /var/log/nginx/random28641/live/access.log combined_plus;
error_log /var/log/nginx/random28641/live/error.log;
}
server {
server_name random6410.example.org;
rewrite ^ http://www.random6410.example.org$request_uri permanent;
}

33
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12235 Normal file
View file

@ -0,0 +1,33 @@
server {
server_name random18267.example.org;
gzip on;
gzip_min_length 2000;
gzip_proxied any;
gzip_types application/json;
client_max_body_size 30M;
root /srv/http/random23264/data;
# Security
satisfy any;
include /etc/nginx/allow_ytec_ips_params;
deny all;
# try serving docs and (md5/immutable) directly
location ~ \+(f|doc)/ {
try_files $uri @proxy_to_app;
}
location / {
# XXX how to tell nginx to just refer to @proxy_to_app here?
try_files /.lqkwje @proxy_to_app;
}
location @proxy_to_app {
proxy_pass http://random20604.example.org:4040;
proxy_set_header X-outside-url $scheme://$host;
proxy_set_header X-Real-IP $remote_addr;
}
access_log /var/log/nginx/random23264/access.log combined_plus;
error_log /var/log/nginx/random23264/error.log;
}

45
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12649 Normal file
View file

@ -0,0 +1,45 @@
upstream django_server_random10305.example.org {
server unix:/srv/http/random23322/live/website.sock;
}
server {
listen 80;
server_name random10305.example.org;
location /media/ {
alias /srv/http/random23322/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random23322/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random10305.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random23322/live/access.log combined_plus;
error_log /var/log/nginx/random23322/live/error.log;
}
server {
listen 80;
server_name random13399.example.org;
server_name www.random10305.example.org;
server_name random17958.example.org www.random17958.example.org;
server_name random15266.example.org www.random15266.example.org;
server_name random21296.example.org www.random21296.example.org;
server_name random5261.example.org www.random5261.example.org;
server_name random679.example.org www.random679.example.org;
server_name random31788.example.org www.random31788.example.org;
server_name random22704.example.org www.random22704.example.org;
server_name random17411.example.org www.random17411.example.org;
return 301 http://random10305.example.org$request_uri;
}

38
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-13577 Normal file
View file

@ -0,0 +1,38 @@
upstream django_server_random30837.example.org {
server unix:/srv/http/random30992/live/website.sock;
}
server {
listen 80;
server_name www.random30837.example.org;
location ^~ /media/ {
alias /srv/http/random30992/live/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random30992/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random30837.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random30992/live/access.log combined_plus;
error_log /var/log/nginx/random30992/live/error.log;
}
server {
server_name random30837.example.org;
server_name random3263.example.org www.random3263.example.org;
server_name random6771.example.org www.random6771.example.org;
server_name random17696.example.org www.random17696.example.org;
server_name random7179.example.org www.random7179.example.org;
server_name random8127.example.org www.random8127.example.org;
rewrite ^ http://www.random30837.example.org$request_uri permanent;
}

33
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14402 Normal file
View file

@ -0,0 +1,33 @@
upstream django_server_random17705.example.org {
server unix:/srv/http/random8289/internal/website.sock;
}
server {
listen 80;
server_name random17705.example.org;
location /media/ {
alias /srv/http/random8289/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random8289/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random17705.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random8289/internal/access.log combined_plus;
error_log /var/log/nginx/random8289/internal/error.log;
}
server {
server_name www.random17705.example.org;
return 301 http://random17705.example.org$request_uri;
}

54
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14430 Normal file
View file

