@@ -1 +1 @@

-stud

+apache2

@@ -2304,6 +2304,16 @@ function stop_service {

     fi

 }

+# Service wrapper to stop services

+# reload_service service-name

+function reload_service {

+    if [ -x /bin/systemctl ]; then

+        sudo /bin/systemctl reload $1

+    else

+        sudo service $1 reload

+    fi

+}

+

 # Test with a finite retry loop.

 #

 function test_with_retry {

@@ -42,24 +42,40 @@ fi

 # Functions

 # ---------

+

+# Enable apache mod and restart apache if it isn't already enabled.

+function enable_apache_mod {

+    local mod=$1

+    # Apache installation, because we mark it NOPRIME

+    if is_ubuntu || is_suse ; then

+        if ! a2query -m $mod ; then

+            sudo a2enmod $mod

+            restart_apache_server

+        fi

+    elif is_fedora; then

+        # pass

+        true

+    else

+        exit_distro_not_supported "apache enable mod"

+    fi

+}

+

 # install_apache_wsgi() - Install Apache server and wsgi module

 function install_apache_wsgi {

     # Apache installation, because we mark it NOPRIME

     if is_ubuntu; then

         # Install apache2, which is NOPRIME'd

         install_package apache2 libapache2-mod-wsgi

-        # WSGI isn't enabled by default, enable it

-        sudo a2enmod wsgi

     elif is_fedora; then

         sudo rm -f /etc/httpd/conf.d/000-*

         install_package httpd mod_wsgi

     elif is_suse; then

         install_package apache2 apache2-mod_wsgi

-        # WSGI isn't enabled by default, enable it

-        sudo a2enmod wsgi

     else

-        exit_distro_not_supported "apache installation"

+        exit_distro_not_supported "apache wsgi installation"

     fi

+    # WSGI isn't enabled by default, enable it

+    enable_apache_mod wsgi

     # ensure mod_version enabled for <IfVersion ...>.  This is

     # built-in statically on anything recent, but precise (2.2)

@@ -192,6 +208,11 @@ function restart_apache_server {

     time_stop "restart_apache_server"

 }

+# reload_apache_server

+function reload_apache_server {

+    reload_service $APACHE_NAME

+}

+

 # Restore xtrace

 $_XTRACE_LIB_APACHE

@@ -305,8 +305,8 @@ function configure_cinder {

     if is_service_enabled tls-proxy; then

         # Set the service port for a proxy to take the original

         iniset $CINDER_CONF DEFAULT osapi_volume_listen_port $CINDER_SERVICE_PORT_INT

-

         iniset $CINDER_CONF DEFAULT public_endpoint $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT

+        iniset $CINDER_CONF DEFAULT osapi_volume_base_URL $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT

     fi

     if [ "$SYSLOG" != "False" ]; then

@@ -534,7 +534,7 @@ function start_cinder {

     # Start proxies if enabled

     if is_service_enabled c-api && is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT &

+        start_tls_proxy cinder '*' $CINDER_SERVICE_PORT $CINDER_SERVICE_HOST $CINDER_SERVICE_PORT_INT

     fi

 }

@@ -383,8 +383,8 @@ function install_glance {

 function start_glance {

     local service_protocol=$GLANCE_SERVICE_PROTOCOL

     if is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT &

-        start_tls_proxy '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT &

+        start_tls_proxy glance-service '*' $GLANCE_SERVICE_PORT $GLANCE_SERVICE_HOST $GLANCE_SERVICE_PORT_INT

+        start_tls_proxy glance-registry '*' $GLANCE_REGISTRY_PORT $GLANCE_SERVICE_HOST $GLANCE_REGISTRY_PORT_INT

     fi

     run_process g-reg "$GLANCE_BIN_DIR/glance-registry --config-file=$GLANCE_CONF_DIR/glance-registry.conf"

@@ -611,8 +611,8 @@ function start_keystone {

     # Start proxies if enabled

     if is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT &

-        start_tls_proxy '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT &

+        start_tls_proxy keystone-service '*' $KEYSTONE_SERVICE_PORT $KEYSTONE_SERVICE_HOST $KEYSTONE_SERVICE_PORT_INT

+        start_tls_proxy keystone-auth '*' $KEYSTONE_AUTH_PORT $KEYSTONE_AUTH_HOST $KEYSTONE_AUTH_PORT_INT

     fi

     # (re)start memcached to make sure we have a clean memcache.

@@ -412,7 +412,7 @@ function start_neutron_api {

     # Start proxy if enabled

     if is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT &

+        start_tls_proxy neutron '*' $NEUTRON_SERVICE_PORT $NEUTRON_SERVICE_HOST $NEUTRON_SERVICE_PORT_INT

     fi

 }

@@ -462,7 +462,7 @@ function start_neutron_service_and_check {

     # Start proxy if enabled

     if is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $Q_PORT $Q_HOST $Q_PORT_INT &

