Added the Postgres and Proxy services. Minor fixes in the docker-compose.

.gitignore

@@ -16,3 +16,4 @@ data*
 
 # DB conf
 services/webapp/db_conf.sh
+services/proxy/certificates

docker-compose.yml

@@ -37,6 +37,15 @@ services:
     ports:
       - "5000:5000"
 
+  postgres:
+    image: "rosetta/postgres"
+    container_name: postgres
+    hostname: postgres
+    environment:
+      - SAFEMODE=False
+    volumes:
+      - ./data_rosetta/postgres/data:/data    
+
   webapp:
     image: "rosetta/webapp"
     container_name: webapp
@@ -50,6 +59,9 @@ services:
       #- ROSETTA_WEBAPP_PORT=8080
       #- LOCAL_DOCKER_REGISTRY_HOST=
       #- LOCAL_DOCKER_REGISTRY_PORT=5000
+      #- DJANGO_EMAIL_APIKEY=""
+      #- DJANGO_EMAIL_FROM="Rosetta Platform <notifications@rosetta.platform>"
+      #- DJANGO_PUBLIC_HTTP_HOST=http://localhost:8080
     ports:
       - "8080:8080"
       - "8000:8590"
@@ -59,7 +71,19 @@ services:
       - ./data_rosetta/webapp/data:/data
       - ./data_rosetta/webapp/log:/var/log/webapp
       - /var/run/docker.sock:/var/run/docker.sock
-      #- ./services/webapp/code:/opt/webapp_code
+      - ./services/webapp/code:/opt/webapp_code
+
+  proxy:
+    image: "rosetta/proxy"
+    container_name: proxy
+    hostname: proxy
+    environment:
+      - SAFEMODE=False
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./data_rosetta/proxy/data:/data    
 
 
 

rosetta/build

@@ -36,7 +36,8 @@ if [[ "x$SERVICE" == "x" ]] ; then
     $BUILD_COMMAND services/slurmclusterworker -t rosetta/slurmclusterworker    
     $BUILD_COMMAND services/dregistry -t rosetta/dregistry
     $BUILD_COMMAND services/webapp -t rosetta/webapp
-
+    $BUILD_COMMAND services/postgres -t rosetta/postgres
+    $BUILD_COMMAND services/proxy -t rosetta/proxy
     
 else
 

rosetta/setup

@@ -7,3 +7,12 @@ if [ ! -f services/webapp/db_conf.sh ]; then
 else
     echo "Not using dev webapp database settings as settings are already present."
 fi
+
+
+# Use dev (local) database for backend
+if [ ! -d services/proxy/certificates ]; then
+    echo "Using dev certificates."
+    cp -a services/proxy/certificates-dev  services/proxy/certificates
+else
+    echo "Not using dev certificates as certificates are already present."
+fi

services/postgres/Dockerfile

+FROM rosetta/base
+MAINTAINER Stefano Alberto Russo <stefano.russo@gmail.com>
+
+# Always start with an apt-get update when extending Reyns images,
+# otherwise apt repositories might get outdated (404 not found)
+# and building without cache does not re-build Reyns services.
+RUN apt-get update
+
+#------------------------
+# Install Postgres 11
+#------------------------
+
+# Add repo
+RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ bionic-pgdg main" >> /etc/apt/sources.list.d/pgdg.list
+RUN wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
+
+RUN apt-get update
+RUN apt-get install -y postgresql-11
+
+# Copy conf 
+RUN mv /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf.or
+COPY pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
+COPY postgresql.conf /etc/postgresql/11/main/postgresql.conf
+
+# Chown conf
+RUN chown -R postgres:postgres /etc/postgresql
+
+# Create user/db script
+COPY create_rosetta_DB_and_user.sql /
+RUN chown postgres:postgres /create_rosetta_DB_and_user.sql
+
+# Prestartup
+COPY prestartup_postgres.sh /prestartup/
+
+#------------------------
+# Postgres on Supervisor
+#------------------------
+
+COPY run_postgres.sh /etc/supervisor/conf.d/
+RUN chmod 755 /etc/supervisor/conf.d/run_postgres.sh
+COPY supervisord_postgres.conf /etc/supervisor/conf.d/
+
+#------------------------
+# Security
+#------------------------
+
+# Disable SSH
+RUN rm /etc/supervisor/conf.d/supervisord_sshd.conf