@ -0,0 +1,54 @@
upstream django_server_random17507.example.org {
server unix:/srv/http/random7740/live/website.sock;
}
server {
listen 80;
server_name random17507.example.org;
location ^~ /media/ {
alias /srv/http/random7740/live/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random7740/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random17507.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random7740/live/access.log combined_plus;
error_log /var/log/nginx/random7740/live/error.log;
}
server {
server_name www.random17507.example.org;
server_name random31197.example.org www.random31197.example.org;
server_name random19579.example.org www.random19579.example.org;
server_name random16629.example.org www.random16629.example.org;
server_name random28363.example.org www.random28363.example.org;
server_name random30185.example.org www.random30185.example.org;
server_name random22326.example.org www.random22326.example.org;
server_name random3622.example.org www.random3622.example.org;
server_name random1463.example.org www.random1463.example.org;
server_name random23341.example.org www.random23341.example.org;
server_name random2214.example.org www.random2214.example.org;
server_name random22684.example.org www.random22684.example.org;
server_name random6606.example.org www.random6606.example.org;
server_name random29138.example.org www.random29138.example.org;
server_name random15109.example.org www.random15109.example.org;
server_name random8002.example.org www.random8002.example.org;
server_name random16836.example.org www.random16836.example.org;
server_name random22283.example.org www.random22283.example.org;
location = /googleXXXXXXXXXXXXXXXX.html {
alias /srv/http/random7740/live/website/templates/googleXXXXXXXXXXXXXXXX.html;
}
rewrite ^ http://random17507.example.org$request_uri permanent;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15141 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_acceptatie.random20374.nl {
server unix:/srv/http/random20374/acceptance/website.sock;
}
server {
listen 80;
server_name random28586.example.org;
location ^~ /media/ {
alias /srv/http/random20374/acceptance/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random20374/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_acceptatie.random20374.nl;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'acceptance for random20374';
auth_basic_user_file /srv/http/random20374/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random20374/acceptance/access.log combined_plus;
error_log /var/log/nginx/random20374/acceptance/error.log;
}
server {
server_name www.random28586.example.org;
rewrite ^ http://random28586.example.org$request_uri permanent;
}

38
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15270 Normal file
View file

@ -0,0 +1,38 @@
upstream django_server_random6822.example.org {
server unix:/srv/http/random7047/live/website.sock;
}
server {
listen 8443;
server_name random6822.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random6822.example.org.complete-bundle.crt;
ssl_certificate_key /etc/ssl/private/random6822.example.org.key;
location /media/ {
alias /srv/http/random7047/live/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random7047/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random6822.example.org;
include /etc/nginx/proxy_params;
}
access_log /var/log/nginx/random7047/live/access.log combined_plus;
error_log /var/log/nginx/random7047/live/error.log;
}
server {
listen 80;
server_name random6822.example.org;
rewrite ^/(.*) https://random6822.example.org:8443/$1;
}

112
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15291 Normal file
View file

@ -0,0 +1,112 @@
# You may add here your
# server {
# ...
# }
# statements for each of your virtual hosts to this file
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
root /usr/share/nginx/html;
index index.html index.htm;
# Make site accessible from http://random20604.example.org/
server_name random20604.example.org;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
}
# Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
#location /RequestDenied {
# proxy_pass http://127.0.0.1:8080;
#}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
#error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
#
# # With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php5-fpm:
# fastcgi_pass unix:/var/run/php5-fpm.sock;
# fastcgi_index index.php;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen random20605.example.org:8080;
# server_name random20605.example.org alias another.alias;
# root html;
# index index.html index.htm;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
# HTTPS server
#
#server {
# listen 443;
# server_name random20604.example.org;
#
# root html;
# index index.html index.htm;
#
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
#
# ssl_session_timeout 5m;
#
# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
# ssl_prefer_server_ciphers on;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}

39
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15456 Normal file
View file

@ -0,0 +1,39 @@
upstream django_server_random29275.example.org {
server unix:/srv/http/random14353/internal/website.sock;
}
server {
listen 80;
server_name random29275.example.org;
location /media/ {
alias /srv/http/random14353/internal/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random14353/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random29275.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
satisfy any;
auth_basic 'internal for random14353';
auth_basic_user_file /srv/http/random14353/internal/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random14353/internal/access.log;
error_log /var/log/nginx/random14353/internal/error.log;
}
server {
server_name www.random29275.example.org;
return 301 http://random29275.example.org$request_uri;
}

