def to_keepalived(self):
global_defs = []
global_defs.extend(util.generic_brace_config('notification_email',
[self._notification_email]))
global_defs.extend([
'notification_email_from %s' % self._notification_email_from,
'smtp_server %s' % self._smtp_server,
])
return util.generic_brace_config('global_defs', global_defs)
def _tcp_check(self):
return util.generic_brace_config(
'TCP_CHECK', [
'connect_port %s' % self._port,
'connect_timeout 10',
]
)
def _smtp_check(self):
return util.generic_brace_config(
'SMTP_CHECK', [
'connect_timeout 10',
'helo_name keepalived',
]
)
def to_nginx_config(self):
config = []
config.extend(self._build_server_list(self._server))
config.extend(self._build_server_list(
self._backup_server, backup=True
))
config.append('keepalive %s;' % self.keepalive)
return util.generic_brace_config('upstream %s' % self.name, config)
def _dns_check(self):
return util.generic_brace_config(
'MISC_CHECK', [
'misc_path "/usr/bin/dig +%s -t %s localhost. @%s +time=5 '
'+tries=5 +fail > /dev/null"' %
('notcp' if self._l4proto == 'udp' else 'tcp',
'A' if self._l3proto == 'ipv4' else 'AAAA',
self._ip),
'misc_timeout 6',
]
)
def to_keepalived(self):
vrrp_instance = [
'state BACKUP',
'interface %s' % self._interface,
'virtual_router_id %s' % self._id,
'priority %s' % self._priority,
'nopreempt',
'native_ipv6',
'smtp_alert',
]
authentication = [
'auth_type AH',
'auth_pass %s' % self._pass,
]
vrrp_instance.extend(util.generic_brace_config('authentication', authentication))
if self._virtual_ipaddress is not None:
vrrp_instance.extend(util.generic_brace_config(
'virtual_ipaddress', ["%s dev %s" % (self._virtual_ipaddress, self._interface)]))
if len(self._virtual_ipaddress_excluded) > 0:
vrrp_instance.extend(util.generic_brace_config(
'virtual_ipaddress_excluded', ["%s dev %s" % (ip, self._interface)
for ip in self._virtual_ipaddress_excluded]))
return util.generic_brace_config('vrrp_instance zork', vrrp_instance)
def to_keepalived(self):
real_server = []
if self._drain is False:
real_server.append('weight 1000')
else:
real_server.append('weight 0')
real_server.append('inhibit_on_failure')
real_server.extend({
'http': self._http_check,
'https': self._http_check,
'smtp': self._smtp_check,
'dns': self._dns_check,
}.get(self._l7proto)())
return util.generic_brace_config('real_server %s %s' % (self._ip, self._port),
real_server)
def _render_racoon(tunnels):
lines = []
if any([tunnel.racoon.debug for tunnel in tunnels]):
lines.append("log debug;")
lines.extend([
"path pre_shared_key \"/etc/racoon/psk.txt\";",
"",
])
local_endpoints = [tunnel.local_endpoint for tunnel in tunnels]
listen_ips = (sorted(set([ip for ip in local_endpoints
if isinstance(ip, ipaddr.IPv4Address)])) +
sorted(set([ip for ip in local_endpoints
if isinstance(ip, ipaddr.IPv6Address)])))
listen_lines = ['isakmp %s;' % ip for ip in listen_ips]
lines.extend(util.generic_brace_config('listen', listen_lines))
for tunnel in tunnels:
lines.extend(tunnel.racoon.to_racoon_conf())
return lines
def to_keepalived(self):
virtual_server = [
'lb_kind DR',
'lb_algo wrr',
'delay_loop 10',
'ha_suspend',
'protocol %s' % self._l4proto.upper(),
]
if self._l7proto == 'dns' and self._l4proto == 'udp':
virtual_server.append('ops')
if self._l7proto == 'dns':
virtual_server.append('persistence_timeout 0')
else:
virtual_server.append('persistence_timeout 600')
for rs in self._real_server:
virtual_server.extend(rs.to_keepalived())
return util.generic_brace_config('virtual_server group %s' %
self._name,
virtual_server)
def phase2_lines(self, local_subnet, remote_subnet):
phase2 = ['%s %s;' % (k, v) for k, v in self.phase2]
return util.generic_brace_config('sainfo address %s any address %s any' %
(local_subnet, remote_subnet), phase2)
def phase1_proposal_lines(self):
proposal = ['%s %s;' % (k, v) for k, v in self.phase1_proposal]
return util.generic_brace_config('proposal', proposal)
def phase1_lines(self, remote_endpoint):
phase1 = ['%s %s;' % (k, v) for k, v in self.phase1]
phase1.extend(self.phase1_proposal_lines())
return util.generic_brace_config('remote %s' % remote_endpoint, phase1)
def to_keepalived(self):
return util.generic_brace_config('virtual_server_group %s' % self._name,
["%s %s" % (ip, self._port)
for ip in self._ips])
def to_nginx_config(self):
config = []
if self.root is not None:
config.append('root %s;' % self.root)
if self.internal is True:
config.append('internal;')
if self.expires is not None:
if self.cachebust_regex is not None:
config.append("if ($request_uri ~ %s) {" % self.cachebust_regex)
config.append(" expires %s;" % self.expires)
config.append("}")
else:
config.append("expires %s;" % self.expires)
if self.verify_header_presence:
config.extend([
'if ($%s) {' % self.verify_header_presence,
'return 200;',
'}',
'return 403;',
])
if self.authenticate != 'none':
if self.authenticate == 'ip_or_cert':
