upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-02-09 22:06:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
certbot/certbot-apache/certbot_apache/_internal/constants.py

77 lines
3.3 KiB
Python
Raw Normal View History

Move apache constants/args/IConfig to its subdirectory
2015-04-22 04:32:34 -04:00
"""Apache plugin constants."""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
from typing import List, Dict
Move apache constants/args/IConfig to its subdirectory
2015-04-22 04:32:34 -04:00
import pkg_resources
Make the contents of the apache plugin private (#7579) Part of #5775. Tree: ``` certbot-apache/certbot_apache ├── __init__.py ├── _internal │   ├── apache_util.py │   ├── augeas_lens │   │   ├── httpd.aug │   │   └── README │   ├── centos-options-ssl-apache.conf │   ├── configurator.py │   ├── constants.py │   ├── display_ops.py │   ├── entrypoint.py │   ├── http_01.py │   ├── __init__.py │   ├── obj.py │   ├── options-ssl-apache.conf │   ├── override_arch.py │   ├── override_centos.py │   ├── override_darwin.py │   ├── override_debian.py │   ├── override_fedora.py │   ├── override_gentoo.py │   ├── override_suse.py │   └── parser.py └── tests ├── ... ``` * Create _internal folder for certbot_apache * Move apache_util.py to _internal * Move display_ops.py to _internal * Move override_centos.py to _internal * Move override_gentoo.py to _internal * Move override_darwin.py to _internal * Move override_suse.py to _internal * Move override_debian.py to _internal * Move override_fedora.py to _internal * Move override_arch.py to _internal * Move parser.py to _internal * Move obj.py to _internal * Move http_01.py to _internal * Move entrypoint.py to _internal * Move constants.py to _internal * Move configurator.py to _internal * Move augeas_lens to _internal * Move options-ssl-apache.conf files to _internal * move augeas_lens in MANIFEST * Clean up some stray references to certbot_apache that could use _internal * Correct imports and lint
2019-11-25 12:44:40 -05:00
from certbot.compat import os
Don't allow user supplied mod_ssl conf destination (fixes #451).
2015-06-01 20:14:10 -04:00
MOD_SSL_CONF_DEST = "options-ssl-apache.conf"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the mod_ssl config file as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Move apache constants/args/IConfig to its subdirectory
2015-04-22 04:32:34 -04:00
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-apache-conf-digest.txt"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the hash of the updated or informed mod_ssl_conf as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
Disable TLS session tickets for Apache 2.4.11+ (#7191) * Implement the logic * Update tests * Fix lint and changelog * Update configurator.py * Move the TLS configs in a dedicated folder. Fix the formalism of their naming and location. * Improve existing test to check all TLS config have their hash registered in Certbot * Corrections after review * Improve a test * Remove commented useless lines in TLS configs * Add a nice warning. Because I am nice. * Fix lint * Add a test
2019-07-29 15:54:51 -04:00
# NEVER REMOVE A SINGLE HASH FROM THIS LIST UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING!
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
ALL_SSL_OPTIONS_HASHES: List[str] = [
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
'2086bca02db48daf93468332543c60ac6acdb6f0b58c7bfdf578a5d47092f82a',
'4844d36c9a0f587172d9fa10f4f1c9518e3bcfa1947379f155e16a70a728c21a',
Finish work on #4718. * Update in response to changes in #4720. * Update ALL_SSL_OPTIONS_HASHES. * Add warning to Apache's SSL options files.
2017-06-01 12:12:50 -04:00
'5a922826719981c0a234b1fbcd495f3213e49d2519e845ea0748ba513044b65b',
'4066b90268c03c9ba0201068eaa39abbc02acf9558bb45a788b630eb85dadf27',
'f175e2e7c673bd88d0aff8220735f385f916142c44aa83b09f1df88dd4767a88',
'cfdd7c18d2025836ea3307399f509cfb1ebf2612c87dd600a65da2a8e2f2797b',
update Apache ciphersuites (#5383)
2018-01-09 10:46:21 -05:00
'80720bd171ccdc2e6b917ded340defae66919e4624962396b992b7218a561791',
'c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082',
Disable TLS session tickets for Apache 2.4.11+ (#7191) * Implement the logic * Update tests * Fix lint and changelog * Update configurator.py * Move the TLS configs in a dedicated folder. Fix the formalism of their naming and location. * Improve existing test to check all TLS config have their hash registered in Certbot * Corrections after review * Improve a test * Remove commented useless lines in TLS configs * Add a nice warning. Because I am nice. * Fix lint * Add a test
2019-07-29 15:54:51 -04:00
'717b0a89f5e4c39b09a42813ac6e747cfbdeb93439499e73f4f70a1fe1473f20',
'0fcdc81280cd179a07ec4d29d3595068b9326b455c488de4b09f585d5dafc137',
'86cc09ad5415cd6d5f09a947fe2501a9344328b1e8a8b458107ea903e80baa6c',
'06675349e457eae856120cdebb564efe546f0b87399f2264baeb41e442c724c7',
Disable old SSL versions and ciphersuites to follow Mozilla recommendations in Apache (#7712) Part of #7204. Makes the smaller changes described at https://github.com/certbot/certbot/issues/7204#issuecomment-571838185 to disable many old ciphersuites and TLS versions < 1.2. Does not add checks for OpenSSL version or modify session tickets. Since Apache uses TLS protocol blacklisting instead of whitelisting (as in NGINX), we additionally may not need to determine if the server supports TLS1.3 and turn it on or off based on Apache version. * Update SSL versions and ciphersuites based on Mozilla intermediate recommendations for apache * Update constants with hashes of new config files * Update changelog
