
Added uWSGI support and documentation

This commit is contained in:
Lauri Võsandi 2015-07-27 15:30:50 +03:00
parent d024f778f8
commit 10a329c0fe
4 changed files with 125 additions and 46 deletions


@ -45,6 +45,12 @@ To install Certidude:
apt-get install python3 python3-dev build-essential apt-get install python3 python3-dev build-essential
pip3 install certidude pip3 install certidude
Create a user for ``certidude``:
.. code:: bash
useradd certidude
Setting up CA Setting up CA
-------------- --------------
@ -87,11 +93,80 @@ Use web interface or following to sign a certificate on Certidude server:
certidude sign client-hostname-or-common-name certidude sign client-hostname-or-common-name
Streaming push support Production deployment
---------------------- ---------------------
Unstall uWSGI:
.. code:: bash
apt-get install uwsgi uwsgi-plugin-python3
Configure uUWSGI application in ``/etc/uwsgi/apps-available/certidude.ini``:
.. code:: ini
[uwsgi]
master = true
processes = 1
vaccum = true
uid = certidude
gid = certidude
plugins = python34
pidfile = /run/certidude/api/uwsgi.pid
socket = /run/certidude/api/uwsgi.sock
chdir = /tmp
module = certidude.wsgi
callable = app
chmod-socket = 660
chown-socket = certidude:www-data
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%s
Also enable the application:
.. code:: bash
ln -s ../apps-available/certidude.ini /etc/uwsgi/apps-enabled/certidude.ini
We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module>`_, We support `nginx-push-stream-module <https://github.com/wandenberg/nginx-push-stream-module>`_,
configure it as follows to enable real-time responses to events: configure the site in /etc/nginx/sites-available.d/certidude:
.. code::
upstream certidude_api {
server unix:///run/uwsgi/app/certidude/socket;
}
server {
server_name localhost;
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
location ~ /event/publish/(.*) {
allow 127.0.0.1; # Allow publishing only from this IP address
push_stream_publisher admin;
push_stream_channels_path $1;
}
location ~ /event/subscribe/(.*) {
push_stream_channels_path $1;
push_stream_subscriber long-polling;
}
location / {
include uwsgi_params;
uwsgi_pass certidude_api;
}
}
Enable the site:
.. code:: bash
ln -s ../sites-available.d/certidude.ini /etc/nginx/sites-enabled.d/certidude
Also adjust ``/etc/nginx/nginx.conf``:
.. code:: .. code::
@ -117,36 +192,12 @@ configure it as follows to enable real-time responses to events:
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
gzip on; gzip on;
gzip_disable "msie6"; gzip_disable "msie6";
include /etc/nginx/sites-enabled.d/*;
server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name localhost;
location ~ /event/publish/(.*) {
allow 127.0.0.1; # Allow publishing only from this IP address
push_stream_publisher admin;
push_stream_channels_path $1;
} }
location ~ /event/subscribe/(.*) { Restart the services:
push_stream_channels_path $1;
push_stream_subscriber long-polling;
}
location /api/ {
proxy_pass http://127.0.0.1:9090/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
For ``butterknife serve`` export environment variables:
.. code:: bash .. code:: bash
export CERTIDUDE_EVENT_PUBLISH = "http://localhost/event/publish/%s" service uwsgi restart
export CERTIDUDE_EVENT_SUBSCRIBE = "http://localhost/event/subscribe/%s" service nginx restart
certidude server -p 9090
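Review bot: In the nginx `location ~ /event/publish/(.*)` block, `allow 127.0.0.1;` on its own does not restrict anything — nginx's access module only rejects requests that hit a matching `deny` rule, so the publisher endpoint remains reachable from every client unless the block also carries `deny all;` after the allow (the removed nginx.conf snippet had the same shape, so this is pre-existing rather than introduced here). The socket paths also disagree: the uWSGI ini binds `socket = /run/certidude/api/uwsgi.sock` while the upstream points at `unix:///run/uwsgi/app/certidude/socket`, and the enable step links `../sites-available.d/certidude.ini` although the site was written to `/etc/nginx/sites-available.d/certidude`. Smaller slips in the same hunk: `Unstall`, `uUWSGI`, and `vaccum = true` (the uWSGI option is spelled `vacuum`); `plugins = python34` may not match the plugin name shipped by `uwsgi-plugin-python3`, which is worth confirming on the target distribution.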


@ -755,6 +755,7 @@ def certidude_serve(user, port, listen, enable_signature):
class ThreadingWSGIServer(ThreadingMixIn, WSGIServer): class ThreadingWSGIServer(ThreadingMixIn, WSGIServer):
pass pass
click.echo("Listening on %s:%d" % (listen, port)) click.echo("Listening on %s:%d" % (listen, port))
app = falcon.API() app = falcon.API()

26
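--- /dev/null
+++ b/certidude/wsgi.py
+import falcon
+from certidude.wrappers import CertificateAuthorityConfig
+from certidude.api import CertificateAuthorityResource, \
+RequestDetailResource, RequestListResource, \
+SignedCertificateDetailResource, SignedCertificateListResource, \
+RevocationListResource, IndexResource, ApplicationConfigurationResource, \
+CertificateStatusResource
+# TODO: deduplicate routing code
+# TODO: set up /run/certidude/api paths and permissions
+config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")
+app = falcon.API()
+app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))
+app.add_route("/api/{ca}/signed/{cn}/openvpn", ApplicationConfigurationResource(config))
+app.add_route("/api/{ca}/certificate/", CertificateAuthorityResource(config))
+app.add_route("/api/{ca}/revoked/", RevocationListResource(config))
+app.add_route("/api/{ca}/signed/{cn}/", SignedCertificateDetailResource(config))
+app.add_route("/api/{ca}/signed/", SignedCertificateListResource(config))
+app.add_route("/api/{ca}/request/{cn}/", RequestDetailResource(config))
+app.add_route("/api/{ca}/request/", RequestListResource(config))
+app.add_route("/api/{ca}/", IndexResource(config))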
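Review bot: `config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")` fixes the CA configuration path at import time, so the uWSGI deployment the README describes cannot point the application at a different config without editing the module; reading it from the environment the same way the event URLs are passed, e.g. `config = CertificateAuthorityConfig(os.environ.get("<CONFIG_ENV_VAR_PLACEHOLDER>", "/etc/ssl/openssl.cnf"))` (with `import os`), keeps the current default while making the override explicit. The route table repeats the one `certidude_serve` builds in the other changed file, as the first TODO acknowledges; a shared `build_app(config)` helper used by both entry points would keep them in sync so a route added to one cannot silently be missing from the other. A short module docstring saying that this is the uWSGI entry point (`module = certidude.wsgi`, `callable = app`) and that every resource is instantiated at import, under whatever uid the server runs as, would help the next reader.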


@ -5,7 +5,7 @@ from setuptools import setup
setup( setup(
name = "certidude", name = "certidude",
version = "0.1.2", version = "0.1.3",
author = u"Lauri Võsandi", author = u"Lauri Võsandi",
author_email = "lauri.vosandi@gmail.com", author_email = "lauri.vosandi@gmail.com",
description = "Certidude is a novel X.509 Certificate Authority management tool aiming to support PKCS#11 and in far future WebCrypto.", description = "Certidude is a novel X.509 Certificate Authority management tool aiming to support PKCS#11 and in far future WebCrypto.",
@ -24,7 +24,8 @@ setup(
"netifaces", "netifaces",
"pyopenssl", "pyopenssl",
"pycountry", "pycountry",
"humanize" "humanize",
"pycrypto"
], ],
scripts=[ scripts=[
"misc/certidude" "misc/certidude"
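Review bot: The new `"pycrypto"` requirement ties the project to a library that appears unmaintained and has had no release for a long time; `pycryptodome` provides the same `Crypto` package namespace and is the usual drop-in replacement, so switching before callers depend on the name avoids a later migration. The list is also unpinned, so `pip3 install certidude` from the README pulls whatever version is current at install time; a bound such as `"pycrypto>=<VERSION_PLACEHOLDER>"` would make installs reproducible. The `setup(` call continues outside the hunk.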