services/postgres/create_rosetta_DB_and_user.sql

+CREATE DATABASE rosetta;
+CREATE USER rosetta_master WITH PASSWORD '949fa84a';
+ALTER USER rosetta_master CREATEDB;
+GRANT ALL PRIVILEGES ON DATABASE rosetta to rosetta_master;
+\c rosetta
+GRANT CREATE ON SCHEMA PUBLIC TO rosetta_master;

services/postgres/pg_hba.conf

+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local      DATABASE  USER  METHOD  [OPTIONS]
+# host       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local   all             postgres                                peer
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     peer
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            md5
+# IPv6 local connections:
+host    all             all             ::1/128                 md5
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     peer
+host    replication     all             127.0.0.1/32            md5
+host    replication     all             ::1/128                 md5
+
+# Accept from all
+host all all 0.0.0.0/0 trust
+
+# Accept from Docker subnet
+#host all all 172.17.0.0/16 trust
+
+

services/postgres/prestartup_postgres.sh

+#!/bin/bash
+set -e
+
+echo 'Executing Postgres Prestartup'
+
+#------------------------------
+# Postgres-specific (data dir)
+#------------------------------
+
+if [ ! -d "/data/postgres/11" ]; then
+    echo "Data dir does not exist"
+    # Setup /data/postgres
+    mkdir -p /data/postgres
+    chown postgres:postgres  /data/postgres
+    chmod 700 /data/postgres
+
+    # Setup /data/postgres/11
+    mkdir -p /data/postgres/11
+    chown postgres:postgres /data/postgres/11
+    chmod 700 /data/postgres/11
+
+    # Copy files
+    mv /var/lib/postgresql/11/main /data/postgres/11/
+
+    # Create link
+    ln -s /data/postgres/11/main /var/lib/postgresql/11/main
+
+    # Move conf
+    mv /etc/postgresql/11/main/pg_hba.conf /data/postgres
+    ln -s /data/postgres/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
+    chown postgres:postgres /data/postgres/pg_hba.conf
+
+    # Move conf
+    mv /etc/postgresql/11/main/postgresql.conf /data/postgres
+    ln -s /data/postgres/postgresql.conf /etc/postgresql/11/main/postgresql.conf
+    chown postgres:postgres /data/postgres/postgresql.conf
+
+else
+    echo "Data dir does exist"
+    mv /var/lib/postgresql/11/main /var/lib/postgresql/11/main_or
+    ln -s /data/postgres/11/main /var/lib/postgresql/11/main
+
+    mv /etc/postgresql/11/main/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf_or
+    ln -s /data/postgres/pg_hba.conf /etc/postgresql/11/main/pg_hba.conf
+    chown postgres:postgres /data/postgres/pg_hba.conf
+
+    mv /etc/postgresql/11/main/postgresql.conf /etc/postgresql/11/main/postgresql.conf_or
+    ln -s /data/postgres/postgresql.conf /etc/postgresql/11/main/postgresql.conf
+    chown postgres:postgres /data/postgres/postgresql.conf
+
+fi
+
+
+# Check correct permissions. Incorrect permissions might occur when changing base images,
+# as the user "postgres" might get mapped to a differend uid / guid.
+PERMISSIONS=$(ls -alh /data/postgres | grep main | awk '{print $3 ":" $4}')
+if [[ "x$PERMISSIONS" == "xpostgres:postgres" ]] ; then
+    # Everything ok
+    :
+else
+    # Fix permissions
+    chown -R postgres:postgres /data/postgres/
+    #chown -R postgres:postgres /data/postgres/11 
+    #chown -R postgres:postgres /data/postgres/pg_hba.conf  
+    #chown -R postgres:postgres /data/postgres/postgresql.conf
+    chown -R postgres:postgres /var/run/postgresql
+fi
+
+
+# Configure Postgres (create user etc.)
+if [ ! -f /data/postgres/configured_flag ]; then
+    echo 'Configuring as /data/postgres/configured_flag is not found...'   
+    echo "Running postgres server in standalone mode for configuring users..."
+    # Run Postgres. Use > /dev/null or a file, otherwise Reyns prestarup scripts end detection will fail
+    /etc/supervisor/conf.d/run_postgres.sh &> /dev/null &
+
+    # Save PID
+    PID=$!
+
+    echo "PID=$PID"
+
+    # Wait for postgres to become ready (should be improved)
+    sleep 5
+
+    echo 'Creating user/db...'
+    # Execute sql commands for rosetta user/db
+    su postgres -c "psql -f /create_rosetta_DB_and_user.sql"
+
+    # Set configured flag
+    touch /data/postgres/configured_flag
+
+    echo "Stopping Postgres"
+
+    # Stop Postgres
+    kill $PID
+
+    echo "Ok, configured"
+else
+    echo ' Not configuring as /data/postgres/configured_flag is found.'
+fi
+
+
+
+
+
+
+
+

