mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-23 00:25:18 +00:00
Added uWSGI support and documentation
This commit is contained in:
parent
d024f778f8
commit
10a329c0fe
113
README.rst
113
README.rst
@ -45,6 +45,12 @@ To install Certidude:
|
|||||||
apt-get install python3 python3-dev build-essential
|
apt-get install python3 python3-dev build-essential
|
||||||
pip3 install certidude
|
pip3 install certidude
|
||||||
|
|
||||||
|
Create a user for ``certidude``:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
useradd certidude
|
||||||
|
|
||||||
|
|
||||||
Setting up CA
|
Setting up CA
|
||||||
--------------
|
--------------
|
||||||
@ -87,11 +93,80 @@ Use web interface or following to sign a certificate on Certidude server:
|
|||||||
certidude sign client-hostname-or-common-name
|
certidude sign client-hostname-or-common-name
|
||||||
|
|
||||||
|
|
||||||
Streaming push support
|
Production deployment
|
||||||
----------------------
|
---------------------
|
||||||
|
|
||||||
|
Unstall uWSGI:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
apt-get install uwsgi uwsgi-plugin-python3
|
||||||
|
|
||||||
|
Configure uUWSGI application in ``/etc/uwsgi/apps-available/certidude.ini``:
|
||||||
|
|
||||||
|
.. code:: ini
|
||||||
|
|
||||||
|
[uwsgi]
|
||||||
|
master = true
|
||||||
|
processes = 1
|
||||||
|
vaccum = true
|
||||||
|
uid = certidude
|
||||||
|
gid = certidude
|
||||||
|
plugins = python34
|
||||||
|
pidfile = /run/certidude/api/uwsgi.pid
|
||||||
|
socket = /run/certidude/api/uwsgi.sock
|
||||||
|
chdir = /tmp
|
||||||
|
module = certidude.wsgi
|
||||||
|
callable = app
|
||||||
|
chmod-socket = 660
|
||||||
|
chown-socket = certidude:www-data
|
||||||
|
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%s
|
||||||
|
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%s
|
||||||
|
|
||||||
|
Also enable the application:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
ln -s ../apps-available/certidude.ini /etc/uwsgi/apps-enabled/certidude.ini
|
||||||
|
|
||||||
We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module>`_,
|
We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module>`_,
|
||||||
configure it as follows to enable real-time responses to events:
|
configure the site in /etc/nginx/sites-available.d/certidude:
|
||||||
|
|
||||||
|
.. code::
|
||||||
|
|
||||||
|
upstream certidude_api {
|
||||||
|
server unix:///run/uwsgi/app/certidude/socket;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name localhost;
|
||||||
|
listen 80 default_server;
|
||||||
|
listen [::]:80 default_server ipv6only=on;
|
||||||
|
|
||||||
|
location ~ /event/publish/(.*) {
|
||||||
|
allow 127.0.0.1; # Allow publishing only from this IP address
|
||||||
|
push_stream_publisher admin;
|
||||||
|
push_stream_channels_path $1;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /event/subscribe/(.*) {
|
||||||
|
push_stream_channels_path $1;
|
||||||
|
push_stream_subscriber long-polling;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
include uwsgi_params;
|
||||||
|
uwsgi_pass certidude_api;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Enable the site:
|
||||||
|
|
||||||
|
.. code:: bash
|
||||||
|
|
||||||
|
ln -s ../sites-available.d/certidude.ini /etc/nginx/sites-enabled.d/certidude
|
||||||
|
|
||||||
|
Also adjust ``/etc/nginx/nginx.conf``:
|
||||||
|
|
||||||
.. code::
|
.. code::
|
||||||
|
|
||||||
@ -117,36 +192,12 @@ configure it as follows to enable real-time responses to events:
|
|||||||
error_log /var/log/nginx/error.log;
|
error_log /var/log/nginx/error.log;
|
||||||
gzip on;
|
gzip on;
|
||||||
gzip_disable "msie6";
|
gzip_disable "msie6";
|
||||||
|
include /etc/nginx/sites-enabled.d/*;
|
||||||
server {
|
|
||||||
listen 80 default_server;
|
|
||||||
listen [::]:80 default_server ipv6only=on;
|
|
||||||
server_name localhost;
