
List:       calendarserver-users
Subject:    Re: [CalendarServer-users] MacPorts port of calendarserver
From:       Steven Smith <steve.t.smith () gmail ! com>
Date:       2019-08-09 10:21:10
Message-ID: 325CA459-BEAA-4410-87AC-73ED2D572026 () gmail ! com

Thanks for your comments.

For TLS and the reverse proxy, I'm referring to three things:

1. I do not see how to enable or configure TLSv1.2 or 1.3 in the ccs-calendarserver configuration code. See, for example, the default configuration plist and the associated Python code:

<!-- SSL method: SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or TLSv1_METHOD -->
<key>SSLMethod</key>
<string>SSLv23_METHOD</string>
https://github.com/apple/ccs-calendarserver/blob/15561ced74a7a45cfffa0610201b43179f6afa5c/contrib/conf/calendarserver.plist#L53-L55


2. I do not see how to specify Diffie-Hellman parameters for PFS. A search through the code doesn't yield any hits, and it doesn't appear to be a configuration key:

https://github.com/apple/ccs-calendarserver/search?q=dhparam&unscoped_q=dhparam

3. In my own Server.app version 3.7, Apache was used as a reverse proxy for Calendar and Contacts Server. I do not know what went into this design decision, but I inferred that this is related to configuring a central web server for Server.app that also provides the benefits of a reverse proxy.

Because of the issues mentioned above, I configured an nginx reverse proxy for a MacPorts port of Calendar and Contacts Server. Here's the nginx.conf:

https://github.com/macports/macports-ports/pull/4978/files#diff-ec7e62c591a23b72c54b4eb10b089440


Yes, "isolate" is too strong for a reverse proxy (should say "help isolate"), but they do have several benefits, which may or may not also be a part of the ccs-calendarserver backend: mod_security, rate limiting, routing through a single exposed http/https port, and the like. I don't know how to do any of this with the ccs-calendarserver code, but a lot of reasonable features like these are used in Server.app's apache2 .conf files in its reverse proxy design.

If there's a way to configure ccs-calendarserver to use native Twisted capabilities, that would be good to have for a simplified setup without using an nginx front-end.

I also see that Twisted has already migrated to python3—ccs-calendarserver is still on Python 2.7 which is EOL in four months!—so python3 migration could be part of this.

Should ccs-calendarserver's Twisted TLS config be raised as an issue at https://github.com/apple/ccs-calendarserver/issues ?


> On Aug 8, 2019, at 11:31 PM, Glyph <glyph@twistedmatrix.com> wrote:
> 
> 
> 
> > On Aug 8, 2019, at 4:33 AM, Steven Smith <steve.t.smith@gmail.com> wrote:
> > This port is completely independent of Server.app, and uses an nginx reverse proxy for modern crypto and to isolate the backend server. I have it deployed and it's working well.
> 
> What 'modern crypto' are you referring to?  Twisted (upon which CalendarServer is based) ought to be able to get an A+ on SSLLabs and use all the most modern ciphersuites (including TLS 1.3).  I'm not up on CalendarServer's configuration these days, but it should be possible to adjust it to be as fancy and modern as it needs to be...
> (I'm not sure what you mean by "isolating" the server?)
> 
> -glyph



_______________________________________________
calendarserver-users mailing list
calendarserver-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/calendarserver-users