services/postgres/run_postgres.sh

+#!/bin/bash
+
+# This script is run by Supervisor to start PostgreSQL 11 in foreground mode
+# https://github.com/Karumi/docker-sentry/blob/master/conf/run_postgres.sh
+
+if [ -d /var/run/postgresql ]; then
+    chmod 2775 /var/run/postgresql
+else
+    install -d -m 2775 -o postgres -g postgres /var/run/postgresql
+fi
+
+exec su postgres -c "/usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main -c config_file=/etc/postgresql/11/main/postgresql.conf"
\ No newline at end of file

services/postgres/supervisord_postgres.conf

+[program:postgres]
+
+; Process definition
+process_name = postgres
+command      = /etc/supervisor/conf.d/run_postgres.sh
+autostart    = true
+autorestart  = true
+startsecs    = 5
+stopwaitsecs = 10
+
+; Log files
+stdout_logfile          = /var/log/supervisor/%(program_name)s_out.log
+stdout_logfile_maxbytes = 10MB
+stdout_logfile_backups  = 5
+stderr_logfile          = /var/log/supervisor/%(program_name)s_err.log
+stderr_logfile_maxbytes = 10MB
+stderr_logfile_backups  = 5

services/proxy/000-default.conf

+<VirtualHost *:80>
+    # The ServerName directive sets the request scheme, hostname and port that
+    # the server uses to identify itself. This is used when creating
+    # redirection URLs. In the context of virtual hosts, the ServerName
+    # specifies what hostname must appear in the request's Host: header to
+    # match this virtual host. For the default virtual host (this file) this
+    # value is not decisive as it is used as a last resort host regardless.
+    # However, you must set it for any further virtual host explicitly.
+    #ServerName www.example.com
+
+    ServerAdmin webmaster@backfrontend
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+
+    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+    # error, crit, alert, emerg.
+    # It is also possible to configure the loglevel for particular
+    # modules, e.g.
+    #LogLevel info ssl:warn
+
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+    # For most configuration files from conf-available/, which are
+    # enabled or disabled at a global level, it is possible to
+    # include a line for only one particular virtual host. For example the
+    # following line enables the CGI configuration for this host only
+    # after it has been globally disabled with "a2disconf".
+    #Include conf-available/serve-cgi-bin.conf
+    
+    #----------------------------------
+    # Force https except on localhost
+    #----------------------------------
+
+    # This is somehow a bad idea, as
+    #  1) dev env is different than staging/production, and
+    #  2) other roules in 001-proxy.conf are never reached
+
+    #RewriteEngine On
+    #RewriteCond %{HTTPS} off
+    #RewriteCond %{HTTP_HOST} !=localhost
+    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+    
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/ 
+       
+</VirtualHost>
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file

