def to_keepalived(self): global_defs = [] global_defs.extend(util.generic_brace_config('notification_email', [self._notification_email])) global_defs.extend([ 'notification_email_from %s' % self._notification_email_from, 'smtp_server %s' % self._smtp_server, ]) return util.generic_brace_config('global_defs', global_defs)
def _tcp_check(self): return util.generic_brace_config( 'TCP_CHECK', [ 'connect_port %s' % self._port, 'connect_timeout 10', ] )
def _smtp_check(self): return util.generic_brace_config( 'SMTP_CHECK', [ 'connect_timeout 10', 'helo_name keepalived', ] )
def to_nginx_config(self): config = [] config.extend(self._build_server_list(self._server)) config.extend(self._build_server_list( self._backup_server, backup=True )) config.append('keepalive %s;' % self.keepalive) return util.generic_brace_config('upstream %s' % self.name, config)
def _dns_check(self): return util.generic_brace_config( 'MISC_CHECK', [ 'misc_path "/usr/bin/dig +%s -t %s localhost. @%s +time=5 ' '+tries=5 +fail > /dev/null"' % ('notcp' if self._l4proto == 'udp' else 'tcp', 'A' if self._l3proto == 'ipv4' else 'AAAA', self._ip), 'misc_timeout 6', ] )
def to_keepalived(self): vrrp_instance = [ 'state BACKUP', 'interface %s' % self._interface, 'virtual_router_id %s' % self._id, 'priority %s' % self._priority, 'nopreempt', 'native_ipv6', 'smtp_alert', ] authentication = [ 'auth_type AH', 'auth_pass %s' % self._pass, ] vrrp_instance.extend(util.generic_brace_config('authentication', authentication)) if self._virtual_ipaddress is not None: vrrp_instance.extend(util.generic_brace_config( 'virtual_ipaddress', ["%s dev %s" % (self._virtual_ipaddress, self._interface)])) if len(self._virtual_ipaddress_excluded) > 0: vrrp_instance.extend(util.generic_brace_config( 'virtual_ipaddress_excluded', ["%s dev %s" % (ip, self._interface) for ip in self._virtual_ipaddress_excluded])) return util.generic_brace_config('vrrp_instance zork', vrrp_instance)
def to_keepalived(self): real_server = [] if self._drain is False: real_server.append('weight 1000') else: real_server.append('weight 0') real_server.append('inhibit_on_failure') real_server.extend({ 'http': self._http_check, 'https': self._http_check, 'smtp': self._smtp_check, 'dns': self._dns_check, }.get(self._l7proto)()) return util.generic_brace_config('real_server %s %s' % (self._ip, self._port), real_server)
def _render_racoon(tunnels): lines = [] if any([tunnel.racoon.debug for tunnel in tunnels]): lines.append("log debug;") lines.extend([ "path pre_shared_key \"/etc/racoon/psk.txt\";", "", ]) local_endpoints = [tunnel.local_endpoint for tunnel in tunnels] listen_ips = (sorted(set([ip for ip in local_endpoints if isinstance(ip, ipaddr.IPv4Address)])) + sorted(set([ip for ip in local_endpoints if isinstance(ip, ipaddr.IPv6Address)]))) listen_lines = ['isakmp %s;' % ip for ip in listen_ips] lines.extend(util.generic_brace_config('listen', listen_lines)) for tunnel in tunnels: lines.extend(tunnel.racoon.to_racoon_conf()) return lines
def to_keepalived(self): virtual_server = [ 'lb_kind DR', 'lb_algo wrr', 'delay_loop 10', 'ha_suspend', 'protocol %s' % self._l4proto.upper(), ] if self._l7proto == 'dns' and self._l4proto == 'udp': virtual_server.append('ops') if self._l7proto == 'dns': virtual_server.append('persistence_timeout 0') else: virtual_server.append('persistence_timeout 600') for rs in self._real_server: virtual_server.extend(rs.to_keepalived()) return util.generic_brace_config('virtual_server group %s' % self._name, virtual_server)
def phase2_lines(self, local_subnet, remote_subnet): phase2 = ['%s %s;' % (k, v) for k, v in self.phase2] return util.generic_brace_config('sainfo address %s any address %s any' % (local_subnet, remote_subnet), phase2)
def phase1_proposal_lines(self): proposal = ['%s %s;' % (k, v) for k, v in self.phase1_proposal] return util.generic_brace_config('proposal', proposal)
def phase1_lines(self, remote_endpoint): phase1 = ['%s %s;' % (k, v) for k, v in self.phase1] phase1.extend(self.phase1_proposal_lines()) return util.generic_brace_config('remote %s' % remote_endpoint, phase1)
def to_keepalived(self): return util.generic_brace_config('virtual_server_group %s' % self._name, ["%s %s" % (ip, self._port) for ip in self._ips])