35
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15497 Normal file
View file

@ -0,0 +1,35 @@
upstream django_server_random16112.example.org {
server unix:/srv/http/random29227/live/website.sock;
}
server {
listen 80;
server_name random16112.example.org;
location /media/ {
alias /srv/http/random29227/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random29227/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random16112.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random29227/live/access.log combined_plus;
error_log /var/log/nginx/random29227/live/error.log;
}
server {
server_name random5297.example.org www.random5297.example.org;
server_name random17050.example.org www.random17050.example.org;
server_name www.random16112.example.org;
return 301 http://random16112.example.org$request_uri;
}

38
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15852 Normal file
View file

@ -0,0 +1,38 @@
upstream django_server_random7474.example.org {
server unix:/srv/http/random4886/acceptance/website.sock;
}
server {
listen 80;
server_name random7474.example.org;
location /media/ {
alias /srv/http/random4886/acceptance/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random4886/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random7474.example.org;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'acceptance for random4886';
auth_basic_user_file /srv/http/random4886/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
client_max_body_size 20m;
access_log /var/log/nginx/random4886/acceptance/access.log;
error_log /var/log/nginx/random4886/acceptance/error.log;
}
server {
server_name www.random7474.example.org;
return 301 http://random7474.example.org$request_uri;
}

34
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-16345 Normal file
View file

@ -0,0 +1,34 @@
upstream django_server_random25713.example.org {
server unix:/srv/http/random24922/live/website.sock;
}
server {
listen 80;
server_name random25713.example.org;
location /media/ {
alias /srv/http/random24922/live/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random24922/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random25713.example.org;
include /etc/nginx/proxy_params;
satisfy any;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random24922/live/access.log;
error_log /var/log/nginx/random24922/live/error.log;
}
server {
server_name www.random25713.example.org;
return 301 http://random25713.example.org$request_uri;
}

14
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17175 Normal file
View file

@ -0,0 +1,14 @@
server {
listen 80;
server_name random25647.example.org www.random25647.example.org random10963.example.org www.random10963.example.org;
if ($host != 'random25647.example.org') {
rewrite ^/(.*)$ http://random25647.example.org/$1 permanent;
}
index index.html index.htm;
root /srv/http/random11461/countdown/;
access_log /var/log/nginx/random11461/live/access.log combined_plus;
error_log /var/log/nginx/random11461/live/error.log;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17832 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random6430.example.org {
server unix:/srv/http/random550/internal/website.sock;
}
server {
listen 80;
server_name random6430.example.org;
location /media/ {
alias /srv/http/random550/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random550/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random6430.example.org;
include /etc/nginx/django_proxy_params;
}
access_log /var/log/nginx/random550/internal/access.log combined_plus;
error_log /var/log/nginx/random550/internal/error.log;
}
server {
server_name www.random6430.example.org;
return 301 http://random6430.example.org$request_uri;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17942 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random25647.example.org {
server unix:/srv/http/random11461/live/website.sock;
}
server {
listen 80;
server_name random25647.example.org www.random25647.example.org random10963.example.org www.random10963.example.org;
if ($host != 'random25647.example.org') {
rewrite ^/(.*)$ http://random25647.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random11461/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random11461/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random25647.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random11461/live/access.log combined_plus;
error_log /var/log/nginx/random11461/live/error.log;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18018 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_intern.random20374.nl {
server unix:/srv/http/random20374/internal/website.sock;
}
server {
listen 80;
server_name random23818.example.org;
location ^~ /media/ {
alias /srv/http/random20374/internal/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random20374/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_intern.random20374.nl;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'internal for random20374';
auth_basic_user_file /srv/http/random20374/internal/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random20374/internal/access.log combined_plus;
error_log /var/log/nginx/random20374/internal/error.log;
}
server {
server_name www.random23818.example.org;
rewrite ^ http://random23818.example.org$request_uri permanent;
}

39
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18069 Normal file
View file