services/proxy/001-proxy.conf

+
+#---------------------------
+#  Rosetta platform 
+#---------------------------
+
+# Non-SSL
+<VirtualHost *:80>
+    ServerName rosetta.platform
+    Redirect 301 / https://rosetta.platform/
+</VirtualHost>
+
+# SSL
+<VirtualHost *:443>
+    
+    ServerName rosetta.platform
+
+    SSLEngine on
+    SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
+    SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
+    SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
+
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+    
+</VirtualHost>
+
+
+#---------------------------
+#  Localhost
+#---------------------------
+
+# Non-SSL 
+<VirtualHost *:80>
+
+    ServerName localhost
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+
+</VirtualHost>
+
+# SSL
+<VirtualHost *:443>
+
+    ServerName localhost
+     
+    SSLEngine on
+
+    SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
+    SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
+    SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
+    #SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+    #SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
+
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+
+</VirtualHost>
+
+
+#---------------------------
+#  Anything
+#---------------------------
+
+# Non-SSL 
+<VirtualHost *:80>
+
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+
+</VirtualHost>
+
+# SSL
+<VirtualHost *:443>
+  
+    SSLEngine on
+
+    SSLCertificateFile /root/certificates/rosetta_platform/rosetta_platform.crt
+    SSLCertificateKeyFile /root/certificates/rosetta_platform/rosetta_platform.key
+    SSLCACertificateFile /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
+    #SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+    #SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
+
+    ProxyPass / http://cloud:8080/
+    ProxyPassReverse / http://cloud:8080/
+
+</VirtualHost>
+
+
+
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
+

services/proxy/Dockerfile

+FROM rosetta/base
+MAINTAINER Stefano Alberto Russo <stefano.russo@gmail.com>
+
+# Always start with an apt-get update when extending Reyns images,
+# otherwise apt repositories might get outdated (404 not found)
+# and building without cache does not re-build Reyns services.
+RUN apt-get update
+
+# Install Apache
+RUN apt-get install -y apache2
+RUN apt-get install apache2-utils
+
+# Copy conf
+COPY supervisord_apache.conf /etc/supervisor/conf.d/
+COPY run_Apache.sh /etc/supervisor/conf.d/
+RUN chmod 755 /etc/supervisor/conf.d/run_Apache.sh
+
+# Enable mod_proxy and SSL
+RUN a2enmod proxy
+RUN a2enmod proxy_http
+RUN sudo a2enmod ssl
+RUN a2enmod rewrite
+RUN a2enmod headers
+RUN a2enmod proxy_wstunnel
+ 
+# Copy and enable conf for proxy
+COPY 001-proxy.conf /etc/apache2/sites-available/
+RUN ln -s /etc/apache2/sites-available/001-proxy.conf /etc/apache2/sites-enabled/001-proxy.conf
+
+# We overwrite default Apache conf as we force https
+COPY 000-default.conf /etc/apache2/sites-available/
+
+# Copy and enable conf for ssl. Not enabling ssl default site causes the first ssl
+# site in sites-avaialbe to be used as default. "Check with apachectl -t -D DUMP_VHOSTS".
+# A custom conf is not really necessary as defaults are ok (it is the original file)
+# Note: not naming this file with "000" causes to load other sites-available before, same problem.
+COPY default-ssl.conf /etc/apache2/sites-available/
+RUN ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
+
+# Copy certificates (snakeoil or real)
+RUN mkdir /certificates
+COPY certificates/rosetta_platform.crt /root/certificates/rosetta_platform/rosetta_platform.crt
+COPY certificates/rosetta_platform.key /root/certificates/rosetta_platform/rosetta_platform.key
+COPY certificates/rosetta_platform.ca-bundle /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
+
+# Copy index and norobots.txt
+COPY index.html /var/www/html/
+COPY norobots.txt /var/www/html/
+
+# Prestartup
+COPY prestartup_proxy.sh /prestartup/
+
+# reyns: expose 80/tcp
+# reyns: expose 443/tcp

