+"""Plugin for authenticating directly out of Varnish's VCL."""
+import os
+import logging
+import re
+import subprocess
+
+import zope.component
+import zope.interface
+
+from acme import challenges
+
+from letsencrypt import errors
+from letsencrypt import interfaces
+from letsencrypt.plugins import common
+
+
+logger = logging.getLogger(__name__)
+
+def vcl_recv_line(achall):
+ # Don't bother checking for the right host, we could be coming in through a redirect.
+ return 'if (req.url == "/%s/%s") { return (synth(999, "Challenge")); } # Added by letsencrypt Varnish plugin for authentication\n' % (achall.URI_ROOT_PATH, achall.chall.encode("token"))
+
+def vcl_synth_line(validation):
+ return 'if (resp.status == 999) { set resp.status = 200; set resp.http.Content-Type = "text/plain"; synthetic("%s"); return (deliver); } # Added by letsencrypt Varnish plugin for authentication\n' % (validation);
+
+class Authenticator(common.Plugin):
+ zope.interface.implements(interfaces.IAuthenticator)
+ zope.interface.classProvides(interfaces.IPluginFactory)
+ hidden = True
+
+ description = "Manual configuration, authentication via Varnish VCL"
+
+ def __init__(self, *args, **kwargs):
+ super(Authenticator, self).__init__(*args, **kwargs)
+ self._httpd = None
+
+ def prepare(self): # pylint: disable=missing-docstring,no-self-use
+ pass # pragma: no cover
+
+ def more_info(self): # pylint: disable=missing-docstring,no-self-use
+ return ("")
+
+ def get_chall_pref(self, domain):
+ # pylint: disable=missing-docstring,no-self-use,unused-argument
+ return [challenges.HTTP01]
+
+ def perform(self, achalls): # pylint: disable=missing-docstring
+ responses = []
+ for achall in achalls:
+ responses.append(self._perform_single(achall))
+ return responses
+
+ def _perform_single(self, achall):
+ # same path for each challenge response would be easier for
+ # users, but will not work if multiple domains point at the
+ # same server: default command doesn't support virtual hosts
+ response, validation = achall.response_and_validation()
+
+ with open("/etc/varnish/default.vcl") as vcl:
+ content = vcl.readlines()
+
+ self.old_content = content
+
+ found_vcl_recv = False
+ found_vcl_synth = False
+ new_content = []
+ for line in content:
+ if re.search("# Added by letsencrypt Varnish plugin", line):
+ # Don't include this line; left by a previous run.
+ continue
+ new_content.append(line)
+ if re.search("^sub\s+vcl_recv\s+{\s*$", line):
+ new_content.append(vcl_recv_line(achall))
+ found_vcl_recv = True
+ if re.search("^sub\s+vcl_synth\s+{\s*$", line):
+ new_content.append(vcl_synth_line(validation))
+ found_vcl_synth = True
+
+ if not found_vcl_recv:
+ new_content.append("sub vcl_recv { # Added by letsencrypt Varnish plugin for authentication\n")
+ new_content.append(vcl_recv_line(achall))
+ new_content.append("} # Added by letsencrypt Varnish plugin for authentication\n")
+
+ if not found_vcl_synth:
+ new_content.append("sub vcl_synth { # Added by letsencrypt Varnish plugin for authentication\n")
+ new_content.append(vcl_synth_line(validation))
+ new_content.append("} # Added by letsencrypt Varnish plugin for authentication\n")
+
+ with open("/etc/varnish/default.vcl", "w") as vcl:
+ vcl.writelines(new_content)
+
+ subprocess.call(["systemctl", "reload", "varnish.service"])
+
+ if response.simple_verify(
+ achall.chall, achall.domain,
+ achall.account_key.public_key(), self.config.http01_port):
+ return response
+ else:
+ logger.error(
+ "Self-verify of challenge failed, authorization abandoned!")
+ return None
+
+ def cleanup(self, achalls):
+ # pylint: disable=missing-docstring,no-self-use,unused-argument
+ with open("/etc/varnish/default.vcl", "w") as vcl:
+ vcl.writelines(self.old_content)
+
+ subprocess.call(["systemctl", "reload", "varnish.service"])
projects / letsencrypt-varnish-plugin / commitdiff