@ -0,0 +1,39 @@
upstream django_server_random7949.example.org {
server unix:/srv/http/random1006/acceptance/website.sock;
}
server {
listen 80;
server_name random7949.example.org;
gzip on;
gzip_http_version 1.0;
gzip_types *;
gzip_vary on;
gzip_proxied any;
location ~ /media/(.*)$ {
alias /srv/http/random1006/acceptance/website/static/$1;
expires 7d;
gzip on;
}
location / {
proxy_pass http://django_server_random7949.example.org;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'acceptance for random1006';
auth_basic_user_file /srv/http/random1006/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random1006/acceptance/access.log combined_plus;
error_log /var/log/nginx/random1006/acceptance/error.log;
}
server {
server_name www.random7949.example.org;
rewrite ^ http://random7949.example.org$request_uri permanent;
}

39
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19334 Normal file
View file

@ -0,0 +1,39 @@
upstream django_server_random1515.example.org {
server unix:/srv/http/random15255/acceptance/website.sock fail_timeout=5;
}
server {
listen 80;
server_name random1515.example.org www.random1515.example.org;
if ($host != 'random1515.example.org') {
rewrite ^/(.*)$ http://random1515.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random15255/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random15255/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random1515.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
satisfy any;
auth_basic 'random191 acceptance';
auth_basic_user_file /srv/http/random15255/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random15255/acceptance/access.log combined_plus;
error_log /var/log/nginx/random15255/acceptance/error.log;
}

39
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19639 Normal file
View file

@ -0,0 +1,39 @@
upstream django_server_live.random8289.random17507.example.org {
server unix:/srv/http/random8289/live/website.sock;
}
server {
listen 443;
server_name random23886.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random23886.example.org.complete-bundle.crt;
ssl_certificate_key /etc/ssl/private/random23886.example.org.key;
location /media/ {
alias /srv/http/random8289/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random8289/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_live.random8289.random17507.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
access_log /var/log/nginx/random8289/live/access.log combined_plus;
error_log /var/log/nginx/random8289/live/error.log;
}
server {
listen 80;
server_name random23886.example.org;
return 301 https://random23886.example.org$request_uri;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1966 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_random31523.example.org {
server unix:/srv/http/random16722.example.org/internal/website.sock;
}
server {
listen 80;
server_name random31523.example.org;
location ^~ /media/ {
alias /srv/http/random16722.example.org/internal/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random16722.example.org/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random31523.example.org;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'internal for random16722.example.org';
auth_basic_user_file /srv/http/random16722.example.org/internal/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random16722.example.org/internal/access.log combined_plus;
error_log /var/log/nginx/random16722.example.org/internal/error.log;
}
server {
server_name www.random31523.example.org;
rewrite ^ http://random31523.example.org$request_uri permanent;
}

34
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19791 Normal file
View file

@ -0,0 +1,34 @@
upstream django_server_random1413.example.org {
server unix:/srv/http/random25151/live/website.sock;
}
server {
listen 80;
server_name random1413.example.org;
location ^~ /media/ {
alias /srv/http/random25151/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location ^~ /static/ {
alias /srv/http/random25151/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random1413.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random25151/live/access.log combined_plus;
error_log /var/log/nginx/random25151/live/error.log;
}
server {
server_name www.random1413.example.org;
server_name random28524.example.org www.random28524.example.org;
rewrite ^ http://random1413.example.org$request_uri permanent;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19955 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_random9619.example.org {
server unix:/srv/http/random28641/internal/website.sock;
}
server {
listen 80;
server_name random9619.example.org;
location ^~ /media/ {
alias /srv/http/random28641/internal/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random28641/internal/website/static/;
expires 7d;
}
location / {
proxy_pass http://django_server_random9619.example.org;
include /etc/nginx/proxy_params;
satisfy any;
auth_basic 'internal for random28641';
auth_basic_user_file /srv/http/random28641/internal/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random28641/internal/access.log combined_plus;
error_log /var/log/nginx/random28641/internal/error.log;
}
server {
server_name www.random9619.example.org;
rewrite ^ http://random9619.example.org$request_uri permanent;
}