services/proxy/certificates-dev/rosetta_platform.crt

+-----BEGIN CERTIFICATE-----
+MIICvjCCAaagAwIBAgIJAM9K5eCAXmjJMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
+BAMTDDAyNWQ5YzY3ZThlZDAeFw0xNzEwMjMxODM2NTdaFw0yNzEwMjExODM2NTda
+MBcxFTATBgNVBAMTDDAyNWQ5YzY3ZThlZDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAMe3pfnmJEpE8GZKRZ/XO034gRlTgmylpmWRQ59wYArujUmNRAB3
+43GsdQvxavponG2x97HKHtDfrPdLycwWxyDFKIQw0e6GY0H4gMBJq5UjA9O7sznF
+Sy1fjUIfhz2tIbBdo1BgW9EUzgq6sKBN8H6RnzSat+DTcP3xzUhkTFS6EPi8MFXw
+gvBlEUWGjjesaaylLfD5/eDPhEeciKN8mlVi4I84QkPgu/O4NHXcqT1LaZUUPojs
+Ca2bq87yyuSQljQby2c/4GqPue2PF3EU3gp051lWbOvTPkPuA0HC5VsDFZKxJHfL
+b5gyN+I1tKjkKe8BpTNmQ8DP5SDi/ut4ltcCAwEAAaMNMAswCQYDVR0TBAIwADAN
+BgkqhkiG9w0BAQsFAAOCAQEACf5KUw0rM9jgyJWa1g2mhGpmqY4aiaMwJrwYYZza
+DtYS2MQoiCyIpO3PHlPfLVHtvrU+5OX+YMPfA1wWRtSWu86Vh+JVU/56ZdEul0y5
+aH1s8aYDaiDJa2ee5MBnqMMNbkcoMLuKens4+uOTTKolJduZNfZI/yk2JQQvMdTi
+qYB7dg/V5fe/lba8OoUjN+m3J4KS/bqEOZ32/PLTHFwv1/z4osXXUEkzD2hQzBR2
+ru2XD/7+oeR729r7YcskHRdJd8LVERQOi0JK1qyr4gEB67JvaCiOFFc6qzwqntdx
+UwVRxLa5KbetgD1Fw/ic+9TNHmB9Y/9mBtpGx8KufWpoYg==
+-----END CERTIFICATE-----

