From 0db7b5998b8abb5c70cc13bf2ed61b671fcdef0c Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Mon, 6 Jun 2016 15:15:52 -0700 Subject: [PATCH 01/79] fix broken link in contributing.rst --- docs/contributing.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index 3318ec103..267d466e4 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -266,8 +266,7 @@ with the core upstream source code. An example is provided in it with any necessary API changes. .. _`setuptools entry points`: - https://pythonhosted.org/setuptools/setuptools.html#dynamic-discovery-of-services-and-plugins - + http://setuptools.readthedocs.io/en/latest/pkg_resources.html#entry-points .. _coding-style: From 5a126a92772a451399b564d708f663def3d324cb Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 16 Jun 2016 12:00:43 -0700 Subject: [PATCH 02/79] ignore bad files in initial sweep --- certbot-apache/certbot_apache/configurator.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 9caa4a764..0d6669313 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -511,7 +511,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ addrs = set() - args = self.aug.match(path + "/arg") + try: + args = self.aug.match(path + "/arg") + except RuntimeError: + logger.warn("It looks like one of your paths has a character that your version of augeas can't parse") for arg in args: addrs.add(obj.Addr.fromstring(self.parser.get_arg(arg))) is_ssl = False From 48b03d91cfd6c662866d3d3f061521fae49e46e6 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 16 Jun 2016 12:30:48 -0700 Subject: [PATCH 03/79] return if error --- certbot-apache/certbot_apache/configurator.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 0d6669313..647b84bdf 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -515,6 +515,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): args = self.aug.match(path + "/arg") except RuntimeError: logger.warn("It looks like one of your paths has a character that your version of augeas can't parse") + return None for arg in args: addrs.add(obj.Addr.fromstring(self.parser.get_arg(arg))) is_ssl = False @@ -563,7 +564,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): for path in paths: new_vhost = self._create_vhost(path) realpath = os.path.realpath(new_vhost.filep) - if realpath not in vhost_paths.keys(): + if realpath and realpath not in vhost_paths.keys(): vhs.append(new_vhost) vhost_paths[realpath] = new_vhost.filep elif realpath == new_vhost.filep: From 68dd7e9192a40ae7ea32450b2fb696f66ce8757b Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 16 Jun 2016 12:32:34 -0700 Subject: [PATCH 04/79] don't add empty vhosts --- certbot-apache/certbot_apache/configurator.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 647b84bdf..57249eea5 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -563,8 +563,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): os.path.basename(path) == "VirtualHost"] for path in paths: new_vhost = self._create_vhost(path) + if not new_vhost: + continue realpath = os.path.realpath(new_vhost.filep) - if realpath and realpath not in vhost_paths.keys(): + if realpath not in vhost_paths.keys(): vhs.append(new_vhost) vhost_paths[realpath] = new_vhost.filep elif realpath == new_vhost.filep: 
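Review bot: `_create_vhost` now has a path that returns `None` (the `return None` added under `except RuntimeError` in the `@@ -515,6 +515,7 @@` hunk), but nothing visible documents it. The docstring, which starts above the hunk, should say so, for example `:returns: newly created vhost, or None if Augeas cannot parse the path`. A skipped vhost is reported only through `logger.warn`, so a site whose file cannot be parsed is quietly left out of whatever is done to the remaining vhosts; the message should make clear to the operator that the site was not processed. Callers of `_create_vhost` that are not visible in these hunks would need a `None` check as well.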
From 50d900718ba0dd3d577edbc67ad4d026e21a7f04 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 16 Jun 2016 16:22:42 -0700 Subject: [PATCH 05/79] add invalid file for cover --- .../apache2/sites-available/old,default.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf new file mode 100644 index 000000000..2bd4e1fe9 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf @@ -0,0 +1,12 @@ + + + ServerName ip-172-30-0-17 + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet From 07fb5dd9cc2895799b370d5d25c56b9fca692e3a Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 24 Jun 2016 15:55:51 -0700 Subject: [PATCH 06/79] escape and unescape augeas --- certbot-apache/certbot_apache/configurator.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 57249eea5..33d79fadb 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py 
@@ -514,7 +514,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): try: args = self.aug.match(path + "/arg") except RuntimeError: - logger.warn("It looks like one of your paths has a character that your version of augeas can't parse") + logger.warn("Encountered a problem while parsing file: %s, skipping", path) return None for arg in args: addrs.add(obj.Addr.fromstring(self.parser.get_arg(arg))) @@ -529,7 +529,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if addr.get_port() == "443": is_ssl = True - filename = get_file_path(path) + filename = _unescape(get_file_path(path)) if self.conf("handle-sites"): is_enabled = self.is_site_enabled(filename) else: @@ -727,7 +727,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ avail_fp = nonssl_vhost.filep - ssl_fp = self._get_ssl_vhost_path(avail_fp) + ssl_fp = _escape(self._get_ssl_vhost_path(avail_fp)) self._copy_create_ssl_vhost_skeleton(avail_fp, ssl_fp) @@ -901,7 +901,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.parser.add_dir(vh_path, "Include", self.mod_ssl_conf) def _add_servername_alias(self, target_name, vhost): - fp = vhost.filep + fp = _escape(vhost.filep) vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" % (fp, parser.case_i("VirtualHost"))) if not vh_p: @@ -953,6 +953,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if need_to_save: self.save() + def _unescape(fp): + return fp.replace("\\", "") + + def _escape(fp): + return fp.replace(",", "\\,") ###################################################################### # Enhancements From d67bc676813a0d67e73c23fd5f74b670d510db31 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 24 Jun 2016 16:17:09 -0700 Subject: [PATCH 07/79] add self --- certbot-apache/certbot_apache/configurator.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
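Review bot: In the `@@ -727,7 +727,7 @@` hunk the Augeas-escaped `ssl_fp` is handed to `self._copy_create_ssl_vhost_skeleton(avail_fp, ssl_fp)`, although escaping belongs only where the string is placed into an Augeas path expression. That helper is outside the hunk, but if it opens `ssl_fp` on the filesystem, a source file named `old,default.conf` would presumably produce an SSL vhost file with a literal backslash in its name. Keeping the raw path for file operations avoids that: `ssl_fp = self._get_ssl_vhost_path(avail_fp)`, with the escaped form built only at the Augeas lookups that follow. The enclosing method continues past the hunk, so the later uses of `ssl_fp` need checking too.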
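Review bot: `_unescape` and `_escape` in the `@@ -953,6 +953,11 @@` hunk are not inverses: `_escape` adds a backslash only before a comma, while `_unescape` removes every backslash, so a path that legitimately contains a backslash comes back altered. Undoing exactly what was escaped would be `return fp.replace("\\,", ",")`. The escaped value is also formatted straight into the match expression in `_add_servername_alias` (`"/files%s//* [label()=~regexp('%s')]" % (fp, ...)`), and a comma is not the only character with meaning in an Augeas path expression, so file names containing brackets, quotes or whitespace presumably still break or change the query; one helper covering the full set of special characters would be safer. The same two method bodies are carried unchanged into the next patch's `@@ -953,10 +953,11 @@` hunk.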
diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 33d79fadb..f7d37cc40 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -529,7 +529,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if addr.get_port() == "443": is_ssl = True - filename = _unescape(get_file_path(path)) + filename = self._unescape(get_file_path(path)) if self.conf("handle-sites"): is_enabled = self.is_site_enabled(filename) else: @@ -727,7 +727,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ avail_fp = nonssl_vhost.filep - ssl_fp = _escape(self._get_ssl_vhost_path(avail_fp)) + ssl_fp = self._escape(self._get_ssl_vhost_path(avail_fp)) self._copy_create_ssl_vhost_skeleton(avail_fp, ssl_fp) @@ -901,7 +901,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.parser.add_dir(vh_path, "Include", self.mod_ssl_conf) def _add_servername_alias(self, target_name, vhost): - fp = _escape(vhost.filep) + fp = self._escape(vhost.filep) vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" % (fp, parser.case_i("VirtualHost"))) if not vh_p: @@ -953,10 +953,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if need_to_save: self.save() - def _unescape(fp): + + def _unescape(self, fp): return fp.replace("\\", "") - def _escape(fp): + def _escape(self, fp): return fp.replace(",", "\\,") ###################################################################### From 797d0a066072189c0745319bc8c4d524534e1d31 Mon Sep 17 00:00:00 2001 From: Amjad Mashaal Date: Wed, 15 Jun 2016 13:39:42 +0200 Subject: [PATCH 08/79] Printing pip output to terminal when -v is used Signed-off-by: Amjad Mashaal --- letsencrypt-auto-source/letsencrypt-auto.template | 12 +++++++++--- letsencrypt-auto-source/tests/auto_test.py | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/letsencrypt-auto-source/letsencrypt-auto.template b/letsencrypt-auto-source/letsencrypt-auto.template index e8f313208..d838e976d 100755 --- a/letsencrypt-auto-source/letsencrypt-auto.template +++ b/letsencrypt-auto-source/letsencrypt-auto.template @@ -247,13 +247,19 @@ UNLIKELY_EOF # Set PATH so pipstrap upgrades the right (v)env: PATH="$VENV_BIN:$PATH" "$VENV_BIN/python" "$TEMP_DIR/pipstrap.py" set +e - PIP_OUT=`"$VENV_BIN/pip" install --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt" 2>&1` + if [ "$VERBOSE" = 1 ]; then + "$VENV_BIN/pip" install --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt" 2>&1 + else + PIP_OUT=`"$VENV_BIN/pip" install --no-cache-dir --require-hashes -r "$TEMP_DIR/letsencrypt-auto-requirements.txt" 2>&1` + fi PIP_STATUS=$? set -e if [ "$PIP_STATUS" != 0 ]; then # Report error. (Otherwise, be quiet.) - echo "Had a problem while installing Python packages:" - echo "$PIP_OUT" + echo "Had a problem while installing Python packages." + if [ "$VERBOSE" != 1 ]; then + echo "$PIP_OUT" + fi rm -rf "$VENV_PATH" exit 1 fi diff --git a/letsencrypt-auto-source/tests/auto_test.py b/letsencrypt-auto-source/tests/auto_test.py index 56023bc6f..8aea6603a 100644 --- a/letsencrypt-auto-source/tests/auto_test.py +++ b/letsencrypt-auto-source/tests/auto_test.py @@ -201,7 +201,7 @@ iQIDAQAB **kwargs) env.update(d) return out_and_err( - join(venv_dir, 'letsencrypt-auto') + ' --version', + join(venv_dir, 'letsencrypt-auto') + ' --verbose --version', shell=True, env=env) From 6f7ed85844c8842743228a5afb9163c7642225aa Mon Sep 17 00:00:00 2001 From: Amjad Mashaal Date: Wed, 25 May 2016 00:17:47 +0200 Subject: [PATCH 09/79] -v implies --text --- certbot/cli.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/certbot/cli.py b/certbot/cli.py index 35b3b74ae..244d321d8 100644 --- a/certbot/cli.py +++ b/certbot/cli.py 
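Review bot: The pip command line, including `--no-cache-dir --require-hashes`, is now written out twice in the `@@ -247,13 +247,19 @@` hunk, once per `$VERBOSE` branch, so a later edit can drop the hash check from one branch without it being noticed. Defining the invocation once keeps the integrity flags in a single place, for instance a small shell function holding the `"$VENV_BIN/pip" install ... 2>&1` line, which the verbose branch calls directly and the quiet branch calls inside the backticks. A short comment above `PIP_STATUS=$?` would also help, such as `# $? is pip's exit status from whichever branch ran`.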
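Review bot: With `' --verbose --version'` hard-coded in this helper, every run goes through the new verbose branch of the template, and the quiet branch that captures `PIP_OUT` and prints it on failure is no longer exercised from here. Keeping the original `' --version'` call and adding a second invocation, or a parameter on the helper, for `--verbose` would cover both branches. The helper's body starts above the hunk.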
@@ -392,6 +392,11 @@ class HelpfulArgumentParser(object): ("Conflicting values for displayer." " {0} conflicts with dialog_mode").format(arg) ) + else: + # -v should imply --text + if (parsed_args.verbose_count > flag_default("verbose_count") and + not parsed_args.dialog_mode): + parsed_args.text_mode = True if parsed_args.validate_hooks: hooks.validate_hooks(parsed_args) From bbd5ce45e90ba6bb0aaf3d55dcf87c9f2ad7552d Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 28 Jun 2016 13:49:44 -0500 Subject: [PATCH 10/79] Defer signals in ErrorHandler. --- certbot/error_handler.py | 46 ++++++++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 431e677a1..5b9220583 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -19,6 +19,14 @@ _SIGNALS = ([signal.SIGTERM] if os.name == "nt" else signal.SIGXCPU, signal.SIGXFSZ]) +class SignalExit(Exception): + """This exception is used stop of execution of the code in the body of the + ErrorHandler context manager. + + """ + pass + + class ErrorHandler(object): """Registers functions to be called if an exception or signal occurs. 
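Review bot: `SignalExit` in the `@@ -19,6 +19,14 @@` hunk derives from `Exception`, so any `except Exception:` inside the body of a `with ErrorHandler(...)` block will catch it and carry on as if no signal had arrived. The signal number is still appended to `received_signals`, but `__exit__` (a later hunk) replays signals only when it sees `SignalExit`, so the signal is lost. Deriving from `BaseException` keeps ordinary handlers from swallowing it: `class SignalExit(BaseException):`. The docstring reads "is used stop of execution", where "is used to stop execution" is presumably meant, and the trailing `pass` is not needed after a docstring.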
@@ -34,16 +42,17 @@ class ErrorHandler(object): if a signal is encountered, cleanup_func is called followed by the previously registered signal handler. - Every registered function is attempted to be run to completion - exactly once. If a registered function raises an exception, it is - logged and the next function is called. If a (different) handled - signal occurs while calling a registered function, it is attempted - to be called again by the next signal handler. + Each registered cleanup function is called exactly once. If a registered + function raises an exception, it is logged and the next function is called. + Signals received while the registered functions are executing are + deferred until they finish. """ def __init__(self, func=None, *args, **kwargs): + self.body_executed = False self.funcs = [] self.prev_handlers = {} + self.received_signals = [] if func is not None: self.register(func, *args, **kwargs) @@ -51,12 +60,22 @@ class ErrorHandler(object): self.set_signal_handlers() def __exit__(self, exec_type, exec_value, trace): + self.body_executed = True + retval = False + if exec_type is SignalExit: + logger.debug("Encountered signals: %s", self.received_signals) + self.call_registered() + for signum in self.received_signals: + self.call_signal(signum) + retval = True # SystemExit is ignored to properly handle forks that don't exec - if exec_type not in (None, SystemExit): + elif exec_type not in (None, SystemExit): logger.debug("Encountered exception:\n%s", "".join( traceback.format_exception(exec_type, exec_value, trace))) self.call_registered() + self.reset_signal_handlers() + return retval def register(self, func, *args, **kwargs): """Sets func to be called with *args and **kwargs during cleanup 
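Review bot: Signals that arrive while cleanup runs are replayed only in the `exec_type is SignalExit` branch of `__exit__` (`@@ -51,12 +60,22 @@` hunk). In the `elif` branch, `_signal_handler` still appends to `received_signals` because `body_executed` is already `True`, but nothing calls `call_signal` before `reset_signal_handlers()`, so a SIGTERM received during cleanup after an ordinary exception is dropped, which contradicts the class docstring's "deferred until they finish". Moving the replay out of the branch fixes this, so that `for signum in self.received_signals: self.call_signal(signum)` runs just before `self.reset_signal_handlers()` on every path. `received_signals` is also never cleared, so a handler object used for a second `with` block would replay old signals.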
@@ -93,12 +112,21 @@ class ErrorHandler(object): self.prev_handlers.clear() def _signal_handler(self, signum, unused_frame): - """Calls registered functions and the previous signal handler. + """Stores the recieved signal. :param int signum: number of current signal """ - logger.debug("Singal %s encountered", signum) - self.call_registered() + self.received_signals.append(signum) + if not self.body_executed: + raise SignalExit + + def call_signal(self, signum): + """Calls the signal given by signum. + + :param int signum: signal number + + """ + logger.debug("Calling signal %s", signum) signal.signal(signum, self.prev_handlers[signum]) os.kill(os.getpid(), signum) From 1356941f9760c4cda79097716c6cf86d0d179e07 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 28 Jun 2016 13:58:26 -0500 Subject: [PATCH 11/79] Test signal handling in error handler. --- certbot/tests/error_handler_test.py | 61 +++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 16 deletions(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index 5434b36be..c2551195a 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -1,11 +1,33 @@ """Tests for certbot.error_handler.""" +import os import signal import sys import unittest +from contextlib import contextmanager import mock +@contextmanager +def signal_receiver(signums): + """Context manager to catch signals""" + def receiver(signum, unused_frame): + signals.append(signum) + signals = [] + prev_handlers = {} + for signum in signums: + prev_handlers[signum] = signal.getsignal(signum) + signal.signal(signum, receiver) + yield signals + for signum in signums: + signal.signal(signum, prev_handlers[signum]) + + +def send_signal(signum): + """Send the given signal""" + os.kill(os.getpid(), signum) + + class ErrorHandlerTest(unittest.TestCase): """Tests for certbot.error_handler.""" 
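Review bot: `_signal_handler` raises `SignalExit` for every signal that arrives before `body_executed` is set, so a second signal delivered while the first `SignalExit` is still unwinding (inside a `finally` in the body, or on entry to `__exit__`) raises again at an arbitrary point and can interrupt cleanup. Raising only for the first recorded signal avoids that: `if not self.body_executed and len(self.received_signals) == 1: raise SignalExit`. In `call_signal`, a comment such as `# restore the previous handler, then re-deliver the signal to this process` would explain the `signal.signal` / `os.kill` pair. The docstring has "recieved" for "received".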
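Review bot: `signal_receiver` in the test module's `@@ -1,11 +1,33 @@` hunk restores the previous handlers only when the `with` body finishes normally. The loop after `yield signals` is not inside a `finally`, so a failing assertion in one test leaves the recording handler installed for the rest of the run. Wrapping the yield as `try: yield signals` with the existing restore loop under `finally:` fixes that. The docstring could also say that the yielded list collects the received signal numbers in order.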
@@ -30,25 +52,20 @@ class ErrorHandlerTest(unittest.TestCase): self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) - @mock.patch('certbot.error_handler.os') - @mock.patch('certbot.error_handler.signal') - def test_signal_handler(self, mock_signal, mock_os): - # pylint: disable=protected-access - mock_signal.getsignal.return_value = signal.SIG_DFL - self.handler.set_signal_handlers() - signal_handler = self.handler._signal_handler - for signum in self.signals: - mock_signal.signal.assert_any_call(signum, signal_handler) + def test_context_manager_with_signal(self): + with signal_receiver(self.signals) as signals_received: + with self.handler: + should_be_42 = 42 + send_signal(signal.SIGTERM) + should_be_42 *= 10 - signum = self.signals[0] - signal_handler(signum, None) + # check exectuion stoped when the signal was sent + assert 42 == should_be_42 + # assert signals were caught + assert [signal.SIGTERM] == signals_received + # assert the error handling function was just called once self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) - mock_os.kill.assert_called_once_with(mock_os.getpid(), signum) - - self.handler.reset_signal_handlers() - for signum in self.signals: - mock_signal.signal.assert_any_call(signum, signal.SIG_DFL) def test_bad_recovery(self): bad_func = mock.MagicMock(side_effect=[ValueError]) @@ -58,6 +75,18 @@ class ErrorHandlerTest(unittest.TestCase): **self.init_kwargs) bad_func.assert_called_once_with() + def test_bad_recovery_with_signal(self): + bad_func = mock.MagicMock( + side_effect=lambda: send_signal(signal.SIGHUP)) + self.handler.register(bad_func) + with signal_receiver(self.signals) as signals_received: + with self.handler: + send_signal(signal.SIGTERM) + assert [signal.SIGTERM, signal.SIGHUP] == signals_received + self.init_func.assert_called_once_with(*self.init_args, + **self.init_kwargs) + bad_func.assert_called_once_with() + def test_sysexit_ignored(self): try: with self.handler: 
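Review bot: The new tests use bare `assert` statements (`assert 42 == should_be_42`, `assert [signal.SIGTERM] == signals_received`, and the same in `test_bad_recovery_with_signal` in the `@@ -58,6 +75,18 @@` hunk) inside a `unittest.TestCase`. These are stripped when Python runs with `-O` and give no diff on failure; `self.assertEqual(42, should_be_42)` and `self.assertEqual([signal.SIGTERM], signals_received)` match the rest of the class. The comment "check exectuion stoped" should read "check execution stopped".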
From e6521414499247570e8e252ad5bc1d32fbdf33c3 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 28 Jun 2016 16:55:46 -0500 Subject: [PATCH 12/79] Use lambda instead of closure. --- certbot/tests/error_handler_test.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index c2551195a..f8ac0718b 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -11,13 +11,11 @@ import mock @contextmanager def signal_receiver(signums): """Context manager to catch signals""" - def receiver(signum, unused_frame): - signals.append(signum) signals = [] prev_handlers = {} for signum in signums: prev_handlers[signum] = signal.getsignal(signum) - signal.signal(signum, receiver) + signal.signal(signum, lambda signum, _: signals.append(signum)) yield signals for signum in signums: signal.signal(signum, prev_handlers[signum]) From 78b30539faa87fbeb6edea99d5685173a2439505 Mon Sep 17 00:00:00 2001 
From: Noah Swartz Date: Tue, 28 Jun 2016 17:56:31 -0700 Subject: [PATCH 13/79] augeas tests --- .../certbot_apache/tests/configurator_test.py | 33 +++ .../augeas_vhosts/apache2/apache2.conf | 196 ++++++++++++++++++ .../apache2/conf-available/bad_conf_file.conf | 3 + .../other-vhosts-access-log.conf | 4 + .../apache2/conf-available/security.conf | 35 ++++ .../apache2/conf-available/serve-cgi-bin.conf | 20 ++ .../conf-enabled/other-vhosts-access-log.conf | 1 + .../apache2/conf-enabled/security.conf | 1 + .../apache2/conf-enabled/serve-cgi-bin.conf | 1 + .../augeas_vhosts/apache2/envvars | 29 +++ .../apache2/mods-available/authz_svn.load | 5 + .../apache2/mods-available/dav.load | 3 + .../apache2/mods-available/dav_svn.conf | 56 +++++ .../apache2/mods-available/dav_svn.load | 7 + .../apache2/mods-available/rewrite.load | 1 + .../apache2/mods-available/ssl.conf | 89 ++++++++ .../apache2/mods-available/ssl.load | 2 + .../apache2/mods-enabled/.gitignore | 0 .../apache2/mods-enabled/authz_svn.load | 1 + .../apache2/mods-enabled/dav.load | 1 + .../apache2/mods-enabled/dav_svn.conf | 1 + .../apache2/mods-enabled/dav_svn.load | 1 + .../augeas_vhosts/apache2/ports.conf | 15 ++ .../apache2/sites-available/000-default.conf | 12 ++ .../apache2/sites-available/certbot.conf | 42 ++++ .../default-ssl-port-only.conf | 36 ++++ .../apache2/sites-available/default-ssl.conf | 40 ++++ .../sites-available/encryption-example.conf | 42 ++++ .../sites-available/mod_macro-example.conf | 15 ++ .../apache2/sites-available/ocsp-ssl.conf | 36 ++++ .../apache2/sites-available/old,default.conf | 12 ++ .../apache2/sites-available/wildcard.conf | 13 ++ .../apache2/sites-enabled/000-default.conf | 1 + .../apache2/sites-enabled/certbot.conf | 1 + .../sites-enabled/encryption-example.conf | 1 + .../sites-enabled/mod_macro-example.conf | 1 + .../apache2/sites-enabled/ocsp-ssl.conf | 1 + .../debian_apache_2_4/augeas_vhosts/sites | 3 + 38 files changed, 761 insertions(+) create mode 100644 
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/apache2.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/bad_conf_file.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/other-vhosts-access-log.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/security.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/serve-cgi-bin.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/other-vhosts-access-log.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/security.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/serve-cgi-bin.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/envvars create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/authz_svn.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/rewrite.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.conf create mode 100644 
certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/authz_svn.load create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav.load create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.load create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/ports.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf create mode 
100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf create mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf create mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/sites diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index e5c09fd1d..fca62a626 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py 
@@ -1169,6 +1169,39 @@ class MultipleVhostsTest(util.ApacheTest): self.config.aug.match.side_effect = RuntimeError self.assertFalse(self.config._check_aug_version()) +class AugeasVhostsTest(util.ApacheTest): + """Test vhosts with illegal names dependant on augeas version.""" + + def setUp(self): # pylint: disable=arguments-differ + super(AugeasVhostsTest, self).setUp(test_dir="debian_apache_2_4/augeas_vhosts", + config_root="debian_apache_2_4/augeas_vhosts/apache2", + vhost_root="debian_apache_2_4/augeas_vhosts/apache2/sites-available") + + self.config = util.get_apache_configurator( + self.config_path, self.vhost_path, self.config_dir, self.work_dir) + self.config = self.mock_deploy_cert(self.config) + self.vh_truth = util.get_vh_truth( + self.temp_dir, "debian_apache_2_4/augeas_vhosts") + + def mock_deploy_cert(self, config): + """A test for a mock deploy cert""" + self.config.real_deploy_cert = self.config.deploy_cert + + def mocked_deploy_cert(*args, **kwargs): + """a helper to mock a deployed cert""" + with mock.patch("certbot_apache.configurator.ApacheConfigurator.enable_mod"): + config.real_deploy_cert(*args, **kwargs) + self.config.deploy_cert = mocked_deploy_cert + return self.config + + def tearDown(self): + shutil.rmtree(self.temp_dir) + shutil.rmtree(self.config_dir) + shutil.rmtree(self.work_dir) + + def test_choosevhost_with_illegal_name(self): + chosen_vhost = self.config._create_vhost("debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf") + self.assertEqual(None, chosen_vhost) if __name__ == "__main__": unittest.main() # pragma: no cover diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/apache2.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/apache2.conf new file mode 100644 index 000000000..2a5bb7be2 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/apache2.conf 
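Review bot: `test_choosevhost_with_illegal_name` only checks that `_create_vhost` returns `None`, and it passes a relative filesystem path where `_create_vhost` builds an Augeas expression from its argument (`path + "/arg"` in configurator.py), so the result presumably depends on whether the installed Augeas rejects the comma; the class docstring itself says "dependant on augeas version". Nothing here exercises `_escape`/`_unescape` or shows that a vhost in `old,default.conf` is found once escaping is applied. Setting `self.config.aug.match.side_effect = RuntimeError`, as the `_check_aug_version` test just above does, would pin the skip path deterministically, and an assertion such as `self.assertEqual(path, self.config._unescape(self.config._escape(path)))` would cover the helpers. `mock_deploy_cert` also mixes `config` and `self.config`, which refer to the same object only because of how `setUp` calls it.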
@@ -0,0 +1,196 @@ +# This is the main Apache server configuration file. It contains the +# configuration directives that give the server its instructions. +# See http://httpd.apache.org/docs/2.4/ for detailed information about +# the directives and /usr/share/doc/apache2/README.Debian about Debian specific +# hints. +# +# +# Summary of how the Apache 2 configuration works in Debian: +# The Apache 2 web server configuration in Debian is quite different to +# upstream's suggested way to configure the web server. This is because Debian's +# default Apache2 installation attempts to make adding and removing modules, +# virtual hosts, and extra configuration directives as flexible as possible, in +# order to make automating the changes and administering the server as easy as +# possible. + +# It is split into several files forming the configuration hierarchy outlined +# below, all located in the /etc/apache2/ directory: +# +# /etc/apache2/ +# |-- apache2.conf +# | `-- ports.conf +# |-- mods-enabled +# | |-- *.load +# | `-- *.conf +# |-- conf-enabled +# | `-- *.conf +# `-- sites-enabled +# `-- *.conf +# +# +# * apache2.conf is the main configuration file (this file). It puts the pieces +# together by including all remaining configuration files when starting up the +# web server. +# +# * ports.conf is always included from the main configuration file. It is +# supposed to determine listening ports for incoming connections which can be +# customized anytime. +# +# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ +# directories contain particular configuration snippets which manage modules, +# global configuration fragments, or virtual host configurations, +# respectively. +# +# They are activated by symlinking available configuration files from their +# respective *-available/ counterparts. These should be managed by using our +# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. 
See +# their respective man pages for detailed information. +# +# * The binary is called apache2. Due to the use of environment variables, in +# the default configuration, apache2 needs to be started/stopped with +# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not +# work with the default configuration. + + +# Global configuration + +# +# The accept serialization lock file MUST BE STORED ON A LOCAL DISK. +# +Mutex file:${APACHE_LOCK_DIR} default + +# +# PidFile: The file in which the server should record its process +# identification number when it starts. +# This needs to be set in /etc/apache2/envvars +# +PidFile ${APACHE_PID_FILE} + +# +# Timeout: The number of seconds before receives and sends time out. +# +Timeout 300 + +# +# KeepAlive: Whether or not to allow persistent connections (more than +# one request per connection). Set to "Off" to deactivate. +# +KeepAlive On + +# +# MaxKeepAliveRequests: The maximum number of requests to allow +# during a persistent connection. Set to 0 to allow an unlimited amount. +# We recommend you leave this number high, for maximum performance. +# +MaxKeepAliveRequests 100 + +# +# KeepAliveTimeout: Number of seconds to wait for the next request from the +# same client on the same connection. +# +KeepAliveTimeout 5 + + +# These need to be set in /etc/apache2/envvars +User ${APACHE_RUN_USER} +Group ${APACHE_RUN_GROUP} + +# +# HostnameLookups: Log the names of clients or just their IP addresses +# e.g., www.apache.org (on) or 204.62.129.132 (off). +# The default is off because it'd be overall better for the net if people +# had to knowingly turn this feature on, since enabling it means that +# each client request will result in AT LEAST one lookup request to the +# nameserver. +# +HostnameLookups Off + +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. 
If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog ${APACHE_LOG_DIR}/error.log + +# +# LogLevel: Control the severity of messages logged to the error_log. +# Available values: trace8, ..., trace1, debug, info, notice, warn, +# error, crit, alert, emerg. +# It is also possible to configure the log level for particular modules, e.g. +# "LogLevel info ssl:warn" +# +LogLevel warn + +# Include module configuration: +IncludeOptional mods-enabled/*.load +IncludeOptional mods-enabled/*.conf + +# Include list of ports to listen on +Include ports.conf + + +# Sets the default security model of the Apache2 HTTPD server. It does +# not allow access to the root filesystem outside of /usr/share and /var/www. +# The former is used by web applications packaged in Debian, +# the latter may be used for local directories served by the web server. If +# your system is serving content from a sub-directory in /srv you must allow +# access here, or in any related virtual host. + + Options FollowSymLinks + AllowOverride None + Require all denied + + + + AllowOverride None + Require all granted + + + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + +# AccessFileName: The name of the file to look for in each directory +# for additional configuration directives. See also the AllowOverride +# directive. +# +AccessFileName .htaccess + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# The following directives define some format nicknames for use with +# a CustomLog directive. +# +# These deviate from the Common Log Format definitions in that they use %O +# (the actual bytes sent including headers) instead of %b (the size of the +# requested file), because the latter makes it impossible to detect partial +# requests. +# +# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. 
+# Use mod_remoteip instead. +# +LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined +LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined +LogFormat "%h %l %u %t \"%r\" %>s %O" common +LogFormat "%{Referer}i -> %U" referer +LogFormat "%{User-agent}i" agent + +# Include of directories ignores editors' and dpkg's backup files, +# see README.Debian for details. + +# Include generic snippets of statements +IncludeOptional conf-enabled/*.conf + +# Include the virtual host configurations: +IncludeOptional sites-enabled/*.conf + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/bad_conf_file.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/bad_conf_file.conf new file mode 100644 index 000000000..8e9178803 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/bad_conf_file.conf @@ -0,0 +1,3 @@ + + +ServerName invalid.net diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/other-vhosts-access-log.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/other-vhosts-access-log.conf new file mode 100644 index 000000000..5e9f5e9e7 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/other-vhosts-access-log.conf @@ -0,0 +1,4 @@ +# Define an access log for VirtualHosts that don't define their own logfile +CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/security.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/security.conf new file mode 100644 index 000000000..eccfcb1fd --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/security.conf @@ -0,0 +1,35 @@ +# Changing the following options will not really affect the security of the +# server, but might make attacks slightly more difficult in some cases. + +# +# ServerTokens +# This directive configures what you return as the Server HTTP response +# Header. The default is 'Full' which sends information about the OS-Type +# and compiled in modules. +# Set to one of: Full | OS | Minimal | Minor | Major | Prod +# where Full conveys the most information, and Prod the least. +#ServerTokens Minimal +ServerTokens OS +#ServerTokens Full + +# +# Optionally add a line containing the server version and virtual host +# name to server-generated pages (internal error documents, FTP directory +# listings, mod_status and mod_info output etc., but not CGI generated +# documents or custom error documents). +# Set to "EMail" to also include a mailto: link to the ServerAdmin. +# Set to one of: On | Off | EMail +#ServerSignature Off +ServerSignature On + +# +# Allow TRACE method +# +# Set to "extended" to also reflect the request body (only for testing and +# diagnostic purposes). +# +# Set to one of: On | Off | extended +TraceEnable Off +#TraceEnable On + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/serve-cgi-bin.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/serve-cgi-bin.conf new file mode 100644 index 000000000..b02782dab --- /dev/null 
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-available/serve-cgi-bin.conf @@ -0,0 +1,20 @@ + + + Define ENABLE_USR_LIB_CGI_BIN + + + + Define ENABLE_USR_LIB_CGI_BIN + + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Require all granted + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/other-vhosts-access-log.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/other-vhosts-access-log.conf new file mode 120000 index 000000000..8af91e530 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/other-vhosts-access-log.conf @@ -0,0 +1 @@ +../conf-available/other-vhosts-access-log.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/security.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/security.conf new file mode 120000 index 000000000..036c97fa7 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/security.conf @@ -0,0 +1 @@ +../conf-available/security.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/serve-cgi-bin.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/serve-cgi-bin.conf new file mode 120000 index 000000000..d917f688e --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/conf-enabled/serve-cgi-bin.conf @@ -0,0 +1 @@ +../conf-available/serve-cgi-bin.conf \ No newline at end of file 
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/envvars b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/envvars new file mode 100644 index 000000000..a13d9a89e --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/envvars @@ -0,0 +1,29 @@ +# envvars - default environment variables for apache2ctl + +# this won't be correct after changing uid +unset HOME + +# for supporting multiple apache2 instances +if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then + SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}" +else + SUFFIX= +fi + +# Since there is no sane way to get the parsed apache2 config in scripts, some +# settings are defined via environment variables and then used in apache2ctl, +# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc. +export APACHE_RUN_USER=www-data +export APACHE_RUN_GROUP=www-data +# temporary state file location. This might be changed to /run in Wheezy+1 +export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid +export APACHE_RUN_DIR=/var/run/apache2$SUFFIX +export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX +# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. +export APACHE_LOG_DIR=/var/log/apache2$SUFFIX + +## The locale used by some modules like mod_dav +export LANG=C + +export LANG + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/authz_svn.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/authz_svn.load new file mode 100644 index 000000000..c6df2733b --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/authz_svn.load @@ -0,0 +1,5 @@ +# Depends: dav_svn + + Include mods-enabled/dav_svn.load + +LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so 
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav.load new file mode 100644 index 000000000..a5867fff3 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav.load @@ -0,0 +1,3 @@ + + LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.conf new file mode 100644 index 000000000..801cbd6bd --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.conf 
@@ -0,0 +1,56 @@ +# dav_svn.conf - Example Subversion/Apache configuration +# +# For details and further options see the Apache user manual and +# the Subversion book. +# +# NOTE: for a setup with multiple vhosts, you will want to do this +# configuration in /etc/apache2/sites-available/*, not here. + +# ... +# URL controls how the repository appears to the outside world. +# In this example clients access the repository as http://hostname/svn/ +# Note, a literal /svn should NOT exist in your document root. +# + + # Uncomment this to enable the repository + #DAV svn + + # Set this to the path to your repository + #SVNPath /var/lib/svn + # Alternatively, use SVNParentPath if you have multiple repositories under + # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...). + # You need either SVNPath and SVNParentPath, but not both. + #SVNParentPath /var/lib/svn + + # Access control is done at 3 levels: (1) Apache authentication, via + # any of several methods. A "Basic Auth" section is commented out + # below. (2) Apache and , also commented out + # below. (3) mod_authz_svn is a svn-specific authorization module + # which offers fine-grained read/write access control for paths + # within a repository. (The first two layers are coarse-grained; you + # can only enable/disable access to an entire repository.) Note that + # mod_authz_svn is noticeably slower than the other two layers, so if + # you don't need the fine-grained control, don't configure it. + + # Basic Authentication is repository-wide. It is not secure unless + # you are using https. See the 'htpasswd' command to create and + # manage the password file - and the documentation for the + # 'auth_basic' and 'authn_file' modules, which you will need for this + # (enable them with 'a2enmod'). 
+ #AuthType Basic + #AuthName "Subversion Repository" + #AuthUserFile /etc/apache2/dav_svn.passwd + + # To enable authorization via mod_authz_svn (enable that module separately): + # + #AuthzSVNAccessFile /etc/apache2/dav_svn.authz + # + + # The following three lines allow anonymous read, but make + # committers authenticate themselves. It requires the 'authz_user' + # module (enable it with 'a2enmod'). + # + #Require valid-user + # + +# diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.load new file mode 100644 index 000000000..e41e1581a --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/dav_svn.load @@ -0,0 +1,7 @@ +# Depends: dav + + + Include mods-enabled/dav.load + + LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/rewrite.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/rewrite.load new file mode 100644 index 000000000..b32f16264 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/rewrite.load @@ -0,0 +1 @@ +LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.conf new file mode 100644 index 000000000..e9fcf4f9b --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.conf 
@@ -0,0 +1,89 @@ + + + # Pseudo Random Number Generator (PRNG): + # Configure one or more sources to seed the PRNG of the SSL library. + # The seed data should be of good random quality. + # WARNING! On some platforms /dev/random blocks if not enough entropy + # is available. This means you then cannot use the /dev/random device + # because it would lead to very long connection times (as long as + # it requires to make more entropy available). But usually those + # platforms additionally provide a /dev/urandom device which doesn't + # block. So, if available, use this one instead. Read the mod_ssl User + # Manual for more details. + # + SSLRandomSeed startup builtin + SSLRandomSeed startup file:/dev/urandom 512 + SSLRandomSeed connect builtin + SSLRandomSeed connect file:/dev/urandom 512 + + ## + ## SSL Global Context + ## + ## All SSL configuration in this context applies both to + ## the main server and all SSL-enabled virtual hosts. + ## + + # + # Some MIME-types for downloading Certificates and CRLs + # + AddType application/x-x509-ca-cert .crt + AddType application/x-pkcs7-crl .crl + + # Pass Phrase Dialog: + # Configure the pass phrase gathering process. + # The filtering dialog program (`builtin' is a internal + # terminal dialog) has to provide the pass phrase on stdout. + SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase + + # Inter-Process Session Cache: + # Configure the SSL Session Cache: First the mechanism + # to use and second the expiring timeout (in seconds). + # (The mechanism dbm has known memory leaks and should not be used). + #SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache + SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000) + SSLSessionCacheTimeout 300 + + # Semaphore: + # Configure the path to the mutual exclusion semaphore the + # SSL engine uses internally for inter-process synchronization. 
+ # (Disabled by default, the global Mutex directive consolidates by default + # this) + #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache + + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. See the + # ciphers(1) man page from the openssl package for list of all available + # options. + # Enable only secure ciphers: + SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + + # Speed-optimized SSL Cipher configuration: + # If speed is your main concern (on busy HTTPS servers e.g.), + # you might want to force clients to specific, performance + # optimized ciphers. In this case, prepend those ciphers + # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. + # Caveat: by giving precedence to RC4-SHA and AES128-SHA + # (as in the example below), most connections will no longer + # have perfect forward secrecy - if the server's key is + # compromised, captures of past or future traffic must be + # considered compromised, too. + #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 + #SSLHonorCipherOrder on + + # The protocols to enable. + # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 + # SSL v2 is no longer supported + SSLProtocol all + + # Allow insecure renegotiation with clients which do not yet support the + # secure renegotiation protocol. Default: Off + #SSLInsecureRenegotiation on + + # Whether to forbid non-SNI clients to access name based virtual hosts. + # Default: Off + #SSLStrictSNIVHostCheck On + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.load new file mode 100644 index 000000000..3d2336ae0 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-available/ssl.load 
@@ -0,0 +1,2 @@
+# Depends: setenvif mime socache_shmcb
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore
new file mode 100644
index 000000000..e69de29bb
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/authz_svn.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/authz_svn.load
new file mode 120000
index 000000000..7ac0725dd
--- /dev/null
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/authz_svn.load
@@ -0,0 +1 @@
+../mods-available/authz_svn.load
\ No newline at end of file
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav.load
new file mode 120000
index 000000000..9dcfef6da
--- /dev/null
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav.load
@@ -0,0 +1 @@
+../mods-available/dav.load
\ No newline at end of file
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.conf
new file mode 120000
index 000000000..964c7bb0b
--- /dev/null
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.conf
@@ -0,0 +1 @@
+../mods-available/dav_svn.conf
\ No newline at end of file
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.load b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.load new file mode 120000 index 000000000..4094e4173 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/dav_svn.load @@ -0,0 +1 @@ +../mods-available/dav_svn.load \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/ports.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/ports.conf new file mode 100644 index 000000000..5daec58c1 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/ports.conf @@ -0,0 +1,15 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default.conf + +Listen 80 + + + Listen 443 + + + + Listen 443 + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf new file mode 100644 index 000000000..2bd4e1fe9 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf @@ -0,0 +1,12 @@ + + + ServerName ip-172-30-0-17 + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet 
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf new file mode 100644 index 000000000..b3147a523 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf @@ -0,0 +1,42 @@ + +ServerName certbot.demo +ServerAdmin webmaster@localhost + +DocumentRoot /var/www-certbot-reworld/static/ + +Options FollowSymLinks +AllowOverride None + + +Options Indexes FollowSymLinks MultiViews +AllowOverride None +Order allow,deny +allow from all + + +ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + +AllowOverride None +Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch +Order allow,deny +Allow from all + + +ErrorLog ${APACHE_LOG_DIR}/error.log + +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +LogLevel warn + +CustomLog ${APACHE_LOG_DIR}/access.log combined + +Alias /doc/ "/usr/share/doc/" + +Options Indexes MultiViews FollowSymLinks +AllowOverride None +Order deny,allow +Deny from all +Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf new file mode 100644 index 000000000..849b42e9f --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf 
@@ -0,0 +1,36 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem + SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem + + + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf new file mode 100644 index 000000000..a3025ae8a --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf 
@@ -0,0 +1,40 @@ + + + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # SSL Engine Switch: + # Enable/Disable SSL for this virtual host. + SSLEngine on + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem + SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem + + + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # MSIE 7 and newer should be able to use keepalive + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf new file mode 100644 index 000000000..4786bda13 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf 
@@ -0,0 +1,42 @@ + + ServerName encryption-example.demo + ServerAdmin webmaster@localhost + + DocumentRoot /var/www-encryption-example/static/ + + Options FollowSymLinks + AllowOverride None + + + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + + + ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ + + AllowOverride None + Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch + Order allow,deny + Allow from all + + + ErrorLog ${APACHE_LOG_DIR}/error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/access.log combined + + Alias /doc/ "/usr/share/doc/" + + Options Indexes MultiViews FollowSymLinks + AllowOverride None + Order deny,allow + Deny from all + Allow from 127.0.0.0/255.0.0.0 ::1/128 + + + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf new file mode 100644 index 000000000..6a6579007 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf @@ -0,0 +1,15 @@ + + + ServerName $domain + ServerAlias www.$domain + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + +Use VHost macro1 test.com +Use VHost macro2 hostname.org +Use VHost macro3 apache.org + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf new file mode 100644 index 000000000..631cf16c8 --- /dev/null 
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf @@ -0,0 +1,36 @@ + +SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000) + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + ServerName ocspvhost.com + + ServerAdmin webmaster@dumpbits.com + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". + #Include conf-available/serve-cgi-bin.conf +SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem +SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem +SSLUseStapling on + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet + diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf new file mode 100644 index 000000000..2bd4e1fe9 --- /dev/null 
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf @@ -0,0 +1,12 @@ + + + ServerName ip-172-30-0-17 + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf new file mode 100644 index 000000000..33e30a63b --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf @@ -0,0 +1,13 @@ + + + ServerName ip-172-30-0-17 + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + ServerAlias *.blue.purple.com + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + + +# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf new file mode 120000 index 000000000..3c4632b73 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf @@ -0,0 +1 @@ +../sites-available/000-default.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf new file mode 120000 index 000000000..4d08c763f --- /dev/null 
+++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf @@ -0,0 +1 @@ +../sites-available/certbot.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf new file mode 120000 index 000000000..417818069 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf @@ -0,0 +1 @@ +../sites-available/encryption-example.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf new file mode 120000 index 000000000..44f254304 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf @@ -0,0 +1 @@ +../sites-available/mod_macro-example.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf new file mode 120000 index 000000000..b25ee0482 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf @@ -0,0 +1 @@ +../sites-available/ocsp-ssl.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/sites b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/sites new file mode 100644 index 000000000..ab518ee5b 
--- /dev/null +++ b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/sites @@ -0,0 +1,3 @@ +sites-available/certbot.conf, certbot.demo +sites-available/encryption-example.conf, encryption-example.demo +sites-available/ocsp-ssl.conf, ocspvhost.com From a9679e2c25f81e3263a476978c931ce4431797c9 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 28 Jun 2016 18:08:38 -0700 Subject: [PATCH 14/79] create regression test --- .../certbot_apache/tests/configurator_test.py | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index ae56002b8..0d3e7e08f 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py 
@@ -1196,29 +1196,24 @@ class AugeasVhostsTest(util.ApacheTest): self.config = util.get_apache_configurator( self.config_path, self.vhost_path, self.config_dir, self.work_dir) - self.config = self.mock_deploy_cert(self.config) self.vh_truth = util.get_vh_truth( self.temp_dir, "debian_apache_2_4/augeas_vhosts") - def mock_deploy_cert(self, config): - """A test for a mock deploy cert""" - self.config.real_deploy_cert = self.config.deploy_cert - - def mocked_deploy_cert(*args, **kwargs): - """a helper to mock a deployed cert""" - with mock.patch("certbot_apache.configurator.ApacheConfigurator.enable_mod"): - config.real_deploy_cert(*args, **kwargs) - self.config.deploy_cert = mocked_deploy_cert - return self.config - def tearDown(self): shutil.rmtree(self.temp_dir) shutil.rmtree(self.config_dir) shutil.rmtree(self.work_dir) def test_choosevhost_with_illegal_name(self): + self.config.aug = mock.MagicMock() + self.config.aug.match.side_effect = RuntimeError chosen_vhost = self.config._create_vhost("debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf") self.assertEqual(None, chosen_vhost) + def test_choosevhost_works(self): + path = "debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf" + chosen_vhost = self.config._create_vhost(path) + self.assertTrue(chosen_vhost == None or chosen_vhost.path == path) + if __name__ == "__main__": unittest.main() # pragma: no cover From 395843f3f409ae654766d7ef18243b957ea7de87 Mon Sep 17 00:00:00 2001 
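Review bot: The new `test_choosevhost_works` cannot fail when `_create_vhost` returns nothing, because `self.assertTrue(chosen_vhost == None or chosen_vhost.path == path)` accepts both a skipped and a parsed vhost. If both outcomes are meant to be tolerated because the result depends on the installed augeas version, say so in a one-line comment and compare with identity: `self.assertTrue(chosen_vhost is None or chosen_vhost.path == path)`. As written, a regression that makes every vhost come back as None would still pass this test. The class body begins outside this hunk.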
From: Noah Swartz Date: Wed, 29 Jun 2016 11:06:18 -0700 Subject: [PATCH 15/79] fix coverage --- .../certbot_apache/tests/configurator_test.py | 6 +++ .../apache2/sites-available/000-default.conf | 12 ------ .../apache2/sites-available/certbot.conf | 42 ------------------- .../default-ssl-port-only.conf | 36 ---------------- .../apache2/sites-available/default-ssl.conf | 40 ------------------ .../sites-available/encryption-example.conf | 42 ------------------- .../sites-available/mod_macro-example.conf | 15 ------- .../apache2/sites-available/ocsp-ssl.conf | 36 ---------------- .../apache2/sites-available/wildcard.conf | 13 ------ .../apache2/sites-available/old,default.conf | 12 ------ 10 files changed, 6 insertions(+), 248 deletions(-) delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf 
diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 0d3e7e08f..5de979834 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1215,5 +1215,11 @@ class AugeasVhostsTest(util.ApacheTest): chosen_vhost = self.config._create_vhost(path) self.assertTrue(chosen_vhost == None or chosen_vhost.path == path) + @mock.patch("certbot_apache.configurator.ApacheConfigurator._create_vhost") + def test_get_vhost_continue(self, mock_vhost): + mock_vhost.return_value = None + vhs = self.config.get_virtual_hosts() + self.assertEqual([], vhs) + if __name__ == "__main__": unittest.main() # pragma: no cover diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf deleted file mode 100644 index 2bd4e1fe9..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/000-default.conf +++ /dev/null @@ -1,12 +0,0 @@ - - - ServerName ip-172-30-0-17 - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf deleted file mode 100644 index b3147a523..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/certbot.conf +++ /dev/null 
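Review bot: `test_get_vhost_continue` also passes if `get_virtual_hosts()` never reaches the patched `_create_vhost`, since an empty list is presumably what it returns when no VirtualHost paths are found. The same commit deletes most of the files under `augeas_vhosts/apache2/sites-available`, so that case looks plausible. Add `self.assertTrue(mock_vhost.called)` after the `assertEqual` so the test proves that the `continue` branch for a None vhost actually ran.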
@@ -1,42 +0,0 @@ - -ServerName certbot.demo -ServerAdmin webmaster@localhost - -DocumentRoot /var/www-certbot-reworld/static/ - -Options FollowSymLinks -AllowOverride None - - -Options Indexes FollowSymLinks MultiViews -AllowOverride None -Order allow,deny -allow from all - - -ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - -AllowOverride None -Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch -Order allow,deny -Allow from all - - -ErrorLog ${APACHE_LOG_DIR}/error.log - -# Possible values include: debug, info, notice, warn, error, crit, -# alert, emerg. -LogLevel warn - -CustomLog ${APACHE_LOG_DIR}/access.log combined - -Alias /doc/ "/usr/share/doc/" - -Options Indexes MultiViews FollowSymLinks -AllowOverride None -Order deny,allow -Deny from all -Allow from 127.0.0.0/255.0.0.0 ::1/128 - - - diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf deleted file mode 100644 index 849b42e9f..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl-port-only.conf +++ /dev/null 
@@ -1,36 +0,0 @@ - - - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem - SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem - - - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - BrowserMatch "MSIE [2-6]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - # MSIE 7 and newer should be able to use keepalive - BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf deleted file mode 100644 index a3025ae8a..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/default-ssl.conf +++ /dev/null 
@@ -1,40 +0,0 @@ - - - ServerAdmin webmaster@localhost - - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - # SSL Engine Switch: - # Enable/Disable SSL for this virtual host. - SSLEngine on - - # A self-signed (snakeoil) certificate can be created by installing - # the ssl-cert package. See - # /usr/share/doc/apache2/README.Debian.gz for more info. - # If both key and certificate are stored in the same file, only the - # SSLCertificateFile directive is needed. - SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem - SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem - - - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - BrowserMatch "MSIE [2-6]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - # MSIE 7 and newer should be able to use keepalive - BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown - - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf deleted file mode 100644 index 4786bda13..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/encryption-example.conf +++ /dev/null 
@@ -1,42 +0,0 @@ - - ServerName encryption-example.demo - ServerAdmin webmaster@localhost - - DocumentRoot /var/www-encryption-example/static/ - - Options FollowSymLinks - AllowOverride None - - - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Order allow,deny - allow from all - - - ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ - - AllowOverride None - Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch - Order allow,deny - Allow from all - - - ErrorLog ${APACHE_LOG_DIR}/error.log - - # Possible values include: debug, info, notice, warn, error, crit, - # alert, emerg. - LogLevel warn - - CustomLog ${APACHE_LOG_DIR}/access.log combined - - Alias /doc/ "/usr/share/doc/" - - Options Indexes MultiViews FollowSymLinks - AllowOverride None - Order deny,allow - Deny from all - Allow from 127.0.0.0/255.0.0.0 ::1/128 - - - diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf deleted file mode 100644 index 6a6579007..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/mod_macro-example.conf +++ /dev/null @@ -1,15 +0,0 @@ - - - ServerName $domain - ServerAlias www.$domain - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - -Use VHost macro1 test.com -Use VHost macro2 hostname.org -Use VHost macro3 apache.org - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf deleted file mode 100644 index 631cf16c8..000000000 
--- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/ocsp-ssl.conf +++ /dev/null @@ -1,36 +0,0 @@ - -SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000) - - # The ServerName directive sets the request scheme, hostname and port that - # the server uses to identify itself. This is used when creating - # redirection URLs. In the context of virtual hosts, the ServerName - # specifies what hostname must appear in the request's Host: header to - # match this virtual host. For the default virtual host (this file) this - # value is not decisive as it is used as a last resort host regardless. - # However, you must set it for any further virtual host explicitly. - ServerName ocspvhost.com - - ServerAdmin webmaster@dumpbits.com - DocumentRoot /var/www/html - - # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, - # error, crit, alert, emerg. - # It is also possible to configure the loglevel for particular - # modules, e.g. - #LogLevel info ssl:warn - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - # For most configuration files from conf-available/, which are - # enabled or disabled at a global level, it is possible to - # include a line for only one particular virtual host. For example the - # following line enables the CGI configuration for this host only - # after it has been globally disabled with "a2disconf". - #Include conf-available/serve-cgi-bin.conf -SSLCertificateFile /etc/apache2/certs/certbot-cert_5.pem -SSLCertificateKeyFile /etc/apache2/ssl/key-certbot_15.pem -SSLUseStapling on - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet - diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf deleted file mode 100644 index 33e30a63b..000000000 
--- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-available/wildcard.conf +++ /dev/null @@ -1,13 +0,0 @@ - - - ServerName ip-172-30-0-17 - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - ServerAlias *.blue.purple.com - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf deleted file mode 100644 index 2bd4e1fe9..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/sites-available/old,default.conf +++ /dev/null @@ -1,12 +0,0 @@ - - - ServerName ip-172-30-0-17 - ServerAdmin webmaster@localhost - DocumentRoot /var/www/html - - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - - -# vim: syntax=apache ts=4 sw=4 sts=4 sr noet From b64da855a2bf0c482ddff53ef508b7bba1bbdb30 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 29 Jun 2016 11:55:22 -0700 Subject: [PATCH 16/79] lint --- .../certbot_apache/tests/configurator_test.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 5de979834..a90940f94 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1,4 +1,4 @@ -# pylint: disable=too-many-public-methods +# pylint: disable=too-many-public-methods, protected-access """Test for certbot_apache.configurator.""" import os import shutil 
@@ -1190,9 +1190,12 @@ class AugeasVhostsTest(util.ApacheTest): """Test vhosts with illegal names dependant on augeas version.""" def setUp(self): # pylint: disable=arguments-differ - super(AugeasVhostsTest, self).setUp(test_dir="debian_apache_2_4/augeas_vhosts", - config_root="debian_apache_2_4/augeas_vhosts/apache2", - vhost_root="debian_apache_2_4/augeas_vhosts/apache2/sites-available") + td = "debian_apache_2_4/augeas_vhosts" + cr = "debian_apache_2_4/augeas_vhosts/apache2" + vr = "debian_apache_2_4/augeas_vhosts/apache2/sites-available" + super(AugeasVhostsTest, self).setUp(test_dir=td, + config_root=cr, + vhost_root=vr) self.config = util.get_apache_configurator( self.config_path, self.vhost_path, self.config_dir, self.work_dir) @@ -1207,7 +1210,8 @@ class AugeasVhostsTest(util.ApacheTest): def test_choosevhost_with_illegal_name(self): self.config.aug = mock.MagicMock() self.config.aug.match.side_effect = RuntimeError - chosen_vhost = self.config._create_vhost("debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf") + path = "debian_apache_2_4/augeas_vhosts/apache2/sites-available/old,default.conf" + chosen_vhost = self.config._create_vhost(path) self.assertEqual(None, chosen_vhost) def test_choosevhost_works(self): From 92870f0bbb2a912b16f77079243efeb4e5293bef Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Thu, 30 Jun 2016 10:22:12 -0500 Subject: [PATCH 17/79] Better docstring for _signal_handler --- certbot/error_handler.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 5b9220583..42861b4a1 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py 
@@ -112,7 +112,8 @@ class ErrorHandler(object): self.prev_handlers.clear() def _signal_handler(self, signum, unused_frame): - """Stores the recieved signal. + """Stores the recieved signal. If we are executing the code block in + the body of the context manager, stop by raising signal exit. :param int signum: number of current signal From 8c3e443de9d26d0e722956107db8a36134c0134c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 30 Jun 2016 15:07:28 -0700 Subject: [PATCH 18/79] First attempt at mitigating #3206 --- certbot-nginx/certbot_nginx/nginxparser.py | 31 +++++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/certbot-nginx/certbot_nginx/nginxparser.py b/certbot-nginx/certbot_nginx/nginxparser.py index d6c352296..895c4f8a3 100644 --- a/certbot-nginx/certbot_nginx/nginxparser.py +++ b/certbot-nginx/certbot_nginx/nginxparser.py 
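Review bot: The docstring's first line still misspells "received", and the added sentence says the handler stops "by raising signal exit" without naming what is raised. A reader needs that name to know which exception the context-manager body may see when a signal arrives, so open with `"""Stores the received signal.` and add a `:raises` field naming the exception class. The body of `_signal_handler` lies outside the hunk, so the exact type has to be taken from there.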
@@ -38,19 +38,42 @@ class RawNginxParser(object): assignment = space + key + Optional(space + value, default=None) + semicolon location_statement = space + Optional(modifier) + Optional(space + location + space) if_statement = space + Literal("if") + space + condition + space + map_statement = space + Literal("map") + space + nonspace + space + dollar_var + space + + # This is NOT an accurate way to parse nginx map entries; it's almost + # certianly too permissive and may be wrong in other ways, but it should + # preserve things correctly in mmmmost or all cases. + # - it sometimes splits the two tokens incorrectly eg + # '''"~Opera Mini" 1''' -> ['"~Opera', ' Mini" 1'] + # - I can neither prove nor disprove that it is corect wrt all escaped + # semicolon situations + # Addresses https://github.com/fatiherikli/nginxparser/issues/19 + + map_entry = space + nonspace + value + space + semicolon + map_block = Forward() + map_block << Group( + # key could for instance be "server" or "http", or "location" (in which case + # location_statement needs to have a non-empty location) + Group(map_statement).leaveWhitespace() + + left_bracket + + Group(ZeroOrMore(Group(comment | map_entry)) + space).leaveWhitespace() + + right_bracket) + + block = Forward() block << Group( # key could for instance be "server" or "http", or "location" (in which case # location_statement needs to have a non-empty location) - (Group(space + key + location_statement) ^ Group(if_statement) ^ - Group(map_statement)).leaveWhitespace() + + (Group(space + key + location_statement) ^ Group(if_statement)).leaveWhitespace() + left_bracket + - Group(ZeroOrMore(Group(comment | assignment) | block) + space).leaveWhitespace() + + Group(ZeroOrMore(Group(comment | assignment) | block | map_block) + space).leaveWhitespace() + right_bracket) - script = OneOrMore(Group(comment | assignment) ^ block) + space + stringEnd + + + script = OneOrMore(Group(comment | assignment) ^ block ^ map_block) + space + stringEnd 
script.parseWithTabs() def __init__(self, source): From db8ddac4e252780fb4015298b7cbe0388d340f10 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 30 Jun 2016 15:13:35 -0700 Subject: [PATCH 19/79] lint & tweak --- certbot-nginx/certbot_nginx/nginxparser.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/certbot-nginx/certbot_nginx/nginxparser.py b/certbot-nginx/certbot_nginx/nginxparser.py index 895c4f8a3..50ed41eb9 100644 --- a/certbot-nginx/certbot_nginx/nginxparser.py +++ b/certbot-nginx/certbot_nginx/nginxparser.py @@ -40,7 +40,6 @@ class RawNginxParser(object): if_statement = space + Literal("if") + space + condition + space map_statement = space + Literal("map") + space + nonspace + space + dollar_var + space - # This is NOT an accurate way to parse nginx map entries; it's almost # certianly too permissive and may be wrong in other ways, but it should # preserve things correctly in mmmmost or all cases. @@ -49,7 +48,6 @@ class RawNginxParser(object): # - I can neither prove nor disprove that it is corect wrt all escaped # semicolon situations # Addresses https://github.com/fatiherikli/nginxparser/issues/19 - map_entry = space + nonspace + value + space + semicolon map_block = Forward() map_block << Group( 
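Review bot: The new `map_entry` and `map_block` grammar lands without a test, although its own comment says it mis-splits entries such as `"~Opera Mini" 1` and is unproven for escaped semicolons; the diffstat shows only nginxparser.py changing. This parser's output is presumably written back to the user's nginx configuration, so a round-trip test (load a `map` block with quoted patterns, dump it, compare with the input) should accompany the change, so that a mis-tokenised entry cannot silently alter the file. The comment above `Group(map_statement)` was copied from `block` and describes `server`/`http`/`location` keys, which do not apply here; replace it with `# map <source> $variable { <pattern> <value>; ... }`. The comment typos `certianly`, `mmmmost` and `corect` should be fixed in the same pass.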
@@ -60,18 +58,14 @@ class RawNginxParser(object): Group(ZeroOrMore(Group(comment | map_entry)) + space).leaveWhitespace() + right_bracket) - block = Forward() - block << Group( # key could for instance be "server" or "http", or "location" (in which case # location_statement needs to have a non-empty location) (Group(space + key + location_statement) ^ Group(if_statement)).leaveWhitespace() + left_bracket + - Group(ZeroOrMore(Group(comment | assignment) | block | map_block) + space).leaveWhitespace() + - right_bracket) - - + Group(ZeroOrMore(Group(comment | assignment) | block | map_block) + space).leaveWhitespace() + + right_bracket) script = OneOrMore(Group(comment | assignment) ^ block ^ map_block) + space + stringEnd script.parseWithTabs() From be8f0bc53b657fdf3a104c355858c396f96eb6a0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 30 Jun 2016 15:29:38 -0700 Subject: [PATCH 20/79] Do a better job of parsing map patterns --- certbot-nginx/certbot_nginx/nginxparser.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/certbot-nginx/certbot_nginx/nginxparser.py b/certbot-nginx/certbot_nginx/nginxparser.py index 50ed41eb9..0cc912515 100644 --- a/certbot-nginx/certbot_nginx/nginxparser.py +++ b/certbot-nginx/certbot_nginx/nginxparser.py @@ -27,6 +27,8 @@ class RawNginxParser(object): condition = Regex(r"\(.+\)") # Matches anything that is not a special character AND any chars in single # or double quotes + # All of these COULD be upgraded to something like + # https://stackoverflow.com/a/16130746 value = Regex(r"((\".*\")?(\'.*\')?[^\{\};,]?)+") location = CharsNotIn("{};," + string.whitespace) # modifier for location uri [ = | ~ | ~* | ^~ ] 
@@ -43,14 +45,13 @@ class RawNginxParser(object): # This is NOT an accurate way to parse nginx map entries; it's almost # certianly too permissive and may be wrong in other ways, but it should # preserve things correctly in mmmmost or all cases. - # - it sometimes splits the two tokens incorrectly eg - # '''"~Opera Mini" 1''' -> ['"~Opera', ' Mini" 1'] + # # - I can neither prove nor disprove that it is corect wrt all escaped # semicolon situations # Addresses https://github.com/fatiherikli/nginxparser/issues/19 - map_entry = space + nonspace + value + space + semicolon - map_block = Forward() - map_block << Group( + map_pattern = Regex(r'".*"') | Regex(r"'.*'") | nonspace + map_entry = space + map_pattern + space + value + space + semicolon + map_block = Group( # key could for instance be "server" or "http", or "location" (in which case # location_statement needs to have a non-empty location) Group(map_statement).leaveWhitespace() + From a9abc7b39e89ee26c116244e528d49931f922252 Mon Sep 17 00:00:00 2001 From: sagi Date: Fri, 1 Jul 2016 15:17:37 +0000 Subject: [PATCH 21/79] typo --- certbot-apache/certbot_apache/configurator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 89d602f5f..fdc0f37d8 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -874,7 +874,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if self._sift_line(line): if not sift: new_file.write( - "# Some rewrite rules in this file were " + "# Some rewrite rules in this file " "were disabled on your HTTPS site,\n" "# because they have the potential to " "create redirection loops.\n") From 15ba12ed4647990d8e72f244a682c00327493443 Mon Sep 17 00:00:00 2001 
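Review bot: The quoted alternatives in `map_pattern`, `Regex(r'".*"')` and `Regex(r"'.*'")`, are greedy, so on an entry whose value is quoted as well, such as `"~Opera Mini" "1";`, the pattern runs to the last quote on the line. The entry would presumably still parse because `value` can match nothing, but the two tokens end up merged rather than split, which matters if anything later edits or re-serialises map entries. A bounded form such as `Regex(r'"[^"]*"') | Regex(r"'[^']*'") | nonspace` stops at the closing quote. It does not handle backslash-escaped quotes, which the comment above already lists as unresolved. The grammar class body continues outside the hunk.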
From: sagi Date: Fri, 1 Jul 2016 21:06:16 +0000 Subject: [PATCH 22/79] Parsing State Machine + some tests --- certbot-apache/certbot_apache/configurator.py | 64 ++++++++++++++++--- .../certbot_apache/tests/configurator_test.py | 11 ++-- 2 files changed, 61 insertions(+), 14 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index fdc0f37d8..23c7a0c29 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -819,7 +819,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): else: return non_ssl_vh_fp + self.conf("le_vhost_ext") - def _sift_line(self, line): + def _sift_rewrite_rule(self, line): """Decides whether a line should be copied to a SSL vhost. A canonical example of when sifting a line is required: @@ -861,7 +861,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): A new file is created on the filesystem. """ - # First register the creation so that it is properly removed if + # First register the creation so thatu it is properly removed if # configuration is rolled back self.reverter.register_file_creation(False, ssl_fp) sift = False 
@@ -870,18 +870,62 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): with open(avail_fp, "r") as orig_file: with open(ssl_fp, "w") as new_file: new_file.write("\n") + + comment = ("# Some rewrite rules in this file were " + "disabled on your HTTPS site,\n" + "# because they have the potential to create " + "redirection loops.\n") + for line in orig_file: - if self._sift_line(line): + A = line.lstrip().startswith("RewriteCond") + B = line.lstrip().startswith("RewriteRule") + + if not (A or B): + new_file.write(line) + continue + + # A RewriteRule that doesn't need filtering + if B and not self._sift_rewrite_rule(line): + new_file.write(line) + continue + + # A RewriteRule that does need filtering + if B and self._sift_rewrite_rule(line): if not sift: - new_file.write( - "# Some rewrite rules in this file " - "were disabled on your HTTPS site,\n" - "# because they have the potential to " - "create redirection loops.\n") + new_file.write(comment) sift = True new_file.write("# " + line) - else: - new_file.write(line) + continue + + # We save RewriteCond(s) and their corresponding + # RewriteRule in 'chunk'. + # We then decide whether we comment out the entire + # chunk based on its RewriteRule. + chunk = [] + if A: + chunk.append(line) + line = next(orig_file) + + # RewriteCond(s) must be followed by one RewriteRule + while not line.lstrip().startswith("RewriteRule"): + chunk.append(line) + line = next(orig_file) + + # Now, current line must start with a RewriteRule + chunk.append(line) + + if self._sift_rewrite_rule(line): + if not sift: + new_file.write(comment) + sift = True + + new_file.write(''.join( + ['# ' + l for l in chunk])) + continue + else: + new_file.write(''.join(chunk)) + continue + new_file.write("\n") except IOError: logger.fatal("Error writing/reading to file in make_vhost_ssl") 
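Review bot: Both `line = next(orig_file)` calls in the RewriteCond branch raise StopIteration when the file ends before a RewriteRule follows the conditions, and the surrounding handler only catches IOError, so the exception would escape with the new SSL vhost file partly written. Collecting the chunk with a nested `for` over the same file object, and copying the conditions unchanged when no rule follows, removes that path. Separately, `A` and `B` would read better as `is_cond` and `is_rule`, and `_sift_rewrite_rule(line)` is evaluated twice for a bare RewriteRule. The enclosing method starts and ends outside the hunk.

```python
# … unchanged: plain lines and bare RewriteRule lines handled above …
# Only a RewriteCond reaches this point; collect it with the
# conditions that follow, up to and including their RewriteRule.
chunk = [line]
for line in orig_file:
    chunk.append(line)
    if line.lstrip().startswith("RewriteRule"):
        break
else:
    # The file ended before a RewriteRule: copy the conditions unchanged.
    new_file.write(''.join(chunk))
    break
# … unchanged: comment out or copy the chunk based on _sift_rewrite_rule(line) …
```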
diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 9a034c3e0..5a8684c9a 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1110,16 +1110,19 @@ class MultipleVhostsTest(util.ApacheTest): self.config._enable_redirect(self.vh_truth[1], "") self.assertEqual(len(self.config.vhosts), 9) - def test_sift_line(self): + def test_sift_rewrite_rule(self): # pylint: disable=protected-access small_quoted_target = "RewriteRule ^ \"http://\"" - self.assertFalse(self.config._sift_line(small_quoted_target)) + self.assertFalse(self.config._sift_rewrite_rule(small_quoted_target)) https_target = "RewriteRule ^ https://satoshi" - self.assertTrue(self.config._sift_line(https_target)) + self.assertTrue(self.config._sift_rewrite_rule(https_target)) normal_target = "RewriteRule ^/(.*) http://www.a.com:1234/$1 [L,R]" - self.assertFalse(self.config._sift_line(normal_target)) + self.assertFalse(self.config._sift_rewrite_rule(normal_target)) + + not_rewriterule = "NotRewriteRule ^ ..." + self.assertFalse(self.config._sift_rewrite_rule(not_rewriterule)) @mock.patch("certbot_apache.configurator.zope.component.getUtility") def test_make_vhost_ssl_with_existing_rewrite_rule(self, mock_get_utility): From 74593607803e67818ab23b0e3f7a772ee99bc417 Mon Sep 17 00:00:00 2001 From: sagi Date: Fri, 1 Jul 2016 22:08:37 +0000 Subject: [PATCH 23/79] Add more test cases --- .../certbot_apache/tests/configurator_test.py | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 5a8684c9a..57c6a8009 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py 
@@ -1151,7 +1151,61 @@ class MultipleVhostsTest(util.ApacheTest): "[L,QSA,R=permanent]") self.assertTrue(commented_rewrite_rule in conf_text) mock_get_utility().add_message.assert_called_once_with(mock.ANY, + mock.ANY) + @mock.patch("certbot_apache.configurator.zope.component.getUtility") + def test_make_vhost_ssl_with_existing_rewrite_conds(self, mock_get_utility): + self.config.parser.modules.add("rewrite_module") + + http_vhost = self.vh_truth[0] + + self.config.parser.add_dir( + http_vhost.path, "RewriteEngine", "on") + + # Add a chunk that should not be commented out. + self.config.parser.add_dir(http_vhost.path, + "RewriteCond", ["%{DOCUMENT_ROOT}/%{REQUEST_FILENAME}", "!-f"]) + self.config.parser.add_dir( + http_vhost.path, "RewriteRule", + ["^(.*)$", "b://u%{REQUEST_URI}", "[P,QSA,L]"]) + + # Add a chunk that should be commented out. + self.config.parser.add_dir(http_vhost.path, + "RewriteCond", ["%{HTTPS}", "!=on"]) + self.config.parser.add_dir(http_vhost.path, + "RewriteCond", ["%{HTTPS}", "!^$"]) + self.config.parser.add_dir( + http_vhost.path, "RewriteRule", + ["^", + "https://%{SERVER_NAME}%{REQUEST_URI}", + "[L,QSA,R=permanent]"]) + + self.config.save() + + ssl_vhost = self.config.make_vhost_ssl(self.vh_truth[0]) + + conf_line_set = set(open(ssl_vhost.filep).read().splitlines()) + + not_commented_cond1 = ("RewriteCond " + "%{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f") + not_commented_rewrite_rule = ("RewriteRule " + "^(.*)$ b://u%{REQUEST_URI} [P,QSA,L]") + + commented_cond1 = "# RewriteCond %{HTTPS} !=on" + commented_cond2 = "# RewriteCond %{HTTPS} !^$" + commented_rewrite_rule = ("# RewriteRule ^ " + "https://%{SERVER_NAME}%{REQUEST_URI} " + "[L,QSA,R=permanent]") + + self.assertTrue(not_commented_cond1 in conf_line_set) + self.assertTrue(not_commented_rewrite_rule in conf_line_set) + + self.assertTrue(commented_cond1 in conf_line_set) + self.assertTrue(commented_cond2 in conf_line_set) + self.assertTrue(commented_rewrite_rule in conf_line_set) + 
mock_get_utility().add_message.assert_called_once_with(mock.ANY, + mock.ANY) + def get_achalls(self): """Return testing achallenges.""" From 0e9622322a89f8efbeb149d4ccf8cb33ddc19660 Mon Sep 17 00:00:00 2001 From: sagi Date: Fri, 1 Jul 2016 22:17:41 +0000 Subject: [PATCH 24/79] typo --- certbot-apache/certbot_apache/configurator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 23c7a0c29..0a24759dc 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -861,7 +861,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): A new file is created on the filesystem. """ - # First register the creation so thatu it is properly removed if + # First register the creation so that it is properly removed if # configuration is rolled back self.reverter.register_file_creation(False, ssl_fp) sift = False From 2cd4f6f008a9762db08f053084cbabd2d53c7384 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 5 Jul 2016 14:14:31 -0700 Subject: [PATCH 25/79] update FreeBSD package name --- docs/using.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/using.rst b/docs/using.rst index fb96bb853..806dfb340 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -429,7 +429,7 @@ Operating System Packages **FreeBSD** * Port: ``cd /usr/ports/security/py-certbot && make install clean`` - * Package: ``pkg install py27-letsencrypt`` + * Package: ``pkg install py27-certbot`` **OpenBSD** From 777a654d90ec347231c81c7e6c6135e77f58fce6 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 23:13:16 -0500 Subject: [PATCH 26/79] Move SignalExit to errors.py --- certbot/error_handler.py | 13 +++---------- certbot/errors.py | 4 ++++ 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 42861b4a1..45d37f847 100644 
--- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -5,6 +5,7 @@ import os import signal import traceback +from certbot import errors logger = logging.getLogger(__name__) @@ -19,14 +20,6 @@ _SIGNALS = ([signal.SIGTERM] if os.name == "nt" else signal.SIGXCPU, signal.SIGXFSZ]) -class SignalExit(Exception): - """This exception is used stop of execution of the code in the body of the - ErrorHandler context manager. - - """ - pass - - class ErrorHandler(object): """Registers functions to be called if an exception or signal occurs. @@ -62,7 +55,7 @@ class ErrorHandler(object): def __exit__(self, exec_type, exec_value, trace): self.body_executed = True retval = False - if exec_type is SignalExit: + if exec_type is errors.SignalExit: logger.debug("Encountered signals: %s", self.received_signals) self.call_registered() for signum in self.received_signals: @@ -120,7 +113,7 @@ class ErrorHandler(object): """ self.received_signals.append(signum) if not self.body_executed: - raise SignalExit + raise errors.SignalExit def call_signal(self, signum): """Calls the signal given by signum. diff --git a/certbot/errors.py b/certbot/errors.py index 1553b6317..738b7536b 100644 --- a/certbot/errors.py +++ b/certbot/errors.py @@ -29,6 +29,10 @@ class HookCommandNotFound(Error): """Failed to find a hook command in the PATH.""" +class SignalExit(Error): + """A Unix signal was recieved while in the ErrorHandler context manager.""" + + # Auth Handler Errors class AuthorizationError(Error): """Authorization error.""" From 15336d45bd9f16c9acc1c0662e1c03caf40f7b15 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 23:13:45 -0500 Subject: [PATCH 27/79] Reset self.body_executed in __enter__ --- certbot/error_handler.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 45d37f847..a0f9f9143 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py 
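Review bot: Moving `SignalExit` under `Error` in the errors.py hunk changes who can catch it: any `except errors.Error` inside the body of a `with ErrorHandler(...)` block would now swallow the exception that `_signal_handler` raises. `__exit__` would then see no `SignalExit`, skip the registered cleanup functions and not re-deliver the signal. Whether such a handler exists in the callers is not visible here, so it is worth checking before merging. Keeping the previous base, `class SignalExit(Exception):`, avoids the change in behaviour. The docstring could also drop "Unix", since `_SIGNALS` has a Windows branch, and `recieved` is misspelled.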
@@ -50,6 +50,7 @@ class ErrorHandler(object): self.register(func, *args, **kwargs) def __enter__(self): + self.body_executed = False self.set_signal_handlers() def __exit__(self, exec_type, exec_value, trace): From 79c602ffc83bfac8f95a5d1e89464dd68c2af16a Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 21:30:22 -0500 Subject: [PATCH 28/79] Make non-public methods as private. --- certbot/error_handler.py | 18 +++++++++--------- certbot/tests/error_handler_test.py | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index a0f9f9143..10e956e13 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -51,24 +51,24 @@ class ErrorHandler(object): def __enter__(self): self.body_executed = False - self.set_signal_handlers() + self._set_signal_handlers() def __exit__(self, exec_type, exec_value, trace): self.body_executed = True retval = False if exec_type is errors.SignalExit: logger.debug("Encountered signals: %s", self.received_signals) - self.call_registered() + self._call_registered() for signum in self.received_signals: - self.call_signal(signum) + self._call_signal(signum) retval = True # SystemExit is ignored to properly handle forks that don't exec elif exec_type not in (None, SystemExit): logger.debug("Encountered exception:\n%s", "".join( traceback.format_exception(exec_type, exec_value, trace))) - self.call_registered() + self._call_registered() - self.reset_signal_handlers() + self._reset_signal_handlers() return retval def register(self, func, *args, **kwargs): @@ -79,7 +79,7 @@ class ErrorHandler(object): """ self.funcs.append(functools.partial(func, *args, **kwargs)) - def call_registered(self): + def _call_registered(self): """Calls all registered functions""" logger.debug("Calling registered functions") while self.funcs: 
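Review bot: `__enter__` now resets `self.body_executed`, which makes re-entering the same handler a supported case, but `self.received_signals` is not reset with it. Nothing in the visible hunks clears that list after `__exit__` replays it, so a handler used a second time would, as far as these hunks show, send the signals from its first use again on exit. Clearing it next to the flag, `self.received_signals = []`, keeps the two pieces of state in step. The same list is read in the `__exit__` hunk of the following commit on this line. `__init__` is outside the hunk, so confirm how the list is created.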
@@ -90,7 +90,7 @@ class ErrorHandler(object): logger.exception(error) self.funcs.pop() - def set_signal_handlers(self): + def _set_signal_handlers(self): """Sets signal handlers for signals in _SIGNALS.""" for signum in _SIGNALS: prev_handler = signal.getsignal(signum) @@ -99,7 +99,7 @@ class ErrorHandler(object): self.prev_handlers[signum] = prev_handler signal.signal(signum, self._signal_handler) - def reset_signal_handlers(self): + def _reset_signal_handlers(self): """Resets signal handlers for signals in _SIGNALS.""" for signum in self.prev_handlers: signal.signal(signum, self.prev_handlers[signum]) @@ -116,7 +116,7 @@ class ErrorHandler(object): if not self.body_executed: raise errors.SignalExit - def call_signal(self, signum): + def _call_signal(self, signum): """Calls the signal given by signum. :param int signum: signal number diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index f8ac0718b..a7906c5ef 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -68,7 +68,7 @@ class ErrorHandlerTest(unittest.TestCase): def test_bad_recovery(self): bad_func = mock.MagicMock(side_effect=[ValueError]) self.handler.register(bad_func) - self.handler.call_registered() + self.handler._call_registered() self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) bad_func.assert_called_once_with() From 277b7a89f10a5cfa8b216db77d0d522d1fe8fc94 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 21:59:00 -0500 Subject: [PATCH 29/79] Update ErrorHandler docstring. --- certbot/error_handler.py | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 10e956e13..f3226de9d 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py 
@@ -21,19 +21,26 @@ _SIGNALS = ([signal.SIGTERM] if os.name == "nt" else class ErrorHandler(object): - """Registers functions to be called if an exception or signal occurs. + """Context manager for running code that must be cleaned up on failure. - This class allows you to register functions that will be called when - an exception (excluding SystemExit) or signal is encountered. The - class works best as a context manager. For example: + The context manager allows you to register functions that will be called + when an exception (excluding SystemExit) or signal is encountered. Usage: - with ErrorHandler(cleanup_func): + handler = ErrorHandler(cleanup1_func, *cleanup1_args, **cleanup1_kwargs) + handler.register(cleanup2_func, *cleanup2_args, **cleanup2_kwargs) + + with handler: do_something() - If an exception is raised out of do_something, cleanup_func will be - called. The exception is not caught by the ErrorHandler. Similarly, - if a signal is encountered, cleanup_func is called followed by the - previously registered signal handler. + Or for one cleanup function: + + with ErrorHandler(func, args, kwargs): + do_something() + + If an exception is raised out of do_something, the cleanup functions will + be called in last in first out order. Then the exception is raised. + Similarly, if a signal is encountered, the cleanup functions are called + followed by the previously received signal handler. Each registered cleanup function is called exactly once. If a registered function raises an exception, it is logged and the next function is called. From 815887d4e4167102260f866cc4170abdfe31612b Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 22:44:22 -0500 Subject: [PATCH 30/79] Refactor ErrorHandler.__exit__ also call_signal -> call_signals --- certbot/error_handler.py | 41 +++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) 
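Review bot: The single-function example in the new docstring, `with ErrorHandler(func, args, kwargs):`, does not match the call shown just above it; read literally it passes a tuple and a dict to `func` as two positional arguments. `with ErrorHandler(func, *args, **kwargs):` is what the first example implies. Further down, "the previously received signal handler" looks like a slip for "registered", and "Then the exception is raised" could say that the original exception propagates to the caller after cleanup.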
diff --git a/certbot/error_handler.py b/certbot/error_handler.py index f3226de9d..20315ded7 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -61,22 +61,24 @@ class ErrorHandler(object): self._set_signal_handlers() def __exit__(self, exec_type, exec_value, trace): - self.body_executed = True - retval = False - if exec_type is errors.SignalExit: - logger.debug("Encountered signals: %s", self.received_signals) - self._call_registered() - for signum in self.received_signals: - self._call_signal(signum) - retval = True - # SystemExit is ignored to properly handle forks that don't exec - elif exec_type not in (None, SystemExit): - logger.debug("Encountered exception:\n%s", "".join( - traceback.format_exception(exec_type, exec_value, trace))) - self._call_registered() + try: + self.body_executed = True + retval = False + # SystemExit is ignored to properly handle forks that don't exec + if exec_type in (None, SystemExit): + return retval + elif exec_type is errors.SignalExit: + logger.debug("Encountered signals: %s", self.received_signals) + retval = True + else: + logger.debug("Encountered exception:\n%s", "".join( + traceback.format_exception(exec_type, exec_value, trace))) - self._reset_signal_handlers() - return retval + self._call_registered() + self._call_signals() + return retval + finally: + self._reset_signal_handlers() def register(self, func, *args, **kwargs): """Sets func to be called with *args and **kwargs during cleanup 
@@ -123,12 +125,13 @@ class ErrorHandler(object): if not self.body_executed: raise errors.SignalExit - def _call_signal(self, signum): + def _call_signals(self): """Calls the signal given by signum. :param int signum: signal number """ - logger.debug("Calling signal %s", signum) - signal.signal(signum, self.prev_handlers[signum]) - os.kill(os.getpid(), signum) + for signum in self.received_signals: + logger.debug("Calling signal %s", signum) + signal.signal(signum, self.prev_handlers[signum]) + os.kill(os.getpid(), signum) From 5e4f250110366e126e099ab41b1b2f4d6f10d50a Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 22:46:23 -0500 Subject: [PATCH 31/79] Stylize _signal_handler docstring. --- certbot/error_handler.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 20315ded7..779c2d5ca 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -115,7 +115,9 @@ class ErrorHandler(object): self.prev_handlers.clear() def _signal_handler(self, signum, unused_frame): - """Stores the recieved signal. If we are executing the code block in + """Replacement function for handling recieved signals. + + Store the recieved signal. If we are executing the code block in the body of the context manager, stop by raising signal exit. :param int signum: number of current signal From 8333829bbe53d5e20813285e483c8ac9776e984b Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 22:47:42 -0500 Subject: [PATCH 32/79] Check that ErrorHandler raises exception. --- certbot/tests/error_handler_test.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index a7906c5ef..0974fe92a 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py 
@@ -46,7 +46,9 @@ class ErrorHandlerTest(unittest.TestCase): with self.handler: raise ValueError except ValueError: - pass + exception_raised = True + + self.assertTrue(exception_raised) self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) From 7ade835476d4afca12597fcf54f77bb4c7afca92 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 22:57:13 -0500 Subject: [PATCH 33/79] import module instead of function --- certbot/tests/error_handler_test.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index 0974fe92a..a81d4a2d1 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -3,12 +3,12 @@ import os import signal import sys import unittest -from contextlib import contextmanager +import contextlib import mock -@contextmanager +@contextlib.contextmanager def signal_receiver(signums): """Context manager to catch signals""" signals = [] From e9f879a443e0f6d037ff9abeb11bd55fdf74a5df Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 22:58:15 -0500 Subject: [PATCH 34/79] Use assertTrue and index in _SIGNALS --- certbot/tests/error_handler_test.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index a81d4a2d1..a242c4cab 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py 
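Review bot: `exception_raised` is assigned only inside the `except ValueError:` branch, so if the handler ever swallowed the exception the test would stop with an UnboundLocalError at `self.assertTrue(exception_raised)` rather than a clean assertion failure. No initialisation is added in this hunk; unless one exists above it, add `exception_raised = False` before the `try`, or replace the block with `self.assertRaises`. The test method starts outside the hunk.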
@@ -56,13 +56,13 @@ class ErrorHandlerTest(unittest.TestCase): with signal_receiver(self.signals) as signals_received: with self.handler: should_be_42 = 42 - send_signal(signal.SIGTERM) + send_signal(self.signals[0]) should_be_42 *= 10 # check exectuion stoped when the signal was sent - assert 42 == should_be_42 + self.assertEqual(42, should_be_42) # assert signals were caught - assert [signal.SIGTERM] == signals_received + self.assertEqual([self.signals[0]], signals_received) # assert the error handling function was just called once self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) @@ -76,13 +76,14 @@ class ErrorHandlerTest(unittest.TestCase): bad_func.assert_called_once_with() def test_bad_recovery_with_signal(self): - bad_func = mock.MagicMock( - side_effect=lambda: send_signal(signal.SIGHUP)) + sig1 = self.signals[0] + sig2 = self.signals[-1] + bad_func = mock.MagicMock(side_effect=lambda: send_signal(sig1)) self.handler.register(bad_func) with signal_receiver(self.signals) as signals_received: with self.handler: - send_signal(signal.SIGTERM) - assert [signal.SIGTERM, signal.SIGHUP] == signals_received + send_signal(sig2) + self.assertEqual([sig2, sig1], signals_received) self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) bad_func.assert_called_once_with() From ece1f6a24d5abfe8991638ef4c5b5dd61ebbdc79 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Tue, 5 Jul 2016 23:28:57 -0500 Subject: [PATCH 35/79] Don't use _private functions in tests. --- certbot/tests/error_handler_test.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index a242c4cab..6cbc3c1fe 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py 
@@ -70,7 +70,11 @@ class ErrorHandlerTest(unittest.TestCase): def test_bad_recovery(self): bad_func = mock.MagicMock(side_effect=[ValueError]) self.handler.register(bad_func) - self.handler._call_registered() + try: + with self.handler: + raise ValueError + except ValueError: + pass self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) bad_func.assert_called_once_with() From 3d3908c8b31d66e495b0762627962f3f64b08b2e Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Wed, 6 Jul 2016 13:19:03 -0500 Subject: [PATCH 36/79] Update _call_signals docstring. --- certbot/error_handler.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 779c2d5ca..2140aec4f 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -128,7 +128,7 @@ class ErrorHandler(object): raise errors.SignalExit def _call_signals(self): - """Calls the signal given by signum. + """Finally call the deferred signals. :param int signum: signal number From 40983d67d7b4f1431619086ac0df19ddcf24f363 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Wed, 6 Jul 2016 13:19:58 -0500 Subject: [PATCH 37/79] Alphabetize imports in error_handler_test.py --- certbot/tests/error_handler_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index 6cbc3c1fe..58bc4850c 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -1,9 +1,9 @@ """Tests for certbot.error_handler.""" +import contextlib import os import signal import sys import unittest -import contextlib import mock From 2e7f02805ce848b8cd4cea8cda944e5fb473c607 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Wed, 6 Jul 2016 15:59:51 -0500 Subject: [PATCH 38/79] Call _call_signals after _reset_signals. --- certbot/error_handler.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/certbot/error_handler.py b/certbot/error_handler.py index 2140aec4f..e9deaea5c 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -75,10 +75,10 @@ class ErrorHandler(object): traceback.format_exception(exec_type, exec_value, trace))) self._call_registered() - self._call_signals() return retval finally: - self._reset_signal_handlers() + prev_handlers = self._reset_signal_handlers() + self._call_signals(prev_handlers) def register(self, func, *args, **kwargs): """Sets func to be called with *args and **kwargs during cleanup @@ -112,7 +112,9 @@ class ErrorHandler(object): """Resets signal handlers for signals in _SIGNALS.""" for signum in self.prev_handlers: signal.signal(signum, self.prev_handlers[signum]) + out = dict((k, v) for k, v in self.prev_handlers.items()) self.prev_handlers.clear() + return out def _signal_handler(self, signum, unused_frame): """Replacement function for handling recieved signals. @@ -127,7 +129,7 @@ class ErrorHandler(object): if not self.body_executed: raise errors.SignalExit - def _call_signals(self): + def _call_signals(self, prev_handlers): """Finally call the deferred signals. :param int signum: signal number @@ -135,5 +137,5 @@ class ErrorHandler(object): """ for signum in self.received_signals: logger.debug("Calling signal %s", signum) - signal.signal(signum, self.prev_handlers[signum]) + signal.signal(signum, prev_handlers[signum]) os.kill(os.getpid(), signum) From e28560514a8f9c6da979a8fc86d7b8c42544dd64 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Wed, 6 Jul 2016 16:56:11 -0500 Subject: [PATCH 39/79] Test that ErrorHandler resets default signals. --- certbot/tests/error_handler_test.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index 58bc4850c..a32f2a448 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py 
@@ -66,6 +66,9 @@ class ErrorHandlerTest(unittest.TestCase): # assert the error handling function was just called once self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) + for signum in self.signals: + sig = signal.getsignal(signum) + self.assertTrue((sig == signal.SIG_DFL) or (sig == signal.SIG_IGN)) def test_bad_recovery(self): bad_func = mock.MagicMock(side_effect=[ValueError]) From fd35e407ca221e145805cdb88d76dc8b094d4e2d Mon Sep 17 00:00:00 2001 From: Robert Buchholz Date: Thu, 7 Jul 2016 11:20:52 +0200 Subject: [PATCH 40/79] Reference certbot-auto in CLI help --- certbot/cli.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/certbot/cli.py b/certbot/cli.py index 35b3b74ae..470267029 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -721,10 +721,10 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis "(both can be renewed in parallel)") helpful.add( "automation", "--os-packages-only", action="store_true", - help="(letsencrypt-auto only) install OS package dependencies and then stop") + help="(certbot-auto only) install OS package dependencies and then stop") helpful.add( "automation", "--no-self-upgrade", action="store_true", - help="(letsencrypt-auto only) prevent the letsencrypt-auto script from" + help="(certbot-auto only) prevent the certbot-auto script from" " upgrading itself to newer released versions") helpful.add( "automation", "-q", "--quiet", dest="quiet", action="store_true", @@ -737,7 +737,7 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis "really know what you're doing!") helpful.add( "testing", "--debug", action="store_true", - help="Show tracebacks in case of errors, and allow letsencrypt-auto " + help="Show tracebacks in case of errors, and allow certbot-auto " "execution on experimental platforms") helpful.add( "testing", "--no-verify-ssl", action="store_true", 
From c92a1cd182f4ad15e40552777648621b08dab486 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 7 Jul 2016 17:24:58 -0700 Subject: [PATCH 41/79] Clarifications to Docker, certbot-auto content reflecting first three questions in my comment https://github.com/certbot/certbot/pull/3232#issuecomment-231154320 --- docs/using.rst | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 806dfb340..1d9dc0c32 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -8,14 +8,16 @@ User Guide Getting Certbot =============== -To get specific instructions for installing Certbot on your OS, we recommend -visiting certbot.eff.org_. If you're offline, you can find some general +To get specific instructions for installing Certbot on your OS, +visit certbot.eff.org_. This is the easiest way to install Certbot. + +If you're offline, or if your webserver or OS are not in the menu, you can find some general instructions `in the README / Introduction `__ __ installation_ .. _certbot.eff.org: https://certbot.eff.org -.. _certbot-auto: +.. _certbot-auto: https://certbot.eff.org/docs/using.html#certbot-auto The name of the certbot command ------------------------------- @@ -394,7 +396,12 @@ Running with Docker Docker_ is an amazingly simple and quick way to obtain a certificate. However, this mode of operation is unable to install certificates or configure your webserver, because our installer -plugins cannot reach it from inside the Docker container. +plugins cannot reach your webserver from inside the Docker container. + +Most users should use the operating system packages (available from +certbot.eff.org_) or, as a fallback, ``certbot-auto``. You should only +use Docker if you are sure you know what you are doing and have a +good reason to do so. You should definitely read the :ref:`where-certs` section, in order to know how to manage the certs 
@@ -415,9 +422,13 @@ to, `install Docker`_, then issue the following command: -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \ quay.io/letsencrypt/letsencrypt:latest auth -and follow the instructions (note that ``auth`` command is explicitly -used - no installer plugins involved). Your new cert will be available -in ``/etc/letsencrypt/live`` on the host. +Certbot will obtain a certificate and place it in the directory +``/etc/letsencrypt/live`` on your system and display further instructions +for installing the certificates. You must use the ``auth`` command +to install the certificates instead of plug-ins for this method. + +For more information about the layout +of the ``/etc/letsencrypt`` directory, see :ref:`where-certs`. .. _Docker: https://docker.com .. _`install Docker`: https://docs.docker.com/userguide/ @@ -543,10 +554,10 @@ whole process is described in the :doc:`contributing`. Comparison of different methods ------------------------------- -Unless you have a very specific requirements, we kindly suggest that you use -the certbot-auto_ method. It's the fastest, the most thoroughly -tested and the most reliable way of getting our software and the free -TLS/SSL certificates! +Unless you have very specific requirements, we kindly suggest that you use +the Certbot packages provided by your package manager (see certbot.eff.org_). +If such packages are not available, we recommend using ``certbot-auto``, which +automates the process of installing Certbot on your system. Beyond the methods discussed here, other methods may be possible, such as installing Certbot directly with pip from PyPI or downloading a ZIP From 4b4a02a7af221116c2820af310cab317f78c4ed3 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Thu, 7 Jul 2016 20:07:13 -0500 Subject: [PATCH 42/79] Remove extra tracking of prev_handlers. --- certbot/error_handler.py | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) 
diff --git a/certbot/error_handler.py b/certbot/error_handler.py index e9deaea5c..68bd7f754 100644 --- a/certbot/error_handler.py +++ b/certbot/error_handler.py @@ -77,8 +77,8 @@ class ErrorHandler(object): self._call_registered() return retval finally: - prev_handlers = self._reset_signal_handlers() - self._call_signals(prev_handlers) + self._reset_signal_handlers() + self._call_signals() def register(self, func, *args, **kwargs): """Sets func to be called with *args and **kwargs during cleanup @@ -112,9 +112,7 @@ class ErrorHandler(object): """Resets signal handlers for signals in _SIGNALS.""" for signum in self.prev_handlers: signal.signal(signum, self.prev_handlers[signum]) - out = dict((k, v) for k, v in self.prev_handlers.items()) self.prev_handlers.clear() - return out def _signal_handler(self, signum, unused_frame): """Replacement function for handling recieved signals. @@ -129,13 +127,8 @@ class ErrorHandler(object): if not self.body_executed: raise errors.SignalExit - def _call_signals(self, prev_handlers): - """Finally call the deferred signals. - - :param int signum: signal number - - """ + def _call_signals(self): + """Finally call the deferred signals.""" for signum in self.received_signals: logger.debug("Calling signal %s", signum) - signal.signal(signum, prev_handlers[signum]) os.kill(os.getpid(), signum) From 40449ed2747634ae77928cae45424e5031a66c5b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 12:49:41 -0700 Subject: [PATCH 43/79] Add single _PERM_ERR_FMT string --- certbot/main.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/certbot/main.py b/certbot/main.py index be68d694e..8e47e736a 100644 --- a/certbot/main.py +++ b/certbot/main.py 
@@ -36,6 +36,12 @@ from certbot.display import util as display_util, ops as display_ops from certbot.plugins import disco as plugins_disco from certbot.plugins import selection as plug_sel + +_PERM_ERR_FMT = ("An error occurred while trying to create or modify {0}. To " + "run as non-root, set --config-dir, --logs-dir, and " + "--work-dir to writeable paths.") + + logger = logging.getLogger(__name__) From 9ae755ef4cf3f8f4978d7c5594d6d16ed835a1f5 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 12:53:09 -0700 Subject: [PATCH 44/79] simplify log file error handling --- certbot/main.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index 8e47e736a..d3f90926a 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -2,7 +2,6 @@ from __future__ import print_function import atexit import dialog -import errno import functools import logging.handlers import os @@ -602,13 +601,8 @@ def setup_log_file_handler(config, logfile, fmt): try: handler = logging.handlers.RotatingFileHandler( log_file_path, maxBytes=2 ** 20, backupCount=10) - except IOError as e: - if e.errno == errno.EACCES: - msg = ("Access denied writing to {0}. To run as non-root, set " + - "--logs-dir, --config-dir, --work-dir to writable paths.") - raise errors.Error(msg.format(log_file_path)) - else: - raise + except IOError: + raise errors.Error(_PERM_ERR_FMT.format(log_file_path)) # rotate on each invocation, rollover only possible when maxBytes # is nonzero and backupCount is nonzero, so we set maxBytes as big # as possible not to overrun in single CLI invocation (1MB). From f3c6bac31065a200e1a2b79579c907279d48af1b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 13:02:28 -0700 Subject: [PATCH 45/79] stop spacing out --- certbot/tests/main_test.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 66cba64a3..d044a50b7 100644 
--- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -1,10 +1,8 @@ """Tests for certbot.main.""" import unittest - import mock - from certbot import cli from certbot import configuration from certbot.plugins import disco as plugins_disco From 4f35f3fdf7e8631282d11d3c7a854770dd02dccf Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 13:07:49 -0700 Subject: [PATCH 46/79] Add SetupLogFileHandlerTest --- certbot/tests/main_test.py | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index d044a50b7..5f6723bd7 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -1,10 +1,13 @@ """Tests for certbot.main.""" +import shutil +import tempfile import unittest import mock from certbot import cli from certbot import configuration +from certbot import errors from certbot.plugins import disco as plugins_disco @@ -42,5 +45,26 @@ class ObtainCertTest(unittest.TestCase): self.assertFalse(pause) +class SetupLogFileHandlerTest(unittest.TestCase): + """Tests for certbot.main.setup_log_file_handler.""" + + def setUp(self): + self.config = mock.Mock(spec_set=['logs_dir'], + logs_dir=tempfile.mkdtemp()) + + def tearDown(self): + shutil.rmtree(self.config.logs_dir) + + def _call(self, *args, **kwargs): + from certbot.main import setup_log_file_handler + return setup_log_file_handler(*args, **kwargs) + + @mock.patch('certbot.main.logging.handlers.RotatingFileHandler') + def test_ioerror(self, mock_handler): + mock_handler.side_effect = IOError + self.assertRaises(errors.Error, self._call, + self.config, "test.log", "%s") + + if __name__ == '__main__': unittest.main() # pragma: no cover From 754b7956b3003cc75b2b1a11e40d86a6bf6828f3 Mon Sep 17 00:00:00 2001 
From: Peter Eckersley Date: Wed, 6 Jul 2016 15:49:22 -0700 Subject: [PATCH 47/79] Make the error even more informative --- certbot-apache/certbot_apache/configurator.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index d1c2b7165..0c95fe18e 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -159,8 +159,9 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Verify Apache is installed restart_cmd = constants.os_constant("restart_cmd")[0] if not util.exe_exists(restart_cmd): + logger.warn("Failed to find %s in PATH: %s", restart_cmd, os.environ["PATH"]) raise errors.NoInstallationError( - 'Cannot find Apache install ({0} not in PATH)'.format(restart_cmd)) + 'Cannot find Apache control command {0}'.format(restart_cmd)) # Make sure configuration is valid self.config_test() From a322f44f2b7c0ef0302de956ed068671cf4ef32f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 7 Jul 2016 17:54:39 -0700 Subject: [PATCH 48/79] Implement PATH fallback for apachectl search --- certbot-apache/certbot_apache/configurator.py | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 0c95fe18e..c9a00a64e 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py 
@@ -159,9 +159,16 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Verify Apache is installed restart_cmd = constants.os_constant("restart_cmd")[0] if not util.exe_exists(restart_cmd): - logger.warn("Failed to find %s in PATH: %s", restart_cmd, os.environ["PATH"]) - raise errors.NoInstallationError( - 'Cannot find Apache control command {0}'.format(restart_cmd)) + # mitigate https://github.com/certbot/certbot/issues/1833 + logger.debug("Can't find %s, attempting PATH mitigation by adding " + "/usr/sbin/ and /usr/local/bin/", restart_cmd) + os.environ["PATH"] = os.pathsep.join((os.environ["PATH"], "/usr/sbin/", + "/usr/local/bin/")) + if not util.exe_exists(restart_cmd): + logger.warn("Failed to find %s in expanded PATH: %s", + restart_cmd, os.environ["PATH"]) + raise errors.NoInstallationError( + 'Cannot find Apache control command {0}'.format(restart_cmd)) # Make sure configuration is valid self.config_test() From cecac803a09c8c934f6fbe14bbe9204467d7174b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 7 Jul 2016 18:17:45 -0700 Subject: [PATCH 49/79] Do this more cleanly --- certbot-apache/certbot_apache/configurator.py | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index c9a00a64e..329e62135 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py 
@@ -141,6 +141,20 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST) + def _path_surgery(self): + """Mitigate https://github.com/certbot/certbot/issues/1833""" + dirs = ("/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/") + path = os.environ["PATH"] + added = [] + for d in dirs: + if d not in path: + path += os.pathsep + d + added.append(d) + if any(added): + logger.debug("Can't find %s, attempting PATH mitigation by adding %s" + restart_cmd, os.pathsep.join(added)) + os.environ["PATH"] = path + def prepare(self): """Prepare the authenticator/installer. @@ -159,11 +173,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Verify Apache is installed restart_cmd = constants.os_constant("restart_cmd")[0] if not util.exe_exists(restart_cmd): - # mitigate https://github.com/certbot/certbot/issues/1833 - logger.debug("Can't find %s, attempting PATH mitigation by adding " - "/usr/sbin/ and /usr/local/bin/", restart_cmd) - os.environ["PATH"] = os.pathsep.join((os.environ["PATH"], "/usr/sbin/", - "/usr/local/bin/")) + self._path_surgery() if not util.exe_exists(restart_cmd): logger.warn("Failed to find %s in expanded PATH: %s", restart_cmd, os.environ["PATH"]) From 757a8ddae7c5ac1a8acd500cda9b1f7505fc4963 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Jul 2016 00:37:52 -0700 Subject: [PATCH 50/79] Fixes & tests --- certbot-apache/certbot_apache/configurator.py | 20 +++++++++----- .../certbot_apache/tests/configurator_test.py | 26 +++++++++++++++++++ 2 files changed, 39 insertions(+), 7 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 329e62135..12cba34f1 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py 
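Review bot: `if d not in path` in the new `_path_surgery` is a substring test against the whole PATH string, not a test against its entries. A directory therefore counts as present whenever its text occurs inside a longer entry (constructed example: `/opt/usr/local/bin/` hides `/usr/local/bin/`), and the fallback directory is then never appended. Comparing against the components avoids that: `if d not in path.split(os.pathsep):`, ideally after stripping trailing slashes on both sides so `/usr/sbin` and `/usr/sbin/` compare equal. The same loop is carried into `path_surgery` in certbot/plugins/util.py later in this series, so the change is needed there as well.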
@@ -141,9 +141,13 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST) - def _path_surgery(self): - """Mitigate https://github.com/certbot/certbot/issues/1833""" - dirs = ("/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/") + def _path_surgery(self, restart_cmd): + """Mitigate https://github.com/certbot/certbot/issues/1833 + + :returns: " expanded" if an expansion of the PATH occurred; + "" otherwise + """ + dirs = ("/usr/sbin", "/usr/local/bin", "/usr/local/sbin") path = os.environ["PATH"] added = [] for d in dirs: @@ -151,9 +155,11 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): path += os.pathsep + d added.append(d) if any(added): - logger.debug("Can't find %s, attempting PATH mitigation by adding %s" + logger.debug("Can't find %s, attempting PATH mitigation by adding %s", restart_cmd, os.pathsep.join(added)) os.environ["PATH"] = path + return " expanded" + return "" def prepare(self): """Prepare the authenticator/installer. @@ -173,10 +179,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Verify Apache is installed restart_cmd = constants.os_constant("restart_cmd")[0] if not util.exe_exists(restart_cmd): - self._path_surgery() + expanded = self._path_surgery(restart_cmd) if not util.exe_exists(restart_cmd): - logger.warn("Failed to find %s in expanded PATH: %s", - restart_cmd, os.environ["PATH"]) + logger.warn("Failed to find %s in %s PATH: %s", + restart_cmd, expanded, os.environ["PATH"]) raise errors.NoInstallationError( 'Cannot find Apache control command {0}'.format(restart_cmd)) diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 9a034c3e0..d5139912e 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py 
@@ -86,6 +86,32 @@ class MultipleVhostsTest(util.ApacheTest): self.assertRaises( errors.NotSupportedError, self.config.prepare) + @mock.patch("certbot_apache.configurator.logger.debug") + def test_path_surgery(self, mock_debug): + # pylint: disable=protected-access + all_path = {"PATH": "/usr/local/bin:/bin/:/usr/sbin/:/usr/local/sbin/"} + with mock.patch.dict('os.environ', all_path): + self.config._path_surgery("thingy") + self.assertEquals(mock_debug.call_count, 0) + self.assertEquals(os.environ["PATH"], all_path["PATH"]) + no_path = {"PATH": "/tmp/"} + with mock.patch.dict('os.environ', no_path): + self.config._path_surgery("thingy") + self.assertEquals(mock_debug.call_count, 1) + self.assertTrue("/usr/local/bin" in os.environ["PATH"]) + self.assertTrue("/tmp" in os.environ["PATH"]) + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.init_augeas") + @mock.patch("certbot_apache.configurator.ApacheConfigurator._path_surgery") + @mock.patch("certbot_apache.configurator.logger.warn") + def test_no_install(self, mock_warn, mock_surgery, _init_augeas): + silly_path = {"PATH": "/tmp/nothingness2342"} + with mock.patch.dict('os.environ', silly_path): + self.assertRaises(errors.NoInstallationError, self.config.prepare) + self.assertEquals(mock_warn.call_count, 1) + self.assertEquals(mock_surgery.call_count, 1) + self.assertTrue("Failed to find" in mock_warn.call_args[0][0]) + def test_add_parser_arguments(self): # pylint: disable=no-self-use from certbot_apache.configurator import ApacheConfigurator # Weak test.. From 0bedeb449a239e79ccba3989c12ba07b3c93e363 Mon Sep 17 00:00:00 2001 
From: Peter Eckersley Date: Fri, 8 Jul 2016 13:58:39 -0700 Subject: [PATCH 51/79] Refactor path_surgery into plugins.util so that nginx can call it --- certbot-apache/certbot_apache/configurator.py | 25 +----------- .../certbot_apache/tests/configurator_test.py | 38 ++++--------------- certbot/plugins/util.py | 30 +++++++++++++++ certbot/plugins/util_test.py | 24 ++++++++++++ 4 files changed, 64 insertions(+), 53 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 12cba34f1..74aab242e 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -18,6 +18,7 @@ from certbot import interfaces from certbot import util from certbot.plugins import common +from certbot.plugins.util import path_surgery from certbot_apache import augeas_configurator from certbot_apache import constants @@ -141,25 +142,6 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): return os.path.join(self.config.config_dir, constants.MOD_SSL_CONF_DEST) - def _path_surgery(self, restart_cmd): - """Mitigate https://github.com/certbot/certbot/issues/1833 - - :returns: " expanded" if an expansion of the PATH occurred; - "" otherwise - """ - dirs = ("/usr/sbin", "/usr/local/bin", "/usr/local/sbin") - path = os.environ["PATH"] - added = [] - for d in dirs: - if d not in path: - path += os.pathsep + d - added.append(d) - if any(added): - logger.debug("Can't find %s, attempting PATH mitigation by adding %s", - restart_cmd, os.pathsep.join(added)) - os.environ["PATH"] = path - return " expanded" - return "" def prepare(self): """Prepare the authenticator/installer. 
@@ -179,10 +161,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # Verify Apache is installed restart_cmd = constants.os_constant("restart_cmd")[0] if not util.exe_exists(restart_cmd): - expanded = self._path_surgery(restart_cmd) - if not util.exe_exists(restart_cmd): - logger.warn("Failed to find %s in %s PATH: %s", - restart_cmd, expanded, os.environ["PATH"]) + if not path_surgery(restart_cmd): raise errors.NoInstallationError( 'Cannot find Apache control command {0}'.format(restart_cmd)) diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index d5139912e..eac16c7fe 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -49,11 +49,14 @@ class MultipleVhostsTest(util.ApacheTest): shutil.rmtree(self.config_dir) shutil.rmtree(self.work_dir) - @mock.patch("certbot_apache.configurator.util.exe_exists") - def test_prepare_no_install(self, mock_exe_exists): - mock_exe_exists.return_value = False - self.assertRaises( - errors.NoInstallationError, self.config.prepare) + @mock.patch("certbot_apache.configurator.ApacheConfigurator.init_augeas") + @mock.patch("certbot_apache.configurator.path_surgery") + def test_prepare_no_install(self, mock_surgery, _init_augeas): + silly_path = {"PATH": "/tmp/nothingness2342"} + mock_surgery.return_value = False + with mock.patch.dict('os.environ', silly_path): + self.assertRaises(errors.NoInstallationError, self.config.prepare) + self.assertEquals(mock_surgery.call_count, 1) @mock.patch("certbot_apache.augeas_configurator.AugeasConfigurator.init_augeas") def test_prepare_no_augeas(self, mock_init_augeas): 
@@ -86,31 +89,6 @@ class MultipleVhostsTest(util.ApacheTest): self.assertRaises( errors.NotSupportedError, self.config.prepare) - @mock.patch("certbot_apache.configurator.logger.debug") - def test_path_surgery(self, mock_debug): - # pylint: disable=protected-access - all_path = {"PATH": "/usr/local/bin:/bin/:/usr/sbin/:/usr/local/sbin/"} - with mock.patch.dict('os.environ', all_path): - self.config._path_surgery("thingy") - self.assertEquals(mock_debug.call_count, 0) - self.assertEquals(os.environ["PATH"], all_path["PATH"]) - no_path = {"PATH": "/tmp/"} - with mock.patch.dict('os.environ', no_path): - self.config._path_surgery("thingy") - self.assertEquals(mock_debug.call_count, 1) - self.assertTrue("/usr/local/bin" in os.environ["PATH"]) - self.assertTrue("/tmp" in os.environ["PATH"]) - - @mock.patch("certbot_apache.configurator.ApacheConfigurator.init_augeas") - @mock.patch("certbot_apache.configurator.ApacheConfigurator._path_surgery") - @mock.patch("certbot_apache.configurator.logger.warn") - def test_no_install(self, mock_warn, mock_surgery, _init_augeas): - silly_path = {"PATH": "/tmp/nothingness2342"} - with mock.patch.dict('os.environ', silly_path): - self.assertRaises(errors.NoInstallationError, self.config.prepare) - self.assertEquals(mock_warn.call_count, 1) - self.assertEquals(mock_surgery.call_count, 1) - self.assertTrue("Failed to find" in mock_warn.call_args[0][0]) def test_add_parser_arguments(self): # pylint: disable=no-self-use from certbot_apache.configurator import ApacheConfigurator diff --git a/certbot/plugins/util.py b/certbot/plugins/util.py index 5fc98dff6..cdba88a87 100644 --- a/certbot/plugins/util.py +++ b/certbot/plugins/util.py 
@@ -1,15 +1,45 @@ """Plugin utilities.""" import logging +import os import socket import psutil import zope.component from certbot import interfaces +from certbot import util logger = logging.getLogger(__name__) +def path_surgery(restart_cmd): + """Attempt to perform PATH surgery to find restart_cmd + + Mitigates https://github.com/certbot/certbot/issues/1833 + + :param str restart_cmd: the command that is being searched for in the PATH + + :returns: True if the operation succeeded, False otherwise + """ + dirs = ("/usr/sbin", "/usr/local/bin", "/usr/local/sbin") + path = os.environ["PATH"] + added = [] + for d in dirs: + if d not in path: + path += os.pathsep + d + added.append(d) + + if any(added): + logger.debug("Can't find %s, attempting PATH mitigation by adding %s", + restart_cmd, os.pathsep.join(added)) + os.environ["PATH"] = path + + if util.exe_exists(restart_cmd): + return True + else: + expanded = " expanded" if any(added) else "" + logger.warn("Failed to find %s in%s PATH: %s", restart_cmd, expanded, path) + return False def already_listening(port, renewer=False): """Check if a process is already listening on the port. diff --git a/certbot/plugins/util_test.py b/certbot/plugins/util_test.py index 9bc8793c7..fa8b364d9 100644 --- a/certbot/plugins/util_test.py +++ b/certbot/plugins/util_test.py 
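Review bot: The docstring of `path_surgery` does not say that the function rewrites `os.environ["PATH"]` for the whole process and keeps the added directories even when it returns False. Every later executable lookup in the same run inherits that change, so it should be stated where callers will read it. I would add a line such as `Appends /usr/sbin, /usr/local/bin and /usr/local/sbin to os.environ["PATH"] when missing; the change is process-wide and is kept even if restart_cmd is still not found.` The directories are appended after the existing entries, so they cannot shadow a command that PATH already resolves. That ordering is worth a one-line comment next to `path += os.pathsep + d` so a later edit does not turn it into a prepend.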
@@ -1,9 +1,33 @@ """Tests for certbot.plugins.util.""" +import os import unittest import mock import psutil +class PathSurgeryTest(unittest.TestCase): + """Tests for certbot.plugins.path_surgery.""" + + @mock.patch("certbot.plugins.util.logger.warn") + @mock.patch("certbot.plugins.util.logger.debug") + def test_path_surgery(self, mock_debug, mock_warn): + from certbot.plugins.util import path_surgery + all_path = {"PATH": "/usr/local/bin:/bin/:/usr/sbin/:/usr/local/sbin/"} + with mock.patch.dict('os.environ', all_path): + with mock.patch('certbot.util.exe_exists') as mock_exists: + mock_exists.return_value = True + self.assertEquals(path_surgery("eg"), True) + self.assertEquals(mock_debug.call_count, 0) + self.assertEquals(mock_warn.call_count, 0) + self.assertEquals(os.environ["PATH"], all_path["PATH"]) + no_path = {"PATH": "/tmp/"} + with mock.patch.dict('os.environ', no_path): + path_surgery("thingy") + self.assertEquals(mock_debug.call_count, 1) + self.assertEquals(mock_warn.call_count, 1) + self.assertTrue("Failed to find" in mock_warn.call_args[0][0]) + self.assertTrue("/usr/local/bin" in os.environ["PATH"]) + self.assertTrue("/tmp" in os.environ["PATH"]) class AlreadyListeningTest(unittest.TestCase): """Tests for certbot.plugins.already_listening.""" From ed73c55b7bfca9939d9cd0d8edebddedf29ade2e Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Fri, 8 Jul 2016 16:03:40 -0500 Subject: [PATCH 52/79] Instantiate exception_raised in test. --- certbot/tests/error_handler_test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index a32f2a448..2eb1506be 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -42,6 +42,7 @@ class ErrorHandlerTest(unittest.TestCase): self.signals = error_handler._SIGNALS def test_context_manager(self): + exception_raised = False try: with self.handler: raise ValueError 
From 48b7c01a5925e476f6b4197fa34370cc07d97607 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 14:06:15 -0700 Subject: [PATCH 53/79] bring make_or_verify_dir docstring up to date --- certbot/util.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot/util.py b/certbot/util.py index 301fc669b..2b40a0f2c 100644 --- a/certbot/util.py +++ b/certbot/util.py @@ -95,6 +95,7 @@ def make_or_verify_dir(directory, mode=0o755, uid=0, strict=False): :param str directory: Path to a directory. :param int mode: Directory mode. :param int uid: Directory owner. + :param bool strict: require directory to be owned by current user :raises .errors.Error: if a directory already exists, but has wrong permissions or owner From d7772217032235337405f8e4b62a9970f057a8fc Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 14:17:19 -0700 Subject: [PATCH 54/79] write make_or_verify_core_dir --- certbot/main.py | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index d3f90926a..2a18aa528 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -702,6 +702,23 @@ def _handle_exception(exc_type, exc_value, trace, config): traceback.format_exception(exc_type, exc_value, trace))) +def make_or_verify_core_dir(directory, mode, uid, strict): + """Make sure directory exists with proper permissions. + + :param str directory: Path to a directory. + :param int mode: Directory mode. + :param int uid: Directory owner. + :param bool strict: require directory to be owned by current user + + :raises .errors.Error: if the directory cannot be made or verified + + """ + try: + util.make_or_verify_dir(directory, mode, uid, strict) + except OSError: + raise errors.Error(_PERM_ERR_FMT.format(directory)) + + def main(cli_args=sys.argv[1:]): """Command line argument parsing and main script execution.""" sys.excepthook = functools.partial(_handle_exception, config=None) 
@@ -712,16 +729,16 @@ def main(cli_args=sys.argv[1:]): config = configuration.NamespaceConfig(args) zope.component.provideUtility(config) - # Setup logging ASAP, otherwise "No handlers could be found for - # logger ..." TODO: this should be done before plugins discovery - for directory in config.config_dir, config.work_dir: - util.make_or_verify_dir( - directory, constants.CONFIG_DIRS_MODE, os.geteuid(), - "--strict-permissions" in cli_args) + make_or_verify_core_dir(config.config_dir, constants.CONFIG_DIRS_MODE, + os.geteuid(), config.strict_permissions) + make_or_verify_core_dir(config.work_dir, constants.CONFIG_DIRS_MODE, + os.geteuid(), config.strict_permissions) # TODO: logs might contain sensitive data such as contents of the # private key! #525 - util.make_or_verify_dir( - config.logs_dir, 0o700, os.geteuid(), "--strict-permissions" in cli_args) + make_or_verify_core_dir(config.logs_dir, 0o700, + os.geteuid(), config.strict_permissions) + # Setup logging ASAP, otherwise "No handlers could be found for + # logger ..." TODO: this should be done before plugins discovery setup_logging(config, _cli_log_handler, logfile='letsencrypt.log') cli.possible_deprecation_warning(config) From e598e907bdbfb69418e6909a5e0f8bc3eb1994e4 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 14:54:51 -0700 Subject: [PATCH 55/79] create MakeOrVerifyCoreDirTest --- certbot/tests/main_test.py | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 5f6723bd7..32df525f0 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -1,4 +1,5 @@ """Tests for certbot.main.""" +import os import shutil import tempfile import unittest 
@@ -66,5 +67,30 @@ class SetupLogFileHandlerTest(unittest.TestCase): self.config, "test.log", "%s") +class MakeOrVerifyCoreDirTest(unittest.TestCase): + """Tests for certbot.main.make_or_verify_core_dir.""" + + def setUp(self): + self.dir = tempfile.mkdtemp() + + def tearDown(self): + shutil.rmtree(self.dir) + + def _call(self, *args, **kwargs): + from certbot.main import make_or_verify_core_dir + return make_or_verify_core_dir(*args, **kwargs) + + def test_success(self): + new_dir = os.path.join(self.dir, 'new') + self._call(new_dir, 0o700, os.geteuid(), False) + self.assertTrue(os.path.exists(new_dir)) + + @mock.patch('certbot.main.util.make_or_verify_dir') + def test_failure(self, mock_make_or_verify): + mock_make_or_verify.side_effect = OSError + self.assertRaises(errors.Error, self._call, + self.dir, 0o700, os.geteuid(), False) + + if __name__ == '__main__': unittest.main() # pragma: no cover From d4a8820bdcc2cfaf380e58fb026b4681636ed084 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 8 Jul 2016 15:04:44 -0700 Subject: [PATCH 56/79] wrap with escapes --- certbot-apache/certbot_apache/configurator.py | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 5733baa26..3d6253f33 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -529,7 +529,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if addr.get_port() == "443": is_ssl = True - filename = self._unescape(get_file_path(path)) + filename = get_file_path(self.aug.get("/augeas/files%s/file" % get_file_path(path))) if self.conf("handle-sites"): is_enabled = self.is_site_enabled(filename) else: 
@@ -770,7 +770,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ avail_fp = nonssl_vhost.filep - ssl_fp = self._escape(self._get_ssl_vhost_path(avail_fp)) + ssl_fp = self._get_ssl_vhost_path(avail_fp) self._copy_create_ssl_vhost_skeleton(avail_fp, ssl_fp) @@ -778,7 +778,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.aug.load() # Get Vhost augeas path for new vhost vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" % - (ssl_fp, parser.case_i("VirtualHost"))) + (_escape(ssl_fp), parser.case_i("VirtualHost"))) if len(vh_p) != 1: logger.error("Error: should only be one vhost in %s", avail_fp) raise errors.PluginError("Currently, we only support " @@ -997,11 +997,15 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if need_to_save: self.save() - def _unescape(self, fp): - return fp.replace("\\", "") - def _escape(self, fp): - return fp.replace(",", "\\,") + fp = fp.replace(",", "\\,") + fp = fp.replace("[", "\\[") + fp = fp.replace("]", "\\]") + fp = fp.replace("|", "\\|") + fp = fp.replace("=", "\\=") + fp = fp.replace("(", "\\(") + fp = fp.replace(")", "\\)") + fp = fp.replace("!", "\\!") ###################################################################### # Enhancements @@ -1332,7 +1336,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.aug.load() # Make a new vhost data structure and add it to the lists - new_vhost = self._create_vhost(parser.get_aug_path(redirect_filepath)) + new_vhost = self._create_vhost(parser.get_aug_path(self._escape(redirect_filepath))) self.vhosts.append(new_vhost) self._enhanced_vhosts["redirect"].add(new_vhost) From 1113e280460f811486a6404d4ed5a9b0c286ef8f Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 8 Jul 2016 15:22:56 -0700 Subject: [PATCH 57/79] fix typo --- certbot-apache/certbot_apache/configurator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
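Review bot: The rewritten `_escape` (hunk at -997) backslash-escapes `, [ ] | = ( ) !` but not the backslash itself. Assuming Augeas treats `\` as the escape character in path expressions, as these replacements imply, a file name that already contains a backslash would reach `self.aug.match` with that backslash escaping whatever follows it. Escaping it first closes the gap: `fp = fp.replace("\\", "\\\\")` placed before the other replacements, so the backslashes they add are not doubled. As written in this patch the method also ends without `return fp`, so the `self._escape(redirect_filepath)` call in the -1332 hunk hands None to `parser.get_aug_path`. A test that round-trips a vhost file name containing each escaped character would pin both points.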
diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 3d6253f33..afaf7f93e 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -529,7 +529,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if addr.get_port() == "443": is_ssl = True - filename = get_file_path(self.aug.get("/augeas/files%s/file" % get_file_path(path))) + filename = get_file_path(self.aug.get("/augeas/files%s/path" % get_file_path(path))) if self.conf("handle-sites"): is_enabled = self.is_site_enabled(filename) else: From d8c2dd1a5c741bb9d2f375bf3f453a44a6ab7184 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 8 Jul 2016 15:28:12 -0700 Subject: [PATCH 58/79] add self --- certbot-apache/certbot_apache/configurator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index afaf7f93e..a2a4182db 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -778,7 +778,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self.aug.load() # Get Vhost augeas path for new vhost vh_p = self.aug.match("/files%s//* [label()=~regexp('%s')]" % - (_escape(ssl_fp), parser.case_i("VirtualHost"))) + (self._escape(ssl_fp), parser.case_i("VirtualHost"))) if len(vh_p) != 1: logger.error("Error: should only be one vhost in %s", avail_fp) raise errors.PluginError("Currently, we only support " From 1bbfde1771a97b828218061b1c83734a087896ce Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Fri, 8 Jul 2016 15:35:29 -0700 Subject: [PATCH 59/79] don't code while distracted --- certbot-apache/certbot_apache/configurator.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index a2a4182db..b4ce29d31 100644 
--- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -1006,6 +1006,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): fp = fp.replace("(", "\\(") fp = fp.replace(")", "\\)") fp = fp.replace("!", "\\!") + return fp ###################################################################### # Enhancements From 9372914c67e189c00a4f6c4143011811b4a617d9 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 8 Jul 2016 15:51:31 -0700 Subject: [PATCH 60/79] Improve error message --- certbot/main.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index 2a18aa528..8bccc524d 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -36,9 +36,10 @@ from certbot.plugins import disco as plugins_disco from certbot.plugins import selection as plug_sel -_PERM_ERR_FMT = ("An error occurred while trying to create or modify {0}. To " - "run as non-root, set --config-dir, --logs-dir, and " - "--work-dir to writeable paths.") +_PERM_ERR_FMT = os.linesep.join(( + "The following error was encountered:", "{0}", + "If running as non-root, set --config-dir, " + "--logs-dir, and --work-dir to writeable paths.")) logger = logging.getLogger(__name__) @@ -601,8 +602,8 @@ def setup_log_file_handler(config, logfile, fmt): try: handler = logging.handlers.RotatingFileHandler( log_file_path, maxBytes=2 ** 20, backupCount=10) - except IOError: - raise errors.Error(_PERM_ERR_FMT.format(log_file_path)) + except IOError as error: + raise errors.Error(_PERM_ERR_FMT.format(error)) # rotate on each invocation, rollover only possible when maxBytes # is nonzero and backupCount is nonzero, so we set maxBytes as big # as possible not to overrun in single CLI invocation (1MB). 
@@ -715,8 +716,8 @@ def make_or_verify_core_dir(directory, mode, uid, strict): """ try: util.make_or_verify_dir(directory, mode, uid, strict) - except OSError: - raise errors.Error(_PERM_ERR_FMT.format(directory)) + except OSError as error: + raise errors.Error(_PERM_ERR_FMT.format(error)) def main(cli_args=sys.argv[1:]): From 156ea46a09fde04fd24c959566d25a11326a089d Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Fri, 8 Jul 2016 16:30:50 -0500 Subject: [PATCH 61/79] Compare initial and final signals in tests. --- certbot/tests/error_handler_test.py | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/certbot/tests/error_handler_test.py b/certbot/tests/error_handler_test.py index 2eb1506be..2e2ffe2d9 100644 --- a/certbot/tests/error_handler_test.py +++ b/certbot/tests/error_handler_test.py @@ -7,18 +7,25 @@ import unittest import mock +def get_signals(signums): + """Get the handlers for an iterable of signums.""" + return dict((s, signal.getsignal(s)) for s in signums) + + +def set_signals(sig_handler_dict): + """Set the signal (keys) with the handler (values) from the input dict.""" + tuple(signal.signal(s, h) for (s, h) in sig_handler_dict.items()) + @contextlib.contextmanager def signal_receiver(signums): """Context manager to catch signals""" signals = [] prev_handlers = {} - for signum in signums: - prev_handlers[signum] = signal.getsignal(signum) - signal.signal(signum, lambda signum, _: signals.append(signum)) + prev_handlers = get_signals(signums) + set_signals(dict((s, lambda s, _: signals.append(s)) for s in signums)) yield signals - for signum in signums: - signal.signal(signum, prev_handlers[signum]) + set_signals(dict((s, prev_handlers[s]) for s in signums)) def send_signal(signum): 
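Review bot: `signal_receiver` restores the previous handlers only when the `with` body finishes normally; an exception or failed assertion inside the body skips the code after `yield` and leaves the recording lambdas installed for later tests. Wrap the yield as `try:` / `yield signals` / `finally:` / `set_signals(prev_handlers)`, which also replaces the rebuilt dict. `signal.getsignal` can return `None` for a handler that was not installed from Python, and `signal.signal` rejects `None`, so `set_signals` should skip such entries. The `prev_handlers = {}` line left above the new assignment is now dead, and the `tuple(...)` in `set_signals` is built only for its side effects where a plain `for` loop would read better.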
@@ -54,6 +61,7 @@ class ErrorHandlerTest(unittest.TestCase): **self.init_kwargs) def test_context_manager_with_signal(self): + init_signals = get_signals(self.signals) with signal_receiver(self.signals) as signals_received: with self.handler: should_be_42 = 42 @@ -68,8 +76,7 @@ class ErrorHandlerTest(unittest.TestCase): self.init_func.assert_called_once_with(*self.init_args, **self.init_kwargs) for signum in self.signals: - sig = signal.getsignal(signum) - self.assertTrue((sig == signal.SIG_DFL) or (sig == signal.SIG_IGN)) + self.assertEqual(init_signals[signum], signal.getsignal(signum)) def test_bad_recovery(self): bad_func = mock.MagicMock(side_effect=[ValueError]) From 68500cd4361bd0d07167c8f42a77adec3ac034f9 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sat, 9 Jul 2016 15:13:09 -0700 Subject: [PATCH 62/79] Don't allow dollar_var to swalllow characters like "{" --- certbot-nginx/certbot_nginx/nginxparser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot-nginx/certbot_nginx/nginxparser.py b/certbot-nginx/certbot_nginx/nginxparser.py index 0cc912515..1859777d8 100644 --- a/certbot-nginx/certbot_nginx/nginxparser.py +++ b/certbot-nginx/certbot_nginx/nginxparser.py @@ -23,7 +23,7 @@ class RawNginxParser(object): right_bracket = space.leaveWhitespace() + Literal("}").suppress() semicolon = Literal(";").suppress() key = Word(alphanums + "_/+-.") - dollar_var = Combine(Literal('$') + nonspace) + dollar_var = Combine(Literal('$') + Regex(r"[^\{\};,\s]+")) condition = Regex(r"\(.+\)") # Matches anything that is not a special character AND any chars in single # or double quotes From 9bc50d4a4761e6734389697b1cdff1c5339726d7 Mon Sep 17 00:00:00 2001 From: Blake Griffith Date: Mon, 11 Jul 2016 12:43:33 -0500 Subject: [PATCH 63/79] Try to fix travis-ci lint failure --- certbot-apache/certbot_apache/tests/configurator_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
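Review bot: The new `dollar_var` pattern excludes `{` and `}`, so the braced form `${name}` that nginx accepts no longer matches this rule, because the `Regex` needs at least one non-brace character directly after `$`. Whether another rule in `RawNginxParser` picks that form up is not visible in this hunk, and the commit changes the grammar without adding a test; a case for `${host}` next to one for `$host{` would pin both behaviours. A comment above the line, e.g. `# stop at block/statement delimiters so "$var{" does not absorb the brace`, would explain the character class. The class body continues outside the hunk.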
diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 633757de4..99b1b8b74 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1,4 +1,4 @@ -# pylint: disable=too-many-public-methods +# pylint: disable=too-many-public-methods,too-many-lines """Test for certbot_apache.configurator.""" import os import shutil From 8f1a141d2a3c343d1521a48897fde187e7bcc94e Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Mon, 11 Jul 2016 13:20:31 -0700 Subject: [PATCH 64/79] incorporate brad's comments --- certbot-apache/certbot_apache/configurator.py | 2 +- certbot-apache/certbot_apache/tests/configurator_test.py | 3 ++- .../augeas_vhosts/apache2/sites-enabled/000-default.conf | 1 - .../augeas_vhosts/apache2/sites-enabled/certbot.conf | 1 - .../apache2/sites-enabled/encryption-example.conf | 1 - .../augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf | 1 - .../augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf | 1 - 7 files changed, 3 insertions(+), 7 deletions(-) delete mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf delete mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf delete mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf delete mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf delete mode 120000 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index b4ce29d31..2c9bd982f 100644 
--- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -1080,7 +1080,7 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if not use_stapling_aug_path: self.parser.add_dir(ssl_vhost.path, "SSLUseStapling", "on") - ssl_vhost_aug_path = parser.get_aug_path(ssl_vhost.filep) + ssl_vhost_aug_path = self._escape(parser.get_aug_path(ssl_vhost.filep)) # Check if there's an existing SSLStaplingCache directive. stapling_cache_aug_path = self.parser.find_dir('SSLStaplingCache', diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index a90940f94..ceef5b9e4 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1,4 +1,4 @@ -# pylint: disable=too-many-public-methods, protected-access +# pylint: disable=too-many-public-methods """Test for certbot_apache.configurator.""" import os import shutil @@ -1188,6 +1188,7 @@ class MultipleVhostsTest(util.ApacheTest): class AugeasVhostsTest(util.ApacheTest): """Test vhosts with illegal names dependant on augeas version.""" + # pylint: disable=protected-access def setUp(self): # pylint: disable=arguments-differ td = "debian_apache_2_4/augeas_vhosts" diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf deleted file mode 120000 index 3c4632b73..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/000-default.conf +++ /dev/null @@ -1 +0,0 @@ -../sites-available/000-default.conf \ No newline at end of file 
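Review bot: In the `@@ -1080,7 +1080,7 @@` hunk escaping is applied at the call site, after `parser.get_aug_path`, so every other caller of `get_aug_path` has to remember to do the same, and `ssl_vhost.path` is passed to `add_dir` two lines earlier without it. If `find_dir` or anything downstream escapes its start path again, a name containing one of the characters `_escape` handles would be double-escaped and the lookup would presumably find nothing, so the existing `SSLStaplingCache` check could be bypassed and a duplicate directive written. Consider moving the escaping into `get_aug_path` itself, or add a comment such as `# filep is a raw filesystem path; escape Augeas metacharacters before using it in a path expression`. The enclosing method starts and ends outside the hunk.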
diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf deleted file mode 120000 index 4d08c763f..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/certbot.conf +++ /dev/null @@ -1 +0,0 @@ -../sites-available/certbot.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf deleted file mode 120000 index 417818069..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/encryption-example.conf +++ /dev/null @@ -1 +0,0 @@ -../sites-available/encryption-example.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf deleted file mode 120000 index 44f254304..000000000 --- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/mod_macro-example.conf +++ /dev/null @@ -1 +0,0 @@ -../sites-available/mod_macro-example.conf \ No newline at end of file diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf deleted file mode 120000 index b25ee0482..000000000 
--- a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/sites-enabled/ocsp-ssl.conf +++ /dev/null @@ -1 +0,0 @@ -../sites-available/ocsp-ssl.conf \ No newline at end of file From b48ddac5285572129937661e0e8291a329d3bb98 Mon Sep 17 00:00:00 2001 
From: Seth Schoen Date: Mon, 11 Jul 2016 13:58:21 -0700 Subject: [PATCH 65/79] Initial version of nginx parser roundtrip test --- certbot-compatibility-test/nginx/README | 27 ++++ .../79-configs/site-10033 | 34 +++++ .../79-configs/site-10571 | 71 +++++++++ .../79-configs/site-10591 | 38 +++++ .../79-configs/site-10920 | 16 +++ .../79-configs/site-10947 | 40 ++++++ .../79-configs/site-11018 | 37 +++++ .../79-configs/site-11046 | 36 +++++ .../79-configs/site-11382 | 29 ++++ .../79-configs/site-1167 | 38 +++++ .../79-configs/site-11849 | 36 +++++ .../79-configs/site-12027 | 29 ++++ .../79-configs/site-12235 | 33 +++++ .../79-configs/site-12649 | 45 ++++++ .../79-configs/site-13577 | 38 +++++ .../79-configs/site-14402 | 33 +++++ .../79-configs/site-14430 | 54 +++++++ .../79-configs/site-15141 | 36 +++++ .../79-configs/site-15270 | 38 +++++ .../79-configs/site-15291 | 112 +++++++++++++++ .../79-configs/site-15456 | 39 +++++ .../79-configs/site-15497 | 35 +++++ .../79-configs/site-15852 | 38 +++++ .../79-configs/site-16345 | 34 +++++ .../79-configs/site-17175 | 14 ++ .../79-configs/site-17832 | 32 +++++ .../79-configs/site-17942 | 32 +++++ .../79-configs/site-18018 | 36 +++++ .../79-configs/site-18069 | 39 +++++ .../79-configs/site-19334 | 39 +++++ .../79-configs/site-19639 | 39 +++++ .../79-configs/site-1966 | 36 +++++ .../79-configs/site-19791 | 34 +++++ .../79-configs/site-19955 | 36 +++++ .../79-configs/site-21369 | 33 +++++ .../79-configs/site-21549 | 32 +++++ .../79-configs/site-230 | 33 +++++ .../79-configs/site-23325 | 74 ++++++++++ .../79-configs/site-23470 | 56 ++++++++ .../79-configs/site-23791 | 33 +++++ .../79-configs/site-23803 | 32 +++++ .../79-configs/site-23838 | 32 +++++ .../79-configs/site-24125 | 7 + .../79-configs/site-24193 | 62 ++++++++ .../79-configs/site-24213 | 36 +++++ .../79-configs/site-25480 | 32 +++++ .../79-configs/site-26195 | 26 ++++ .../79-configs/site-26221 | 32 +++++ .../79-configs/site-26637 | 32 +++++ .../79-configs/site-26758 | 21 
+++ .../79-configs/site-27646 | 37 +++++ .../79-configs/site-27728 | 5 + .../79-configs/site-27736 | 32 +++++ .../79-configs/site-27812 | 36 +++++ .../79-configs/site-28050 | 36 +++++ .../79-configs/site-28690 | 32 +++++ .../79-configs/site-29159 | 33 +++++ .../79-configs/site-2951 | 67 +++++++++ .../79-configs/site-30011 | 37 +++++ .../79-configs/site-30571 | 31 ++++ .../79-configs/site-31900 | 33 +++++ .../79-configs/site-32190 | 4 + .../79-configs/site-32279 | 25 ++++ .../79-configs/site-32317 | 32 +++++ .../79-configs/site-32438 | 46 ++++++ .../79-configs/site-3483 | 32 +++++ .../79-configs/site-3507 | 44 ++++++ .../79-configs/site-3874 | 46 ++++++ .../79-configs/site-4035 | 31 ++++ .../79-configs/site-4143 | 33 +++++ .../79-configs/site-4264 | 12 ++ .../79-configs/site-5826 | 38 +++++ .../79-configs/site-5872 | 36 +++++ .../79-configs/site-6228 | 39 +++++ .../79-configs/site-7895 | 32 +++++ .../79-configs/site-8343 | 36 +++++ .../79-configs/site-8422 | 46 ++++++ .../79-configs/site-8637 | 40 ++++++ .../79-configs/site-8662 | 32 +++++ .../79-configs/site-9426 | 111 ++++++++++++++ .../activecolab/www.example.com.vhost | 44 ++++++ .../chive/chive-nginx-master/fastcgi.conf | 9 ++ .../chive/chive-nginx-master/fastcgi_params | 32 +++++ .../chive/chive-nginx-master/koi-utf | 109 ++++++++++++++ .../chive/chive-nginx-master/koi-win | 103 +++++++++++++ .../chive-nginx-master/map_https_fcgi.conf | 7 + .../chive/chive-nginx-master/mime.types | 77 ++++++++++ .../chive/chive-nginx-master/nginx.conf | 119 +++++++++++++++ .../chive-nginx-master/reverse_proxy.conf | 10 ++ .../sites-available/000-default | 19 +++ .../sites-available/chive.example.com.conf | 102 +++++++++++++ .../secure.chive.example.com.conf | 135 ++++++++++++++++++ .../upstream_phpapache.conf | 8 ++ .../chive-nginx-master/upstream_phpcgi.conf | 8 ++ .../chive/chive-nginx-master/win-utf | 126 ++++++++++++++++ .../cms-made-simple/nginx.conf | 17 +++ .../codeigniter/nginx-alt.conf | 25 ++++ 
.../codeigniter/nginx.conf | 22 +++ .../contao/sites-available/example.com.vhost | 41 ++++++ .../cs-cart/sites-available/example.com.vhost | 65 +++++++++ .../djangofastcgi/large.conf | 98 +++++++++++++ .../djangofastcgi/nginx.conf | 34 +++++ .../dokuwiki/dokuwiki.conf | 30 ++++ .../dokuwiki/drop.conf | 4 + .../dokuwiki/full.conf | 61 ++++++++ .../dokuwiki/nginx-no-ssl.conf | 29 ++++ .../dokuwiki/nginx.conf | 30 ++++ .../drupal/nginx.conf | 95 ++++++++++++ .../dynamic_ssi/nginx.conf | 39 +++++ .../nginx-roundtrip-testdata/elgg/nginx.conf | 84 +++++++++++ .../embeddedperlminifyjs/nginx.conf | 19 +++ .../embeddedperlsitemapsproxy/nginx.conf | 29 ++++ .../expressionengine/bad.conf | 24 ++++ .../expressionengine/better.conf | 24 ++++ .../expressionengine/yourpath.conf | 37 +++++ .../fastcgiexample/fastcgi.conf | 18 +++ .../fastcgiexample/nginx.conf | 6 + .../sites-available/www.example.com.vhost | 33 +++++ .../full-example/fastcgi.conf | 21 +++ .../full-example/mime.types | 48 +++++++ .../full-example/nginx.conf | 70 +++++++++ .../full-example/proxy.conf | 10 ++ .../fullexample2/nginx.conf | 126 ++++++++++++++++ .../nginx-roundtrip-testdata/geoip/nginx.conf | 9 ++ .../guide-to-nginx-ssl-spdy-hsts/nginx.conf | 120 ++++++++++++++++ .../hardwarelberrors/nginx.conf | 22 +++ .../sites-available/www.example.com.vhost | 66 +++++++++ .../nginx.conf | 39 +++++ .../nginx.conf | 27 ++++ .../imapproxyexample/nginx.conf | 38 +++++ .../imapproxyexample/proxy-example.conf | 20 +++ .../iphone-website-with-nginx/mobile.conf | 37 +++++ .../iphone-website-with-nginx/nginx.conf | 33 +++++ .../iredmail/iredadmin.conf | 31 ++++ .../iredmail/nginx.conf | 43 ++++++ .../javaservers/nginx.conf | 49 +++++++ .../joomla/nginx.conf | 39 +++++ .../likeapache/nginx.conf | 11 ++ .../loadbalanceexample/nginx.conf | 16 +++ .../mailman/nginx.conf | 37 +++++ .../mediawiki/nginx.conf | 44 ++++++ .../memcachepreload/sites-available/default | 12 ++ .../minio/sites-enabled/nginx.conf | 10 ++ 
.../nginx-roundtrip-testdata/mono/nginx.conf | 36 +++++ .../nginx-roundtrip-testdata/mybb/nginx.conf | 27 ++++ .../nonrootwebpath/nginx.conf | 7 + .../nginx-roundtrip-testdata/omeka/nginx.conf | 50 +++++++ .../oscommerce/nginx.conf | 50 +++++++ .../osticket/nginx.conf | 71 +++++++++ .../sites-available/www.example.com.vhost | 75 ++++++++++ .../sites-available/www.example.com.vhost | 66 +++++++++ .../php-fpm/default.conf | 9 ++ .../phpbb/nginx.sample.conf | 129 +++++++++++++++++ .../phpfastcgionwindows/nginx.conf | 8 ++ .../phpfcgi/fastcgi_params | 27 ++++ .../phpfcgi/nginx.conf | 10 ++ .../phplist/nginx.conf | 44 ++++++ .../nginx-roundtrip-testdata/piwik/nginx.conf | 70 +++++++++ .../pmwiki/nginx.conf | 39 +++++ .../sites-available/www.example.com.vhost | 75 ++++++++++ .../sites-available/www.example.com.vhost | 64 +++++++++ .../pylons/nginx.vhost.conf | 11 ++ .../pyrocms/drop.conf | 4 + .../pyrocms/fastcgi_params | 31 ++++ .../pyrocms/nginx.conf | 50 +++++++ .../qwebric/redirect.conf | 6 + .../qwebric/reverse-proxy.conf | 18 +++ .../sites-available/www.example.com.vhost | 46 ++++++ .../redmine/nginx.conf | 19 +++ .../reverseproxycachingexample/nginx.conf | 14 ++ .../sites-available/example.com.vhost.conf | 46 ++++++ .../nginx.conf | 20 +++ .../server_blocks/catchall.conf | 13 ++ .../server_blocks/two.conf | 17 +++ .../server_blocks/wildcard-subdomains.conf | 31 ++++ .../sites-available/www.example.com.vhost | 75 ++++++++++ .../sites-available/www.example.com.vhost | 53 +++++++ .../silverstripe/nginx.conf | 72 ++++++++++ .../simplecgi/nginx.conf | 26 ++++ .../sites-available/www.example.com.vhost | 78 ++++++++++ .../simplepythonfcgi/fastcgi.conf | 20 +++ .../simplepythonfcgi/nginx.conf | 17 +++ .../simplerubyfcgi/nginx.conf | 32 +++++ .../nginx-roundtrip-testdata/spip/nginx.conf | 24 ++++ .../sites-available/www.example.com.vhost | 39 +++++ .../symfony/nginx.conf | 54 +++++++ .../nginx-roundtrip-testdata/symfony/old.conf | 70 +++++++++ .../symfony/oldold.conf | 50 
+++++++ .../sites-available/www.example.com.vhost | 89 ++++++++++++ .../sites-available/www.example.com.vhost | 91 ++++++++++++ .../wordpress-caching/no-cache.conf | 41 ++++++ .../wordpress-caching/supercache.conf | 74 ++++++++++ .../wordpress-caching/total-cache.conf | 41 ++++++ .../totalcache-enhanced.conf | 64 +++++++++ .../wordpress/multisite-subdir.conf | 47 ++++++ .../wordpress/multisite-subdomain.conf | 39 +++++ .../wordpress/nginx.conf | 43 ++++++ .../xenforo/nginx.conf | 18 +++ .../nginx-roundtrip-testdata/yii/nginx.conf | 42 ++++++ .../nginx-roundtrip-testdata/zend/nginx.conf | 16 +++ .../zenphoto/nginx.conf | 93 ++++++++++++ .../nginx-roundtrip-testdata/zope/nginx.conf | 18 +++ certbot-compatibility-test/nginx/roundtrip.py | 34 +++++ 203 files changed, 8263 insertions(+) create mode 100644 certbot-compatibility-test/nginx/README create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10033 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10571 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10591 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10920 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10947 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11018 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11046 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11382 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1167 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11849 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12027 create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12235 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12649 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-13577 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14402 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14430 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15141 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15270 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15291 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15456 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15497 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15852 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-16345 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17175 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17832 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17942 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18018 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18069 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19334 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19639 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1966 create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19791 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19955 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21369 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21549 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-230 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23325 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23470 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23791 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23803 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23838 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24125 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24193 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24213 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-25480 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26195 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26221 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26637 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26758 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27646 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27728 create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27736 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27812 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28050 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28690 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-29159 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-2951 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30011 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30571 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-31900 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32190 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32279 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32317 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32438 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3483 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3507 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3874 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4035 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4143 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4264 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5826 create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5872 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-6228 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-7895 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8343 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8422 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8637 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8662 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-9426 create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/activecolab/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi_params create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-utf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-win create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/map_https_fcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/mime.types create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/reverse_proxy.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/000-default create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/chive.example.com.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/secure.chive.example.com.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/upstream_phpapache.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/upstream_phpcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/win-utf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/cms-made-simple/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/codeigniter/nginx-alt.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/codeigniter/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/contao/sites-available/example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/cs-cart/sites-available/example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/djangofastcgi/large.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/djangofastcgi/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dokuwiki/dokuwiki.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dokuwiki/drop.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dokuwiki/full.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dokuwiki/nginx-no-ssl.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dokuwiki/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/drupal/nginx.conf create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/dynamic_ssi/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/elgg/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/embeddedperlminifyjs/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/embeddedperlsitemapsproxy/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/expressionengine/bad.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/expressionengine/better.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/expressionengine/yourpath.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/fastcgiexample/fastcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/fastcgiexample/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/fengoffice/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/full-example/fastcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/full-example/mime.types create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/full-example/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/full-example/proxy.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/fullexample2/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/geoip/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/guide-to-nginx-ssl-spdy-hsts/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/hardwarelberrors/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/icinga/sites-available/www.example.com.vhost create 
mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/imapauthenticatewithapacheperlscript/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/imapauthenticatewithapachephpscript/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/imapproxyexample/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/imapproxyexample/proxy-example.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/iphone-website-with-nginx/mobile.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/iphone-website-with-nginx/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/iredmail/iredadmin.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/iredmail/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/javaservers/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/joomla/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/likeapache/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/loadbalanceexample/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/mailman/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/mediawiki/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/memcachepreload/sites-available/default create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/minio/sites-enabled/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/mono/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/mybb/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/nonrootwebpath/nginx.conf 
create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/omeka/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/oscommerce/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/osticket/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/owncloud/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/oxid-eshop/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/php-fpm/default.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/phpbb/nginx.sample.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/phpfastcgionwindows/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/phpfcgi/fastcgi_params create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/phpfcgi/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/phplist/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/piwik/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/pmwiki/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/prestashop/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/processwire/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/pylons/nginx.vhost.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/pyrocms/drop.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/pyrocms/fastcgi_params create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/pyrocms/nginx.conf create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/qwebric/redirect.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/qwebric/reverse-proxy.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/redaxo/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/redmine/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/reverseproxycachingexample/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/roundcube/sites-available/example.com.vhost.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/separateerrorloggingpervirtualhost/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/server_blocks/catchall.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/server_blocks/two.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/server_blocks/wildcard-subdomains.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/shopware/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/shopware4/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/silverstripe/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/simplecgi/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/simplegroupware/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/simplepythonfcgi/fastcgi.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/simplepythonfcgi/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/simplerubyfcgi/nginx.conf create mode 100644 
certbot-compatibility-test/nginx/nginx-roundtrip-testdata/spip/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/sugarcrm/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/symfony/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/symfony/old.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/symfony/oldold.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/typo3-4.6/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/typo3-6.2/sites-available/www.example.com.vhost create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress-caching/no-cache.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress-caching/supercache.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress-caching/total-cache.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress-caching/totalcache-enhanced.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress/multisite-subdir.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress/multisite-subdomain.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/wordpress/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/xenforo/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/yii/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/zend/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/zenphoto/nginx.conf create mode 100644 certbot-compatibility-test/nginx/nginx-roundtrip-testdata/zope/nginx.conf create mode 100644 
certbot-compatibility-test/nginx/roundtrip.py
diff --git a/certbot-compatibility-test/nginx/README b/certbot-compatibility-test/nginx/README
new file mode 100644
index 000000000..f32de2148
--- /dev/null
+++ b/certbot-compatibility-test/nginx/README
@@ -0,0 +1,27 @@
+Eventually there will also be a compatibility test here like the Apache one.
+
+Right now, this is data for the roundtrip test (checking that the parser
+can parse each file and that the reserialized config file it generates is
+identical to the original).
+
+If run in a virtualenv or otherwise so that certbot_nginx can be imported,
+the roundtrip test can run as
+
+python roundtrip.py nginx-roundtrip-testdata
+
+It gives exit status 0 for success and 1 if at least one parse or roundtrip
+failure occurred.
+
+
+The directory nginx-roundtrip-testdata includes some config files that were
+contributed to our project as well as most of the configs linked from
+
+https://www.nginx.com/resources/wiki/start/
+
+Some exceptions that were skipped are
+
+https://www.nginx.com/resources/wiki/start/topics/recipes/moinmoin/
+https://www.nginx.com/resources/wiki/start/topics/examples/SSL-Offloader/ (not much nginx configuration)
+https://www.nginx.com/resources/wiki/start/topics/examples/xsendfile/ (likewise)
+https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/
+https://www.nginx.com/resources/wiki/start/topics/examples/fcgiwrap/
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10033 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10033
new file mode 100644
index 000000000..19dc49444
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10033
@@ -0,0 +1,34 @@
+upstream django_server_random18709.example.org {
+ server unix:/srv/http/random22194/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random18709.example.org;
+
+ location /media/ {
+ alias /srv/http/random22194/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random22194/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random18709.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random22194/live/access.log combined_plus;
+ error_log /var/log/nginx/random22194/live/error.log;
+}
+
+server {
+ server_name www.random18709.example.org;
+ server_name random24607.example.org www.random24607.example.org;
+ return 301 http://random18709.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10571 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10571
new file mode 100644
index 000000000..fe95ac8dc
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10571
@@ -0,0 +1,71 @@
+upstream django_server_random1413.example.org {
+ server unix:/srv/http/random25151/live/website.sock;
+}
+
+server {
+ listen 443;
+ server_name www.random25266.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random25266.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random25266.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random25151/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random25151/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1413.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random25151/live/access.log combined_plus;
+ error_log /var/log/nginx/random25151/live/error.log;
+}
+
+
+server {
+ listen 443;
+ server_name random1413.example.org www.random1413.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random1413.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random1413.example.org.key;
+
+ location / {
+ return 301 https://www.random25266.example.org$request_uri;
+ }
+}
+
+server {
+ listen 443;
+ server_name random25266.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random25266.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random25266.example.org.key;
+
+ location / {
+ return 301 https://www.random25266.example.org$request_uri;
+ }
+}
+
+server {
+ listen 80;
+ server_name random1413.example.org www.random1413.example.org;
+ server_name random28524.example.org www.random28524.example.org;
+ server_name random25266.example.org www.random25266.example.org;
+ server_name random26791.example.org www.random26791.example.org;
+
+ location / {
+ return 301 https://www.random25266.example.org$request_uri;
+ }
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10591 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10591
new file mode 100644
index 000000000..103b56009
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10591
@@ -0,0 +1,38 @@
+upstream django_server_random11921.example.org {
+ server unix:/srv/http/random9726/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random11921.example.org www.random11921.example.org;
+
+ if ($host != 'random11921.example.org') {
+ rewrite ^/(.*)$ http://random11921.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random9726/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random9726/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random11921.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ error_page 502 503 504 /50x.html;
+ }
+
+ location /50x.html {
+ root /usr/share/nginx/www/;
+ }
+
+ access_log /var/log/nginx/random9726/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random9726/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10920 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10920
new file mode 100644
index 000000000..0f7c55762
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10920
@@ -0,0 +1,16 @@
+server {
+ listen 80 default;
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:81;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ access_log /var/log/nginx/random27802/access.log combined_plus;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10947 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10947
new file mode 100644
index 000000000..a09605d03
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-10947
@@ -0,0 +1,40 @@
+upstream django_server_acceptance.random8289.random17507.example.org {
+ server unix:/srv/http/random8289/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random23045.example.org;
+
+ location /media/ {
+ alias /srv/http/random8289/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random8289/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_acceptance.random8289.random17507.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ satisfy any;
+ auth_basic 'random8289 acceptance';
+ auth_basic_user_file /srv/http/random8289/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random8289/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random8289/acceptance/error.log;
+}
+
+server {
+ server_name www.random23045.example.org;
+ return 301 http://random23045.example.org$request_uri;
+}
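Review bot: The anonymisation of these contributed fixtures looks incomplete: in site-10947 the line `include /etc/nginx/allow_ytec_ips_params;` still carries what appears to be the contributor's organisation name, and the same include recurs in site-11046, site-12235 and site-15141. Other values that escaped the randomNNNN.example.org rewrite are `allow 89.188.25.162;` in site-1167 (apparently a real public address), `intern.random24211.org` in site-11046 and `acceptatie.random20374.nl` in site-15141. The roundtrip test only needs the token shapes, so I would swap these for reserved placeholders before merging. For example `allow 192.0.2.10;` (a constructed address from the RFC 5737 documentation range), an `.example.org` host name, and a neutral include name such as `allow_office_ips_params`.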
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11018 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11018
new file mode 100644
index 000000000..8aceca7ca
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11018
@@ -0,0 +1,37 @@
+upstream django_server_random24036.example.org {
+ server unix:/srv/http/random1006/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random24036.example.org;
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_types *;
+ gzip_vary on;
+ gzip_proxied any;
+
+ location ~ /media/(.*)$ {
+ alias /srv/http/random1006/live/website/static/$1;
+ expires 7d;
+ gzip on;
+ }
+
+
+ location / {
+ proxy_pass http://django_server_random24036.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random1006/live/access.log combined_plus;
+ error_log /var/log/nginx/random1006/live/error.log;
+}
+
+server {
+ server_name www.random24036.example.org;
+ server_name random32349.example.org www.random32349.example.org;
+ server_name random23794.example.org www.random23794.example.org;
+ rewrite ^ http://random24036.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11046 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11046
new file mode 100644
index 000000000..1d81e5b52
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11046
@@ -0,0 +1,36 @@
+upstream django_server_random25979.example.org {
+ server unix:/srv/http/random24211/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random25979.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random24211/internal/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random24211/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random25979.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random24211';
+ auth_basic_user_file /srv/http/random24211/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random24211/internal/access.log combined_plus;
+ error_log /var/log/nginx/random24211/internal/error.log;
+}
+
+server {
+ server_name www.random25979.example.org;
+ rewrite ^ http://intern.random24211.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11382 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11382
new file mode 100644
index 000000000..0dc1af725
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11382
@@ -0,0 +1,29 @@
+server {
+ listen 80;
+ listen 7891; # User0
+ listen 8080; # User1
+ listen 8900; # User2
+ listen 8912; # User3
+ listen 3567; # User4
+
+ server_name random666.example.org www.random666.example.org;
+
+ root /srv/http/random666.example.org;
+ index index.html index.htm;
+
+ location /duif_assets/ {
+ try_files $uri $uri/ =404;
+ }
+
+ location /index.html {
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^.+$ / break;
+ try_files $uri $uri/ =404;
+ }
+
+ access_log /var/log/nginx/random666.example.org/access.log combined_plus;
+ error_log /var/log/nginx/random666.example.org/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1167 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1167
new file mode 100644
index 000000000..13210b056
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1167
@@ -0,0 +1,38 @@
+upstream django_server_random23900.example.org {
+ server unix:/srv/http/random29467/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random23900.example.org www.random23900.example.org;
+
+ if ($host != 'random23900.example.org') {
+ rewrite ^/(.*)$ http://random23900.example.org/$1 permanent;
+ }
+
+ location ^~ /media/ {
+ alias /srv/http/random29467/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random29467/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random23900.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ satisfy any;
+ allow 89.188.25.162;
+ auth_basic "random29467 acceptance";
+ auth_basic_user_file htpasswords/random29467_acceptance;
+
+ }
+
+ access_log /var/log/nginx/random29467/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random29467/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11849 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11849
new file mode 100644
index 000000000..8a8c90b7e
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-11849
@@ -0,0 +1,36 @@
+upstream django_server_random3140.example.org {
+ server unix:/srv/http/random2912/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random3140.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random2912/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random2912/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random3140.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random2912/live/access.log combined_plus;
+ error_log /var/log/nginx/random2912/live/error.log;
+}
+
+server {
+ server_name www.random3140.example.org;
+ server_name random28398.example.org;
+ server_name random23689.example.org www.random23689.example.org;
+ server_name random25863.example.org www.random25863.example.org;
+
+ rewrite ^ http://random3140.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12027 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12027
new file mode 100644
index 000000000..9d74e2098
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12027
@@ -0,0 +1,29 @@
+upstream django_server_random6410.example.org {
+ server unix:/srv/http/random28641/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name www.random6410.example.org;
+
+ location ~ /static/(.*)$ {
+ alias /srv/http/random28641/live/website/static/$1;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random6410.example.org;
+ include /etc/nginx/proxy_params;
+
+ proxy_connect_timeout 240;
+ proxy_read_timeout 240;
+ }
+
+ access_log /var/log/nginx/random28641/live/access.log combined_plus;
+ error_log /var/log/nginx/random28641/live/error.log;
+}
+
+server {
+ server_name random6410.example.org;
+ rewrite ^ http://www.random6410.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12235 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12235
new file mode 100644
index 000000000..17ba72db4
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12235
@@ -0,0 +1,33 @@
+server {
+ server_name random18267.example.org;
+ gzip on;
+ gzip_min_length 2000;
+ gzip_proxied any;
+ gzip_types application/json;
+
+ client_max_body_size 30M;
+
+ root /srv/http/random23264/data;
+
+ # Security
+ satisfy any;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+
+ # try serving docs and (md5/immutable) directly
+ location ~ \+(f|doc)/ {
+ try_files $uri @proxy_to_app;
+ }
+ location / {
+ # XXX how to tell nginx to just refer to @proxy_to_app here?
+ try_files /.lqkwje @proxy_to_app;
+ }
+ location @proxy_to_app {
+ proxy_pass http://random20604.example.org:4040;
+ proxy_set_header X-outside-url $scheme://$host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ access_log /var/log/nginx/random23264/access.log combined_plus;
+ error_log /var/log/nginx/random23264/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12649 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12649
new file mode 100644
index 000000000..af5a22620
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-12649
@@ -0,0 +1,45 @@
+upstream django_server_random10305.example.org {
+ server unix:/srv/http/random23322/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random10305.example.org;
+
+ location /media/ {
+ alias /srv/http/random23322/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random23322/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random10305.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random23322/live/access.log combined_plus;
+ error_log /var/log/nginx/random23322/live/error.log;
+}
+
+server {
+ listen 80;
+
+ server_name random13399.example.org;
+ server_name www.random10305.example.org;
+ server_name random17958.example.org www.random17958.example.org;
+ server_name random15266.example.org www.random15266.example.org;
+ server_name random21296.example.org www.random21296.example.org;
+ server_name random5261.example.org www.random5261.example.org;
+ server_name random679.example.org www.random679.example.org;
+ server_name random31788.example.org www.random31788.example.org;
+ server_name random22704.example.org www.random22704.example.org;
+ server_name random17411.example.org www.random17411.example.org;
+
+ return 301 http://random10305.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-13577 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-13577
new file mode 100644
index 000000000..d7a17f76e
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-13577
@@ -0,0 +1,38 @@
+upstream django_server_random30837.example.org {
+ server unix:/srv/http/random30992/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name www.random30837.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random30992/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random30992/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random30837.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random30992/live/access.log combined_plus;
+ error_log /var/log/nginx/random30992/live/error.log;
+}
+
+server {
+ server_name random30837.example.org;
+ server_name random3263.example.org www.random3263.example.org;
+ server_name random6771.example.org www.random6771.example.org;
+ server_name random17696.example.org www.random17696.example.org;
+ server_name random7179.example.org www.random7179.example.org;
+ server_name random8127.example.org www.random8127.example.org;
+
+ rewrite ^ http://www.random30837.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14402 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14402
new file mode 100644
index 000000000..ca9ca2f61
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14402
@@ -0,0 +1,33 @@
+upstream django_server_random17705.example.org {
+ server unix:/srv/http/random8289/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random17705.example.org;
+
+ location /media/ {
+ alias /srv/http/random8289/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random8289/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random17705.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random8289/internal/access.log combined_plus;
+ error_log /var/log/nginx/random8289/internal/error.log;
+}
+
+server {
+ server_name www.random17705.example.org;
+ return 301 http://random17705.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14430 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14430
new file mode 100644
index 000000000..7caf7b2a4
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-14430
@@ -0,0 +1,54 @@
+upstream django_server_random17507.example.org {
+ server unix:/srv/http/random7740/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random17507.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random7740/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random7740/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random17507.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random7740/live/access.log combined_plus;
+ error_log /var/log/nginx/random7740/live/error.log;
+}
+
+server {
+ server_name www.random17507.example.org;
+ server_name random31197.example.org www.random31197.example.org;
+ server_name random19579.example.org www.random19579.example.org;
+ server_name random16629.example.org www.random16629.example.org;
+ server_name random28363.example.org www.random28363.example.org;
+ server_name random30185.example.org www.random30185.example.org;
+ server_name random22326.example.org www.random22326.example.org;
+ server_name random3622.example.org www.random3622.example.org;
+ server_name random1463.example.org www.random1463.example.org;
+ server_name random23341.example.org www.random23341.example.org;
+ server_name random2214.example.org www.random2214.example.org;
+ server_name random22684.example.org www.random22684.example.org;
+ server_name random6606.example.org www.random6606.example.org;
+ server_name random29138.example.org www.random29138.example.org;
+ server_name random15109.example.org www.random15109.example.org;
+ server_name random8002.example.org www.random8002.example.org;
+ server_name random16836.example.org www.random16836.example.org;
+ server_name random22283.example.org www.random22283.example.org;
+
+ location = /googleXXXXXXXXXXXXXXXX.html {
+ alias /srv/http/random7740/live/website/templates/googleXXXXXXXXXXXXXXXX.html;
+ }
+
+ rewrite ^ http://random17507.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15141 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15141
new file mode 100644
index 000000000..2b2689f09
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15141
@@ -0,0 +1,36 @@
+upstream django_server_acceptatie.random20374.nl {
+ server unix:/srv/http/random20374/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random28586.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random20374/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random20374/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_acceptatie.random20374.nl;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random20374';
+ auth_basic_user_file /srv/http/random20374/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random20374/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random20374/acceptance/error.log;
+}
+
+server {
+ server_name www.random28586.example.org;
+ rewrite ^ http://random28586.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15270 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15270
new file mode 100644
index 000000000..b4f4bd61c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15270
@@ -0,0 +1,38 @@
+upstream django_server_random6822.example.org {
+ server unix:/srv/http/random7047/live/website.sock;
+}
+
+server {
+ listen 8443;
+ server_name random6822.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random6822.example.org.complete-bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random6822.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random7047/live/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random7047/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random6822.example.org;
+ include /etc/nginx/proxy_params;
+ }
+
+ access_log /var/log/nginx/random7047/live/access.log combined_plus;
+ error_log /var/log/nginx/random7047/live/error.log;
+}
+
+server {
+ listen 80;
+ server_name random6822.example.org;
+
+ rewrite ^/(.*) https://random6822.example.org:8443/$1;
+}
+
+
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15291 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15291
new file mode 100644
index 000000000..fa09bed93
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15291
@@ -0,0 +1,112 @@
+# You may add here your
+# server {
+# ...
+# }
+# statements for each of your virtual hosts to this file
+
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# http://wiki.nginx.org/Pitfalls
+# http://wiki.nginx.org/QuickStart
+# http://wiki.nginx.org/Configuration
+#
+# Generally, you will want to move this file somewhere, and start with a clean
+# file but keep this around for reference. Or just disable in sites-enabled.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server ipv6only=on;
+
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+
+ # Make site accessible from http://random20604.example.org/
+ server_name random20604.example.org;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ # Uncomment to enable naxsi on this location
+ # include /etc/nginx/naxsi.rules
+ }
+
+ # Only for nginx-naxsi used with nginx-naxsi-ui : process denied requests
+ #location /RequestDenied {
+ # proxy_pass http://127.0.0.1:8080;
+ #}
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /usr/share/nginx/html;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ #
+ # # With php5-cgi alone:
+ # fastcgi_pass 127.0.0.1:9000;
+ # # With php5-fpm:
+ # fastcgi_pass unix:/var/run/php5-fpm.sock;
+ # fastcgi_index index.php;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# another virtual host using mix of IP-, name-, and port-based configuration
+#
+#server {
+# listen 8000;
+# listen random20605.example.org:8080;
+# server_name random20605.example.org alias another.alias;
+# root html;
+# index index.html index.htm;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
+
+
+# HTTPS server
+#
+#server {
+# listen 443;
+# server_name random20604.example.org;
+#
+# root html;
+# index index.html index.htm;
+#
+# ssl on;
+# ssl_certificate cert.pem;
+# ssl_certificate_key cert.key;
+#
+# ssl_session_timeout 5m;
+#
+# ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
+# ssl_prefer_server_ciphers on;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15456 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15456
new file mode 100644
index 000000000..273694b51
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15456
@@ -0,0 +1,39 @@
+upstream django_server_random29275.example.org {
+ server unix:/srv/http/random14353/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random29275.example.org;
+
+ location /media/ {
+ alias /srv/http/random14353/internal/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random14353/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random29275.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ satisfy any;
+ auth_basic 'internal for random14353';
+ auth_basic_user_file /srv/http/random14353/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random14353/internal/access.log;
+ error_log /var/log/nginx/random14353/internal/error.log;
+}
+
+server {
+ server_name www.random29275.example.org;
+ return 301 http://random29275.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15497 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15497
new file mode 100644
index 000000000..86a8980d2
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15497
@@ -0,0 +1,35 @@
+upstream django_server_random16112.example.org {
+ server unix:/srv/http/random29227/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random16112.example.org;
+
+ location /media/ {
+ alias /srv/http/random29227/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random29227/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random16112.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random29227/live/access.log combined_plus;
+ error_log /var/log/nginx/random29227/live/error.log;
+}
+server {
+ server_name random5297.example.org www.random5297.example.org;
+ server_name random17050.example.org www.random17050.example.org;
+ server_name www.random16112.example.org;
+
+ return 301 http://random16112.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15852 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15852
new file mode 100644
index 000000000..32b88c62f
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-15852
@@ -0,0 +1,38 @@
+upstream django_server_random7474.example.org {
+ server unix:/srv/http/random4886/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random7474.example.org;
+
+ location /media/ {
+ alias /srv/http/random4886/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random4886/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random7474.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random4886';
+ auth_basic_user_file /srv/http/random4886/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ client_max_body_size 20m;
+
+ access_log /var/log/nginx/random4886/acceptance/access.log;
+ error_log /var/log/nginx/random4886/acceptance/error.log;
+}
+
+server {
+ server_name www.random7474.example.org;
+ return 301 http://random7474.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-16345 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-16345
new file mode 100644
index 000000000..ac8ce609c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-16345
@@ -0,0 +1,34 @@
+upstream django_server_random25713.example.org {
+ server unix:/srv/http/random24922/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random25713.example.org;
+
+ location /media/ {
+ alias /srv/http/random24922/live/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random24922/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random25713.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random24922/live/access.log;
+ error_log /var/log/nginx/random24922/live/error.log;
+}
+
+server {
+ server_name www.random25713.example.org;
+ return 301 http://random25713.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17175 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17175
new file mode 100644
index 000000000..e733a70ed
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17175
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+ server_name random25647.example.org www.random25647.example.org random10963.example.org www.random10963.example.org;
+
+ if ($host != 'random25647.example.org') {
+ rewrite ^/(.*)$ http://random25647.example.org/$1 permanent;
+ }
+
+ index index.html index.htm;
+ root /srv/http/random11461/countdown/;
+
+ access_log /var/log/nginx/random11461/live/access.log combined_plus;
+ error_log /var/log/nginx/random11461/live/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17832 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17832
new file mode 100644
index 000000000..4a0967de8
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17832
@@ -0,0 +1,32 @@
+upstream django_server_random6430.example.org {
+ server unix:/srv/http/random550/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random6430.example.org;
+
+ location /media/ {
+ alias /srv/http/random550/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random550/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random6430.example.org;
+ include /etc/nginx/django_proxy_params;
+
+ }
+
+ access_log /var/log/nginx/random550/internal/access.log combined_plus;
+ error_log /var/log/nginx/random550/internal/error.log;
+}
+
+server {
+ server_name www.random6430.example.org;
+ return 301 http://random6430.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17942 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17942
new file mode 100644
index 000000000..a3b10eed6
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-17942
@@ -0,0 +1,32 @@
+upstream django_server_random25647.example.org {
+ server unix:/srv/http/random11461/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random25647.example.org www.random25647.example.org random10963.example.org www.random10963.example.org;
+
+ if ($host != 'random25647.example.org') {
+ rewrite ^/(.*)$ http://random25647.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random11461/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random11461/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random25647.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random11461/live/access.log combined_plus;
+ error_log /var/log/nginx/random11461/live/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18018 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18018
new file mode 100644
index 000000000..63b68d6ff
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18018
@@ -0,0 +1,36 @@
+upstream django_server_intern.random20374.nl {
+ server unix:/srv/http/random20374/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random23818.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random20374/internal/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random20374/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_intern.random20374.nl;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random20374';
+ auth_basic_user_file /srv/http/random20374/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random20374/internal/access.log combined_plus;
+ error_log /var/log/nginx/random20374/internal/error.log;
+}
+
+server {
+ server_name www.random23818.example.org;
+ rewrite ^ http://random23818.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18069 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18069
new file mode 100644
index 000000000..d6d4e5bea
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-18069
@@ -0,0 +1,39 @@
+upstream django_server_random7949.example.org {
+ server unix:/srv/http/random1006/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random7949.example.org;
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_types *;
+ gzip_vary on;
+ gzip_proxied any;
+
+ location ~ /media/(.*)$ {
+ alias /srv/http/random1006/acceptance/website/static/$1;
+ expires 7d;
+ gzip on;
+ }
+
+
+ location / {
+ proxy_pass http://django_server_random7949.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random1006';
+ auth_basic_user_file /srv/http/random1006/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random1006/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random1006/acceptance/error.log;
+}
+
+server {
+ server_name www.random7949.example.org;
+ rewrite ^ http://random7949.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19334 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19334
new file mode 100644
index 000000000..2609e2080
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19334
@@ -0,0 +1,39 @@
+upstream django_server_random1515.example.org {
+ server unix:/srv/http/random15255/acceptance/website.sock fail_timeout=5;
+}
+
+server {
+ listen 80;
+ server_name random1515.example.org www.random1515.example.org;
+
+ if ($host != 'random1515.example.org') {
+ rewrite ^/(.*)$ http://random1515.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random15255/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random15255/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1515.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ satisfy any;
+ auth_basic 'random191 acceptance';
+ auth_basic_user_file /srv/http/random15255/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random15255/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random15255/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19639 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19639
new file mode 100644
index 000000000..617472e0d
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19639
@@ -0,0 +1,39 @@
+upstream django_server_live.random8289.random17507.example.org {
+ server unix:/srv/http/random8289/live/website.sock;
+}
+
+server {
+ listen 443;
+ server_name random23886.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random23886.example.org.complete-bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random23886.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random8289/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random8289/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_live.random8289.random17507.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random8289/live/access.log combined_plus;
+ error_log /var/log/nginx/random8289/live/error.log;
+}
+
+server {
+ listen 80;
+ server_name random23886.example.org;
+ return 301 https://random23886.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1966 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1966
new file mode 100644
index 000000000..41aaef04d
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-1966
@@ -0,0 +1,36 @@
+upstream django_server_random31523.example.org {
+ server unix:/srv/http/random16722.example.org/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random31523.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random16722.example.org/internal/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random16722.example.org/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random31523.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random16722.example.org';
+ auth_basic_user_file /srv/http/random16722.example.org/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random16722.example.org/internal/access.log combined_plus;
+ error_log /var/log/nginx/random16722.example.org/internal/error.log;
+}
+
+server {
+ server_name www.random31523.example.org;
+ rewrite ^ http://random31523.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19791 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19791
new file mode 100644
index 000000000..6e3112ad8
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19791
@@ -0,0 +1,34 @@
+upstream django_server_random1413.example.org {
+ server unix:/srv/http/random25151/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random1413.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random25151/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random25151/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1413.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random25151/live/access.log combined_plus;
+ error_log /var/log/nginx/random25151/live/error.log;
+}
+
+server {
+ server_name www.random1413.example.org;
+ server_name random28524.example.org www.random28524.example.org;
+ rewrite ^ http://random1413.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19955 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19955
new file mode 100644
index 000000000..20d718409
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-19955
@@ -0,0 +1,36 @@
+upstream django_server_random9619.example.org {
+ server unix:/srv/http/random28641/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random9619.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random28641/internal/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random28641/internal/website/static/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random9619.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random28641';
+ auth_basic_user_file /srv/http/random28641/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random28641/internal/access.log combined_plus;
+ error_log /var/log/nginx/random28641/internal/error.log;
+}
+
+server {
+ server_name www.random9619.example.org;
+ rewrite ^ http://random9619.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21369 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21369
new file mode 100644
index 000000000..5650efb4c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21369
@@ -0,0 +1,33 @@
+upstream django_server_random31758.example.org {
+ server unix:/srv/http/random21623/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random31758.example.org www.random31758.example.org;
+
+ if ($host != 'random31758.example.org') {
+ rewrite ^/(.*)$ http://random31758.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random21623/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random21623/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random31758.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random21623/internal/access.log combined_plus;
+ error_log /var/log/nginx/random21623/internal/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21549 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21549
new file mode 100644
index 000000000..85576da76
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-21549
@@ -0,0 +1,32 @@
+upstream django_server_random1688.example.org {
+ server unix:/srv/http/random6470/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random5078.example.org random1688.example.org www.random1688.example.org;
+
+ if ($host != 'random5078.example.org') {
+ rewrite ^/(.*)$ http://random5078.example.org/$1 permanent;
+ }
+
+ location ^~ /media/ {
+ alias /srv/http/random6470/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random6470/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1688.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random6470/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random6470/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-230 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-230
new file mode 100644
index 000000000..00d1d2b0b
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-230
@@ -0,0 +1,33 @@
+upstream django_server_random22746.example.org {
+ server unix:/srv/http/random6344/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random22746.example.org;
+
+ if ($host != 'random22746.example.org') {
+ rewrite ^/(.*)$ http://random22746.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random6344/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random6344/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random22746.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random6344/internal/access.log combined_plus;
+ error_log /var/log/nginx/random6344/internal/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23325 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23325
new file mode 100644
index 000000000..5b91f0eaf
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23325
@@ -0,0 +1,74 @@
+upstream django_server_random15255_live {
+ server unix:/srv/http/random15255/live/website.sock fail_timeout=5;
+}
+
+server {
+ listen 443;
+ server_name random7381.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random15255/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+
+ location /static/ {
+ alias /srv/http/random15255/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random15255_live;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random15255/live/access.log combined_plus;
+ error_log /var/log/nginx/random15255/live/error.log;
+}
+
+server {
+ listen 80;
+ server_name random7381.example.org www.random7381.example.org;
+
+ return 301 https://random7381.example.org$request_uri;
+}
+
+server {
+ listen 8445;
+ server_name random7381.example.org www.random7381.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
+
+ return 301 https://random7381.example.org$request_uri;
+}
+
+server {
+ listen 1000;
+ server_name random7381.example.org www.random7381.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
+
+ return 301 https://random7381.example.org$request_uri;
+}
+
+server {
+ listen 443;
+ server_name www.random7381.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random7381.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7381.example.org.key;
+
+ return 301 https://random7381.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23470 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23470
new file mode 100644
index 000000000..4f78b645b
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23470
@@ -0,0 +1,56 @@
+upstream django_server_random27579.example.org {
+ server unix:/srv/http/random21623/live/website.sock;
+}
+
+server {
+ listen 443;
+ server_name random27579.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random27579.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random27579.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random21623/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random21623/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random27579.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random21623/live/access.log combined_plus;
+ error_log /var/log/nginx/random21623/live/error.log;
+}
+
+server {
+ listen 443;
+ server_name www.random27579.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random27579.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random27579.example.org.key;
+
+ return 301 https://random27579.example.org$request_uri;
+}
+
+server {
+ listen 80;
+
+ server_name random27579.example.org www.random27579.example.org random11512.example.org;
+ server_name random18003.example.org www.random18003.example.org;
+ server_name random26730.example.org www.random26730.example.org;
+ server_name random3968.example.org www.random3968.example.org;
+ server_name random11925.example.org www.random11925.example.org;
+
+ return 301 https://random27579.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23791 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23791
new file mode 100644
index 000000000..25933cebb
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23791
@@ -0,0 +1,33 @@
+upstream django_server_random31057.example.org {
+ server unix:/srv/http/random22194/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random31057.example.org www.random31057.example.org;
+
+ if ($host != 'random31057.example.org') {
+ rewrite ^/(.*)$ http://random31057.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random22194/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random22194/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random31057.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 120;
+ }
+
+ access_log /var/log/nginx/random22194/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random22194/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23803 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23803
new file mode 100644
index 000000000..9db2c07f5
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23803
@@ -0,0 +1,32 @@
+upstream django_server_random16722.example.org {
+ server unix:/srv/http/random16722.example.org/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random16722.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random16722.example.org/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random16722.example.org/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random16722.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random16722.example.org/live/access.log combined_plus;
+ error_log /var/log/nginx/random16722.example.org/live/error.log;
+}
+
+server {
+ server_name www.random16722.example.org;
+ rewrite ^ http://random16722.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23838 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23838
new file mode 100644
index 000000000..7bd3f2778
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-23838
@@ -0,0 +1,32 @@
+upstream django_server_random14388.example.org {
+ server unix:/srv/http/random4886/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random14388.example.org;
+
+ location /media/ {
+ alias /srv/http/random4886/live/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random4886/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random14388.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random4886/live/access.log;
+ error_log /var/log/nginx/random4886/live/error.log;
+}
+
+server {
+ server_name www.random14388.example.org;
+ return 301 http://random14388.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24125 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24125
new file mode 100644
index 000000000..f7efda324
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24125
@@ -0,0 +1,7 @@
+server {
+ listen 80;
+ server_name random14996.example.org;
+
+ root /srv/http/random23392/;
+ index index.html;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24193 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24193
new file mode 100644
index 000000000..1d2b7ec83
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24193
@@ -0,0 +1,62 @@
+upstream django_server_random6177.example.org {
+ server unix:/srv/http/random550/live/website.sock;
+}
+
+server {
+ listen 443 ssl;
+ server_name random2179.example.org;
+
+ ssl_certificate /etc/ssl/public/random2179.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random2179.example.org.key;
+
+
+ location /media/ {
+ alias /srv/http/random550/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random550/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random6177.example.org;
+ include /etc/nginx/django_proxy_params;
+ }
+
+ access_log /var/log/nginx/random550/live/access.log combined_plus;
+ error_log /var/log/nginx/random550/live/error.log;
+}
+
+server {
+ listen 80;
+ server_name random2179.example.org;
+
+ location /media/ {
+ alias /srv/http/random550/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random550/live/static_collected/;
+ expires 7d;
+ }
+
+ #location = / {
+ # return 301 https://random2179.example.org$request_uri;
+ #}
+
+ location / {
+ proxy_pass http://django_server_random6177.example.org;
+ include /etc/nginx/django_proxy_params;
+ }
+
+ access_log /var/log/nginx/random550/live/access_http.log combined_plus;
+ error_log /var/log/nginx/random550/live/error_http.log;
+}
+
+server {
+ server_name random6177.example.org www.random6177.example.org;
+ return 301 http://random2179.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24213 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24213
new file mode 100644
index 000000000..b23aeae19
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-24213
@@ -0,0 +1,36 @@
+upstream django_server_random22047.example.org {
+ server unix:/srv/http/random26975/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random22047.example.org;
+
+ location /media/ {
+ alias /srv/http/random26975/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random26975/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random22047.example.org;
+ include /etc/nginx/django_proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random26975';
+ auth_basic_user_file /srv/http/random26975/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random26975/acceptance/access.log;
+ error_log /var/log/nginx/random26975/acceptance/error.log;
+}
+
+server {
+ server_name www.random22047.example.org;
+ return 301 http://random22047.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-25480 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-25480
new file mode 100644
index 000000000..7628d27d2
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-25480
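Review bot: The anonymisation of this fixture looks incomplete: hostnames and paths were replaced with `randomNNNN` tokens, but `include /etc/nginx/allow_ytec_ips_params;` in the `location /` block of site-24213 still carries what reads like the source organisation's name. The same token appears in later fixtures (site-27646, site-27812, site-28050, site-29159, site-30011, site-32317, and commented out in site-32438), site-2951 additionally keeps an internal ticket reference in `# See ytec #6244`, and site-4264 names a host in its opening comment. Since these files are published with the repository, I would run the same substitution over include-file names and comments before committing, e.g. `include /etc/nginx/allow_randomNNNN_ips_params;` (placeholder name), which leaves the shape of the parser input unchanged.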
@@ -0,0 +1,32 @@
+upstream django_server_random6193.example.org {
+ server unix:/srv/http/random4755/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random6193.example.org www.random6193.example.org;
+
+ if ($host != 'random6193.example.org') {
+ rewrite ^/(.*)$ http://random6193.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random4755/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random4755/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random6193.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random4755/live/access.log combined_plus;
+ error_log /var/log/nginx/random4755/live/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26195 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26195
new file mode 100644
index 000000000..232935a51
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26195
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+ server_name www.random25446.example.org random25446.example.org;
+
+ if ($host != 'random25446.example.org') {
+ rewrite ^/(.*)$ http://random25446.example.org/$1 permanent;
+ }
+
+ location ^~ /media {
+ alias /srv/http/random17476/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location ^~ /static {
+ alias /srv/http/random17476/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ include fastcgi_params;
+ fastcgi_pass unix:/srv/http/random17476/internal/website.sock;
+ }
+
+ access_log /var/log/nginx/random17476/internal/access.log combined_plus;
+ error_log /var/log/nginx/random17476/internal/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26221 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26221
new file mode 100644
index 000000000..8e5893d61
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26221
@@ -0,0 +1,32 @@
+upstream django_server_random4030.example.org {
+ server unix:/srv/http/random26975/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random4030.example.org;
+
+ location /media/ {
+ alias /srv/http/random26975/live/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random26975/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random4030.example.org;
+ include /etc/nginx/django_proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random26975/live/access.log;
+ error_log /var/log/nginx/random26975/live/error.log;
+}
+
+server {
+ server_name www.random4030.example.org;
+ return 301 http://random4030.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26637 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26637
new file mode 100644
index 000000000..3ef549982
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26637
@@ -0,0 +1,32 @@
+upstream django_server_random5890.example.org {
+ server unix:/srv/http/random4755/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random5890.example.org;
+
+ if ($host != 'random5890.example.org') {
+ rewrite ^/(.*)$ http://random5890.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random4755/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random4755/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random5890.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random4755/internal/access.log combined_plus;
+ error_log /var/log/nginx/random4755/internal/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26758 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26758
new file mode 100644
index 000000000..f7cfb854c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-26758
@@ -0,0 +1,21 @@
+server {
+ listen 80 default_server;
+ #listen [::]:80 default_server ipv6only=on;
+ root /var/www/default/;
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ access_log /var/log/nginx/access.log combined_plus;
+ error_log /var/log/nginx/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27646 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27646
new file mode 100644
index 000000000..9328e2943
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27646
@@ -0,0 +1,37 @@
+upstream django_server_random10783.example.org {
+ server unix:/srv/http/random4711/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random10783.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random4711/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random4711/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random10783.example.org;
+ include /etc/nginx/proxy_params;
+ proxy_read_timeout 4m;
+
+ satisfy any;
+ auth_basic 'acceptance for random4711';
+ auth_basic_user_file /srv/http/random4711/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random4711/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random4711/acceptance/error.log;
+}
+
+server {
+ server_name www.random10783.example.org;
+ rewrite ^ http://random10783.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27728 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27728
new file mode 100644
index 000000000..fdef2900c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27728
@@ -0,0 +1,5 @@
+server {
+ location =/ {
+ return 404;
+ }
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27736 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27736
new file mode 100644
index 000000000..5f579971a
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27736
@@ -0,0 +1,32 @@
+upstream django_server_random17112.example.org {
+ server unix:/srv/http/random29467/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random17112.example.org www.random17112.example.org;
+
+ if ($host != 'random17112.example.org') {
+ rewrite ^/(.*)$ http://random17112.example.org/$1 permanent;
+ }
+
+ location ^~ /media/ {
+ alias /srv/http/random29467/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random29467/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random17112.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random29467/live/access.log combined_plus;
+ error_log /var/log/nginx/random29467/live/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27812 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27812
new file mode 100644
index 000000000..8e455eb9b
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-27812
@@ -0,0 +1,36 @@
+upstream django_server_random1296.example.org {
+ server unix:/srv/http/random2912/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random1296.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random2912/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random2912/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1296.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random2912';
+ auth_basic_user_file /srv/http/random2912/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random2912/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random2912/acceptance/error.log;
+}
+
+server {
+ server_name www.random1296.example.org;
+ rewrite ^ http://random1296.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28050 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28050
new file mode 100644
index 000000000..3d0ac97ae
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28050
@@ -0,0 +1,36 @@
+upstream django_server_random11685.example.org {
+ server unix:/srv/http/random4886/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random11685.example.org;
+
+ location /media/ {
+ alias /srv/http/random4886/internal/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random4886/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random11685.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random4886';
+ auth_basic_user_file /srv/http/random4886/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random4886/internal/access.log;
+ error_log /var/log/nginx/random4886/internal/error.log;
+}
+
+server {
+ server_name www.random11685.example.org;
+ return 301 http://random11685.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28690 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28690
new file mode 100644
index 000000000..69bcb26c0
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-28690
@@ -0,0 +1,32 @@
+upstream django_server_random16112.example.org {
+ server unix:/srv/http/random24645/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random16112.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random24645/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random24645/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random16112.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random24645/live/access.log;
+ error_log /var/log/nginx/random24645/live/error.log;
+}
+
+server {
+ server_name www.random16112.example.org;
+ rewrite ^ http://random16112.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-29159 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-29159
new file mode 100644
index 000000000..be6481eae
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-29159
@@ -0,0 +1,33 @@
+upstream django_server_random29198.example.org {
+ server unix:/srv/http/random28641/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random29198.example.org;
+
+ location ~ /static/(.*)$ {
+ alias /srv/http/random28641/acceptance/website/static/$1;
+ expires 7d;
+ }
+
+
+ location / {
+ proxy_pass http://django_server_random29198.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random28641';
+ auth_basic_user_file /srv/http/random28641/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random28641/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random28641/acceptance/error.log;
+}
+
+server {
+ server_name www.random29198.example.org;
+ rewrite ^ http://random29198.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-2951 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-2951
new file mode 100644
index 000000000..683aa3226
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-2951
@@ -0,0 +1,67 @@
+server {
+ listen 80;
+ #listen [::]:80 default_server ipv6only=on;
+ root /var/www/random616_log/;
+ server_name random12800.example.org;
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ location ~ /\.ht {
+ deny all;
+ }
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random12543/access.log combined_plus;
+ error_log /var/log/nginx/random12543/error.log;
+}
+
+server {
+ listen 443 default_server;
+ #listen [::]:443 default_server ipv6only=on;
+ root /var/www/random616_log/;
+ server_name random12800.example.org;
+
+ # We created (will create) this SSL certificate ourselves, using our own CA. This way, we can control strictly which CA the XXX trusts.
+ # See ytec #6244
+ # However, we're working on a fix for high SSL overhead. We're hoping to be able to keep the connections open between log POSTs, like SSL can.
+ ssl on;
+ ssl_certificate /etc/ssl/public/random12800.example.org.crt;
+ ssl_certificate_key /etc/ssl/private/random12800.example.org.key;
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ location ~ /\.ht {
+ deny all;
+ }
+
+ access_log /var/log/nginx/random12543/access.log combined_plus;
+ error_log /var/log/nginx/random12543/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30011 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30011
new file mode 100644
index 000000000..479edac5d
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30011
@@ -0,0 +1,37 @@
+upstream django_server_random12785.example.org {
+ server unix:/srv/http/random14353/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random12785.example.org;
+
+ location /media/ {
+ alias /srv/http/random14353/live/dynamic/public/;
+ expires 7d;
+ }
+ location /static/ {
+ alias /srv/http/random14353/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random12785.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ satisfy any;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random14353/live/access.log;
+ error_log /var/log/nginx/random14353/live/error.log;
+}
+
+server {
+ server_name www.random12785.example.org;
+ return 301 http://random12785.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30571 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30571
new file mode 100644
index 000000000..84e44dd7c
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-30571
@@ -0,0 +1,31 @@
+upstream django_server_random7150.example.org {
+ server unix:/srv/http/random550/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random7150.example.org;
+
+ location /media/ {
+ alias /srv/http/random550/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random550/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random7150.example.org;
+ include /etc/nginx/django_proxy_params;
+ }
+
+ access_log /var/log/nginx/random550/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random550/acceptance/error.log;
+}
+
+server {
+ server_name www.random7150.example.org;
+ return 301 http://random7150.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-31900 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-31900
new file mode 100644
index 000000000..648693cbc
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-31900
@@ -0,0 +1,33 @@
+upstream django_server_random31131.example.org {
+ server unix:/srv/http/random24334/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random31131.example.org;
+
+ location /media/ {
+ alias /srv/http/random24334/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random24334/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random31131.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random24334/internal/access.log combined_plus;
+ error_log /var/log/nginx/random24334/internal/error.log;
+}
+
+server {
+ server_name www.random31131.example.org;
+ return 301 http://random31131.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32190 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32190
new file mode 100644
index 000000000..8c7738c03
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32190
@@ -0,0 +1,4 @@
+server {
+ server_name www.random5115;
+ return 301 http://www.random10305.example.org;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32279 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32279
new file mode 100644
index 000000000..16f4e5e9e
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32279
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ root /home/admin/random19651_log/;
+ server_name random16339.example.org;
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+
+ # With php5-fpm:
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi_params;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ location ~ /\.ht {
+ deny all;
+ }
+
+ access_log /var/log/nginx/random4235/access.log combined_plus;
+ error_log /var/log/nginx/random4235/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32317 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32317
new file mode 100644
index 000000000..e9c986ff1
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32317
@@ -0,0 +1,32 @@
+upstream django_server_random21989.example.org {
+ server unix:/srv/http/random28136/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random21989.example.org;
+
+ location ~ /static/(.*)$ {
+ alias /srv/http/random28136/acceptance/website/static/$1;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random21989.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'acceptance for random28136';
+ auth_basic_user_file /srv/http/random28136/acceptance/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random28136/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random28136/acceptance/error.log;
+}
+
+server {
+ server_name www.random21989.example.org;
+ rewrite ^ http://random21989.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32438 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32438
new file mode 100644
index 000000000..66929620f
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-32438
@@ -0,0 +1,46 @@
+upstream django_server_random1769.example.org {
+ server unix:/srv/http/random7047/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random1769.example.org;
+
+ if ($host != 'random1769.example.org') {
+ rewrite ^/(.*)$ http://random1769.example.org/$1 permanent;
+ }
+
+ rewrite ^/(.*) https://$host:8444/$1;
+}
+
+server {
+ listen 8444;
+ server_name random1769.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random6822.example.org.crt;
+ ssl_certificate_key /etc/ssl/private/random6822.example.org.key;
+
+ location ^~ /media/ {
+ alias /srv/http/random7047/acceptance/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random7047/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1769.example.org;
+ include /etc/nginx/proxy_params;
+
+ #satisfy any;
+ #auth_basic 'acceptance for random7047';
+ #auth_basic_user_file /srv/http/random7047/acceptance/htpasswords;
+ #include /etc/nginx/allow_ytec_ips_params;
+ #deny all;
+ }
+
+ access_log /var/log/nginx/random7047/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random7047/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3483 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3483
new file mode 100644
index 000000000..7a415c293
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3483
@@ -0,0 +1,32 @@
+server {
+ listen 80;
+ server_name random9761.example.org;
+
+
+ location ~ /static/(.*)$ {
+ alias /srv/http/random14537/static_collected/$1;
+ expires 7d;
+ }
+
+ location ~ /media/(.*)$ {
+ alias /srv/http/random14537/dynamic/public/$1;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:81;
+ proxy_connect_timeout 120;
+ proxy_read_timeout 120;
+ }
+
+ location ~ /\.ht {
+ deny all;
+ }
+
+ access_log /var/log/nginx/random14537/access.log combined_plus;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3507 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3507
new file mode 100644
index 000000000..0fdca78d7
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3507
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ server_name random3674.example.org www.random3674.example.org;
+
+ root /srv/http/random3674.example.org;
+ index index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ access_log /var/log/nginx/random3674.example.org/access.log combined_plus;
+ error_log /var/log/nginx/random3674.example.org/error.log;
+}
+
+server {
+ listen 80;
+ server_name random27569.example.org www.random27569.example.org;
+
+ root /srv/http/random27569.example.org;
+ index index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ access_log /var/log/nginx/random27569.example.org/access.log combined_plus;
+ error_log /var/log/nginx/random27569.example.org/error.log;
+}
+
+server {
+ listen 80;
+ server_name random11055.example.org www.random11055.example.org;
+
+ root /srv/http/random11055.example.org;
+ index index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ access_log /var/log/nginx/random11055.example.org/access.log combined_plus;
+ error_log /var/log/nginx/random11055.example.org/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3874 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3874
new file mode 100644
index 000000000..1180f2eb1
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-3874
@@ -0,0 +1,46 @@
+upstream django_server_random7267.example.org {
+ server unix:/srv/http/random24334/live/website.sock;
+}
+
+server {
+ listen 80;
+ listen 443 ssl;
+
+ server_name random7267.example.org;
+
+ ssl_certificate /etc/ssl/public/random7267.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7267.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random24334/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random24334/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random7267.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random24334/live/access.log combined_plus;
+ error_log /var/log/nginx/random24334/live/error.log;
+}
+
+server {
+ listen 80;
+ listen 443 ssl;
+
+ server_name www.random7267.example.org;
+
+ ssl_certificate /etc/ssl/public/random7267.example.org_chained.crt;
+ ssl_certificate_key /etc/ssl/private/random7267.example.org.key;
+
+ return 301 http://random7267.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4035 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4035
new file mode 100644
index 000000000..1a1deb96b
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4035
@@ -0,0 +1,31 @@
+upstream django_server_random2104.example.org {
+ server unix:/srv/http/random28136/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name www.random2104.example.org;
+
+ location ~ /static/(.*)$ {
+ alias /srv/http/random28136/live/website/static/$1;
+ expires 7d;
+ }
+
+
+ location / {
+ proxy_pass http://django_server_random2104.example.org;
+ include /etc/nginx/proxy_params;
+ proxy_connect_timeout 240;
+ proxy_read_timeout 240;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random28136/live/access.log combined_plus;
+ error_log /var/log/nginx/random28136/live/error.log;
+}
+
+server {
+ server_name random2104.example.org;
+ rewrite ^ http://www.random2104.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4143 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4143
new file mode 100644
index 000000000..add683007
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4143
@@ -0,0 +1,33 @@
+upstream django_server_random24919.example.org {
+ server unix:/srv/http/random7831/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random24919.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random7831/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random7831/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random24919.example.org;
+ include /etc/nginx/proxy_params;
+
+ proxy_connect_timeout 240;
+ proxy_read_timeout 240;
+ }
+
+ access_log /var/log/nginx/random7831/live/access.log combined_plus;
+ error_log /var/log/nginx/random7831/live/error.log;
+}
+
+server {
+ server_name www.random24919.example.org;
+ rewrite ^ http://random24919.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4264 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4264
new file mode 100644
index 000000000..ef347862f
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-4264
@@ -0,0 +1,12 @@
+# vhost created by moving from marauder, but there it was an apache vhost.
+
+server {
+ listen 80;
+ server_name random3080.example.org www.random3080.example.org random26833.example.org www.random26833.example.org;
+
+ root /srv/http/random10391.example.org/;
+
+ if ($request_uri != '/googleYYYYYYYYYYYYYYYY.html') {
+ rewrite ^ http://random10305.example.org/ permanent;
+ }
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5826 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5826
new file mode 100644
index 000000000..bcfc662b2
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5826
@@ -0,0 +1,38 @@
+upstream django_server_random1107.example.org {
+ server unix:/srv/http/random4755/acceptance/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random1107.example.org www.random1107.example.org;
+
+ if ($host != 'random1107.example.org') {
+ rewrite ^/(.*)$ http://random1107.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random4755/acceptance/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random4755/acceptance/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random1107.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ satisfy any;
+ allow 89.188.25.162;
+ auth_basic "random4755 acceptance";
+ auth_basic_user_file htpasswords/random4755_acceptance;
+
+ }
+
+ access_log /var/log/nginx/random4755/acceptance/access.log combined_plus;
+ error_log /var/log/nginx/random4755/acceptance/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5872 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5872
new file mode 100644
index 000000000..fe41f9872
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-5872
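Review bot: The `allow 89.188.25.162;` line in the `location /` block of site-5826 is a literal address outside the documentation ranges, in a fixture whose hostnames and paths have otherwise been replaced with `randomNNNN.example.org` style placeholders. If this corpus is meant to be anonymised, that address appears to have been missed; `allow 192.0.2.1;` parses the same way for the round-trip test. The same applies to `include /etc/nginx/allow_ytec_ips_params;` in the site-5872, site-6228 and site-8343 hunks, where the file name looks like it carries an organisation name and could become, for example, `include /etc/nginx/allow_office_ips_params;`.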
@@ -0,0 +1,36 @@
+upstream django_server_random8404.example.org {
+ server unix:/srv/http/random1006/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random8404.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random1006/internal/website/static/;
+ expires 7d;
+ }
+ #location ^~ /static/ {
+ # alias /srv/http/random1006/internal/website/static/;
+ # expires 7d;
+ #}
+
+ location / {
+ proxy_pass http://django_server_random8404.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random1006';
+ auth_basic_user_file /srv/http/random1006/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random1006/internal/access.log combined_plus;
+ error_log /var/log/nginx/random1006/internal/error.log;
+}
+
+server {
+ server_name www.random8404.example.org;
+ rewrite ^ http://random8404.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-6228 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-6228
new file mode 100644
index 000000000..d5c157e88
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-6228
@@ -0,0 +1,39 @@
+upstream django_server_random15255_intern {
+ server unix:/srv/http/random15255/intern/website.sock fail_timeout=5;
+}
+
+server {
+ listen 80;
+ server_name random11459.example.org www.random11459.example.org;
+
+ if ($host != 'random11459.example.org') {
+ rewrite ^/(.*)$ http://random11459.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random15255/internal/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random15255/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random15255_intern;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+
+ satisfy any;
+ auth_basic 'random191 internal';
+ auth_basic_user_file /srv/http/random15255/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random15255/internal/access.log combined_plus;
+ error_log /var/log/nginx/random15255/internal/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-7895 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-7895
new file mode 100644
index 000000000..4a49ea47e
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-7895
@@ -0,0 +1,32 @@
+upstream django_server_random20084.example.org {
+ server unix:/srv/http/random1540/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random3969.example.org www.random20084.example.org random20084.example.org;
+
+ if ($host != 'www.random20084.example.org') {
+ rewrite ^/(.*)$ http://www.random20084.example.org/$1 permanent;
+ }
+
+ location /media/ {
+ alias /srv/http/random1540/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random1540/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random20084.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ access_log /var/log/nginx/random1540/live/access.log combined_plus;
+ error_log /var/log/nginx/random1540/live/error.log;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8343 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8343
new file mode 100644
index 000000000..9e0d39d47
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8343
@@ -0,0 +1,36 @@
+upstream django_server_random29577.example.org {
+ server unix:/srv/http/random24645/internal/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random29577.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random24645/internal/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random24645/internal/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random29577.example.org;
+ include /etc/nginx/proxy_params;
+
+ satisfy any;
+ auth_basic 'internal for random24645';
+ auth_basic_user_file /srv/http/random24645/internal/htpasswords;
+ include /etc/nginx/allow_ytec_ips_params;
+ deny all;
+ }
+
+ access_log /var/log/nginx/random24645/internal/access.log;
+ error_log /var/log/nginx/random24645/internal/error.log;
+}
+
+server {
+ server_name www.random29577.example.org;
+ rewrite ^ http://random29577.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8422 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8422
new file mode 100644
index 000000000..c3b979b4e
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8422
@@ -0,0 +1,46 @@
+upstream django_server_random25771.example.org {
+ server unix:/srv/http/random4711/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random25771.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random4711/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random4711/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random25771.example.org;
+ include /etc/nginx/proxy_params;
+ proxy_read_timeout 4m;
+
+ # You can configure access rules here
+ }
+
+ client_max_body_size 25m;
+
+ access_log /var/log/nginx/random4711/live/access.log combined_plus;
+ error_log /var/log/nginx/random4711/live/error.log;
+}
+
+server {
+ server_name www.random25771.example.org;
+ server_name *.random17707.example.org;
+ server_name *.random22274.example.org;
+ server_name *.random26333.example.org;
+ server_name *.random10742.example.org;
+ server_name *.random8297.example.org;
+ server_name *.random18250.example.org;
+ server_name *.random30184.example.org;
+ server_name *.random27005.example.org;
+ server_name *.random12286.example.org;
+ server_name *.random28076.example.org;
+ server_name *.random26194.example.org;
+ rewrite ^ http://random25771.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8637 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8637
new file mode 100644
index 000000000..91e31bbfd
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8637
@@ -0,0 +1,40 @@
+upstream django_server_random27891.example.org {
+ server unix:/srv/http/random6344/live/website.sock;
+}
+
+server {
+ listen 443;
+ server_name random27891.example.org;
+
+ ssl on;
+ ssl_certificate /etc/ssl/public/random27891.example.org.bundle.crt;
+ ssl_certificate_key /etc/ssl/private/random27891.example.org.key;
+
+ location /media/ {
+ alias /srv/http/random6344/live/dynamic/public/;
+ expires 7d;
+ include upload_folder_security_params;
+ }
+ location /static/ {
+ alias /srv/http/random6344/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random27891.example.org;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ }
+
+ access_log /var/log/nginx/random6344/live/access.log combined_plus;
+ error_log /var/log/nginx/random6344/live/error.log;
+}
+
+server {
+ listen 80;
+ server_name random27891.example.org;
+
+ return 301 https://random27891.example.org$request_uri;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8662 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8662
new file mode 100644
index 000000000..3fe9c4011
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-8662
@@ -0,0 +1,32 @@
+upstream django_server_random27507.example.org {
+ server unix:/srv/http/random24211/live/website.sock;
+}
+
+server {
+ listen 80;
+ server_name random27507.example.org;
+
+ location ^~ /media/ {
+ alias /srv/http/random24211/live/dynamic/public/;
+ expires 7d;
+ }
+ location ^~ /static/ {
+ alias /srv/http/random24211/live/static_collected/;
+ expires 7d;
+ }
+
+ location / {
+ proxy_pass http://django_server_random27507.example.org;
+ include /etc/nginx/proxy_params;
+
+ # You can configure access rules here
+ }
+
+ access_log /var/log/nginx/random24211/live/access.log combined_plus;
+ error_log /var/log/nginx/random24211/live/error.log;
+}
+
+server {
+ server_name www.random27507.example.org;
+ rewrite ^ http://random27507.example.org$request_uri permanent;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-9426 b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-9426
new file mode 100644
index 000000000..90dad9601
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/79-configs/site-9426
@@ -0,0 +1,111 @@ +upstream django_server_random20374.nl { + server unix:/srv/http/random20374/live/website.sock; +} + +server { + listen 80; + + # Main domain + server_name random9123.example.org; + + # So called mini-sites, resulting in landing pages for Google. + server_name random16942.example.org; + server_name random23560.example.org; + server_name random17636.example.org; + server_name random13969.example.org; + server_name random4892.example.org; + server_name random24240.example.org; + server_name random25863.example.org; + server_name random26503.example.org; + server_name random5090.example.org; + server_name random1856.example.org; + server_name random2911.example.org; + server_name random16405.example.org; + + location /media/ { + alias /srv/http/random20374/live/dynamic/public/; + expires 7d; + } + location /static/ { + alias /srv/http/random20374/live/static_collected/; + expires 7d; + } + + location / { + proxy_pass http://django_server_random20374.nl; + include /etc/nginx/proxy_params; + } + + access_log /var/log/nginx/random20374/live/access.log combined_plus; + error_log /var/log/nginx/random20374/live/error.log; +} + +server { + server_name www.random9123.example.org; + return 301 $scheme://random9123.example.org$request_uri; +} + +server { + server_name www.random1825.example.org random1825.example.org; + return 301 $scheme://random9123.example.org$request_uri; +} + +server { + server_name www.random16942.example.org; + return 301 $scheme://random16942.example.org; +} + +server { + server_name www.random23560.example.org; + return 301 $scheme://random23560.example.org; +} + +server { + server_name www.random17636.example.org; + return 301 $scheme://random17636.example.org; +} + +server { + server_name www.random13969.example.org; + return 301 $scheme://random13969.example.org; +} + +server { + server_name www.random4892.example.org; + return 301 $scheme://random4892.example.org; +} + +server { + server_name www.random24240.example.org; + return 
301 $scheme://random24240.example.org; +} + +server { + server_name www.random25863.example.org; + return 301 $scheme://random25863.example.org; +} + +server { + server_name www.random26503.example.org; + return 301 $scheme://random26503.example.org; +} + +server { + server_name www.random5090.example.org; + return 301 $scheme://random5090.example.org; +} + +server { + server_name www.random1856.example.org; + return 301 $scheme://random1856.example.org; +} + +server { + server_name www.random2911.example.org; + return 301 $scheme://random2911.example.org; +} + +server { + server_name www.random16405.example.org; + return 301 $scheme://random16405.example.org; +} diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/activecolab/www.example.com.vhost b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/activecolab/www.example.com.vhost new file mode 100644 index 000000000..71344abea --- /dev/null +++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/activecolab/www.example.com.vhost @@ -0,0 +1,44 @@ +server { + listen 80; + server_name www.example.com example.com; + root /var/www/www.example.com/web; + + if ($http_host != "www.example.com") { + rewrite ^ http://www.example.com$request_uri permanent; + } + + index index.php index.html; + + location = /favicon.ico { + log_not_found off; + access_log off; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac). + location ~ /\. { + deny all; + access_log off; + log_not_found off; + } + + location / { + try_files $uri $uri/ /index.php?path_info=$uri&$args; + access_log off; + expires max; + } + + location ~ \.php$ { + try_files $uri =404; + include /etc/nginx/fastcgi_params; + fastcgi_pass unix:/var/run/php5-fpm.sock; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors on; + } +} 
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi.conf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi.conf
new file mode 100644
index 000000000..056987136
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi.conf
@@ -0,0 +1,9 @@
+#-*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### fastcgi configuration.
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+include fastcgi_params;
+fastcgi_buffers 256 4k;
+fastcgi_intercept_errors on;
+## allow 4 hrs - pass timeout responsibility to upstrea
+fastcgi_read_timeout 14400;
+fastcgi_index index.php;
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi_params b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi_params
new file mode 100644
index 000000000..4a7f26920
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/fastcgi_params
@@ -0,0 +1,32 @@
+# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### fastcgi parameters.
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+## PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+## HTTPS 'on' parameter. This requires Nginx version 1.1.11 or
+## later. The if_not_empty flag was introduced in 1.1.11. See:
+## http://nginx.org/en/CHANGES. If using a version that doesn't
+## support this comment out the line below.
+fastcgi_param HTTPS $https if_not_empty;
+## For Nginx versions below 1.1.11 uncomment the line below after commenting out the above.
+#fastcgi_param HTTPS $https
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-utf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-utf
new file mode 100644
index 000000000..e7974ff6a
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-utf
@@ -0,0 +1,109 @@ + +# This map is not a full koi8-r <> utf8 map: it does not contain +# box-drawing and some other characters. Besides this map contains +# several koi8-u and Byelorussian letters which are not in koi8-r. +# If you need a full and standard map, use contrib/unicode2nginx/koi-utf +# map instead. + +charset_map koi8-r utf-8 { + + 80 E282AC ; # euro + + 95 E280A2 ; # bullet + + 9A C2A0 ; #   + + 9E C2B7 ; # · + + A3 D191 ; # small yo + A4 D194 ; # small Ukrainian ye + + A6 D196 ; # small Ukrainian i + A7 D197 ; # small Ukrainian yi + + AD D291 ; # small Ukrainian soft g + AE D19E ; # small Byelorussian short u + + B0 C2B0 ; # ° + + B3 D081 ; # capital YO + B4 D084 ; # capital Ukrainian YE + + B6 D086 ; # capital Ukrainian I + B7 D087 ; # capital Ukrainian YI + + B9 E28496 ; # numero sign + + BD D290 ; # capital Ukrainian soft G + BE D18E ; # capital Byelorussian short U + + BF C2A9 ; # (C) + + C0 D18E ; # small yu + C1 D0B0 ; # small a + C2 D0B1 ; # small b + C3 D186 ; # small ts + C4 D0B4 ; # small d + C5 D0B5 ; # small ye + C6 D184 ; # small f + C7 D0B3 ; # small g + C8 D185 ; # small kh + C9 D0B8 ; # small i + CA D0B9 ; # small j + CB D0BA ; # small k + CC D0BB ; # small l + CD D0BC ; # small m + CE D0BD ; # small n + CF D0BE ; # small o + + D0 D0BF ; # small p + D1 D18F ; # small ya + D2 D180 ; # small r + D3 D181 ; # small s + D4 D182 ; # small t + D5 D183 ; # small u + D6 D0B6 ; # small zh + D7 D0B2 ; # small v + D8 D18C ; # small soft sign + D9 D18B ; # small y + DA D0B7 ; # small z + DB D188 ; # small sh + DC D18D ; # small e + DD D189 ; # small shch + DE D187 ; # small ch + DF D18A ; # small hard sign + + E0 D0AE ; # capital YU + E1 D090 ; # capital A + E2 D091 ; # capital B + E3 D0A6 ; # capital TS + E4 D094 ; # capital D + E5 D095 ; # capital YE + E6 D0A4 ; # capital F + E7 D093 ; # capital G + E8 D0A5 ; # capital KH + E9 D098 ; # capital I + EA D099 ; # capital J + EB D09A ; # capital K + EC D09B ; # capital L + ED D09C ; # capital M + EE 
D09D ; # capital N + EF D09E ; # capital O + + F0 D09F ; # capital P + F1 D0AF ; # capital YA + F2 D0A0 ; # capital R + F3 D0A1 ; # capital S + F4 D0A2 ; # capital T + F5 D0A3 ; # capital U + F6 D096 ; # capital ZH + F7 D092 ; # capital V + F8 D0AC ; # capital soft sign + F9 D0AB ; # capital Y + FA D097 ; # capital Z + FB D0A8 ; # capital SH + FC D0AD ; # capital E + FD D0A9 ; # capital SHCH + FE D0A7 ; # capital CH + FF D0AA ; # capital hard sign +} diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-win b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-win new file mode 100644 index 000000000..72afabe89 --- /dev/null +++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/koi-win 
@@ -0,0 +1,103 @@ + +charset_map koi8-r windows-1251 { + + 80 88 ; # euro + + 95 95 ; # bullet + + 9A A0 ; #   + + 9E B7 ; # · + + A3 B8 ; # small yo + A4 BA ; # small Ukrainian ye + + A6 B3 ; # small Ukrainian i + A7 BF ; # small Ukrainian yi + + AD B4 ; # small Ukrainian soft g + AE A2 ; # small Byelorussian short u + + B0 B0 ; # ° + + B3 A8 ; # capital YO + B4 AA ; # capital Ukrainian YE + + B6 B2 ; # capital Ukrainian I + B7 AF ; # capital Ukrainian YI + + B9 B9 ; # numero sign + + BD A5 ; # capital Ukrainian soft G + BE A1 ; # capital Byelorussian short U + + BF A9 ; # (C) + + C0 FE ; # small yu + C1 E0 ; # small a + C2 E1 ; # small b + C3 F6 ; # small ts + C4 E4 ; # small d + C5 E5 ; # small ye + C6 F4 ; # small f + C7 E3 ; # small g + C8 F5 ; # small kh + C9 E8 ; # small i + CA E9 ; # small j + CB EA ; # small k + CC EB ; # small l + CD EC ; # small m + CE ED ; # small n + CF EE ; # small o + + D0 EF ; # small p + D1 FF ; # small ya + D2 F0 ; # small r + D3 F1 ; # small s + D4 F2 ; # small t + D5 F3 ; # small u + D6 E6 ; # small zh + D7 E2 ; # small v + D8 FC ; # small soft sign + D9 FB ; # small y + DA E7 ; # small z + DB F8 ; # small sh + DC FD ; # small e + DD F9 ; # small shch + DE F7 ; # small ch + DF FA ; # small hard sign + + E0 DE ; # capital YU + E1 C0 ; # capital A + E2 C1 ; # capital B + E3 D6 ; # capital TS + E4 C4 ; # capital D + E5 C5 ; # capital YE + E6 D4 ; # capital F + E7 C3 ; # capital G + E8 D5 ; # capital KH + E9 C8 ; # capital I + EA C9 ; # capital J + EB CA ; # capital K + EC CB ; # capital L + ED CC ; # capital M + EE CD ; # capital N + EF CE ; # capital O + + F0 CF ; # capital P + F1 DF ; # capital YA + F2 D0 ; # capital R + F3 D1 ; # capital S + F4 D2 ; # capital T + F5 D3 ; # capital U + F6 C6 ; # capital ZH + F7 C2 ; # capital V + F8 DC ; # capital soft sign + F9 DB ; # capital Y + FA C7 ; # capital Z + FB D8 ; # capital SH + FC DD ; # capital E + FD D9 ; # capital SHCH + FE D7 ; # capital CH + FF DA ; # capital hard sign +} 
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/map_https_fcgi.conf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/map_https_fcgi.conf
new file mode 100644
index 000000000..a8d62223a
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/map_https_fcgi.conf
@@ -0,0 +1,7 @@
+# -*- mode: conf; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+### Implement the $https_if_not_empty variable for Nginx versions below 1.1.11.
+
+map $scheme $https {
+ default '';
+ https on;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/mime.types b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/mime.types
new file mode 100644
index 000000000..618b8f8e7
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/mime.types
@@ -0,0 +1,77 @@ +# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-current-dictionary: american -*- +types { + text/html html htm shtml; + text/css css; + text/xml xml rss; + image/gif gif; + image/jpeg jpeg jpg; + application/x-javascript js; + application/atom+xml atom; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + + application/java-archive jar war ear; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.wap.xhtml+xml xhtml; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/zip zip; + + # Mime types for web fonts. Stolen from here: + # http://seconddrawer.com.au/blog/ in part. 
+ application/x-font-ttf ttf; + font/opentype otf; + application/vnd.ms-fontobject eot; + application/x-woff woff; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mpeg mpeg mpg; + video/quicktime mov; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/nginx.conf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/nginx.conf new file mode 100644 index 000000000..22ad4c317 --- /dev/null +++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/nginx.conf 
@@ -0,0 +1,119 @@ +# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*- +user www-data; +worker_processes 4; + +error_log /var/log/nginx/error.log; +pid /var/run/nginx.pid; + +worker_rlimit_nofile 8192; + +events { + worker_connections 4096; + ## epoll is preferred on 2.6 Linux + ## kernels. Cf. http://www.kegel.com/c10k.html#nb.epoll + use epoll; + ## Accept as many connections as possible. + multi_accept on; +} + +http { + ## MIME types. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## FastCGI. + include /etc/nginx/fastcgi.conf; + + ## Default log and error files. + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + ## Use sendfile() syscall to speed up I/O operations and speed up + ## static file serving. + sendfile on; + ## Handling of IPs in proxied and load balancing situations. + set_real_ip_from 0.0.0.0/32; # all addresses get a real IP. + real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy + + ## Define a zone for limiting the number of simultaneous + ## connections nginx accepts. 1m means 32000 simultaneous + ## sessions. We need to define for each server the limit_conn + ## value refering to this or other zones. + ## ** This syntax requires nginx version >= + ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older + ## ** version then use the limit_zone directive below + ## ** instead. Comment out this + ## ** one if not using nginx version >= 1.1.8. + limit_conn_zone $binary_remote_addr zone=arbeit:10m; + + ## Timeouts. + client_body_timeout 60; + client_header_timeout 60; + keepalive_timeout 10 10; + send_timeout 60; + + ## Reset lingering timed out connections. Deflect DDoS. + reset_timedout_connection on; + + ## Body size. + client_max_body_size 10m; + + ## TCP options. + tcp_nodelay on; + tcp_nopush on; + + ## Compression. 
+ gzip on; + gzip_buffers 16 8k; + gzip_comp_level 1; + gzip_http_version 1.1; + gzip_min_length 10; + gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf; + gzip_vary on; + gzip_proxied any; # Compression for all requests. + ## No need for regexps. See + ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable + gzip_disable "msie6"; + + ## Serve already compressed files directly, bypassing on-the-fly + ## compression. + gzip_static on; + + ## Hide the Nginx version number. + server_tokens off; + + ## Use a SSL/TLS cache for SSL session resume. This needs to be + ## here (in this context, for session resumption to work. See this + ## thread on the Nginx mailing list: + ## http://nginx.org/pipermail/nginx/2010-November/023736.html. + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + ## For the filefield_nginx_progress module to work. From the + ## README. Reserve 1MB under the name 'uploads' to track uploads. + upload_progress uploads 1m; + + ## Enable clickjacking protection in modern browsers. Available in + ## IE8 also. See + ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header + add_header X-Frame-Options sameorigin; + + ## Include the upstream servers for PHP FastCGI handling config. + include upstream_phpcgi.conf; + + ## If using Nginx version >= 1.1.11 then there's a $https variable + ## that has the value 'on' if the used scheme is https and '' if not. + ## See: http://trac.nginx.org/nginx/changeset/4380/nginx + ## http://trac.nginx.org/nginx/changeset/4333/nginx and + ## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a + ## previous version then uncomment out the line below. + #include map_https_fcgi.conf; + + ## Include the upstream servers for Apache handling the PHP + ## processes. In this case Nginx functions as a reverse proxy. 
+ #include reverse_proxy.conf; + #include upstream_phpapache.conf; + + ## Include all vhosts. + include /etc/nginx/sites-enabled/*; +} diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/reverse_proxy.conf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/reverse_proxy.conf new file mode 100644 index 000000000..ee0faadd7 --- /dev/null +++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/reverse_proxy.conf @@ -0,0 +1,10 @@ +# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*- + +### Configuration for reverse proxy. Passing the necessary headers to +### the backend. Nginx doesn't tunnel the connection, it opens a new +### one. Hence whe need to send these headers to the backend so that +### the client(s) IP is available to them. The host is also sent. + +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header Host $http_host; diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/000-default b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/000-default new file mode 100644 index 000000000..9dbaa44ff --- /dev/null +++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/000-default 
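Review bot: The comment on `set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.` in the `http` block of nginx.conf does not match the directive: a /32 prefix covers only the single address 0.0.0.0, so the `real_ip_header X-Forwarded-For` rewrite would effectively never be applied. Widening the prefix to what the comment describes would be worse, because any client could then choose its own `$remote_addr` through that header, and the same value keys `limit_conn_zone $binary_remote_addr` and ends up in the access log. Since this file is round-trip fixture data, I would keep the directive and correct the comment, for example `set_real_ip_from 0.0.0.0/32; # placeholder; list only the proxy/load-balancer addresses here`.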
@@ -0,0 +1,19 @@
+# -*-mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### Block all illegal host headers. Taken from a discussion on nginx
+### forums. Cf. http://forum.nginx.org/read.php?2,3482,3518 following
+### a suggestion by Maxim Dounin. Also suggested in
+### http://nginx.org/en/docs/http/request_processing.html.
+server {
+ listen [::]:80 default_server;
+ # Uncomment the line below and comment the above if you're
+ # running a Nginx version less than 0.8.20.
+ # listen [::]:80 default;
+
+ # Accept redirects based on the value of the Host header. If
+ # there's no valid vhost configuration file with a
+ # corresponding server_name directive then signal an error and
+ # fail silently. See:
+ # http://wiki.nginx.org/NginxHttpCoreModule#server_name_in_redirect
+ server_name_in_redirect off;
+ return 444;
+}
diff --git a/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/chive.example.com.conf b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/chive.example.com.conf
new file mode 100644
index 000000000..e77024456
--- /dev/null
+++ b/certbot-compatibility-test/nginx/nginx-roundtrip-testdata/chive/chive-nginx-master/sites-available/chive.example.com.conf
@@ -0,0 +1,102 @@
+# -*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
+### Nginx configuration for Chive.
+
+server {
+ ## This is to avoid the spurious if for sub-domain name
+ ## rewriting. See http://wiki.nginx.org/Pitfalls#Server_Name.
+ listen 80; # IPv4
+
+ ## Replace the IPv6 address by your own address. The address below
+ ## was stolen from the wikipedia page on IPv6.
+ listen [fe80::202:b3ff:fe1e:8329]:80 ipv6only=on;
+
+ server_name www.chive.example.com;
+
+ return 301 $scheme://chive.example.com$request_uri;
+
+} # server domain rewrite.
+
+server {
+ listen 80; # IPv4
+
+ ## Replace the IPv6 address by your own address. The address below
+ ## was stolen from the wikipedia page on IPv6.
+ listen [fe80::202:b3ff:fe1e:8329]:80 ipv6only=on;
+
+ limit_conn arbeit 32;
+ server_name chive.example.com;
+
+ ## Parameterization using hostname of access and log filenames.
+ access_log /var/log/nginx/chive.example.com_access.log;
+ error_log /var/log/nginx/chive.example.com_error.log;
+
+ root /var/www/sites/chive.example.com;
+ index index.php index.html;
+
+ ## Support for favicon. Return a 204 (No Content) if the favicon
+ ## doesn't exist.
+ location = /favicon.ico {
+ try_files /favicon.ico =204;
+ }
+
+ ## The main location is accessed using Basic Auth.
+ location / {
+ ## Access is restricted.
+ auth_basic "Restricted Access"; # auth realm
+ auth_basic_user_file .htpasswd-users; # htpasswd file
+
+ ## Use PATH_INFO for translating the requests to the
+ ## FastCGI. This config follows Igor's suggestion here:
+ ## http://forum.nginx.org/read.php?2,124378,124582.
+ ## This is preferable to using:
+ ## fastcgi_split_path_info ^(.+\.php)(.*)$
+ ## It saves one regex in the location. Hence it's faster.
+ location ~ ^(?