tis-remote-repo-nginx
1.3.2-25
Package for installing nginx for remote repositories agents
4255 downloads

- package : tis-remote-repo-nginx
- name : Remote Repository NGINX
- version : 1.3.2-25
- categories : System and network
- maintainer : WAPT Team,Tranquil IT,Hubert TOUVET,Evan BLAUDY,Jimmy PELÉ
- installed_size :
- editor :
- licence :
- signature_date : 2023-01-07T16:00:08.380254
- size : 11.00 Ko
- locale : all
- target_os : linux
- impacted_process :
- architecture : all
- Homepage : https://www.wapt.fr/en/doc/wapt-replication/index.html
- Depends :
package : tis-remote-repo-nginx
version : 1.3.2-25
architecture : all
section : base
priority : optional
name : Remote Repository NGINX
categories : System and network
maintainer : WAPT Team,Tranquil IT,Hubert TOUVET,Evan BLAUDY,Jimmy PELÉ
description : Package for installing nginx for remote repositories agents
depends : tis-remote-repo-conf
conflicts :
maturity : PROD
locale : all
target_os : linux
min_wapt_version : 2.0
sources : https://nginx.org/en/download.html
installed_size :
impacted_process :
description_fr : Paquet pour l'installation de nginx pour les agents de dépôts à distance
description_pl : Pakiet do instalacji nginx dla agentów zdalnych repozytoriów
description_de : Paket zur Installation von nginx für Agenten für entfernte Repositories
description_es : Paquete para instalar nginx para agentes de repositorios remotos
description_pt : Pacote para instalação de nginx para agentes de repositórios remotos
description_it : Pacchetto per l'installazione di nginx per gli agenti dei repository remoti
description_nl : Pakket voor het installeren van nginx voor remote repositories agents
description_ru : Пакет для установки nginx для агентов удаленных репозиториев
audit_schedule :
editor :
keywords :
licence :
homepage : https://www.wapt.fr/en/doc/wapt-replication/index.html
package_uuid : 0a636ade-3a18-4f3a-ad0c-92e2f64117df
valid_from :
valid_until :
forced_install_on :
changelog : https://nginx.org/en/CHANGES
min_os_version :
max_os_version :
icon_sha256sum : cc84c091e5b69b2c2c902cba5f4e34ff5e71494f3f3d376fb640d5b68d242a56
signer : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature : LaSnIsn0gWFwSlmcGttEgquuXRbE27CdBxx8vPcCByFGKvNGQekZF3Q2CdV4bdtxEgQNyvsDRfopI1/5m2YuwGfmlaqlHAWr6AXCqp0tzPluE/dmCj/JJWtcS7veBVSgYWAZGlGYKAsBrKS/TyiYn+phg5Fva6+2f5bKhB41XaOG1p/GQoYG+uHc658CmuLgMHYo0mXyp5K2uc2lhO4iwuYyTx+24/JmpDHVbv08JKLJObSNG8xanXNPn+WiSTqsy2Eh1Oi2+TK/C++xEHRmrYc2nWN9LQeT+9bpFvy2tXL+2gqVG6ZBcNUNwREc9vbM/pkrZLLag19OSXkr/ZLujw==
signature_date : 2023-01-07T16:00:08.380254
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
# -*- coding: utf-8 -*-
from setuphelpers import *
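def install():
    """Install nginx and configure it to serve the local WAPT repository.

    Steps, in order: install the distribution's nginx package, create the
    waptservice ``nginx``/``scripts`` directories, apply SELinux rules on
    RedHat-type systems when SELinux is enabled, create the DH parameter
    file, clean the stock ``nginx.conf``, render the ``wapt.conf`` virtual
    host, create a self-signed key/certificate when one is missing, validate
    the configuration with ``nginx -t``, enable and restart the service, and
    finally try to open ports 80 and 443 in firewalld.

    Raises:
        Exception: when ``grp`` cannot be imported (not a Linux host) or the
            distribution is neither Debian-type nor RedHat-type.
    """
    import re
    import shlex
    import nginxparser
    import jinja2
    import datetime
    import subprocess
    from waptcrypto import SSLCertificate, SSLPrivateKey

    try:
        import grp
    except ImportError:
        # grp is POSIX-only; its absence is used as the "not Linux" signal.
        raise Exception("This package have to be installed on Linux")

    def generate_dhparam(NGINX_GID):
        """Create the DH parameter file if missing; set it to root:<nginx group>, mode 0640."""
        dh_filename = "/etc/ssl/certs/dhparam.pem"
        if not os.path.exists(dh_filename):
            print(run("openssl dhparam -out %s 2048" % dh_filename))
        # Applied on every run so a pre-existing file also gets the expected owner and mode.
        os.chown(dh_filename, 0, NGINX_GID)  # pylint: disable=no-member
        os.chmod(dh_filename, 0o640)  # pylint: disable=no-member

    def selinux_rules(local_repo):
        """SELinux httpd security rules"""
        run("setsebool -P httpd_can_network_connect 1")
        run("setsebool -P httpd_setrlimit on")
        for sepath in ("wapt", "wapt-host", "waptwua", "wads"):
            path = makepath(local_repo, sepath)
            mkdirs(path)
            # local_repo is read from the agent configuration file and ends up
            # in a command string run as root, so quote it instead of trusting
            # it to be free of spaces or shell metacharacters.
            fcontext_spec = shlex.quote("%s(/.*)?" % path)
            try:
                run("semanage fcontext -a -t httpd_sys_content_t %s" % fcontext_spec)
            except Exception:
                # Adding failed (presumably the rule already exists): modify it instead.
                run("semanage fcontext -m -t httpd_sys_content_t %s" % fcontext_spec)
            run("restorecon -R -v %s" % shlex.quote(path))

    def nginx_set_worker_limit(nginx_conf):
        """Insert ``worker_rlimit_nofile 32768`` unless the directive is already present."""
        already_set = False
        for entries in nginx_conf:
            if entries[0] == "worker_rlimit_nofile":
                print("Nginx - worker_rlimit_nofile already set")
                already_set = True
        if not already_set:
            nginx_conf.insert(3, ["worker_rlimit_nofile", "32768"])
        return nginx_conf

    def make_httpd_config(waptservice_dir, fqdn, local_repo):
        """Render the wapt.conf virtual host and make sure a TLS key and certificate exist."""
        ssl_dir = makepath(waptservice_dir, "nginx", "ssl")
        scripts_dir = makepath(waptservice_dir, "scripts")
        wapt_ssl_key_file = makepath(ssl_dir, "key.pem")
        wapt_ssl_cert_file = makepath(ssl_dir, "cert.pem")

        # Write the nginx configuration fragment.
        jinja_env = jinja2.Environment(loader=jinja2.FileSystemLoader(scripts_dir))
        template = jinja_env.get_template("wapt.nginxconfig.template")
        # NOTE(review): force_https is off and ports 80 and 443 are both opened
        # by setup_firewall(), so the vhost presumably also answers over plain
        # HTTP; confirm against the template that this is intended.
        template_vars = {
            "wapt_repository_path": local_repo,
            "windows": False,
            "debian": type_debian(),
            "redhat": type_redhat(),
            "force_https": False,
            "wapt_ssl_key_file": wapt_ssl_key_file,
            "wapt_ssl_cert_file": wapt_ssl_cert_file,
            "fqdn": fqdn,
            "use_ssl_client_auth": False,
            "clients_signing_certificate": False,
            "server_tokens": "off",
        }
        print("Nginx - creating wapt.conf virtualhost")
        config_string = template.render(template_vars)

        if type_debian():
            dst_file_path = "/etc/nginx/sites-available/wapt.conf"
            # lexists() also sees a dangling symlink (the target is only written
            # below), which exists() misses and which would make "ln -s" fail.
            if not os.path.lexists("/etc/nginx/sites-enabled/wapt.conf"):
                print(run("ln -s /etc/nginx/sites-available/wapt.conf /etc/nginx/sites-enabled/wapt.conf"))
            if os.path.exists("/etc/nginx/sites-enabled/default"):
                os.unlink("/etc/nginx/sites-enabled/default")
        elif type_redhat():
            dst_file_path = "/etc/nginx/conf.d/wapt.conf"
        else:
            # Fail with a clear message rather than a NameError on dst_file_path.
            raise Exception("Distribution not supported yet")

        # Explicit encoding so the result does not depend on the service locale.
        with open(dst_file_path, "wt", encoding="utf-8") as dst_file:
            dst_file.write(config_string)

        def issue_certificate(key):
            """Build a self-signed certificate for fqdn with *key* and save it."""
            crt = key.build_sign_certificate(cn=fqdn, dnsname=fqdn, is_code_signing=False)
            print("Create X509 cert %s" % wapt_ssl_cert_file)
            crt.save_as_pem(wapt_ssl_cert_file)

        # Create keys for https:// access. An existing key + certificate pair is
        # left untouched, so a certificate installed by the administrator survives.
        if not os.path.exists(wapt_ssl_key_file) or not os.path.exists(wapt_ssl_cert_file):
            print("Nginx - generate self-signed certs")
            key = SSLPrivateKey(wapt_ssl_key_file)
            key_created = not os.path.isfile(wapt_ssl_key_file)
            if key_created:
                print("Create SSL RSA Key %s" % wapt_ssl_key_file)
                key.create()
                # NOTE(review): confirm save_as_pem() writes the private key with
                # owner-only permissions; nothing in this function restricts
                # access to key.pem or to the ssl directory.
                key.save_as_pem()

            if os.path.isfile(wapt_ssl_cert_file):
                # A certificate left over from a previous key cannot be served
                # with a freshly generated key (nginx rejects the mismatched
                # pair), so it is rotated even when its CN still matches.
                if key_created or SSLCertificate(wapt_ssl_cert_file).cn != fqdn:
                    os.rename(
                        wapt_ssl_cert_file,
                        "%s-%s.old" % (wapt_ssl_cert_file, "{:%Y%m%d-%Hh%Mm%Ss}".format(datetime.datetime.now())),
                    )
                    issue_certificate(key)
            else:
                issue_certificate(key)

    def nginx_clean_default_vhost(nginx_conf):
        """Remove every ``server`` block found directly inside the ``http`` block."""
        for entry in nginx_conf:
            if entry[0] == ["http"]:
                # Iterate over a copy: removing from the list being iterated
                # skips the element that follows each removed one, which left
                # every second consecutive server block in place.
                for subentry in list(entry[1]):
                    if subentry[0] == ["server"]:
                        print("Nginx - removing default vhost")
                        entry[1].remove(subentry)
        return nginx_conf

    def enable_nginx():
        """Enable the nginx unit at boot."""
        print(run("systemctl enable nginx"))

    def restart_nginx():
        """Restart nginx so the new configuration is loaded."""
        print(run("systemctl restart nginx"))

    def nginx_cleanup():
        """Rewrite /etc/nginx/nginx.conf with the worker limit set and default vhosts removed."""
        with open("/etc/nginx/nginx.conf", "r") as read_conf:
            nginx_conf = nginxparser.load(read_conf)
        nginx_conf = nginx_set_worker_limit(nginx_conf)
        nginx_conf = nginx_clean_default_vhost(nginx_conf)
        with open("/etc/nginx/nginx.conf", "w") as nginx_conf_file:
            nginx_conf_file.write(nginxparser.dumps(nginx_conf))

    def setup_firewall():
        """Add permanent rules for firewalld"""
        if type_redhat():
            # NOTE(review): if run() raises when firewalld is not running, the
            # offline branch below is never reached; confirm and, if so, test
            # "firewall-cmd --state" before listing ports.
            output = run("firewall-cmd --list-ports")
            if "443/tcp" in output and "80/tcp" in output:
                print("Firewall already configured, skipping firewalld configuration")
            # subprocess.DEVNULL instead of an open() handle that was never closed.
            elif subprocess.call(["firewall-cmd", "--state"], stdout=subprocess.DEVNULL) == 0:
                run("firewall-cmd --permanent --add-port=443/tcp")
                run("firewall-cmd --permanent --add-port=80/tcp")
                run("firewall-cmd --reload")
            else:
                run("firewall-offline-cmd --add-port=443/tcp")
                run("firewall-offline-cmd --add-port=80/tcp")

    print("Install nginx to permit WAPTAgent to become a repository")
    if type_debian():
        install_apt("nginx")
        NGINX_GID = grp.getgrnam("www-data").gr_gid
    elif type_redhat():
        install_yum("nginx")
        NGINX_GID = grp.getgrnam("nginx").gr_gid
    else:
        raise Exception("Distribution not supported yet")

    print("Create WAPTService directories for nginx")
    for dirname in ["nginx", "scripts"]:
        mkdirs(makepath(WAPT.wapt_base_dir, "waptservice", dirname))
    mkdirs(makepath(WAPT.wapt_base_dir, "waptservice", "nginx", "ssl"))
    copytree2("scripts", makepath(WAPT.wapt_base_dir, "waptservice", "scripts"), onreplace=default_overwrite)

    # Fall back to <wapt_base_dir>/repository when the agent configuration has no local_repo_path.
    local_repo = inifile_readstring(WAPT.config_filename, "repo-sync", "local_repo_path") or makepath(WAPT.wapt_base_dir, "repository")

    # SELinux rules for CentOS/RedHat
    if type_redhat():
        if re.match("^SELinux status:.*enabled", run("sestatus")):
            print("Redhat/Centos detected, tweaking SELinux rules")
            selinux_rules(local_repo)
            print("Nginx - SELinux correctly configured for Nginx reverse proxy")

    fqdn = get_fqdn()

    # Nginx configuration
    generate_dhparam(NGINX_GID)
    nginx_cleanup()
    make_httpd_config(makepath(WAPT.wapt_base_dir, "waptservice"), fqdn, local_repo)

    print("Testing NGINX configuration")
    run("nginx -t")
    enable_nginx()
    restart_nginx()

    # Firewall setup stays best-effort, but a failure is reported instead of
    # being dropped, so an operator can see why the ports were not opened.
    try:
        setup_firewall()
    except Exception as firewall_error:
        print("Firewall configuration skipped: %s" % firewall_error)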
68286f0f9f9ceb0ee28813d69ce950496b049bf14828a4d58e6eca3de6308e93 : setup.py
201fb8f3d2d6f21d7ed177afe64e7919b93c2ff0eb0e9b6f9fc1f44efc0860ae : scripts/wapt.nginxconfig.template
cc84c091e5b69b2c2c902cba5f4e34ff5e71494f3f3d376fb640d5b68d242a56 : WAPT/icon.png
a5a97261381e1d0ad46ee15916abec9c2631d0201f5cc50ceb0197a165a0bbbf : WAPT/certificate.crt
f84269f72d762e0f29f06fc9488c7ecb84840cc16efe0c3c07b9dd36bb9d7b74 : WAPT/changelog.txt
a0290a4e6ae3ffebf06f79d783dfe1d7203a59eef4da3e29bf35f943632971fd : luti.json
3fdfe1a959f8d5ce96a64184967f8c9c19a2e213fd5ead9d41dd423fc9aebeac : nginxparser.py
d2566297b958030e50e5dd239c5928e7f072616c5cf0b6ae67f64ad34c58a8f1 : WAPT/control
1.3.2-25
===
adding option server_tokens=off