services/proxy/certificates-dev/rosetta_platform.key

+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDHt6X55iRKRPBm
+SkWf1ztN+IEZU4JspaZlkUOfcGAK7o1JjUQAd+NxrHUL8Wr6aJxtsfexyh7Q36z3
+S8nMFscgxSiEMNHuhmNB+IDASauVIwPTu7M5xUstX41CH4c9rSGwXaNQYFvRFM4K
+urCgTfB+kZ80mrfg03D98c1IZExUuhD4vDBV8ILwZRFFho43rGmspS3w+f3gz4RH
+nIijfJpVYuCPOEJD4LvzuDR13Kk9S2mVFD6I7Amtm6vO8srkkJY0G8tnP+Bqj7nt
+jxdxFN4KdOdZVmzr0z5D7gNBwuVbAxWSsSR3y2+YMjfiNbSo5CnvAaUzZkPAz+Ug
+4v7reJbXAgMBAAECggEACG6hjFaCK7yTZc42+FOvBlC6qqYS+KFZ0Cn87+tfsrZ1
+sqhLObXWHYOJgZKU0LO//wWnjpMZD/qRo/NINtyzVZfdaQ9ina6A3FUwom2519cd
+nz/qhkLlNKo3HZaVMC5yIK8jaQ5YchBtzpgpQutnfwCI90CdCNoEiERARZEug9kw
+Km30UM3sh1fAvAQuynkaKKHzxF5j1pnNVDGWZSb3qBN7kTSaR1P6wBKYAJxPj1vP
+rL0PXLGfzkuryAXfgVq8hsYIyg6VwCmaontPItopmH5U9sYo0gB5RLDyv9++n3I6
+lkeSyCqQpGCA6ugiqsO8s4bL0thTi9YLL3ztg+sF8QKBgQDoc8W0ALSY+9YWV8r7
+K+BW0kVzatJmwUdLLEGw2l23ScjS6yQuNlxJCav2+n6bkM73VbM+lSjX1RaFsQty
+52EPefTf+7FADQnk7eanPXvlb1nDKb+vitl6MV5okJBz2jZRNPa7bcpFBUCejdGJ
+VZX32gdsxk+9VPjJQb2Y6tkoOQKBgQDb8vTvufcMiGC2q8Y7XrQ84ZSFHGQUHf4Z
+R909fPGprfWuGQG2/DFEX1R9lCIth+gioWGLrboU5Q7+u2cn81s0zPlZI6Kg2e2Q
+htVYaMSw731yWsilH7j6RftBbYUb/3jZadVT4FbDmxJqeiJVzQXlLJ3C9dExMj0n
+weZM2f4XjwKBgQC/CQZd3IaPg8h6LEShD3obYEu7gvrPf+B7oy+JjKygSX9F+AGQ
+CRTm4Y/2Nf9/Eg9FraTVtfgPCQytasch844NDgl1WoBdR1nuTqXUo+8Cq/R1NAZY
+2h/JEHGqNcTBsYAaVRDBEIW/G4XzyFGAMFpDi2e2uXQnAYJExEZxOfCl4QKBgDIH
+inU47JvaLX1/hwCcIw0yFnFMqur0g4bGlOlWkTWSTy7Bm2U+6gnuUS6bUkbfAgtW
+f/SgmJIGJCoHAIjSzu0sro77DxPdXi8grEiG1C6W2wb25WrB03aCEouoWL2sl5WE
+gDSq87FchYzYqRSxJOUjB+N/vIyfK8/uR+81Kpm7AoGBAJjZ0HGFuOn7FQfg1/gJ
+5jQz3/JvjemQO83xDuh/mczRWNvmeC3H0Few8MfcJuwORQRbZ1e5uTRG9DOOZKOk
+1/fEpJZvXdQxLtITwx6yq/BG857pA0C8rNCW+OzjfhSwbI4rt4COwjnZF8e9Lbi6
+0DANJf8JhgYxKPeUT2au+147
+-----END PRIVATE KEY-----