+        start_tls_proxy neutron '*' $Q_PORT $Q_HOST $Q_PORT_INT

     fi

 }

@@ -808,7 +808,7 @@ function start_nova_api {

     # Start proxies if enabled

     if is_service_enabled tls-proxy; then

-        start_tls_proxy '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT &

+        start_tls_proxy nova '*' $NOVA_SERVICE_PORT $NOVA_SERVICE_HOST $NOVA_SERVICE_PORT_INT

     fi

     export PATH=$old_path

@@ -806,7 +806,7 @@ function start_swift {

     done

     if is_service_enabled tls-proxy; then

         local proxy_port=${SWIFT_DEFAULT_BIND_PORT}

-        start_tls_proxy '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT &

+        start_tls_proxy swift '*' $proxy_port $SERVICE_HOST $SWIFT_DEFAULT_BIND_PORT_INT

     fi

     run_process s-proxy "$SWIFT_DIR/bin/swift-proxy-server ${SWIFT_CONF_DIR}/proxy-server.conf -v"

     if [[ ${SWIFT_REPLICAS} == 1 ]]; then

@@ -16,7 +16,6 @@

 #

 # - configure_CA

 # - init_CA

-# - cleanup_CA

 # - configure_proxy

 # - start_tls_proxy

@@ -221,19 +220,6 @@ function init_CA {

     fi

 }

-# Clean up the CA files

-# cleanup_CA

-function cleanup_CA {

-    if is_fedora; then

-        sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem

-        sudo update-ca-trust

-    elif is_ubuntu; then

-        sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt

-        sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt

-        sudo update-ca-certificates

-    fi

-}

-

 # Create an initial server cert

 # init_cert

 function init_cert {

@@ -455,26 +441,72 @@ function enable_mod_ssl {

 # Starts the TLS proxy for the given IP/ports

 # start_tls_proxy front-host front-port back-host back-port

 function start_tls_proxy {

-    local f_host=$1

-    local f_port=$2

-    local b_host=$3

-    local b_port=$4

-

-    stud $STUD_PROTO -f $f_host,$f_port -b $b_host,$b_port $DEVSTACK_CERT 2>/dev/null

+    local b_service="$1-tls-proxy"

+    local f_host=$2

+    local f_port=$3

+    local b_host=$4

+    local b_port=$5

+

+    local config_file

+    config_file=$(apache_site_config_for $b_service)

+    local listen_string

+    # Default apache configs on ubuntu and centos listen on 80 and 443

+    # newer apache seems fine with duplicate listen directive but older

+    # apache does not so special case 80 and 443.

+    if [[ "$f_port" == "80" ]] || [[ "$f_port" == "443" ]]; then

+        listen_string=""

+    elif [[ "$f_host" == '*' ]] ; then

+        listen_string="Listen $f_port"

+    else

+        listen_string="Listen $f_host:$f_port"

+    fi

+    sudo bash -c "cat >$config_file" << EOF

+$listen_string

+

+<VirtualHost $f_host:$f_port>

+    SSLEngine On

+    SSLCertificateFile $DEVSTACK_CERT

+

+    <Location />

+        ProxyPass http://$b_host:$b_port/ retry=5 nocanon

+        ProxyPassReverse http://$b_host:$b_port/

+    </Location>

+</VirtualHost>

+EOF

+    for mod in ssl proxy proxy_http; do

+        enable_apache_mod $mod

+    done

+    enable_apache_site $b_service

+    # Only a reload is required to pull in new vhosts

+    # Note that a restart reliably fails on centos7 and trusty

+    # because apache can't open port 80 because the old apache

+    # still has it open. Using reload fixes trusty but centos7

+    # still doesn't work.

+    reload_apache_server

 }

 # Cleanup Functions

 # =================

-# Stops all stud processes. This should be done only after all services

+# Stops the apache service. This should be done only after all services

 # using tls configuration are down.

 function stop_tls_proxy {

-    killall stud

+    stop_apache_server

 }

-# Remove CA along with configuration, as well as the local server certificate

+# Clean up the CA files

+# cleanup_CA

 function cleanup_CA {

+    if is_fedora; then

+        sudo rm -f /usr/share/pki/ca-trust-source/anchors/devstack-chain.pem

+        sudo update-ca-trust

+    elif is_ubuntu; then

+        sudo rm -f /usr/local/share/ca-certificates/devstack-int.crt

+        sudo rm -f /usr/local/share/ca-certificates/devstack-root.crt

+        sudo update-ca-certificates

+    fi

+

     rm -rf "$DATA_DIR/CA" "$DEVSTACK_CERT"

 }

@@ -1052,6 +1052,7 @@ EOF

     if is_service_enabled tls-proxy; then

         echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early

+        start_tls_proxy http-services '*' 443 $SERVICE_HOST 80

     fi

     source $TOP_DIR/userrc_early