def to_nginx_config(self): config = [] if self.root is not None: config.append('root %s;' % self.root) if self.internal is True: config.append('internal;') if self.expires is not None: if self.cachebust_regex is not None: config.append("if ($request_uri ~ %s) {" % self.cachebust_regex) config.append(" expires %s;" % self.expires) config.append("}") else: config.append("expires %s;" % self.expires) if self.verify_header_presence: config.extend([ 'if ($%s) {' % self.verify_header_presence, 'return 200;', '}', 'return 403;', ]) if self.authenticate != 'none': if self.authenticate == 'ip_or_cert': config.append('satisfy any;') else: config.append('satisfy all;') if 'cert' in self.authenticate: config.append('auth_request /client-cert-check-internal;') if self.mobile is True: config.extend([ "error_page 418 = @mobile;", "set $mobile D;", "if ($http_user_agent ~* '""(iPhone|iPad|iPod|Android|""blackberry|windows (ce|phone))') { set $mobile M; }", # noqa 'if ($request_uri ~* "desktop=true") { set $mobile D; }', 'if ($mobile = M) { return 418; }', 'if ($mobile = D) { rewrite ^ /index.html last; }', ]) if self.try_files is not None: config.append('try_files %s;' % ' '.join(self.try_files)) elif self.try_mobile is True: config.append('try_files /index-mobile.html /index.html =404;') if self.x_accel_redirect is not None: config.extend([ 'set $bork_reproxy_url $upstream_http_x_reproxy_url;', 'set $bork_reproxy_host $upstream_http_x_reproxy_host;', 'proxy_set_header Host $bork_reproxy_host;', ]) self.proxy_pass = '******' if self.proxy_pass is not None: if self.proxy_path is not None: config.append('proxy_pass %s%s;' % (self.proxy_pass, self.proxy_path)) else: config.append('proxy_pass %s;' % self.proxy_pass) if self.client_max_body_size is not None: config.append('client_max_body_size %s;' % self.client_max_body_size) if self.proxy_read_timeout is not None: config.append('proxy_read_timeout %s;' % self.proxy_read_timeout) if self.limit_req_burst is not None: config.append('limit_req zone=one burst=%d;' % self.limit_req_burst) if self.ipfilter is not None: config.extend(self.ipfilter.to_nginx_config()) if self.return_code is not None: config.append('return %s;' % self.return_code) return util.generic_brace_config( 'location %s%s%s' % ( self.match_type, ' ' if self.match_type != '' else '', self.suburl ), config )
def to_nginx_config(self): config = [] for listen in self._listen: for address in listen.addresses: listen_config = ['listen'] listen_address = ('[%s]' % address if isinstance(address, ipaddr.IPv6Address) else str(address)) if listen.port is None: listen_config.append('%s:%s' % ( listen_address, '443' if self.ssl is not None else '80' )) else: listen_config.append('%s:%s' % ( listen_address, listen.port )) if len(self.server_name) == 0: listen_config.append('default_server') if isinstance(address, ipaddr.IPv6Address) and self.catchall is True: listen_config.append('ipv6only=on') if self.ssl is not None and self.catchall is True: listen_config.append('ssl') config.append('%s;' % ' '.join(listen_config)) if len(self.server_name) == 0: config.append("server_name _;") # catchall... else: for server_name in self.server_name: if server_name.fqdn is not None: config.append('server_name %s;' % server_name.fqdn) else: for address in server_name.ipv4: config.append('server_name %s;' % address) for address in server_name.ipv6: config.append('server_name [%s];' % address) if self.index is not None: config.append('index %s;' % self.index) if self.root is not None: config.append('root %s;' % self.root) if self.ssl is not None: config.append('ssl_certificate /etc/ssl/nginx/%s.crt;' % self.ssl) config.append('ssl_certificate_key /etc/ssl/nginx/%s.key;' % self.ssl) if self.hsts_max_age is not None and self.hsts_max_age > 0: config.append('add_header Strict-Transport-Security "max-age=%d;";' % self.hsts_max_age) if self.x_frame_options is not None and self.x_frame_options != '': config.append('add_header X-Frame-Options "%s";' % self.x_frame_options) if self.ssl_client_certificate is not None: config.append('ssl_client_certificate /etc/ssl/nginx/%s.crt;' % self.ssl_client_certificate) if self.ssl_crl is not None: config.append('ssl_crl /etc/ssl/nginx/%s.crl;' % self.ssl_crl) config.append('ssl_verify_client %s;' % self.ssl_verify_client) if len(self.error_page) != 0: for code, uri in self.error_page.items(): config.append('error_page %s %s;' % (code, uri)) if self.redirect is not None: config.append('rewrite ^(.*)$ https://%s$1 permanent;' % self.redirect) if self.mobile is True: location = Location('/') location.match_type = '=' location.mobile = True self.add_location(location) location = Location('@mobile') location.try_mobile = True self.add_location(location) if self.authenticate != 'none': if self._authenticate == 'ip_or_cert': config.append('satisfy any;') else: config.append('satisfy all;') if 'cert' in self.authenticate: config.append('auth_request /client-cert-check-internal;') if 'cert' in self.authenticate: location = Location('/client-cert-check-internal') location.verify_header_presence = 'HTTP-X-Client-Certificate' self.add_location(location) if self.client_max_body_size is not None: config.append('client_max_body_size %s;' % self.client_max_body_size) for location in sorted(self.location, key=lambda l: l.suburl): config.extend(location.to_nginx_config()) if self.ipfilter is not None: config.extend(self.ipfilter.to_nginx_config()) return util.generic_brace_config('server', config)