diff --git a/datafiles/opennsa.conf b/datafiles/opennsa.conf
index 3d42e4350d8b573e6371eae20b0f9b1d20b18894..8e2669b9d50db9b66d67df125880fcb030bfee94 100644
--- a/datafiles/opennsa.conf
+++ b/datafiles/opennsa.conf
@@ -16,6 +16,9 @@
 # host=example.org
 # port=9443
 
+## in a proxied setup specify base_url
+# base_url=https://opennsa.example.domain/
+
 ## security settings
 
 #tls=true # defaults to true
diff --git a/opennsa/config.py b/opennsa/config.py
index 5fc080ab100c102a82a3215478ff7ac96c780d67..90ba7e5a9a8e11853b366b057d4855305e81adfc 100644
--- a/opennsa/config.py
+++ b/opennsa/config.py
@@ -44,6 +44,7 @@ LOG_FILE = 'logfile'
 HOST = 'host'
 PORT = 'port'
 TLS = 'tls'
+BASE_URL = 'base_url'
 REST = 'rest'
 NRM_MAP_FILE = 'nrmmap'
 PEERS = 'peers'
@@ -309,6 +310,21 @@ class Config(object):
         vc[TLS] = cfg.getboolean(BLOCK_SERVICE, TLS, fallback=DEFAULT_TLS)
         vc[PORT] = cfg.getint(BLOCK_SERVICE, PORT, fallback=DEFAULT_TLS_PORT if vc[TLS] else DEFAULT_TCP_PORT)
 
+        try:
+            vc[BASE_URL] = cfg.get(BLOCK_SERVICE, BASE_URL)
+        except configparser.NoOptionError:
+            vc[BASE_URL] = None
+
+        try:
+            vc[KEY] = cfg.get(BLOCK_SERVICE, KEY)
+        except configparser.NoOptionError:
+            vc[KEY] = None
+
+        try:
+            vc[CERTIFICATE] = cfg.get(BLOCK_SERVICE, CERTIFICATE)
+        except configparser.NoOptionError:
+            vc[CERTIFICATE] = None
+
         try:
             policies = cfg.get(BLOCK_SERVICE, POLICY).split(',')
             for policy in policies:
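Review bot: The three new try/except blocks can use the `fallback=` form that the `TLS` and `PORT` lines directly above already use, e.g. `vc[BASE_URL] = cfg.get(BLOCK_SERVICE, BASE_URL, fallback=None)`, and the same for `KEY` and `CERTIFICATE`. `base_url` is also stored as-is, although opennsa/setup.py later uses it to build the advertised service endpoints; checking here that it parses as an http(s) URL with a host would reject a typo at startup instead of publishing a broken endpoint. The enclosing method starts and ends outside the hunk.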
@@ -350,18 +366,19 @@ class Config(object):
         # tls
         if vc[TLS]:
             try:
-                hostkey = cfg.get(BLOCK_SERVICE, KEY)
-                hostcert = cfg.get(BLOCK_SERVICE, CERTIFICATE)
-
-                if not os.path.exists(hostkey):
+                if not vc[KEY]:
                     raise ConfigurationError(
-                        'Specified hostkey does not exist (%s)' % hostkey)
-                if not os.path.exists(hostcert):
+                        'must specify a key when TLS is enabled')
+                elif not os.path.exists(vc[KEY]):
                     raise ConfigurationError(
-                        'Specified hostcert does not exist (%s)' % hostcert)
+                        'Specified key does not exist (%s)' % vc[KEY])
 
-                vc[KEY] = hostkey
-                vc[CERTIFICATE] = hostcert
+                if not vc[CERTIFICATE]:
+                    raise ConfigurationError(
+                        'must specify a certificate when TLS is enabled')
+                elif not os.path.exists(vc[CERTIFICATE]):
+                    raise ConfigurationError(
+                        'Specified certificate does not exist (%s)' % vc[CERTIFICATE])
 
                 try:
                     allowed_hosts_cfg = cfg.get(BLOCK_SERVICE, ALLOWED_HOSTS)
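Review bot: The path checks for key and certificate are still inside `if vc[TLS]:`, but `setupTLSContext` in opennsa/setup.py now builds the 2-way context whenever both values are set, so with `tls=false` a wrong key or certificate path reaches the TLS context unchecked. Running the existence checks whenever a value is configured, and keeping only the 'must specify' errors TLS-only, would close that gap. `os.path.exists` also accepts a directory; `elif not os.path.isfile(vc[KEY]):` and the same for `vc[CERTIFICATE]` is the tighter test. The `try:` opened above continues past the hunk, so its except clauses are not visible here.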
diff --git a/opennsa/setup.py b/opennsa/setup.py
index 198c34a65193b018aa0594695f10d2d26caa088c..e1624fa90ad762fc10beeab2d26dcfd14867a620 100644
--- a/opennsa/setup.py
+++ b/opennsa/setup.py
@@ -99,20 +99,16 @@ def setupBackend(backend_cfg, network_name, nrm_ports, parent_requester):
 
 def setupTLSContext(vc):
     # ssl/tls contxt
-    if vc[config.TLS]:
+    if vc[config.KEY] and vc[config.CERTIFICATE]:
+        log.msg('setup full 2Way TLS context')
         from opennsa.opennsaTlsContext import opennsa2WayTlsContext
         ctx_factory = opennsa2WayTlsContext(
             vc[config.KEY], vc[config.CERTIFICATE], vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
-    elif vc[config.CERTIFICATE_DIR]:
-        # create a context so we can verify https urls
-        if not os.path.isdir(vc[config.CERTIFICATE_DIR]):
-            raise config.ConfigurationError(
-                'certdir value {} is not a directory'.format(vc[config.CERTIFICATE_DIR]))
+    else:
         from opennsa.opennsaTlsContext import opennsaTlsContext
+        log.msg('setup client TLS context without client authentication')
         ctx_factory = opennsaTlsContext(
             vc[config.CERTIFICATE_DIR], vc[config.VERIFY_CERT])
-    else:
-        ctx_factory = None
 
     return ctx_factory
 
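Review bot: The `os.path.isdir` check on `CERTIFICATE_DIR` is removed, and the `else:` branch now builds `opennsaTlsContext` for every configuration without both key and certificate, so a missing or mistyped certdir goes straight into the context used to verify peers. Unless config.py already validates the value (not visible here), keep the guard ahead of the call: `if vc[config.CERTIFICATE_DIR] and not os.path.isdir(vc[config.CERTIFICATE_DIR]):` followed by the original `raise config.ConfigurationError(...)`. The branch no longer depends on `vc[config.TLS]`; a one-line docstring saying that key plus certificate select client authentication for outgoing connections, regardless of the `tls` setting, would make that intent explicit.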
@@ -168,8 +164,11 @@ class OpenNSAService(twistedservice.MultiService):
         nsa_name = domain_name + ':nsa'
 
         # base url
-        base_protocol = 'https://' if vc[config.TLS] else 'http://'
-        base_url = base_protocol + vc[config.HOST] + ':' + str(vc[config.PORT])
+        if vc[config.BASE_URL]:
+            base_url = vc[config.BASE_URL]
+        else:
+            base_protocol = 'https://' if vc[config.TLS] else 'http://'
+            base_url = base_protocol + vc[config.HOST] + ':' + str(vc[config.PORT])
 
         # nsi endpoint and agent
         provider_endpoint = base_url + '/NSI/services/CS2'  # hardcode for now
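Review bot: `vc[config.BASE_URL]` is used verbatim, and the next statement appends `'/NSI/services/CS2'`, so the value suggested in datafiles/opennsa.conf (`https://opennsa.example.domain/`, with a trailing slash) yields `https://opennsa.example.domain//NSI/services/CS2`. Normalising at assignment avoids that: `base_url = vc[config.BASE_URL].rstrip('/')`. The scheme is also taken on trust from the config, so an `http://` value would advertise plaintext endpoints even if the proxy terminates TLS; a logged warning for that case is worth considering. The enclosing method continues outside the hunk.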