33
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21369 Normal file
View file

@ -0,0 +1,33 @@
upstream django_server_random31758.example.org {
server unix:/srv/http/random21623/internal/website.sock;
}
server {
listen 80;
server_name random31758.example.org www.random31758.example.org;
if ($host != 'random31758.example.org') {
rewrite ^/(.*)$ http://random31758.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random21623/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random21623/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random31758.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
access_log /var/log/nginx/random21623/internal/access.log combined_plus;
error_log /var/log/nginx/random21623/internal/error.log;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21549 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random1688.example.org {
server unix:/srv/http/random6470/acceptance/website.sock;
}
server {
listen 80;
server_name random5078.example.org random1688.example.org www.random1688.example.org;
if ($host != 'random5078.example.org') {
rewrite ^/(.*)$ http://random5078.example.org/$1 permanent;
}
location ^~ /media/ {
alias /srv/http/random6470/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location ^~ /static/ {
alias /srv/http/random6470/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random1688.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random6470/acceptance/access.log combined_plus;
error_log /var/log/nginx/random6470/acceptance/error.log;
}

33
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-230 Normal file
View file

@ -0,0 +1,33 @@
upstream django_server_random22746.example.org {
server unix:/srv/http/random6344/internal/website.sock;
}
server {
listen 80;
server_name random22746.example.org;
if ($host != 'random22746.example.org') {
rewrite ^/(.*)$ http://random22746.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random6344/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random6344/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random22746.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
access_log /var/log/nginx/random6344/internal/access.log combined_plus;
error_log /var/log/nginx/random6344/internal/error.log;
}

74
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23325 Normal file
View file

@ -0,0 +1,74 @@
upstream django_server_random15255_live {
server unix:/srv/http/random15255/live/website.sock fail_timeout=5;
}
server {
listen 443;
server_name random7381.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
location /media/ {
alias /srv/http/random15255/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random15255/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random15255_live;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
access_log /var/log/nginx/random15255/live/access.log combined_plus;
error_log /var/log/nginx/random15255/live/error.log;
}
server {
listen 80;
server_name random7381.example.org www.random7381.example.org;
return 301 https://random7381.example.org$request_uri;
}
server {
listen 8445;
server_name random7381.example.org www.random7381.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
return 301 https://random7381.example.org$request_uri;
}
server {
listen 1000;
server_name random7381.example.org www.random7381.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
return 301 https://random7381.example.org$request_uri;
}
server {
listen 443;
server_name www.random7381.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
return 301 https://random7381.example.org$request_uri;
}

56
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23470 Normal file
View file

@ -0,0 +1,56 @@
upstream django_server_random27579.example.org {
server unix:/srv/http/random21623/live/website.sock;
}
server {
listen 443;
server_name random27579.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random27579.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random27579.example.org.key;
location /media/ {
alias /srv/http/random21623/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random21623/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random27579.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
access_log /var/log/nginx/random21623/live/access.log combined_plus;
error_log /var/log/nginx/random21623/live/error.log;
}
server {
listen 443;
server_name www.random27579.example.org;
ssl on;
ssl_certificate /etc/ssl/public/random27579.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random27579.example.org.key;
return 301 https://random27579.example.org$request_uri;
}
server {
listen 80;
server_name random27579.example.org www.random27579.example.org random11512.example.org;
server_name random18003.example.org www.random18003.example.org;
server_name random26730.example.org www.random26730.example.org;
server_name random3968.example.org www.random3968.example.org;
server_name random11925.example.org www.random11925.example.org;
return 301 https://random27579.example.org$request_uri;
}

33
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23791 Normal file
View file