config.append('satisfy any;')
else:
config.append('satisfy all;')
if 'cert' in self.authenticate:
config.append('auth_request /client-cert-check-internal;')
if self.mobile is True:
config.extend([
"error_page 418 = @mobile;",
"set $mobile D;",
"if ($http_user_agent ~* '""(iPhone|iPad|iPod|Android|""blackberry|windows (ce|phone))') { set $mobile M; }", # noqa
'if ($request_uri ~* "desktop=true") { set $mobile D; }',
'if ($mobile = M) { return 418; }',
'if ($mobile = D) { rewrite ^ /index.html last; }',
])
if self.try_files is not None:
config.append('try_files %s;' % ' '.join(self.try_files))
elif self.try_mobile is True:
config.append('try_files /index-mobile.html /index.html =404;')
if self.x_accel_redirect is not None:
config.extend([
'set $bork_reproxy_url $upstream_http_x_reproxy_url;',
'set $bork_reproxy_host $upstream_http_x_reproxy_host;',
'proxy_set_header Host $bork_reproxy_host;',
])
self.proxy_pass = '******'
if self.proxy_pass is not None:
if self.proxy_path is not None:
config.append('proxy_pass %s%s;' % (self.proxy_pass, self.proxy_path))
else:
config.append('proxy_pass %s;' % self.proxy_pass)
if self.client_max_body_size is not None:
config.append('client_max_body_size %s;' % self.client_max_body_size)
if self.proxy_read_timeout is not None:
config.append('proxy_read_timeout %s;' % self.proxy_read_timeout)
if self.limit_req_burst is not None:
config.append('limit_req zone=one burst=%d;' % self.limit_req_burst)
if self.ipfilter is not None:
config.extend(self.ipfilter.to_nginx_config())
if self.return_code is not None:
config.append('return %s;' % self.return_code)
return util.generic_brace_config(
'location %s%s%s' % (
self.match_type,
' ' if self.match_type != '' else '',
self.suburl
),
config
)
def to_nginx_config(self):
config = []
for listen in self._listen:
for address in listen.addresses:
listen_config = ['listen']
listen_address = ('[%s]' % address
if isinstance(address, ipaddr.IPv6Address)
else str(address))
if listen.port is None:
listen_config.append('%s:%s' % (
listen_address, '443' if self.ssl is not None else '80'
))
else:
listen_config.append('%s:%s' % (
listen_address, listen.port
))
if len(self.server_name) == 0:
listen_config.append('default_server')
if isinstance(address, ipaddr.IPv6Address) and self.catchall is True:
listen_config.append('ipv6only=on')
if self.ssl is not None and self.catchall is True:
listen_config.append('ssl')
config.append('%s;' % ' '.join(listen_config))
if len(self.server_name) == 0:
config.append("server_name _;") # catchall...
else:
for server_name in self.server_name:
if server_name.fqdn is not None:
config.append('server_name %s;' % server_name.fqdn)
else:
for address in server_name.ipv4:
config.append('server_name %s;' % address)
for address in server_name.ipv6:
config.append('server_name [%s];' % address)
if self.index is not None:
config.append('index %s;' % self.index)
if self.root is not None:
config.append('root %s;' % self.root)
if self.ssl is not None:
config.append('ssl_certificate /etc/ssl/nginx/%s.crt;' % self.ssl)
config.append('ssl_certificate_key /etc/ssl/nginx/%s.key;' % self.ssl)
if self.hsts_max_age is not None and self.hsts_max_age > 0:
config.append('add_header Strict-Transport-Security "max-age=%d;";' %
self.hsts_max_age)
if self.x_frame_options is not None and self.x_frame_options != '':
config.append('add_header X-Frame-Options "%s";' % self.x_frame_options)
if self.ssl_client_certificate is not None:
config.append('ssl_client_certificate /etc/ssl/nginx/%s.crt;' %
self.ssl_client_certificate)
if self.ssl_crl is not None:
config.append('ssl_crl /etc/ssl/nginx/%s.crl;' % self.ssl_crl)
config.append('ssl_verify_client %s;' % self.ssl_verify_client)
if len(self.error_page) != 0:
for code, uri in self.error_page.items():
config.append('error_page %s %s;' % (code, uri))
if self.redirect is not None:
config.append('rewrite ^(.*)$ https://%s$1 permanent;' % self.redirect)
if self.mobile is True:
location = Location('/')
location.match_type = '='
location.mobile = True
self.add_location(location)
location = Location('@mobile')
location.try_mobile = True
self.add_location(location)
if self.authenticate != 'none':
if self._authenticate == 'ip_or_cert':
config.append('satisfy any;')
else:
config.append('satisfy all;')
if 'cert' in self.authenticate:
config.append('auth_request /client-cert-check-internal;')
if 'cert' in self.authenticate:
location = Location('/client-cert-check-internal')
location.verify_header_presence = 'HTTP-X-Client-Certificate'
self.add_location(location)
if self.client_max_body_size is not None:
config.append('client_max_body_size %s;' % self.client_max_body_size)
for location in sorted(self.location, key=lambda l: l.suburl):
config.extend(location.to_nginx_config())
if self.ipfilter is not None:
config.extend(self.ipfilter.to_nginx_config())
return util.generic_brace_config('server', config)