services/proxy/default-ssl.conf

+<IfModule mod_ssl.c>
+    <VirtualHost _default_:443>
+        ServerAdmin webmaster@localhost
+
+        ProxyPass / http://cloud:8080/
+        ProxyPassReverse / http://cloud:8080/
+
+        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+        # error, crit, alert, emerg.
+        # It is also possible to configure the loglevel for particular
+        # modules, e.g.
+        #LogLevel info ssl:warn
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        # For most configuration files from conf-available/, which are
+        # enabled or disabled at a global level, it is possible to
+        # include a line for only one particular virtual host. For example the
+        # following line enables the CGI configuration for this host only
+        # after it has been globally disabled with "a2disconf".
+        #Include conf-available/serve-cgi-bin.conf
+
+        #   SSL Engine Switch:
+        #   Enable/Disable SSL for this virtual host.
+        SSLEngine on
+
+        #   A self-signed (snakeoil) certificate can be created by installing
+        #   the ssl-cert package. See
+        #   /usr/share/doc/apache2/README.Debian.gz for more info.
+        #   If both key and certificate are stored in the same file, only the
+        #   SSLCertificateFile directive is needed.
+        SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
+        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+        #   Server Certificate Chain:
+        #   Point SSLCertificateChainFile at a file containing the
+        #   concatenation of PEM encoded CA certificates which form the
+        #   certificate chain for the server certificate. Alternatively
+        #   the referenced file can be the same as SSLCertificateFile
+        #   when the CA certificates are directly appended to the server
+        #   certificate for convinience.
+        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+        #   Certificate Authority (CA):
+        #   Set the CA certificate verification path where to find CA
+        #   certificates for client authentication or alternatively one
+        #   huge file containing all of them (file must be PEM encoded)
+        #   Note: Inside SSLCACertificatePath you need hash symlinks
+        #        to point to the certificate files. Use the provided
+        #        Makefile to update the hash symlinks after changes.
+        #SSLCACertificatePath /etc/ssl/certs/
+        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+        #   Certificate Revocation Lists (CRL):
+        #   Set the CA revocation path where to find CA CRLs for client
+        #   authentication or alternatively one huge file containing all
+        #   of them (file must be PEM encoded)
+        #   Note: Inside SSLCARevocationPath you need hash symlinks
+        #        to point to the certificate files. Use the provided
+        #        Makefile to update the hash symlinks after changes.
+        #SSLCARevocationPath /etc/apache2/ssl.crl/
+        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+        #   Client Authentication (Type):
+        #   Client certificate verification type and depth.  Types are
+        #   none, optional, require and optional_no_ca.  Depth is a
+        #   number which specifies how deeply to verify the certificate
+        #   issuer chain before deciding the certificate is not valid.
+        #SSLVerifyClient require
+        #SSLVerifyDepth  10
+
+        #   SSL Engine Options:
+        #   Set various options for the SSL engine.
+        #   o FakeBasicAuth:
+        #    Translate the client X.509 into a Basic Authorisation.  This means that
+        #    the standard Auth/DBMAuth methods can be used for access control.  The
+        #    user name is the `one line' version of the client's X.509 certificate.
+        #    Note that no password is obtained from the user. Every entry in the user
+        #    file needs this password: `xxj31ZMTZzkVA'.
+        #   o ExportCertData:
+        #    This exports two additional environment variables: SSL_CLIENT_CERT and
+        #    SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+        #    server (always existing) and the client (only existing when client
+        #    authentication is used). This can be used to import the certificates
+        #    into CGI scripts.
+        #   o StdEnvVars:
+        #    This exports the standard SSL/TLS related `SSL_*' environment variables.
+        #    Per default this exportation is switched off for performance reasons,
+        #    because the extraction step is an expensive operation and is usually
+        #    useless for serving static content. So one usually enables the
+        #    exportation for CGI and SSI requests only.
+        #   o OptRenegotiate:
+        #    This enables optimized SSL connection renegotiation handling when SSL
+        #    directives are used in per-directory context.
+        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                SSLOptions +StdEnvVars
+        </FilesMatch>
+        <Directory /usr/lib/cgi-bin>
+                SSLOptions +StdEnvVars
+        </Directory>
+
+        #   SSL Protocol Adjustments:
+        #   The safe and default but still SSL/TLS standard compliant shutdown
+        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
+        #   the close notify alert from client. When you need a different shutdown
+        #   approach you can use one of the following variables:
+        #   o ssl-unclean-shutdown:
+        #    This forces an unclean shutdown when the connection is closed, i.e. no
+        #    SSL close notify alert is send or allowed to received.  This violates
+        #    the SSL/TLS standard but is needed for some brain-dead browsers. Use
+        #    this when you receive I/O errors because of the standard approach where
+        #    mod_ssl sends the close notify alert.
+        #   o ssl-accurate-shutdown:
+        #    This forces an accurate shutdown when the connection is closed, i.e. a
+        #    SSL close notify alert is send and mod_ssl waits for the close notify
+        #    alert of the client. This is 100% SSL/TLS standard compliant, but in
+        #    practice often causes hanging connections with brain-dead browsers. Use
+        #    this only for browsers where you know that their SSL implementation
+        #    works correctly.
+        #   Notice: Most problems of broken clients are also related to the HTTP
+        #   keep-alive facility, so you usually additionally want to disable
+        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+        #   "force-response-1.0" for this.
+        BrowserMatch "MSIE [2-6]" \
+                nokeepalive ssl-unclean-shutdown \
+                downgrade-1.0 force-response-1.0
+        # MSIE 7 and newer should be able to use keepalive
+        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+        
+
+    </VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
\ No newline at end of file

services/proxy/norobots.txt

+User-agent: *
+Disallow: /