-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(nix): Startup/configure apache for renegotiate test under nix #4592
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If apache configuration is distribution specific, and can't be run with nix without a lot of assumptions, what is the benefit of running it with nix? Would another option be to just run apache in our ubuntu18 CI before running the renegotiate test with nix? If apache can only be run with nix on ubuntu18 anyway, I don't see much of a difference.
tests/integrationv2/apache2/nix/conf-enabled/localized-error-pages.conf
Outdated
Show resolved
Hide resolved
Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com>
Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com>
We discussed this offline. I was confused - the ubuntu18 configuration was used, but this should work with other environments using nix as well. |
Co-authored-by: Sam Clark <3758302+goatgoose@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this necessary? Wouldn't we just want the defaults?
Co-authored-by: Lindsay Stewart <stewart.r.lindsay@gmail.com>
SSLCipherSuite HIGH:!aNULL | ||
SSLProtocol all -SSLv3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this configuration needed? How does it interact with the site-specific configuration?
s2n-tls/codebuild/bin/apache2/sites-enabled/renegotiate.conf
Lines 33 to 37 in aacb0ab
SSLProtocol -ALL +TLSv1.2 | |
SSLHonorCipherOrder On | |
SSLCipherSuite HIGH:!aNULL:!MD5 | |
SSLCompression Off | |
SSLInsecureRenegotiation Off |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should only apply to the *:443/
default site
AddCharset ISO-8859-5 .iso8859-5 .cyr .iso-ru | ||
AddCharset ISO-8859-6 .iso8859-6 .arb .arabic | ||
AddCharset ISO-8859-7 .iso8859-7 .grk .greek | ||
AddCharset ISO-8859-8 .iso8859-8 .heb .hebrew |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no idea what most of these character sets are, but since we now only support english (and spanish?), why include the obviously non-english ones?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trimmed it down some more.
AddLanguage en .en | ||
# es is ecmascript in /etc/mime.types | ||
RemoveType es | ||
AddLanguage es .es |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does our integ test server need spanish :P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't - removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless this has to match some default, can we at least remove the commented out lines? This is almost 2k lines of config I don't think we understand or have really thought about. The most exotic type our integ test server needs is probably json...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trimmed the comments from mime.types
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still think we can get the apache config more focused and minimal (especially mime.types), but this is fine.
Resolved issues:
Partial for #3841
Description of changes:
This PR adds an Apache configuration and startup for the nix devShell, so the integration test renegotiate_apache will pass.
Call-outs:
Apache modules and configuration are somewhat distribution specific, in our current CI setup.
Instead of trying to patch/alter a distribution's apache configs, I've cat'ed together the minimum setup to get the renegotiate_apache test to pass, with as few configuration files as possible.
Testing:
Adhoc codebuild job of just the renegotiate_apache test.
How is this change tested (unit tests, fuzz tests, etc.)? locally, CI
Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.