@ -0,0 +1,33 @@
upstream django_server_random31057.example.org {
server unix:/srv/http/random22194/acceptance/website.sock;
}
server {
listen 80;
server_name random31057.example.org www.random31057.example.org;
if ($host != 'random31057.example.org') {
rewrite ^/(.*)$ http://random31057.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random22194/acceptance/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random22194/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random31057.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 120;
}
access_log /var/log/nginx/random22194/acceptance/access.log combined_plus;
error_log /var/log/nginx/random22194/acceptance/error.log;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23803 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random16722.example.org {
server unix:/srv/http/random16722.example.org/live/website.sock;
}
server {
listen 80;
server_name random16722.example.org;
location ^~ /media/ {
alias /srv/http/random16722.example.org/live/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random16722.example.org/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random16722.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random16722.example.org/live/access.log combined_plus;
error_log /var/log/nginx/random16722.example.org/live/error.log;
}
server {
server_name www.random16722.example.org;
rewrite ^ http://random16722.example.org$request_uri permanent;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23838 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random14388.example.org {
server unix:/srv/http/random4886/live/website.sock;
}
server {
listen 80;
server_name random14388.example.org;
location /media/ {
alias /srv/http/random4886/live/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random4886/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random14388.example.org;
include /etc/nginx/proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random4886/live/access.log;
error_log /var/log/nginx/random4886/live/error.log;
}
server {
server_name www.random14388.example.org;
return 301 http://random14388.example.org$request_uri;
}

7
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24125 Normal file
View file

@ -0,0 +1,7 @@
server {
listen 80;
server_name random14996.example.org;
root /srv/http/random23392/;
index index.html;
}

62
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24193 Normal file
View file

@ -0,0 +1,62 @@
upstream django_server_random6177.example.org {
server unix:/srv/http/random550/live/website.sock;
}
server {
listen 443 ssl;
server_name random2179.example.org;
ssl_certificate /etc/ssl/public/random2179.example.org.bundle.crt;
ssl_certificate_key /etc/ssl/private/random2179.example.org.key;
location /media/ {
alias /srv/http/random550/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random550/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random6177.example.org;
include /etc/nginx/django_proxy_params;
}
access_log /var/log/nginx/random550/live/access.log combined_plus;
error_log /var/log/nginx/random550/live/error.log;
}
server {
listen 80;
server_name random2179.example.org;
location /media/ {
alias /srv/http/random550/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random550/live/static_collected/;
expires 7d;
}
#location = / {
# return 301 https://random2179.example.org$request_uri;
#}
location / {
proxy_pass http://django_server_random6177.example.org;
include /etc/nginx/django_proxy_params;
}
access_log /var/log/nginx/random550/live/access_http.log combined_plus;
error_log /var/log/nginx/random550/live/error_http.log;
}
server {
server_name random6177.example.org www.random6177.example.org;
return 301 http://random2179.example.org$request_uri;
}

36
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24213 Normal file
View file

@ -0,0 +1,36 @@
upstream django_server_random22047.example.org {
server unix:/srv/http/random26975/acceptance/website.sock;
}
server {
listen 80;
server_name random22047.example.org;
location /media/ {
alias /srv/http/random26975/acceptance/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random26975/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random22047.example.org;
include /etc/nginx/django_proxy_params;
satisfy any;
auth_basic 'acceptance for random26975';
auth_basic_user_file /srv/http/random26975/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random26975/acceptance/access.log;
error_log /var/log/nginx/random26975/acceptance/error.log;
}
server {
server_name www.random22047.example.org;
return 301 http://random22047.example.org$request_uri;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-25480 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random6193.example.org {
server unix:/srv/http/random4755/live/website.sock;
}
server {
listen 80;
server_name random6193.example.org www.random6193.example.org;
if ($host != 'random6193.example.org') {
rewrite ^/(.*)$ http://random6193.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random4755/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random4755/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random6193.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random4755/live/access.log combined_plus;
error_log /var/log/nginx/random4755/live/error.log;
}

26
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26195 Normal file
View file