|
|
||||||
|
|
||||||
location ~ /event/publish/(.*) {
|
|
||||||
allow 127.0.0.1; # Allow publishing only from this IP address
|
|
||||||
push_stream_publisher admin;
|
|
||||||
push_stream_channels_path $1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /event/subscribe/(.*) {
|
Restart the services:
|
||||||
push_stream_channels_path $1;
|
|
||||||
push_stream_subscriber long-polling;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /api/ {
|
|
||||||
proxy_pass http://127.0.0.1:9090/api/;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
For ``butterknife serve`` export environment variables:
|
|
||||||
|
|
||||||
.. code:: bash
|
.. code:: bash
|
||||||
|
|
||||||
export CERTIDUDE_EVENT_PUBLISH = "http://localhost/event/publish/%s"
|
service uwsgi restart
|
||||||
export CERTIDUDE_EVENT_SUBSCRIBE = "http://localhost/event/subscribe/%s"
|
service nginx restart
|
||||||
certidude server -p 9090
|
|
||||||
|
@ -755,6 +755,7 @@ def certidude_serve(user, port, listen, enable_signature):
|
|||||||
|
|
||||||
class ThreadingWSGIServer(ThreadingMixIn, WSGIServer):
|
class ThreadingWSGIServer(ThreadingMixIn, WSGIServer):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
click.echo("Listening on %s:%d" % (listen, port))
|
click.echo("Listening on %s:%d" % (listen, port))
|
||||||
|
|
||||||
app = falcon.API()
|
app = falcon.API()
|
||||||
|
26
certidude/wsgi.py
Normal file
26
certidude/wsgi.py
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
|
||||||
|
|
||||||
|
import falcon
|
||||||
|
from certidude.wrappers import CertificateAuthorityConfig
|
||||||
|
from certidude.api import CertificateAuthorityResource, \
|
||||||
|
RequestDetailResource, RequestListResource, \
|
||||||
|
SignedCertificateDetailResource, SignedCertificateListResource, \
|
||||||
|
RevocationListResource, IndexResource, ApplicationConfigurationResource, \
|
||||||
|
CertificateStatusResource
|
||||||
|
|
||||||
|
# TODO: deduplicate routing code
|
||||||
|
# TODO: set up /run/certidude/api paths and permissions
|
||||||
|
|
||||||
|
config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")
|
||||||
|
|
||||||
|
app = falcon.API()
|
||||||
|
app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
|
||||||
|
app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
|
||||||
|
app.add_route("/api/{ca}/certificate/", CertificateAuthorityResource(config))
|
||||||
|
app.add_route("/api/{ca}/revoked/", RevocationListResource(config))
|
||||||
|
app.add_route("/api/{ca}/signed/{cn}/", SignedCertificateDetailResource(config))
|
||||||
|
app.add_route("/api/{ca}/signed/", SignedCertificateListResource(config))
|
||||||
|
app.add_route("/api/{ca}/request/{cn}/", RequestDetailResource(config))
|
||||||
|
app.add_route("/api/{ca}/request/", RequestListResource(config))
|
||||||
|
app.add_route("/api/{ca}/", IndexResource(config))
|
||||||
|
|
5
setup.py
5
setup.py
@ -5,7 +5,7 @@ from setuptools import setup
|
|||||||
|
|
||||||
setup(
|
setup(
|
||||||
name = "certidude",
|
name = "certidude",
|
||||||
version = "0.1.2",
|
version = "0.1.3",
|
||||||
author = u"Lauri Võsandi",
|
author = u"Lauri Võsandi",
|
||||||
author_email = "lauri.vosandi@gmail.com",
|
author_email = "lauri.vosandi@gmail.com",
|
||||||
description = "Certidude is a novel X.509 Certificate Authority management tool aiming to support PKCS#11 and in far future WebCrypto.",
|
description = "Certidude is a novel X.509 Certificate Authority management tool aiming to support PKCS#11 and in far future WebCrypto.",
|
||||||
@ -24,7 +24,8 @@ setup(
|
|||||||
"netifaces",
|
"netifaces",
|
||||||
"pyopenssl",
|
"pyopenssl",
|
||||||
"pycountry",
|
"pycountry",
|
||||||
"humanize"
|
"humanize",
|
||||||
|
"pycrypto"
|
||||||
],
|
],
|
||||||
scripts=[
|
scripts=[
|
||||||
"misc/certidude"
|
"misc/certidude"
|
||||||
|
Loading…
Reference in New Issue
Block a user