2020-01-24 16:37:42 -05:00
'5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
'007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity
2020-03-23 19:49:52 -04:00
'34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
]
"""SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
constants.AUGEAS_LENS_DIR
2015-11-04 15:12:39 -05:00
AUGEAS_LENS_DIR = pkg_resources.resource_filename(
Make the contents of the apache plugin private (#7579) Part of #5775. Tree: ``` certbot-apache/certbot_apache ├── __init__.py ├── _internal │   ├── apache_util.py │   ├── augeas_lens │   │   ├── httpd.aug │   │   └── README │   ├── centos-options-ssl-apache.conf │   ├── configurator.py │   ├── constants.py │   ├── display_ops.py │   ├── entrypoint.py │   ├── http_01.py │   ├── __init__.py │   ├── obj.py │   ├── options-ssl-apache.conf │   ├── override_arch.py │   ├── override_centos.py │   ├── override_darwin.py │   ├── override_debian.py │   ├── override_fedora.py │   ├── override_gentoo.py │   ├── override_suse.py │   └── parser.py └── tests ├── ... ``` * Create _internal folder for certbot_apache * Move apache_util.py to _internal * Move display_ops.py to _internal * Move override_centos.py to _internal * Move override_gentoo.py to _internal * Move override_darwin.py to _internal * Move override_suse.py to _internal * Move override_debian.py to _internal * Move override_fedora.py to _internal * Move override_arch.py to _internal * Move parser.py to _internal * Move obj.py to _internal * Move http_01.py to _internal * Move entrypoint.py to _internal * Move constants.py to _internal * Move configurator.py to _internal * Move augeas_lens to _internal * Move options-ssl-apache.conf files to _internal * move augeas_lens in MANIFEST * Clean up some stray references to certbot_apache that could use _internal * Correct imports and lint
2019-11-25 12:44:40 -05:00
"certbot_apache", os.path.join("_internal", "augeas_lens"))
constants.AUGEAS_LENS_DIR
2015-11-04 15:12:39 -05:00
"""Path to the Augeas lens directory"""
load augeas httpd lens from inside of lets encrypt
2015-11-02 19:22:58 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
REWRITE_HTTPS_ARGS: List[str] = [
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
"^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,NE,R=permanent]"]
Pep8 love
2016-01-14 06:25:15 -05:00
"""Apache version<2.3.9 rewrite rule arguments used for redirections to
https vhost"""
Add HSTS header enhancement to Apache
2015-11-06 17:31:30 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
REWRITE_HTTPS_ARGS_WITH_END: List[str] = [
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
"^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,NE,R=permanent]"]
delete unneeded tests
2015-12-01 19:16:13 -05:00
"""Apache version >= 2.3.9 rewrite rule arguments used for redirections to
alter redirect_verification to raise only when an exact Letsencrypt redirction rewrite rule is encountered
2015-12-01 19:05:15 -05:00
https vhost"""
Generalized http-header enhancement
2015-11-07 23:37:57 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
OLD_REWRITE_HTTPS_ARGS: List[List[str]] = [
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
["^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,QSA,R=permanent]"],
["^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,QSA,R=permanent]"]]
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
HSTS_ARGS: List[str] = ["always", "set", "Strict-Transport-Security",
Pep8 love
2016-01-14 06:25:15 -05:00
"\"max-age=31536000\""]
Add HSTS header enhancement to Apache
2015-11-06 17:31:30 -05:00
"""Apache header arguments for HSTS"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
UIR_ARGS: List[str] = ["always", "set", "Content-Security-Policy", "upgrade-insecure-requests"]
Generalized http-header enhancement
2015-11-07 23:37:57 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
HEADER_ARGS: Dict[str, List[str]] = {
"Strict-Transport-Security": HSTS_ARGS, "Upgrade-Insecure-Requests": UIR_ARGS,
}
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_STEPS: List[int] = [60, 300, 900, 3600, 21600, 43200, 86400]
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""AutoHSTS increase steps: 1min, 5min, 15min, 1h, 6h, 12h, 24h"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_PERMANENT: int = 31536000
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Value for the last max-age of HSTS"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_FREQ: int = 172800
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Minimum time since last increase to perform a new one: 48h"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
MANAGED_COMMENT: str = "DO NOT REMOVE - Managed by Certbot"
MANAGED_COMMENT_ID: str = MANAGED_COMMENT + ", VirtualHost id: {0}"
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Managed by Certbot comments and the VirtualHost identification template"""
Reference in a new issue Copy permalink