| 1 | #!/usr/bin/python | 
|---|
| 2 | # | 
|---|
| 3 | # Converts an apacheConfig record from LDAP, as used by mod_vhost_ldap, | 
|---|
| 4 | # into a <VirtualHost> record as used in an Apache conf.d directory. | 
|---|
| 5 | # Useful for adding things like SSL server certs that mod_vhost_ldap | 
|---|
| 6 | # doesn't support. | 
|---|
| 7 | # | 
|---|
| 8 | # Usage: | 
|---|
| 9 | # scripts# cd /etc/httpd/vhosts.d | 
|---|
| 10 | # scripts# ./reify-vhost.py geofft > geofft.conf | 
|---|
| 11 | # scripts# service httpd graceful | 
|---|
| 12 | #  | 
|---|
| 13 | # Geoffrey Thomas <geofft@mit.edu>, 2008, public domain. | 
|---|
| 14 |  | 
|---|
| 15 | # Note: As of 1/2011 we are inserting SSLCertificateKeyFile into reified | 
|---|
| 16 | # hosts, because previously-acquired certificates were signed with an | 
|---|
| 17 | # older (1024-bit) key. Sometime around 2014 when our last cert with | 
|---|
| 18 | # this key expires, we can update /etc/httpd/conf/httpd.conf to point to | 
|---|
| 19 | # the current key instead of the old one, and stop inserting this into | 
|---|
| 20 | # individual vhost records. -geofft | 
|---|
| 21 |  | 
|---|
| 22 | import ldap | 
|---|
| 23 | import ldap.filter | 
|---|
| 24 | import pwd | 
|---|
| 25 | import sys | 
|---|
| 26 |  | 
|---|
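__all__ = ["render_vhost", "main"]

# The directory is consulted over the local ldapi socket with an anonymous
# bind: the lookup is read-only and the script itself is run as root (see
# the usage above), so nothing here needs credentials.  The flip side is
# that everything read back is unauthenticated data that ends up in a
# config httpd runs with -- hence the validation below.
LDAP_URI = "ldapi://%2fvar%2frun%2fslapd-scripts.socket/"
VHOSTS_BASE_DN = "ou=VirtualHosts,dc=scripts,dc=mit,dc=edu"
# Both %s slots are filled by ldap.filter.filter_format, which escapes the
# operator-supplied hostname so it cannot change the filter's structure.
VHOST_FILTER = ("(&(objectClass=apacheConfig)"
                "(|(apacheServerName=%s)"
                "(apacheServerAlias=%s)))")

# Characters allowed in one label of a hostname.  The hostname from the
# command line is spliced into a certificate path and a ServerName-style
# argument below, so "/", "..", whitespace or a newline (which would start
# a new Apache directive) must never get through.
_LABEL_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

# The generated config.  %(hname)s is the name given on the command line,
# which names the certificate file; the other fields come from the LDAP
# record and the suexec user's passwd entry.  SSLCertificateKeyFile is
# emitted per vhost for the reason given in the header comment.  Nothing
# is quoted, so every interpolated value is checked to be a bare token
# first.  Note that the existence of the certificate file is not checked.
_VHOST_TEMPLATE = """# do not trailing-slash DocumentRoot

<VirtualHost *:80>
        ServerName %(servername)s
        %(serveralias)s
        DocumentRoot %(docroot)s
        Alias /~%(uname)s %(homedir)s/web_scripts
        SuExecUserGroup %(uname)s %(uname)s
        Include conf.d/vhosts-common.conf
</VirtualHost>

<IfModule ssl_module>
        <VirtualHost *:443>
                ServerName %(servername)s
                %(serveralias)s
                DocumentRoot %(docroot)s
                Alias /~%(uname)s %(homedir)s/web_scripts
                SuExecUserGroup %(uname)s %(uname)s
                Include conf.d/vhosts-common-ssl.conf
                SSLCertificateFile /etc/pki/tls/certs/%(hname)s.pem
                SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
        </VirtualHost>
        <VirtualHost *:444>
                ServerName %(servername)s
                %(serveralias)s
                DocumentRoot %(docroot)s
                Alias /~%(uname)s %(homedir)s/web_scripts
                SuExecUserGroup %(uname)s %(uname)s
                Include conf.d/vhosts-common-ssl.conf
                Include conf.d/vhosts-common-ssl-cert.conf
                SSLCertificateFile /etc/pki/tls/certs/%(hname)s.pem
                SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
        </VirtualHost>
</IfModule>"""


def _die(message):
    """Report *message* on stderr and exit non-zero.

    stdout is the config file (the usage redirects it), so diagnostics must
    never go there, and a failed run must not exit 0 and leave the operator
    with an empty or partial .conf.
    """
    sys.stderr.write("reify-vhost: %s\n" % message)
    sys.exit(1)


def _is_hostname(name):
    """Return True if *name* is a syntactically valid DNS hostname.

    Each label may contain only ASCII letters, digits and hyphens, may not
    start or end with a hyphen, and the usual length limits apply (63 per
    label, 253 overall).  A trailing dot is rejected because it would also
    end up in the certificate path.
    """
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if not label or len(label) > 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not _LABEL_CHARS.issuperset(label):
            return False
    return True


def _is_bare_token(value):
    """Return True if *value* is safe as an unquoted Apache directive argument.

    A value containing whitespace or a control character would be split
    into several arguments or -- with a newline -- start a new directive;
    quotes and backslashes are rejected as well since Apache gives them
    meaning while parsing.  Refusing such values is better than emitting a
    config httpd reads differently from what the LDAP record says.
    """
    if not value:
        return False
    for ch in value:
        if ord(ch) <= 32 or ord(ch) == 127 or ch in '"\\':
            return False
    return True


def _text(value):
    """Return an LDAP attribute value as a native str.

    python-ldap 3 returns bytes; the python-ldap 2 / Python 2 combination
    this script was written for returns str.  Accept both.
    """
    if isinstance(value, bytes) and not isinstance(value, str):
        return value.decode("utf-8")
    return value


def _attr(entry, name):
    """Return all values of attribute *name* in *entry* as a list of str.

    A missing attribute yields an empty list.
    """
    return [_text(v) for v in entry.get(name, [])]


def render_vhost(entry, host, user):
    """Render the <VirtualHost> config for one apacheConfig record.

    Args:
        entry: the attribute dict of the LDAP entry (the second element of
            a search_s result tuple); values may be str or bytes.
        host: the hostname given on the command line.  It names the
            certificate file, so it must be the name clients connect with
            -- which may be a ServerAlias of the record rather than its
            ServerName.
        user: the pwd entry of the record's suexec user.

    Returns:
        The config text, newline-terminated.

    Raises:
        ValueError: if apacheServerName or apacheDocumentRoot is missing,
            or if *host* or any record value cannot be placed in an
            unquoted Apache directive without changing the config's meaning.
    """
    if not _is_hostname(host):
        raise ValueError("%r is not a valid hostname" % (host,))
    servernames = _attr(entry, "apacheServerName")
    docroots = _attr(entry, "apacheDocumentRoot")
    if not servernames:
        raise ValueError("record has no apacheServerName")
    if not docroots:
        raise ValueError("record has no apacheDocumentRoot")
    servername = servernames[0]
    docroot = docroots[0]
    aliases = _attr(entry, "apacheServerAlias")
    for value in [servername, docroot] + aliases:
        if not _is_bare_token(value):
            raise ValueError(
                "value %r cannot be used unquoted in an Apache directive"
                % (value,))
    serveralias = ""
    if aliases:
        serveralias = "ServerAlias " + " ".join(aliases)
    return _VHOST_TEMPLATE % {
        "servername": servername,
        "serveralias": serveralias,
        "docroot": docroot,
        "uname": user.pw_name,
        "homedir": user.pw_dir,
        "hname": host,
    } + "\n"


def _lookup(host):
    """Return the (dn, entry) of the single apacheConfig record for *host*.

    Exits via _die when no record matches, or when more than one does: the
    output carries a SuExecUserGroup, so silently picking the first match
    of an ambiguous query is not acceptable.
    """
    conn = ldap.initialize(LDAP_URI)
    try:
        conn.simple_bind_s("", "")
        results = conn.search_s(
            VHOSTS_BASE_DN,
            ldap.SCOPE_SUBTREE,
            ldap.filter.filter_format(VHOST_FILTER, [host, host]))
    finally:
        conn.unbind_s()
    # search_s can return referral entries with a None dn; they are not records.
    results = [(dn, entry) for dn, entry in results if dn is not None]
    if not results:
        _die("no apacheConfig record matches %s" % host)
    if len(results) > 1:
        _die("%d apacheConfig records match %s (%s); fix the directory first"
             % (len(results), host, ", ".join(dn for dn, _ in results)))
    return results[0]


def main(argv):
    """Entry point: ``reify-vhost.py HOSTNAME`` writes the config to stdout."""
    if len(argv) != 2:
        _die("usage: %s HOSTNAME > HOSTNAME.conf" % argv[0])
    host = argv[1]
    if not _is_hostname(host):
        _die("%r is not a valid hostname" % (host,))
    dn, entry = _lookup(host)
    uids = _attr(entry, "apacheSuexecUid")
    if not uids:
        _die("%s has no apacheSuexecUid" % dn)
    try:
        user = pwd.getpwuid(int(uids[0]))
    except (ValueError, KeyError):
        _die("%s: apacheSuexecUid %r is not a known uid" % (dn, uids[0]))
    try:
        sys.stdout.write(render_vhost(entry, host, user))
    except ValueError as err:
        _die("%s: %s" % (dn, err))


if __name__ == "__main__":
    main(sys.argv)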
| 86 |  | 
|---|
| 87 | # vim: set ts=4 sw=4 et: | 
|---|