Support optional parameter to not enable ssl
This server can be started in two different ways:
1. Via systemd socket, which can itself come in two different paths:
a. Direct bind to external HTTPS port 443
b. Reverse proxy to local port like 8081
2. Via command line call
This commit keeps backward compatibility and allows this new --no-ssl
option to be passed in when using a proxy.
Change-Id: I713b53e492862684eb6db45c602ce3c9e8e2f453
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/servers/gevent/phosphor-gevent b/servers/gevent/phosphor-gevent
index 5fa26fd..54e788b 100644
--- a/servers/gevent/phosphor-gevent
+++ b/servers/gevent/phosphor-gevent
@@ -27,11 +27,23 @@
except ImportError:
have_wsock = False
+# Parameters
+# <wsgi application> REQUIRED Application to import and run (e.g. rest_dbus)
+# <--no-ssl> OPTIONAL Don't use SSL
+#
+# NOTE: If not activated via a systemd socket then this server will bind
+# by default to all address's at port 443 or 80(--no-ssl)
if __name__ == '__main__':
+
if len(sys.argv) < 2:
sys.stderr.write('WSGI application required!')
sys.exit(1)
+ if (len(sys.argv) > 2) and (sys.argv[2] == "--no-ssl"):
+ use_ssl = False
+ else:
+ use_ssl = True
+
exec('from obmc.wsgi.apps.%s import App' % sys.argv[1])
default_cert = os.path.join(
@@ -42,20 +54,27 @@
kw['have_wsock'] = True
app = App(**kw)
- # ECDH - Allow Elliptic Curve Diffie Hellman
- # kDH - Allow Key Exchange algorithm as Diffie Hellman
- # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
- # kRSA - Allow Key Exchange algorithm as RSA
- # !SSLv3 - Disallows any ciphers specific to SSLv3
- # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
- # !aNULL - Disallows anonymous authentication or no authentication
- # !eNULL - Disallows connection with NULL encryption
- # !LOW - Disallows any low strength ciphers
- # !MEDIUM- Disallows medium strength ciphers
+ # repurpose for WSGIServer usage below
+ kw = {}
- ssl_ciphers = (
- 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
- )
+ if use_ssl:
+ # ECDH - Allow Elliptic Curve Diffie Hellman
+ # kDH - Allow Key Exchange algorithm as Diffie Hellman
+ # kEDH - Allow Key Exchange algorithm as Ephemeral Diffie Hellman
+ # kRSA - Allow Key Exchange algorithm as RSA
+ # !SSLv3 - Disallows any ciphers specific to SSLv3
+ # !SSLv2 - Disallows any ciphers specific to SSLv2 protocol
+ # !aNULL - Disallows anonymous authentication or no authentication
+ # !eNULL - Disallows connection with NULL encryption
+ # !LOW - Disallows any low strength ciphers
+ # !MEDIUM- Disallows medium strength ciphers
+
+ kw['ciphers'] = (
+ 'ECDH:kDH:kEDH:kRSA:!SSLv3:!SSLv2:!aNULL:!eNULL:!LOW:!MEDIUM:@STRENGTH'
+ )
+
+ kw['keyfile'] = default_cert
+ kw['certfile'] = default_cert
if os.environ.get('LISTEN_PID', None) == str(os.getpid()):
FIRST_SYSTEMD_SOCKET_FD = 3
@@ -63,12 +82,14 @@
gevent.socket.AF_INET,
gevent.socket.SOCK_STREAM)
else:
- bind = ('', 443)
+ if use_ssl:
+ bind = ('', 443)
+ else:
+ bind = ('', 80)
- kw = {}
if have_wsock:
kw['handler_class'] = WebSocketHandler
- server = WSGIServer(
- bind, app, keyfile=default_cert, certfile=default_cert,
- ciphers=ssl_ciphers, **kw)
+
+ server = WSGIServer( bind, app, **kw )
+
server.serve_forever()