@ -0,0 +1,26 @@
server {
listen 80;
server_name www.random25446.example.org random25446.example.org;
if ($host != 'random25446.example.org') {
rewrite ^/(.*)$ http://random25446.example.org/$1 permanent;
}
location ^~ /media {
alias /srv/http/random17476/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location ^~ /static {
alias /srv/http/random17476/internal/static_collected/;
expires 7d;
}
location / {
include fastcgi_params;
fastcgi_pass unix:/srv/http/random17476/internal/website.sock;
}
access_log /var/log/nginx/random17476/internal/access.log combined_plus;
error_log /var/log/nginx/random17476/internal/error.log;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26221 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random4030.example.org {
server unix:/srv/http/random26975/live/website.sock;
}
server {
listen 80;
server_name random4030.example.org;
location /media/ {
alias /srv/http/random26975/live/dynamic/public/;
expires 7d;
}
location /static/ {
alias /srv/http/random26975/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random4030.example.org;
include /etc/nginx/django_proxy_params;
# You can configure access rules here
}
access_log /var/log/nginx/random26975/live/access.log;
error_log /var/log/nginx/random26975/live/error.log;
}
server {
server_name www.random4030.example.org;
return 301 http://random4030.example.org$request_uri;
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26637 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random5890.example.org {
server unix:/srv/http/random4755/internal/website.sock;
}
server {
listen 80;
server_name random5890.example.org;
if ($host != 'random5890.example.org') {
rewrite ^/(.*)$ http://random5890.example.org/$1 permanent;
}
location /media/ {
alias /srv/http/random4755/internal/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location /static/ {
alias /srv/http/random4755/internal/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random5890.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random4755/internal/access.log combined_plus;
error_log /var/log/nginx/random4755/internal/error.log;
}

21
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26758 Normal file
View file

@ -0,0 +1,21 @@
server {
listen 80 default_server;
#listen [::]:80 default_server ipv6only=on;
root /var/www/default/;
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
location ~ /\.ht {
deny all;
}
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
access_log /var/log/nginx/access.log combined_plus;
error_log /var/log/nginx/error.log;
}

37
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27646 Normal file
View file

@ -0,0 +1,37 @@
upstream django_server_random10783.example.org {
server unix:/srv/http/random4711/acceptance/website.sock;
}
server {
listen 80;
server_name random10783.example.org;
location ^~ /media/ {
alias /srv/http/random4711/acceptance/dynamic/public/;
expires 7d;
}
location ^~ /static/ {
alias /srv/http/random4711/acceptance/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random10783.example.org;
include /etc/nginx/proxy_params;
proxy_read_timeout 4m;
satisfy any;
auth_basic 'acceptance for random4711';
auth_basic_user_file /srv/http/random4711/acceptance/htpasswords;
include /etc/nginx/allow_ytec_ips_params;
deny all;
}
access_log /var/log/nginx/random4711/acceptance/access.log combined_plus;
error_log /var/log/nginx/random4711/acceptance/error.log;
}
server {
server_name www.random10783.example.org;
rewrite ^ http://random10783.example.org$request_uri permanent;
}

5
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27728 Normal file
View file

@ -0,0 +1,5 @@
server {
location =/ {
return 404;
}
}

32
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27736 Normal file
View file

@ -0,0 +1,32 @@
upstream django_server_random17112.example.org {
server unix:/srv/http/random29467/live/website.sock;
}
server {
listen 80;
server_name random17112.example.org www.random17112.example.org;
if ($host != 'random17112.example.org') {
rewrite ^/(.*)$ http://random17112.example.org/$1 permanent;
}
location ^~ /media/ {
alias /srv/http/random29467/live/dynamic/public/;
expires 7d;
include upload_folder_security_params;
}
location ^~ /static/ {
alias /srv/http/random29467/live/static_collected/;
expires 7d;
}
location / {
proxy_pass http://django_server_random17112.example.org;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
access_log /var/log/nginx/random29467/live/access.log combined_plus;
error_log /var/log/nginx/random29467/live/error.log;
}

Some files were not shown because too many files have changed in this diff Show more