install-reddit: Add HTTPS to the default install.

This is primarily to show how to set up reddit with HTTPS as well as to
make it possible to test HTTPS content. The default installation uses
the snakeoil cert and is therefore unauthenticated. A properly signed
certificate must be used for actual security.

install-reddit.sh

@@ -158,6 +158,7 @@ postgresql-client
 rabbitmq-server
 cassandra
 haproxy
+stunnel
 PACKAGES
 
 ###############################################################################
@@ -328,13 +329,20 @@ cat > /etc/haproxy/haproxy.cfg <<HAPROXY
 global
     maxconn 100
 
-frontend frontend 0.0.0.0:80
+frontend frontend
     mode http
+
+    bind 0.0.0.0:80
+    bind 0.0.0.0:8080
+
     timeout client 10000
     option forwardfor except 127.0.0.1
     option httpclose
 
+    # make sure that requests have x-forwarded-proto: https iff tls
     reqidel ^X-Forwarded-Proto:.*
+    acl is-ssl dst_port 8080
+    reqadd X-Forwarded-Proto:\ https if is-ssl
 
     default_backend dynamic
 
@@ -351,6 +359,50 @@ HAPROXY
 # this will start it even if currently stopped
 service haproxy restart
 
+###############################################################################
+# stunnel
+###############################################################################
+cat > /etc/stunnel/stunnel.conf <<STUNNELCONF
+foreground = no
+
+; replace these with real certificates
+cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
+key = /etc/ssl/private/ssl-cert-snakeoil.key
+
+; protocol version and ciphers
+sslVersion = all
+ciphers = ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5
+options = NO_SSLv2
+options = DONT_INSERT_EMPTY_FRAGMENTS
+options = CIPHER_SERVER_PREFERENCE
+
+; security
+chroot = /var/lib/stunnel4/
+setuid = stunnel4
+setgid = stunnel4
+pid = /stunnel4.pid
+
+; performance
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+
+; logging
+output = /var/log/stunnel4/stunnel.log
+syslog = no
+
+[https]
+accept = 443
+connect = 8080
+TIMEOUTclose = 0
+sslVersion = all
+; this requires a patched version of stunnel which is in the reddit ppa
+xforwardedfor = yes
+STUNNELCONF
+
+sed -i s/ENABLED=0/ENABLED=1/ /etc/default/stunnel4
+
+service stunnel4 restart
+
 ###############################################################################
 # Upstart Environment
 ###############################################################################