diff --git a/.gitignore b/.gitignore
index 0098fc0a6f..a6318e378e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,25 +40,6 @@ services/nginz/src
 services/.env
 tools/api-simulations/mailboxes.json
 tools/api-simulations/reports
-brig-schema.yaml
-brig.yaml
-brig.integration-aws.yaml
-cannon.yaml
-cannon.integration-aws.yaml
-cannon2.integration-aws.yaml
-cargohold.yaml
-cargohold.integration-aws.yaml
-galley-schema.yaml
-galley.yaml
-galley.integration-aws.yaml
-gundeck-schema.yaml
-gundeck.yaml
-gundeck.integration-aws.yaml
-proxy.yaml
-proxy.integration-aws.yaml
-spar.yaml
-spar.integration-aws.yaml
-integration-aws.yaml
 DOCKER_ID*
 swagger-ui
diff --git a/changelog.d/5-internal/docker-mandarin b/changelog.d/5-internal/docker-mandarin
new file mode 100644
index 0000000000..b9d0ac4857
--- /dev/null
+++ b/changelog.d/5-internal/docker-mandarin
@@ -0,0 +1 @@
+Deploy a backend with federation API V0 while setting up services for local testing
\ No newline at end of file
diff --git a/deploy/dockerephemeral/coredns-config/db.example.com b/deploy/dockerephemeral/coredns-config/db.example.com
index f52268e7ff..1c33e941fb 100644
--- a/deploy/dockerephemeral/coredns-config/db.example.com
+++ b/deploy/dockerephemeral/coredns-config/db.example.com
@@ -17,3 +17,4 @@ _wire-server-federator._tcp.b IN SRV 0 0 9443 localhost.
 _wire-server-federator._tcp.d1 IN SRV 0 0 10443 localhost.
 _wire-server-federator._tcp.d2 IN SRV 0 0 11443 localhost.
 _wire-server-federator._tcp.d3 IN SRV 0 0 12443 localhost.
+_wire-server-federator._tcp.v0 IN SRV 0 0 21443 localhost.
diff --git a/deploy/dockerephemeral/docker-compose.yaml b/deploy/dockerephemeral/docker-compose.yaml
index a988af62ca..564141eebc 100644
--- a/deploy/dockerephemeral/docker-compose.yaml
+++ b/deploy/dockerephemeral/docker-compose.yaml
@@ -1,14 +1,23 @@
 version: '2'
 networks:
- demo_wire:
- external: false
- redis:
 driver: bridge
 ipam:
 config:
 - subnet: 172.20.0.0/24
+ coredns:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 172.20.1.0/24
+
+ demo_wire:
+ driver: bridge
+ ipam:
+ config:
+ - subnet: 172.20.2.0/24
+
 services:
 fake_dynamodb:
 container_name: demo_wire_dynamodb
@@ -67,20 +76,6 @@ services:
 networks:
 - demo_wire
- # activemq:
- # image: rmohr/activemq:5.15.4
- # ports:
- # - "61613:61613"
-
- # FIXME: replace redis image with one we build.
- redis:
- container_name: demo_wire_redis
- image: redis:3.0.7-alpine
- ports:
- - "127.0.0.1:6379:6379"
- networks:
- - demo_wire
-
 redis-cluster:
 image: 'redis:6.0-alpine'
 command: redis-cli --cluster create 172.20.0.31:6373 172.20.0.32:6374 172.20.0.33:6375 172.20.0.34:6376 172.20.0.35:6377 172.20.0.36:6378 --cluster-replicas 1 --cluster-yes
@@ -197,6 +192,12 @@ services:
 environment:
 - "CS_JVM_OPTIONS=-Xmx1024M -Xms1024M -Xmn200M"
+ healthcheck:
+ test: "nodetool status"
+ interval: 10s
+ start_period: 20s
+ timeout: 2s
+
 # on nixos, you also may need to run
 # sysctl -w vm.max_map_count=1048576
 # or add that to your `configuration.nix`
@@ -247,6 +248,7 @@ services:
 - ./:/scripts
 networks:
 - demo_wire
+
 coredns:
 image: docker.io/coredns/coredns:1.8.4
 volumes:
@@ -258,6 +260,9 @@ services:
 ports:
 - "9053:53"
 - "9053:53/udp"
+ networks:
+ coredns:
+ ipv4_address: 172.20.1.2
 volumes:
 redis-node-1-data:
diff --git a/deploy/dockerephemeral/federation-v0.yaml b/deploy/dockerephemeral/federation-v0.yaml
new file mode 100644
index 0000000000..e262a4693a
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0.yaml
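Review bot: In the first hunk the three removed lines take out `demo_wire:`, `external: false` and `redis:`, but the `driver: bridge` / `ipam` stanza with the 172.20.0.0/24 subnet stays as context, so on the new side as rendered here that stanza has no network name above it while `redis-cluster` still pins 172.20.0.31–.36 from that subnet. The collapsed rendering may have swallowed a context line; if `redis:` really is gone, compose would read `driver` as a network named "driver" and the cluster's static addresses would belong to no declared subnet. Worth confirming that a `redis:` key still precedes `driver: bridge` in the committed file.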
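Review bot: The healthcheck added in the `@@ -197,6 +192,12 @@` hunk, `test: "nodetool status"`, succeeds as soon as the node's JMX answers, which is typically before the node reports UN and accepts CQL, so the `service_healthy` gate that federation-v0.yaml's `*_schema` jobs wait on can open too early and those jobs then presumably rely on their `restart_policy: on-failure` to recover. Checking the output, e.g. `test: "nodetool status | grep -q '^UN'"`, together with an explicit `retries:` (the default is small, and with `interval: 10s` the window after the 20s start period is short) makes the gate mean what the dependents assume.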
@@ -0,0 +1,269 @@
+version: '2.3'
+
+networks:
+ demo_wire:
+ external: false
+
+services:
+ brig_schema:
+ container_name: brig-schema-federation-v0
+ image: quay.io/wire/brig-schema:4.38.51
+ command: --host cassandra --keyspace brig_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+ brig:
+ container_name: brig-federation-v0
+ image: quay.io/wire/brig:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/brig/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21082:8080'
+ healthcheck: &haskell_health_check
+ test: "curl --fail localhost:8080/i/status"
+ depends_on:
+ brig_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ init_vhosts:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+ - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ galley_schema:
+ container_name: galley-schema-federation-v0
+ image: quay.io/wire/galley-schema:4.38.51
+ command: --host cassandra --keyspace galley_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ galley:
+ container_name: galley-federation-v0
+ image: quay.io/wire/galley:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/galley/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21085:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ galley_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ init_vhosts:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+ - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ cargohold:
+ container_name: cargohold-federation-v0
+ image: quay.io/wire/cargohold:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/cargohold/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21084:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ aws_cli:
+ condition: service_completed_successfully
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+
+ gundeck_schema:
+ container_name: gundeck-schema-federation-v0
+ image: quay.io/wire/gundeck-schema:4.38.51
+ command: --host cassandra --keyspace gundeck_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ gundeck:
+ container_name: gundeck-federation-v0
+ image: quay.io/wire/gundeck:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/gundeck/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21086:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ gundeck_schema:
+ condition: service_completed_successfully
+ aws_cli:
+ condition: service_completed_successfully
+ redis:
+ condition: service_started
+
+ environment:
+ - AWS_REGION=eu-west-1
+ - AWS_ACCESS_KEY_ID=dummykey
+ - AWS_SECRET_ACCESS_KEY=dummysecret
+
+ spar_schema:
+ container_name: spar-schema-federation-v0
+ image: quay.io/wire/spar-schema:4.38.51
+ command: --host cassandra --keyspace spar_test_federation_v0 --replication-factor 1
+ depends_on:
+ cassandra:
+ condition: service_healthy
+ deploy:
+ restart_policy:
+ condition: on-failure
+ networks:
+ - demo_wire
+
+ spar:
+ container_name: spar-federation-v0
+ image: quay.io/wire/spar:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/spar/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21088:8080'
+ healthcheck: *haskell_health_check
+ depends_on:
+ spar_schema:
+ condition: service_completed_successfully
+
+ cannon:
+ container_name: cannon-federation-v0
+ image: quay.io/wire/cannon:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/cannon/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21083:8080'
+ healthcheck: *haskell_health_check
+
+ federator:
+ container_name: federator-federation-v0
+ image: quay.io/wire/federator:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/federator/conf
+ networks:
+ - demo_wire
+ - coredns
+ ports:
+ - '127.0.0.1:21097:8080'
+ - '127.0.0.1:21098:8081'
+ healthcheck: *haskell_health_check
+ depends_on:
+ coredns-federation:
+ condition: service_started
+
+ background_worker:
+ container_name: background-worker-federation-v0
+ image: quay.io/wire/background-worker:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/background-worker/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21089:8080'
+ depends_on:
+ init_vhosts:
+ condition: service_completed_successfully
+ environment:
+ - RABBITMQ_USERNAME=${RABBITMQ_USERNAME}
+ - RABBITMQ_PASSWORD=${RABBITMQ_PASSWORD}
+
+ proxy:
+ container_name: proxy-federation-v0
+ image: quay.io/wire/proxy:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/proxy/conf
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21087:8080'
+ healthcheck: *haskell_health_check
+
+ nginz:
+ container_name: nginz-federation-v0
+ image: quay.io/wire/nginz:4.38.0-mandarin.14
+ volumes:
+ - ./federation-v0:/etc/wire/
+ networks:
+ - demo_wire
+ ports:
+ - '127.0.0.1:21080:8080'
+ - '127.0.0.1:21443:8443'
+ depends_on:
+ brig:
+ condition: service_healthy
+ galley:
+ condition: service_healthy
+ gundeck:
+ condition: service_healthy
+ cargohold:
+ condition: service_healthy
+ cannon:
+ condition: service_healthy
+ spar:
+ condition: service_healthy
+ federator:
+ condition: service_healthy
+ proxy:
+ condition: service_healthy
+
+ # We have to run a separate redis instance for each version of wire-server we
+ # want. This is because gundeck just assumes the whole redis is for itself
+ redis:
+ container_name: redis-federation-v0
+ image: redis:6.0-alpine
+ networks:
+ - demo_wire
+
+ # This coredns serves slightly different SRV records, so federator running in
+ # a docker container can talk to federator running on the host.
+ coredns-federation:
+ image: docker.io/coredns/coredns:1.8.4
+ volumes:
+ - ./federation-v0/coredns-config:/coredns-config
+ entrypoint:
+ - /coredns
+ - -conf
+ - /coredns-config/Corefile
+ networks:
+ coredns:
+ ipv4_address: 172.20.1.3
+
diff --git a/deploy/dockerephemeral/federation-v0/background-worker.yaml b/deploy/dockerephemeral/federation-v0/background-worker.yaml
new file mode 100644
index 0000000000..e0fd5113d6
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/background-worker.yaml
@@ -0,0 +1,27 @@
+logLevel: Debug
+
+backgroundWorker:
+ host: 0.0.0.0
+ port: 8080
+
+federatorInternal:
+ host: federator-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+ adminPort: 15672
+
+backendNotificationPusher:
+ pushBackoffMinWait: 1000
+ pushBackoffMaxWait: 1000000
diff --git a/deploy/dockerephemeral/federation-v0/brig.yaml b/deploy/dockerephemeral/federation-v0/brig.yaml
new file mode 100644
index 0000000000..693ba49278
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/brig.yaml
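Review bot: This file is only valid as an overlay on docker-compose.yaml — its services depend on `cassandra`, `aws_cli` and `init_vhosts`, and `federator`/`coredns-federation` attach to the `coredns` network, none of which this file defines — yet nothing in the file says so, and run standalone compose will stop at the first undefined service or network. A header comment such as `# Overlay for docker-compose.yaml: run with -f docker-compose.yaml -f federation-v0.yaml. cassandra, aws_cli, init_vhosts and the coredns network (172.20.1.0/24) are defined there.` records the contract. Relatedly, `${RABBITMQ_USERNAME}` and `${RABBITMQ_PASSWORD}` in the `brig`, `galley` and `background_worker` environments expand to empty strings with only a warning when unset; `${RABBITMQ_USERNAME:?RABBITMQ_USERNAME is not set}` fails fast at `up` instead of at the first AMQP connection.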
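Review bot: `logLevel: Debug` on the first line of background-worker.yaml is the only config in this directory not set to `Warn` (brig, cannon, cargohold, federator, galley and gundeck all use `Warn`), and this is the service that receives the RabbitMQ credentials from its environment, so its verbosity should be a deliberate choice rather than a leftover. If it is intended, mark it, e.g. `logLevel: Debug # intentionally verbose for the v0 notification pusher`; otherwise align it with the siblings.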
@@ -0,0 +1,215 @@
+brig:
+ host: 0.0.0.0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: brig_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+elasticsearch:
+ url: http://demo_wire_elasticsearch:9200
+ index: directory_test
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+
+cargohold:
+ host: cargohold-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+federatorInternal:
+ host: federator-federation-v0
+ port: 8080
+
+# You can set up local SQS/Dynamo running e.g. `../../deploy/dockerephemeral/run.sh`
+aws:
+ userJournalQueue: integration-user-events.fifo-federation-v0
+ # ^ Comment this out if you don't want to journal user events
+ prekeyTable: integration-brig-prekeys-federation-v0
+ sqsEndpoint: http://fake_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ # dynamoDBEndpoint: http://localhost:4567 # https://dynamodb.eu-west-1.amazonaws.com
+
+# Uncomment to use the randomPrekey allocation strategy instead of dynamoDB
+randomPrekeys: true
+
+# Uncomment this if you want STOMP.
+#
+# stomp:
+# stompHost: localhost
+# stompPort: 61613
+# stompTls: false
+
+# TODO: possibly move 'userJournalQueue' to the top level as well
+internalEvents:
+ queueType: sqs
+ queueName: integration-brig-events-internal-federation-v0
+ # queueType: stomp
+ # queueName: /queue/integration-brig-events-internal
+
+emailSMS:
+ # You can either use SES directly (in which case, ensure a feedback queue is configured)
+ # or you can use SMTP directly (blacklisting of email/phone must be otherwise handled by
+ # the operator).
+ email:
+ sesQueue: integration-brig-events-federation-v0
+ sesEndpoint: http://ses:4569 # https://email.eu-west-1.amazonaws.com
+ # If you prefer to use SMTP directly, uncomment the following lines
+ # and set the correct credentials.
+ # NOTE: In case a user tries to supply config values for both SES and SMTP,
+ # SES takes precedence and gets used instead
+ # smtpEndpoint:
+ # host: localhost
+ # port: 2500
+ # smtpCredentials:
+ # username:
+ # password: test/resources/smtp-secret.txt
+ # smtpConnType: plain
+ # ^ NOTE: blacklisting of emails (processing of bounces and complaints) is only done
+ # automatically IF sesQueue/sesEndpoint are used. If SMTP is used directly, the
+ # operator must handle these notifications "manually" (there are internal endpoints)
+ # that may be used for this
+
+ general:
+ templateDir: /usr/share/wire/templates
+ emailSender: backend-integration@wire.com
+ smsSender: "+123456789" # or MG123456789... (twilio alphanumeric sender id)
+ templateBranding:
+ brand: Wire
+ brandUrl: https://wire.com
+ brandLabelUrl: wire.com # This is the text in the label for the above URL
+ brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png
+ brandService: Wire Service Provider
+ copyright: © WIRE SWISS GmbH
+ misuse: misuse@wire.com
+ legal: https://wire.com/legal/
+ forgot: https://wire.com/forgot/
+ support: https://support.wire.com/
+ user:
+ activationUrl: http://127.0.0.1:8080/activate?key=${key}&code=${code}
+ smsActivationUrl: http://127.0.0.1:8080/v/${code}
+ passwordResetUrl: http://127.0.0.1:8080/password-reset/${key}?code=${code}
+ invitationUrl: http://127.0.0.1:8080/register?invitation_code=${code}
+ deletionUrl: http://127.0.0.1:8080/users/delete?key=${key}&code=${code}
+
+ provider:
+ homeUrl: https://provider.localhost/
+ providerActivationUrl: http://127.0.0.1:8080/provider/activate?key=${key}&code=${code}
+ approvalUrl: http://127.0.0.1:8080/provider/approve?key=${key}&code=${code}
+ approvalTo: success@simulator.amazonses.com
+ providerPwResetUrl: http://127.0.0.1:8080/provider/password-reset?key=${key}&code=${code}
+
+ team:
+ tInvitationUrl: http://127.0.0.1:8080/register?team=${team}&team_code=${code}
+ tActivationUrl: http://127.0.0.1:8080/register?team=${team}&team_code=${code}
+ tCreatorWelcomeUrl: http://127.0.0.1:8080/creator-welcome-website
+ tMemberWelcomeUrl: http://127.0.0.1:8080/member-welcome-website
+
+zauth:
+ privateKeys: /etc/wire/brig/conf/zauth-privkeys.txt
+ publicKeys: /etc/wire/brig/conf/zauth-pubkeys.txt
+ authSettings:
+ keyIndex: 1
+ userTokenTimeout: 120
+ sessionTokenTimeout: 20
+ accessTokenTimeout: 30
+ providerTokenTimeout: 60
+ legalHoldUserTokenTimeout: 120
+ legalHoldAccessTokenTimeout: 30
+
+turn:
+ serversSource: dns # files | dns
+ baseDomain: example.com
+ discoveryIntervalSeconds: 100
+
+ # This should be the same secret as used by the TURN servers
+ secret: /etc/wire/brig/conf/turn-secret.txt
+ configTTL: 3600
+ tokenTTL: 21600
+
+optSettings:
+ setActivationTimeout: 10
+ setVerificationTimeout: 10
+ setTeamInvitationTimeout: 10
+ setExpiredUserCleanupTimeout: 1
+ setTwilio: /etc/wire/brig/conf/twilio-credentials.yaml
+ setNexmo: /etc/wire/brig/conf/nexmo-credentials.yaml
+ # setStomp: test/resources/stomp-credentials.yaml
+ setUserMaxConnections: 16
+ setCookieInsecure: true
+ setUserCookieRenewAge: 2
+ setUserCookieLimit: 5
+ setUserCookieThrottle:
+ stdDev: 5
+ retryAfter: 3
+ setLimitFailedLogins:
+ timeout: 5 # seconds. if you reach the limit, how long do you have to wait to try again.
+ retryLimit: 5 # how many times can you have a failed login in that timeframe.
+ setSuspendInactiveUsers: # if this is omitted: never suspend inactive users.
+ suspendTimeout: 10
+ setRichInfoLimit: 5000 # should be in sync with Spar
+ setDefaultUserLocale: en
+ setMaxTeamSize: 32
+ setMaxConvSize: 16
+ setEmailVisibility: visible_to_self
+ setPropertyMaxKeyLen: 1024
+ setPropertyMaxValueLen: 4096
+ setDeleteThrottleMillis: 0
+ setSqsThrottleMillis: 1000
+ setRestrictUserCreation: false
+ # setSearchSameTeamOnly: false
+ # ^ NOTE: this filters out search results for team users,
+ # i.e., if you are a team user the search endpoints will
+ # return only users part of the same team. For name search,
+ # this is slightly more inefficient as it requires 2 extra DB lookups
+ # setUserMaxPermClients: 7
+ # ^ You can limit the max number of permanent clients that a user is allowed
+ # to register, per account. The default value is '7' if the option is unset.
+
+ # Federation domain is used to qualify local IDs and handles,
+ # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com.
+ # It should also match the SRV DNS records under which other wire-server installations can find this backend:
+ # _wire-server-federator._tcp.
+ # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working
+ # Remember to keep it the same in Galley.
+ setFederationDomain: federation-v0.example.com
+ setFeatureFlags: # see #RefConfigOptions in `/docs/reference`
+ setFederationDomainConfigsUpdateFreq: 1
+ setFederationStrategy: allowAll
+ setFederationDomainConfigs:
+ - domain: example.com
+ search_policy: full_search
+ set2FACodeGenerationDelaySecs: 5
+ setNonceTtlSecs: 5
+ setDpopMaxSkewSecs: 1
+ setDpopTokenExpirationTimeSecs: 300 # 5 minutes
+ setPublicKeyBundle: /etc/wire/brig/conf/jwt-ed25519-bundle.pem
+ setEnableMLS: true
+ # To only allow specific email address domains to register, uncomment and update the setting below
+ # setAllowlistEmailDomains:
+ # - wire.com
+ # To only allow specific phone number prefixes to register uncomment and update the settings below
+ # setAllowlistPhonePrefixes:
+ # - "+1555555"
+ # needs to be kept in sync with services/nginz/integration-test/resources/oauth/ed25519_public.jwk
+ setOAuthJwkKeyPair: /etc/wire/brig/conf/oauth-ed25519.jwk
+ setOAuthAuthCodeExpirationTimeSecs: 3 # 3 secs
+ setOAuthAccessTokenExpirationTimeSecs: 3 # 3 secs
+ setOAuthEnabled: true
+ setOAuthRefreshTokenExpirationTimeSecs: 14515200 # 24 weeks
+ setOAuthMaxActiveRefreshTokens: 10
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/cannon.yaml b/deploy/dockerephemeral/federation-v0/cannon.yaml
new file mode 100644
index 0000000000..3ad681fefc
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/cannon.yaml
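Review bot: `index: directory_test` under `elasticsearch:` is the one datastore name in brig.yaml without the `_federation_v0` / `-federation-v0` suffix that the Cassandra keyspace, the SQS queues and `prekeyTable` all carry; if the main brig's integration config also points at `directory_test` on the shared `demo_wire_elasticsearch`, the two brig versions read and write a single user directory and search results leak between the two backends. `index: directory_test_federation_v0` keeps the isolation the other names establish. Separately, `setCookieInsecure: true` would benefit from an inline marker such as `# plain-HTTP local stack only` so it is not copied into a config that fronts real clients.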
@@ -0,0 +1,25 @@
+# Example yaml-formatted configuration for cannon used in integration tests
+
+# cannon can be started with a config file (e.g. ./dist/cannon -c cannon.yaml.example)
+
+cannon:
+ host: 0.0.0.0
+ port: 8080
+
+ # Each cannon instance advertises its own location (ip or dns name) to gundeck.
+ # Either externalHost or externalHostFile must be set (externalHost takes precedence if both are defined)
+ # externalHostFile expects a file with a single line containing the IP or dns name of this instance of cannon
+ externalHost: cannon-federation-v0
+ #externalHostFile: /etc/wire/cannon/cannon-host.txt
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+drainOpts:
+ gracePeriodSeconds: 1
+ millisecondsBetweenBatches: 500
+ minBatchSize: 5
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/cargohold.yaml b/deploy/dockerephemeral/federation-v0/cargohold.yaml
new file mode 100644
index 0000000000..f3a5099a33
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/cargohold.yaml
@@ -0,0 +1,28 @@
+cargohold:
+ host: 0.0.0.0
+ port: 8080
+
+federator:
+ host: federator-federation-v0
+ port: 8080
+
+aws:
+ s3Bucket: dummy-bucket-federation-v0 # <-- insert-bucket-name-here
+ s3Endpoint: http://fake_s3:4570 # https://s3-eu-west-1.amazonaws.com:443
+ # s3DownloadEndpoint: http://fake-s3:4570
+ # ^ When not using a real S3 service, we may need to use a different,
+ # publicly accessible endpoint for downloading assets.
+ #
+ # If you want to use cloudfront for asset downloads
+ # cloudFront:
+ # domain:
+ # keyPairId:
+ # privateKey: cf-pk.pem
+
+settings:
+ maxTotalBytes: 27262976
+ downloadLinkTTL: 300 # Seconds
+ federationDomain: example.com
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/Corefile b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
new file mode 100644
index 0000000000..7bf495f2e8
--- /dev/null
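Review bot: `federationDomain: example.com` under `settings:` in cargohold.yaml does not match the `federation-v0.example.com` that brig.yaml (`setFederationDomain`) and galley.yaml (`federationDomain`) use for this stack, and `example.com` is the domain the host backend answers for, so qualified asset IDs minted by this cargohold would carry the other backend's domain and remote-asset requests routed through `federator` would be inconsistent with the rest of the v0 backend. Change it to `federationDomain: federation-v0.example.com`, and consider carrying the same "keep it the same in Brig/Galley" note that brig.yaml and galley.yaml already have.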
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/Corefile
@@ -0,0 +1,4 @@
+example.com {
+ file /coredns-config/db.example.com
+ log
+}
\ No newline at end of file
diff --git a/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
new file mode 100644
index 0000000000..448d8b5f59
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/coredns-config/db.example.com
@@ -0,0 +1,20 @@
+$ORIGIN example.com.
+@ 3600 IN SOA sns.dns.icann.org. noc.dns.icann.org. (
+ 2017042745 ; serial
+ 7200 ; refresh (2 hours)
+ 3600 ; retry (1 hour)
+ 1209600 ; expire (2 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ 3600 IN NS a.iana-servers.net.
+ 3600 IN NS b.iana-servers.net.
+
+www IN A 127.0.0.1
+ IN AAAA ::1
+_wire-server-federator._tcp IN SRV 0 0 8443 host.docker.internal.
+_wire-server-federator._tcp.b IN SRV 0 0 9443 host.docker.internal.
+_wire-server-federator._tcp.d1 IN SRV 0 0 10443 host.docker.internal.
+_wire-server-federator._tcp.d2 IN SRV 0 0 11443 host.docker.internal.
+_wire-server-federator._tcp.d3 IN SRV 0 0 12443 host.docker.internal.
+_wire-server-federator._tcp.v0 IN SRV 0 0 21443 host.docker.internal.
diff --git a/deploy/dockerephemeral/federation-v0/federator.yaml b/deploy/dockerephemeral/federation-v0/federator.yaml
new file mode 100644
index 0000000000..6ff8d119ae
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/federator.yaml
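Review bot: Every SRV target in the new db.example.com is `host.docker.internal.`, a name Docker resolves inside containers automatically only on Docker Desktop; on a Linux engine the `federator` service in federation-v0.yaml would need `extra_hosts: - "host.docker.internal:host-gateway"` (or an A record served from this zone) before the target resolves, and the failure only shows up as a federation lookup error against the host backend. A comment at the top of the zone, e.g. `; SRV targets use host.docker.internal: on Linux add extra_hosts host-gateway to the federator service`, would make that assumption visible where it is made.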
@@ -0,0 +1,29 @@
+federatorInternal:
+ host: 0.0.0.0
+ port: 8080
+federatorExternal:
+ host: 0.0.0.0
+ port: 8081
+brig:
+ host: brig-federation-v0
+ port: 8080
+cargohold:
+ host: cargohold-federation-v0
+ port: 8080
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+logLevel: Warn
+logNetStrings: false
+
+optSettings:
+ # Filepath to one or more PEM-encoded server certificates to use as a trust
+ # store when making requests to remote backends
+ remoteCAStore: "/etc/wire/federator/conf/integration-ca.pem"
+ useSystemCAStore: false
+ clientCertificate: "/etc/wire/federator/conf/integration-leaf.pem"
+ clientPrivateKey: "/etc/wire/federator/conf/integration-leaf-key.pem"
+ tcpConnectionTimeout: 5000000
+ dnsHost: 172.20.1.3
+ dnsPort: 53
diff --git a/deploy/dockerephemeral/federation-v0/galley.yaml b/deploy/dockerephemeral/federation-v0/galley.yaml
new file mode 100644
index 0000000000..6879901c48
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/galley.yaml
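Review bot: `dnsHost: 172.20.1.3` hard-codes the `ipv4_address` that federation-v0.yaml assigns to `coredns-federation` on the `coredns` network whose 172.20.1.0/24 subnet is declared in docker-compose.yaml, so three files have to move together and nothing in this one says so. A comment such as `dnsHost: 172.20.1.3 # static ipv4_address of coredns-federation in federation-v0.yaml; subnet declared in docker-compose.yaml` records the coupling at the point where a stale value would otherwise silently send SRV lookups to the wrong resolver. `useSystemCAStore: false` together with the pinned `remoteCAStore` is the right shape for a test CA and is worth keeping exactly as written.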
@@ -0,0 +1,93 @@
+galley:
+ host: 0.0.0.0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: galley_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+gundeck:
+ host: gundeck-federation-v0
+ port: 8080
+
+spar:
+ host: spar-federation-v0
+ port: 8080
+
+federator:
+ host: federator-federation-v0
+ port: 8080
+
+rabbitmq:
+ host: rabbitmq
+ port: 5672
+ vHost: federation-v0
+
+settings:
+ httpPoolSize: 128
+ maxTeamSize: 32
+ maxFanoutSize: 18
+ exposeInvitationURLsTeamAllowlist: []
+ maxConvSize: 16
+ intraListing: false
+ conversationCodeURI: https://account.wire.com/conversation-join/
+ concurrentDeletionEvents: 1024
+ deleteConvThrottleMillis: 0
+ # Federation domain is used to qualify local IDs and handles,
+ # e.g. 0c4d8944-70fa-480e-a8b7-9d929862d18c@wire.com and somehandle@wire.com.
+ # It should also match the SRV DNS records under which other wire-server installations can find this backend:
+ # _wire-server-federator._tcp.
+ # Once set, DO NOT change it: if you do, existing users may have a broken experience and/or stop working
+ # Remember to keep it the same in Brig
+ federationDomain: federation-v0.example.com
+ mlsPrivateKeyPaths:
+ removal:
+ ed25519: /etc/wire/galley/conf/mls-private-key-ed25519.pem
+
+ featureFlags: # see #RefConfigOptions in `/docs/reference`
+ sso: disabled-by-default
+ legalhold: whitelist-teams-and-implicit-consent
+ teamSearchVisibility: disabled-by-default
+ appLock:
+ defaults:
+ status: enabled
+ config:
+ enforceAppLock: false
+ inactivityTimeoutSecs: 60
+ classifiedDomains:
+ status: enabled
+ config:
+ domains: ["example.com"]
+ fileSharing:
+ defaults:
+ status: enabled
+ lockStatus: unlocked
+ conferenceCalling:
+ defaults:
+ status: enabled
+ outlookCalIntegration:
+ defaults:
+ status: disabled
+ lockStatus: locked
+ mlsE2EId:
+ defaults:
+ status: disabled
+ config:
+ verificationExpiration: 86400
+ acmeDiscoveryUrl: null
+ lockStatus: unlocked
+
+logLevel: Warn
+logNetStrings: false
+
+journal: # if set, journals; if not set, disables journaling
+ queueName: integration-team-events.fifo-federation-v0
+ endpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ region: eu-west-1
diff --git a/deploy/dockerephemeral/federation-v0/gundeck.yaml b/deploy/dockerephemeral/federation-v0/gundeck.yaml
new file mode 100644
index 0000000000..528fc38c1d
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/gundeck.yaml
@@ -0,0 +1,45 @@
+gundeck:
+ host: 0.0.0.0
+ port: 8080
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: gundeck_test_federation_v0
+ # filterNodesByDatacentre: datacenter1
+
+redis:
+ host: redis-federation-v0
+ port: 6379
+ connectionMode: master
+
+# redisAdditionalWrite:
+# host: 127.0.0.1
+# port: 6379
+# connectionMode: master
+
+aws:
+ queueName: integration-gundeck-events-federation-v0
+ region: eu-west-1
+ account: "123456789012" # Default account nr used by localstack
+ arnEnv: integration
+ sqsEndpoint: http://demo_wire_sqs:4568 # https://sqs.eu-west-1.amazonaws.com
+ snsEndpoint: http://demo_wire_sns:4575 # https://sns.eu-west-1.amazonaws.com
+
+settings:
+ httpPoolSize: 1024
+ notificationTTL: 24192200
+ bulkPush: true
+ perNativePushConcurrency: 32
+ sqsThrottleMillis: 1000
+ maxConcurrentNativePushes:
+ hard: 30 # more than this number of threads will not be allowed
+ soft: 10 # more than this number of threads will be warned about
+
+logLevel: Warn
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/integration-ca.pem b/deploy/dockerephemeral/federation-v0/integration-ca.pem
new file mode 100644
index 0000000000..2315c7c740
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/integration-ca.pem
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF +7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su +9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 +gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 +bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP +ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 +JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O +JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb +lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp +x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA +qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be +z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH ++R0lNAyw +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem new file mode 100644 index 0000000000..8ed90523cd --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/integration-leaf-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk ++RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y +uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J +4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR +qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa +27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI +sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 +2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 +UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY +/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz +SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt +Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl +yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ +wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv +UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg +PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 +lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB +TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e +tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT +7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF +ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 +DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 +Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 +90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 +xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== +-----END RSA PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/integration-leaf.pem b/deploy/dockerephemeral/federation-v0/integration-leaf.pem new file mode 100644 index 0000000000..d8e7ee0955 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/integration-leaf.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk +iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE +0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX +lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux +Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ ++J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV +HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E +FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b +fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv +bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF +AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n +7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR +AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF +bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB +fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK +7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== +-----END CERTIFICATE----- diff --git a/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem new file mode 100644 index 0000000000..afbd4dfb0e --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/jwt-ed25519-bundle.pem @@ -0,0 +1,6 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIFANnxZLNE4p+GDzWzR3wm/v8x/0bxZYkCyke1aTRucX +-----END PRIVATE KEY----- +-----BEGIN PUBLIC KEY----- +MCowBQYDK2VwAyEACPvhIdimF20tOPjbb+fXJrwS2RKDp7686T90AZ0+Th8= +-----END PUBLIC KEY----- 
diff --git a/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem new file mode 100644 index 0000000000..182df6f5a7 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/mls-private-key-ed25519.pem @@ -0,0 +1,3 @@ +-----BEGIN PRIVATE KEY----- +MC4CAQAwBQYDK2VwBCIEIKqoSUVW579Aw8Nz47CRwArSigl/25jg0suQmg6mOwdy +-----END PRIVATE KEY----- diff --git a/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml new file mode 100644 index 0000000000..1f83517f2e --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nexmo-credentials.yaml @@ -0,0 +1,2 @@ +key: "dummy" +secret: "dummy" diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/README.md b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md new file mode 100644 index 0000000000..c8e81957c6 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/README.md @@ -0,0 +1,7 @@ +# How to regenerate certificates in this directory + +Run from this directory: + +```bash +../../../../../hack/bin/selfsigned.sh +``` diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf new file mode 100644 index 0000000000..1b8a947f43 --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response.conf 
@@ -0,0 +1,38 @@
+ # remove access_token from logs, see 'Note sanitized_request'.
+ set $sanitized_request $request;
+ if ($sanitized_request ~ (.*)access_token=[^&]*(.*)) {
+ set $sanitized_request $1access_token=****$2;
+ }
+
+ # Should be overriden when using websockets
+ proxy_set_header Connection "";
+ proxy_set_header Z-Type $zauth_type;
+ proxy_set_header Z-User $zauth_user;
+ proxy_set_header Z-Client $zauth_client;
+ proxy_set_header Z-Connection $zauth_connection;
+ proxy_set_header Z-Provider $zauth_provider;
+ proxy_set_header Z-Bot $zauth_bot;
+ proxy_set_header Z-Conversation $zauth_conversation;
+ proxy_set_header Request-Id $request_id;
+
+ # NOTE: This should only be used on endpoints where credentials are needed
+ more_set_headers 'Access-Control-Allow-Credentials: true';
+ # NOTE: This allows all origins, you may want to tune this value
+ more_set_headers 'Access-Control-Allow-Origin: $http_origin';
+ more_set_headers 'Access-Control-Expose-Headers: Request-Id, Location';
+ more_set_headers 'Request-Id: $request_id';
+ more_set_headers 'Strict-Transport-Security: max-age=31536000; preload';
+
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS";
+ add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
+ add_header 'Content-Type' 'text/plain; charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+
+ proxy_http_version 1.1;
+
+ # NOTE: You may want to tune this
+ client_max_body_size 64M;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf
new file mode 100644
index 0000000000..4277ede8c0
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_no_zauth.conf
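Review bot: The access_token masking only hides the last occurrence in the query string: the leading `(.*)` is greedy, so when `access_token=` appears twice, `$1` still carries the first value in the clear into `$sanitized_request` and from there into the access log. This file appears to be a copy of the existing nginz integration config (the selfsigned.sh hunk later in this diff writes into both directories), so if that is the case the same limitation exists there. nginx `if` does not substitute globally, so a real fix needs a different mechanism; at minimum document the limitation above the `if`, e.g. `# only the last access_token= parameter is masked; nginx 'if' does not substitute globally`.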
@@ -0,0 +1,2 @@
+ zauth off;
+ include common_response.conf;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
new file mode 100644
index 0000000000..699dd263b3
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/common_response_with_zauth.conf
@@ -0,0 +1,3 @@
+ include common_response.conf;
+ proxy_set_header Authorization "";
+ proxy_set_header Z-Host $host;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
new file mode 100644
index 0000000000..baae352c92
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/integration.conf
@@ -0,0 +1,19 @@
+# plain TCP/http listening for integration tests only.
+listen 8080;
+listen 8081;
+
+# for nginx-without-tls, we need to use a separate port for http2 traffic,
+# as nginx cannot handle unencrypted http1 and http2 trafic on the same
+# port.
+# This port is only used for trying out nginx http2 forwarding without TLS locally and should not
+# be ported to any production nginz config.
+listen 8090 http2;
+
+######## TLS/SSL block start ##############
+#
+# Most integration tests simply use the http ports 8080 and 8081
+# But to also test tls forwarding, this port can be used.
+# This applies only locally, as for kubernetes (helm chart) based deployments,
+# TLS is terminated at the ingress level, not at nginz level
+listen 8443 ssl http2;
+listen [::]:8443 ssl http2;
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
new file mode 100644
index 0000000000..b05c0cbe94
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/nginx.conf
@@ -0,0 +1,496 @@
+worker_processes 4;
+worker_rlimit_nofile 1024;
+include pid.conf; # for easy overriding
+
+# nb. start up errors (eg. misconfiguration) may still end up in /$(LOG_PATH)/error.log
+error_log stderr warn;
+
+events {
+ worker_connections 1024;
+ multi_accept off;
+}
+
+http {
+ #
+ # Some temporary paths (by default, will use the `prefix` path given when starting nginx)
+ #
+
+ client_body_temp_path /tmp;
+ fastcgi_temp_path /tmp;
+ proxy_temp_path /tmp;
+ scgi_temp_path /tmp;
+ uwsgi_temp_path /tmp;
+
+ #
+ # Sockets
+ #
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ #
+ # Timeouts
+ #
+
+ client_body_timeout 60;
+ client_header_timeout 60;
+ keepalive_timeout 75;
+ send_timeout 60;
+
+ ignore_invalid_headers off;
+
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+ server_name_in_redirect off;
+
+ large_client_header_buffers 4 8k;
+
+
+ #
+ # Security
+ #
+
+ server_tokens off;
+
+ #
+ # Logging
+ #
+ # Note sanitized_request:
+ # We allow passing access_token as query parameter for e.g. websockets
+ # However we do not want to log access tokens.
+ #
+
+ log_format custom_zeta '$remote_addr - $remote_user [$time_local] "$sanitized_request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" - $connection $request_time $upstream_response_time $upstream_cache_status $zauth_user $zauth_connection $request_id $proxy_protocol_addr';
+ access_log /dev/stdout custom_zeta;
+
+ #
+ # Monitoring
+ #
+ vhost_traffic_status_zone;
+
+ #
+ # Gzip
+ #
+
+ gzip on;
+ gzip_disable msie6;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 1024;
+ gzip_types 'text/plain text/css application/json text/xml';
+
+ #
+ # Proxied Upstream Services
+ #
+
+ include ../upstreams;
+
+ #
+ # Mapping for websocket connections
+ #
+
+ map $http_upgrade $connection_upgrade {
+ websocket upgrade;
+ default '';
+ }
+
+
+
+ #
+ # Locations
+ #
+
+ server {
+ include integration.conf;
+
+ # self-signed certificates generated using wire-server/hack/bin/selfsigned.sh
+ ssl_certificate /etc/wire/integration-leaf.pem;
+ ssl_certificate_key /etc/wire/integration-leaf-key.pem;
+
+ ssl_verify_client on;
+ ssl_client_certificate /etc/wire/integration-ca.pem;
+ ######## TLS/SSL block end ##############
+
+ zauth_keystore /etc/wire/zauth-pubkeys.txt;
+ zauth_acl /etc/wire/nginz/conf/zauth_acl.txt;
+ # needs to be kept in sync with services/brig/test/resources/oauth/ed25519.jwk
+ oauth_pub_key /etc/wire/oauth-ed25519_public.jwk;
+
+ location /status {
+ set $sanitized_request $request;
+ zauth off;
+ return 200;
+ }
+
+ location /i/status {
+ set $sanitized_request $request;
+ zauth off;
+ return 200;
+ }
+
+ location /vts {
+ set $sanitized_request $request;
+ zauth off;
+ vhost_traffic_status_display;
+ vhost_traffic_status_display_format html;
+ }
+
+ #
+ # Service Routing
+ #
+
+ # Federator endpoints: expose the federatorExternal port (Inward service)
+ location /federation {
+ set $sanitized_request $request;
+ zauth off;
+
+ proxy_set_header "X-SSL-Certificate" $ssl_client_escaped_cert;
+ proxy_pass http://federator_external;
+
+ # FUTUREWORK(federation): are any other settings
+ # (e.g. timeouts, body size, buffers, headers,...)
+ # useful/recommended/important-for-security?)
+ }
+
+ # Brig Endpoints
+ #
+ ## brig unauthenticated endpoints
+
+ location ~* ^(/v[0-9]+)?/api/swagger-ui {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api/swagger.json {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api-internal/swagger-ui {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/api-internal/swagger.json {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /register {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /access {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /activate {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /login {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/teams/invitations/([^/]*)$ {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /verification-code/send {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ ## brig authenticated endpoints
+
+ location ~* ^(/v[0-9]+)?/self$ {
+ include common_response_with_zauth.conf;
+ oauth_scope self;
+ proxy_pass http://brig;
+ }
+
+ location /users {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /list-users {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /search {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /list-connections {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/teams/([^/]+)/search$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /connections {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/clients {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/key-packages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /properties {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /calls/config {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/teams/([^/]*)/size$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/system/settings/unauthorized$ {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^(/v[0-9]+)?/system/settings$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/oauth/clients/([^/]*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location ~* ^/oauth/authorization/codes$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/token {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/revoke {
+ include common_response_no_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ location /oauth/applications {
+ include common_response_with_zauth.conf;
+ proxy_pass http://brig;
+ }
+
+ # Cargohold Endpoints
+
+ location /assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ location /bot/assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ location /provider/assets {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cargohold;
+ }
+
+ # Galley Endpoints
+
+ location ~* ^(/v[0-9]+)?/legalhold/conversations/(.*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations$ {
+ include common_response_with_zauth.conf;
+ oauth_scope conversations;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations/([^/]*)/code {
+ include common_response_with_zauth.conf;
+ oauth_scope conversations_code;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/conversations.* {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/conversations/([^/]*)/otr/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/conversations/([^/]*)/([^/]*)/proteus/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /broadcast {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /bot/conversation {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /bot/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/members(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/conversations(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/features {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/features/([^/]*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/feature-configs$ {
+ include common_response_with_zauth.conf;
+ oauth_scope feature_configs;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/feature-configs(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/legalhold(.*) {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^/teams/([^/]*)/members/csv$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /mls/welcome {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location /mls/messages {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/commit-bundles {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ location ~* ^(/v[0-9]+)?/mls/public-keys {
+ include common_response_with_zauth.conf;
+ proxy_pass http://galley;
+ }
+
+ # Gundeck Endpoints
+
+ location /push {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ location /presences {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ location ~* ^(/v[0-9]+)?/notifications$ {
+ include common_response_with_zauth.conf;
+ proxy_pass http://gundeck;
+ }
+
+ # Proxy Endpoints
+
+ location /proxy {
+ include common_response_with_zauth.conf;
+ proxy_pass http://proxy;
+ }
+
+ # Cannon Endpoints
+
+ location /await {
+ include common_response_with_zauth.conf;
+ proxy_pass http://cannon;
+
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_read_timeout 1h;
+ }
+
+ # Spar Endpoints
+
+ location /sso {
+ include common_response_no_zauth.conf;
+ proxy_pass http://spar;
+ }
+
+ location /identity-providers {
+ include common_response_with_zauth.conf;
+ proxy_pass http://spar;
+ }
+ }
+}
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf
new file mode 100644
index 0000000000..e722aa5ae2
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/pid.conf
@@ -0,0 +1 @@
+pid /tmp/nginz.pid;
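Review bot: `location /federation` is served on the plain-HTTP listeners that integration.conf adds (8080, 8081, 8090) as well as on the mTLS port 8443, and on those listeners `$ssl_client_escaped_cert` is empty, so the federator receives an empty `X-SSL-Certificate`. That is safe only because `proxy_set_header` overwrites any client-supplied header of that name; the config does not say so, and the FUTUREWORK comment right below does not cover it. Suggest adding above the `proxy_set_header` line: `# Overwrites any client-supplied X-SSL-Certificate: the federator only ever sees the cert verified by ssl_verify_client (empty on the plain-HTTP listeners from integration.conf).` Separately, `zauth_acl` is looked up under /etc/wire/nginz/conf while the keystore, certificates and JWK sit directly under /etc/wire; whether both match the volume mounts cannot be checked here, since federation-v0.yaml is outside this chunk.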
diff --git a/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt
new file mode 100644
index 0000000000..3b644bf3d9
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/conf/zauth_acl.txt
@@ -0,0 +1,15 @@
+a (blacklist (regex "(/v[0-9]+)?/provider(/.*)?")
+ (regex "(/v[0-9]+)?/bot(/.*)?")
+ (regex "(/v[0-9]+)?/i/.*"))
+
+b (whitelist (regex "(/v[0-9]+)?/bot(/.*)?"))
+
+p (whitelist (regex "(/v[0-9]+)?/provider(/.*)?"))
+
+# LegalHold Access Tokens
+# FUTUREWORK: remove /legalhold/conversations/ when support for v1 dropped
+la (whitelist (regex "(/v[0-9]+)?/notifications")
+ (regex "(/v[0-9]+)?/assets/v3/.*")
+ (regex "(/v[0-9]+)?/users(/.*)?")
+ (regex "(/v[0-9]+)?/legalhold/conversations/[^/]+")
+ (regex "(/v[0-9]+)?/conversations/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"))
diff --git a/deploy/dockerephemeral/federation-v0/nginz/upstreams b/deploy/dockerephemeral/federation-v0/nginz/upstreams
new file mode 100644
index 0000000000..a3e6afada3
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/nginz/upstreams
@@ -0,0 +1,38 @@
+upstream cargohold {
+ least_conn;
+ keepalive 32;
+ server cargohold:8080 max_fails=3 weight=1;
+}
+upstream gundeck {
+ least_conn;
+ keepalive 32;
+ server gundeck:8080 max_fails=3 weight=1;
+}
+upstream cannon {
+ least_conn;
+ keepalive 32;
+ server cannon:8080 max_fails=3 weight=1;
+}
+upstream galley {
+ least_conn;
+ keepalive 32;
+ server galley:8080 max_fails=3 weight=1;
+}
+upstream proxy {
+ least_conn;
+ keepalive 32;
+ server proxy:8080 max_fails=3 weight=1;
+}
+upstream brig {
+ least_conn;
+ keepalive 32;
+ server brig:8080 max_fails=3 weight=1;
+}
+upstream spar {
+ least_conn;
+ keepalive 32;
+ server spar:8080 max_fails=3 weight=1;
+}
+upstream federator_external {
+ server federator:8081 max_fails=3 weight=1;
+}
diff --git a/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk
new file mode 100644
index 0000000000..c00a8270aa
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/oauth-ed25519.jwk
@@ -0,0 +1 @@
+{"kty":"OKP","crv":"Ed25519","x":"mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc","d":"R8-pV2-sPN7dykV8HFJ73S64F3kMHTNnJiSN8UdWk_o"}
diff --git a/deploy/dockerephemeral/federation-v0/proxy.config b/deploy/dockerephemeral/federation-v0/proxy.config
new file mode 100644
index 0000000000..d2225ca26c
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.config
@@ -0,0 +1,8 @@
+secrets {
+ youtube = "my-youtube-secret"
+ googlemaps = "my-googlemaps-secret"
+ soundcloud = "my-soundcloud-secret"
+ giphy = "my-giphy-secret"
+ # Base64 encoded client ID and secret: `Bearer id:secret`:
+ spotify = "my-spotify-secret"
+}
diff --git a/deploy/dockerephemeral/federation-v0/proxy.yaml b/deploy/dockerephemeral/federation-v0/proxy.yaml
new file mode 100644
index 0000000000..c5824166a5
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/proxy.yaml
@@ -0,0 +1,18 @@
+# Example yaml-formatted configuration for proxy
+# proxy can be started with a config file (e.g. ./dist/proxy -c proxy.yaml.example)
+
+host: 0.0.0.0
+port: 8080
+
+# number of connections for the http pool
+httpPoolSize: 1000
+
+# maximum number of incoming connections
+maxConns: 5000
+
+# File containing upstream secrets.
+secretsConfig: /etc/wire/proxy/conf/proxy.config
+
+# Logging settings
+logLevel: Info
+logNetStrings: false
diff --git a/deploy/dockerephemeral/federation-v0/spar.yaml b/deploy/dockerephemeral/federation-v0/spar.yaml
new file mode 100644
index 0000000000..4a7024d0c6
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/spar.yaml
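Review bot: oauth-ed25519.jwk is the private key (it carries a `d` member next to `x`), while nginx.conf in this same diff points nginz at `/etc/wire/oauth-ed25519_public.jwk` and names the directive `oauth_pub_key`. Whether that path is a mount of this file cannot be seen here (federation-v0.yaml is outside this chunk), but nginz only needs the public half to verify tokens, so the public JWK should be a separate file containing only `{"kty":"OKP","crv":"Ed25519","x":"mhP-NgFw3ifIXGZqJVB0kemt9L3BtD5P8q4Gah4Iklc"}`, with the full key mounted into brig alone. The nginx.conf comment says the key must stay in sync with services/brig/test/resources/oauth/ed25519.jwk; a one-line comment in the compose file naming which of the two files is mounted where would make that relationship checkable.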
@@ -0,0 +1,42 @@
+saml:
+ version: SAML2.0
+ logLevel: Warn
+
+ spHost: 0.0.0.0
+ spPort: 8080
+ # TODO: change these
+ spAppUri: http://localhost:8080/
+ spSsoUri: http://localhost:8080/sso
+
+ contacts:
+ - type: ContactBilling
+ company: evil corp.
+ givenName: Dr.
+ surname: Girlfriend
+ email: email:president@evil.corp
+
+brig:
+ host: brig-federation-v0
+ port: 8080
+
+galley:
+ host: galley-federation-v0
+ port: 8080
+
+cassandra:
+ endpoint:
+ host: demo_wire_cassandra
+ port: 9042
+ keyspace: spar_test_federation_v0
+ filterNodesByDatacentre: datacenter1
+
+# Wire/AWS specific, optional
+# discoUrl: "https://"
+
+maxttlAuthreq: 5 # seconds. don't set this too large, it is also the run time of one TTL test.
+maxttlAuthresp: 7200 # seconds. do not set this to 1h or less, as that is what the mock idp wants.
+
+maxScimTokens: 2 # Token limit {#RefScimToken}
+richInfoLimit: 5000 # should be in sync with Brig
+
+logNetStrings: False # log using netstrings encoding (see http://cr.yp.to/proto/netstrings.txt)
diff --git a/deploy/dockerephemeral/federation-v0/turn-secret.txt b/deploy/dockerephemeral/federation-v0/turn-secret.txt
new file mode 100644
index 0000000000..5e558cab2c
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/turn-secret.txt
@@ -0,0 +1 @@
+xMtZyTpu=Leb?YKCoq#BXQR:gG^UrE83dNWzFJ2VcD
\ No newline at end of file
diff --git a/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml
new file mode 100644
index 0000000000..d64e0ec4f2
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/twilio-credentials.yaml
@@ -0,0 +1,2 @@
+sid: "dummy"
+token: "dummy"
diff --git a/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt
new file mode 100644
index 0000000000..373e316cb8
--- /dev/null
+++ b/deploy/dockerephemeral/federation-v0/zauth-privkeys.txt
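Review bot: `logNetStrings: False` uses a capitalised YAML 1.1 boolean, whereas the sibling proxy.yaml in this diff writes `logNetStrings: false`; write `logNetStrings: false` here too so the two files agree and a YAML 1.2 parser does not read the value as a string. `spAppUri`/`spSsoUri` still point at `http://localhost:8080/` under a `# TODO: change these` comment while `brig`/`galley` already use the `-federation-v0` hostnames; if the SP URLs are meant to be reachable from the other backend or from the test client they presumably need the federation-v0 host, otherwise the TODO should say they are intentionally left as-is for this setup.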
@@ -0,0 +1,4 @@ +qjIAZtKrpXInwyqgM7JCZ3QeK9B4JGBYAv0_63YjTtgDylLfTTpdwvDYSy32is13biThD03QZAUOhBO042Odrw== +dNLsH_oIA6hJCyw-AwokLz3AukHNghlP3H-pW5Ao1Wy06OI2MGgBwRnvjgfI2l1mgCLPJQflUR-7DsYO0p6zoQ== +drShe2GnggBy-VAW1gdE6myf4UAFcN1ZdixCO8NRuYLv_TO-xNQzRj-8RfemJ4R6Oz-R5KTfP6Oj_Tj0qezDTw== +tZWlAKOCe5-vlQl0TbECvxeIptEBGRrnGSiej-olAFe-46gXpFkWTas2Ci84VUWyhWzRJj4rtBmyJkAm-TMvwQ== diff --git a/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt new file mode 100644 index 0000000000..661fcfc71b --- /dev/null +++ b/deploy/dockerephemeral/federation-v0/zauth-pubkeys.txt @@ -0,0 +1,4 @@ +A8pS3006XcLw2Est9orNd24k4Q9N0GQFDoQTtONjna8= +tOjiNjBoAcEZ744HyNpdZoAizyUH5VEfuw7GDtKes6E= +7_0zvsTUM0Y_vEX3pieEejs_keSk3z-jo_049Knsw08= +vuOoF6RZFk2rNgovOFVFsoVs0SY-K7QZsiZAJvkzL8E= diff --git a/deploy/dockerephemeral/init.sh b/deploy/dockerephemeral/init.sh index b22e9b7ed1..f10067319a 100755 --- a/deploy/dockerephemeral/init.sh +++ b/deploy/dockerephemeral/init.sh @@ -18,7 +18,7 @@ while (! aws --endpoint-url=http://dynamodb:8000 --cli-connect-timeout=1 dynamod done echo " [ok!]" -for suffix in "" "2" "3" "4" "5"; do +for suffix in "" "2" "3" "4" "5" "-federation-v0"; do aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-userkey-blacklist$suffix || true aws --endpoint-url=http://dynamodb:8000 dynamodb delete-table --table-name integration-brig-prekeys$suffix || true diff --git a/deploy/dockerephemeral/init_vhosts.sh b/deploy/dockerephemeral/init_vhosts.sh index 4c169ba443..9323e6f5a4 100755 --- a/deploy/dockerephemeral/init_vhosts.sh +++ b/deploy/dockerephemeral/init_vhosts.sh 
@@ -11,5 +11,6 @@ exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://ra exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d1.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d2.example.com" exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/d3.example.com" +exec_until_ready "curl -u $RABBITMQ_USERNAME:$RABBITMQ_PASSWORD -X PUT http://rabbitmq:15672/api/vhosts/federation-v0" echo 'RabbitMQ resources created successfully!' diff --git a/deploy/dockerephemeral/run.sh b/deploy/dockerephemeral/run.sh index e982094a13..57d0e7223a 100755 --- a/deploy/dockerephemeral/run.sh +++ b/deploy/dockerephemeral/run.sh @@ -6,5 +6,12 @@ set -x SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" DOCKER_FILE="$SCRIPT_DIR/docker-compose.yaml" -docker-compose --file "$DOCKER_FILE" up -docker-compose --file "$DOCKER_FILE" down +cleanup () { + docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" down +} + +docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d +trap cleanup EXIT +echo "All Services started successfully, press Ctrl+C to stop them" +# Wait for something to kill this +while true; do sleep 100000000; done diff --git a/hack/bin/selfsigned.sh b/hack/bin/selfsigned.sh index 46332c72cb..a7107c436a 100755 --- a/hack/bin/selfsigned.sh +++ b/hack/bin/selfsigned.sh 
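Review bot: In run.sh, `trap cleanup EXIT` is installed only after `docker-compose ... up -d` returns, so if `up` fails part-way the containers it did create are never torn down, and since no `set -e` is visible in the hunk the script still prints `All Services started successfully` and parks in the sleep loop. Install the trap first and stop on failure: `trap cleanup EXIT`, then `docker-compose --file "$DOCKER_FILE" --file "$SCRIPT_DIR/federation-v0.yaml" up -d || exit 1`, then the echo. The move from a foreground `up` to `up -d` also drops the service log stream the old script showed; if that is intended, a one-line comment pointing at `docker-compose ... logs -f` would help whoever reaches for this script while debugging.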
@@ -4,11 +4,15 @@ # Requires 'cfssl' to be on your PATH (see https://github.com/cloudflare/cfssl) # These certificates are only meant for integration tests that explicitly disable certificate checking -set -e -TEMP=${TEMP:-/tmp} +set -euo pipefail + +SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +ROOT_DIR=$(cd -- "$SCRIPT_DIR/../../" &> /dev/null && pwd) + +TEMP=$(mktemp -d wire-server-self-signed-XXXXXX) CSR="$TEMP/csr.json" -OUTPUTNAME_CA="integration-ca" -OUTPUTNAME_LEAF_CERT="integration-leaf" +OUTPUTNAME_CA="$TEMP/integration-ca" +OUTPUTNAME_LEAF_CERT="$TEMP/integration-leaf" command -v cfssl >/dev/null 2>&1 || { echo >&2 "cfssl is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } command -v cfssljson >/dev/null 2>&1 || { echo >&2 "cfssljson is not installed, aborting. See https://github.com/cloudflare/cfssl"; exit 1; } 
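Review bot: `mktemp -d wire-server-self-signed-XXXXXX` has no directory prefix, so the work directory, which holds the freshly generated CA private key, is created in whatever directory the caller happens to run from, and under the new `set -euo pipefail` any failing cfssl step exits before the `rm -rf "$TEMP"` at the end of the next hunk, leaving that key material behind. Create it under the system temp directory and remove it on every exit: `TEMP=$(mktemp -d "${TMPDIR:-/tmp}/wire-server-self-signed-XXXXXX")` followed by `trap 'rm -rf "$TEMP"' EXIT`; the trailing `rm -rf` in the second hunk can then go. `$TMPDIR`-relative templates work on both GNU and BSD mktemp, unlike the `-t`/`--tmpdir` flags.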
@@ -32,10 +36,15 @@ echo '{ }' > "$CSR" # generate cert and key based on CA given comma-separated hostnames as SANs -cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT" +cfssl gencert -ca "$OUTPUTNAME_CA.pem" -ca-key "$OUTPUTNAME_CA-key.pem" -hostname=*.integration.example.com,host.docker.internal,localhost "$CSR" | cfssljson -bare "$OUTPUTNAME_LEAF_CERT" -# cleanup unneeded files -rm "$OUTPUTNAME_LEAF_CERT.csr" -rm "$OUTPUTNAME_CA.csr" +cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_CA-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/services/nginz/integration-test/conf/nginz/" +cp "$OUTPUTNAME_CA.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$OUTPUTNAME_LEAF_CERT.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +cp "$OUTPUTNAME_LEAF_CERT-key.pem" "$ROOT_DIR/deploy/dockerephemeral/federation-v0/" +rm -rf "$TEMP" diff --git a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem index 774b9d30c9..c92a5f1359 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca-key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAoYyNk0aNoe2AYoWa4ey6P4LR4BxKGk0A9LeFiCP4tWqbU/aZ -DzDATytklxaQiDMDbZQboFngf5/X0S+pjSiZ+LSgIR30/g0yoDEubfUXvF+q+rEh -Om91OHnkwwNoSN1EK687N1nATFXd7YL6Lv2SOrMcyOCtqwnGFwRrH8MR3z87nL+H -vuot2ciXvyeJ3q4RG2G9t8UTjqo1jK/NJHyNZYSY4vGTGZTwGi1BCuNlizi6xzmI -Mh3HS/px/kihR7wLkQ7NpovqjfQVef3JwiJutrRYG6lJT9xXpNu2gKg8KKiZJUgb -gqnPWl+4IdRdZ/q/12Jsg9qAf8tbS+tQ2CnlLQIDAQABAoIBAQCJKkrm+me1Tm/M -tz4bh6FX3Z6Pl9V/YVRndA9n2YsJljvOXbn1wOH4FpLxChKr4gyOFMwkKUvJcRGQ -ptRia0/YcJzpoYLr1o7enwOaDxkZM218L7tT32D7E9wdjJ4WB/Ei2kUAKS9yYRHu -4V/FWD25o2zUTpiGeeT8lB7UuA9Lqg529dGlJcanlZjMe0Wj92ec1jjelERGuGdr -lujikHl8whZRwxCGC09WM48myWnsCVdJ1oqGhYM8nzqImsiMc10K6/8CmVrl3aXV -KrExPLtxCRK3pe5olyCLIkPn3OwSc/ZPSkxVQF4j/PwatqqHE98TQBi5bzKIF2JE -17+DBVxNAoGBAM4lR1WRAtXvAe6/jl5zYHr/v2D69o7v85PuXrnmSLK29h3ACSDM -svTsIkoPIZ/lotM8O/OpOHKWmbXH7MOIu9mRKQAKFlTKtw4xl36SPynegq1H5JBv -bd8N8pQtf8pLuh8qxZvZplBsg9HJHBPlbZo/dMQa8oYDI4BakMyYJEMbAoGBAMie -PyHPgI7RpE5GPXcl/rOxeMF++7qOsOX5XGUhoGoH2feYzj19V2/ptx4KdmD+M3NF -dT1ucmQKqocrE6U3sEMok3BmgajGoGOLQMPXsK18bs0VowI+mmt+uL2BwOr9hHPK -IuZrzwm9vtLYldBU3sdxGA1sLXPB2oUZalwCf7VXAoGAZo77X2GmtIKVRo98qBbk -sCzerMQOuGw+laFo9TnRf0AxT/nDUNMmUV3NbWT7yI45pLf5566Py8qLLHoLm/hB -5OsoJ8Hc/FBiJCieAzWFQTJXdxgmaYlWczuALSI5yo5ESc9AwtnUuXxTVKKmWmux -TKU3VX1GnU+gcPIdyfwDRnMCgYAWg8P8DGiWHqr86d8eDxKNoh42QQUJQ9hQhvK6 -mtKA886fffOvbPCyK52UboIokn69sg7dTRbjaVsH/mqfASfz8YrSc36brWb0pP0o -vX0jizJ4K7R2nQYBiGA9TGGVPcxunkHacED1C+ltikcN8WhrI6MaZoiXVCstAtQv -7Uvd0wKBgQDCC9xoSTr7kFiwp76f7dIBdxLKBiL1tZM/qJIP3lnX9TnLhBiHNxoR -4DbIF5yEdRRNBVfS4rJLa1zAAY3d5u4LENaZEvf7fmsjHTLEIf3gJVviHZSBMP6C -kSPQbfcNTNZaEt/40GAZzgjNiO0rTpsLLI4fGDiHeaMMBHEzAiXJmw== +MIIEpAIBAAKCAQEAxxSgxLUyMcwQHhE3ziEbPgn+m9L8EkXscvsWA6Ma4n5owK2m +Y7aG3n2ZRYlW+3VMBi0StrPh+lmXZWzgyw+bxHkaNYFTpK70xUGTx3lHfyu6EpKB +O0El1SNExnrx8ONUbLyY/LwnjlC5dWOB9l4PNylUf4DUr7eAlFrMIP2v2/FWVz9b +ffm5fWry4fW7iRcLGQRKNYrv/B798dVxEj9xoh2OiW6p8/tuEND6NMkJiGstHTJY 
+tmhwmF74WAxo7EQHD6iNgpr5errAQwrZheSGYNlbj078lA9mpE7BcPwEdDYgnI4R +Lblp0vcXvI3uw4Ne4+EMCDxJhXX+SvacAtBPMQIDAQABAoIBAQCCfuwPZTLc34Wl +H+YzsRHZbdW+sONY2wruJ9Y7VhwWYYQq4OkTrZ7kkvH4WdlxhWbrGXqN1oYHg9iw +vFjx4m5ZsIRUlEyOw7xg3OaQt9f87V3QNMaPX9n7x12auRaEr480o7+o03EeYZ3f +6/VR2EAjCW2BEqLX9/JJzObHrWMsSPMaXIV60V8K7kou1Ol3gdERG/+vAKhqzjFv +xdGQ0J6UHuYsZ5GP+xc1VLmE4WFQBAxcGbm+KWIHPeR/cq40JSsv5iRY5wBYRERK +szqDtwYAObf6DK4qSe8KKHMCfXP1RjWm5cvSebwyIjIqCnFXXUXpE0UNBkiUTVx6 +9xFpaJSRAoGBANuF2ucn0QwPNlyWdkAy9ItVmtwO+Rq8nlFai8KOt/Dauw5IqNye +xy6I8oEHCVrl7rHU6XRXqo3rJHrskcSJhYbiV+dYwusUnkqB27X/qv+CYJ/MQRC6 +v++ceNu/ybAF4UXxbIkEKR5BYaUAjXIN8kGp6Y1hF/wkUmjHQMQiwJP1AoGBAOgp +MOukoVDUQpu8Izzt9ff++S2531LUL66BCmxPQR3vhdxnYLFqs216uTevDrGTgLRS +mXwddVHLKW+zJiGZ0QssnCHmPzzg+USLQzCqJLUKCOoT9s3sDq/TsJwVuZy6sPcr +qWJ/sC9Ge+ZB6CRDrvZGdMSFvRkGT0cpT/mW4gTNAoGAX8ZxsCJmCV3luNWIeBAD +M3tA2jvKIQkkBZh8m4DK7dFwhRXcXo0Dl+D19KdORJNG5d1fkXviFJL/0oW+P0JE +uImuEmheelP/j8BCTJBkWZ/XakCiLptbvD3HWRC+/QZDt9FSKiFfkyyxXlz0WUuO +Y2mvVRiEb2Slc8NjFW+YF7UCgYAG2Pgtaxyq8qfISiNL78TafLXCyIGywrlpTzsM +eMX16ROsrYvnj7sdFoqR/uLTEAOyzeDjDUdhkzl0pvcP9KZ6yuUMBuuEkyonAGiJ +7erJQDOFG/OinTzNqNPDtsxTuBnyIGKNmjCLJGwRHY6IS0rEzs0w4rTyIQKDmc9X +EEE4XQKBgQDWr+hrUDfMa0JeiiB+mFCebNZptDMe0WN5oh+l1FkNlhSauaIb19Fu +qNtrC/F7ZihJW7i4xzEeakaZLpTEMjhdDLD4aQ+RiqW8iR7qmLKDYKWd8g2sanL1 +Tspko3Sj2Oq00BAU5tlNvVvxIaGraQ+HfNRi7p1HEPm7CeLg4ucmTg== -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-ca.pem b/services/nginz/integration-test/conf/nginz/integration-ca.pem index 2aff84d758..2315c7c740 100644 --- a/services/nginz/integration-test/conf/nginz/integration-ca.pem +++ b/services/nginz/integration-test/conf/nginz/integration-ca.pem 
@@ -1,19 +1,19 @@ -----BEGIN CERTIFICATE----- -MIIDAjCCAeqgAwIBAgIUaq5Rk0z4WRqKc9dEtkxgVdL0LBIwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMwNDI0MDkzMTAwWhcN -MjgwNDIyMDkzMTAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKGMjZNGjaHtgGKFmuHsuj+C0eAcShpN -APS3hYgj+LVqm1P2mQ8wwE8rZJcWkIgzA22UG6BZ4H+f19EvqY0omfi0oCEd9P4N -MqAxLm31F7xfqvqxITpvdTh55MMDaEjdRCuvOzdZwExV3e2C+i79kjqzHMjgrasJ -xhcEax/DEd8/O5y/h77qLdnIl78nid6uERthvbfFE46qNYyvzSR8jWWEmOLxkxmU -8BotQQrjZYs4usc5iDIdx0v6cf5IoUe8C5EOzaaL6o30FXn9ycIibra0WBupSU/c -V6TbtoCoPCiomSVIG4Kpz1pfuCHUXWf6v9dibIPagH/LW0vrUNgp5S0CAwEAAaNC -MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBuq -33I+JaC5KOsrFeHkzhBuFqtzMA0GCSqGSIb3DQEBCwUAA4IBAQBaOq1YyLjpMz+O -mxw0yRpROgPaPt0QMsSbUCeNXPrlMFi+7QarmKfz0EGoGJEfU8Eu22+mqnAC2tTO -iSLy89tlR21i0+x+0V+qedzZCQfMlm00SS29wzbXomeUunQxlHNuGuRzkzh7g80G -+wIJuIZRvs+qgGofd4yp2BGGQNOlNRhPmc0LP5DSB+snmIscx+sDnVUn7MWunH80 -Doj+CL6wSbP79hfJXeK5LxSBmAtQU8dpZlgNaRCO5TAU10xgzFNCKWbKJ7nf4wC5 -cMGhRWFYP3babARd42KWViRYLZ7bxTtNBnKOvo7AtQJ3YIOUwk1ofq3/PhLHDxiG -XWlMKqrV +MIIDAjCCAeqgAwIBAgIULBRPt7tLLvsw7kciIdjbXB8tddQwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjgxMTE5MTM1ODAwWjAZMRcwFQYDVQQDEw5jYS5leGFtcGxlLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcUoMS1MjHMEB4RN84hGz4J/pvS/BJF +7HL7FgOjGuJ+aMCtpmO2ht59mUWJVvt1TAYtEraz4fpZl2Vs4MsPm8R5GjWBU6Su +9MVBk8d5R38ruhKSgTtBJdUjRMZ68fDjVGy8mPy8J45QuXVjgfZeDzcpVH+A1K+3 +gJRazCD9r9vxVlc/W335uX1q8uH1u4kXCxkESjWK7/we/fHVcRI/caIdjoluqfP7 +bhDQ+jTJCYhrLR0yWLZocJhe+FgMaOxEBw+ojYKa+Xq6wEMK2YXkhmDZW49O/JQP +ZqROwXD8BHQ2IJyOES25adL3F7yN7sODXuPhDAg8SYV1/kr2nALQTzECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJO6 +JJpzdazNjXtum3zX8UYWaQIJMA0GCSqGSIb3DQEBCwUAA4IBAQCoV7sw9CgICo9O +JacaB+P0Uk0dnISjsrKpcAKnuVdh1rN94+beXyttSBgQtDgVBehlESN+/B9fefLb +lhVxgCYq8inx4wZs22h8ZkjpJiOmBDjvHwgkCQOoh/Kog9gkmDr4qbFahU5GpaTp 
+x1rlNF3qaNRvZSVoxIVwYYiexKS5/KYMedII2EoBMHcFj0qKMhdDIT1Uw2PJZwiA +qjGDsSnLS+VeA8Zluc3m/os0ynjR6BEFQF1sn/OGO0eFaSMxXz0+Z4vT3J+c08Be +z2uZWQBgCiV/bL8F5xgokbHx+Vl0lz+1PEoFre8IJihmcnT8ZPWv/8eWPAr0gavH ++R0lNAyw -----END CERTIFICATE----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem index b1718af2d0..8ed90523cd 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf-key.pem 
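Review bot: The replacement CA certificate is valid for five years (decoding the validity field gives notBefore 2023-11-21T13:58:00Z, notAfter 2028-11-19T13:58:00Z) with critical basicConstraints CA:TRUE and keyUsage keyCertSign/cRLSign, and what looks like its matching unencrypted private key (same modulus bytes) is committed in the preceding hunk, so anyone with read access to the repository can mint certificates chaining to `ca.example.com` for that whole period. That is fine for a throwaway integration fixture but nothing in the hunk marks it as such; I would add a one-line README or comment next to these files stating that `integration-ca.pem` is test-only material that must never be added to a real trust store, and record the expiry date there so the next rotation is planned rather than discovered. Since both the CA and the leaf are being regenerated together, checking in the openssl/step command used to produce them would make the rotation reproducible instead of hand-rolled.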
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAr8i0VsoPb1ITTQO1O+uZ4b3+19F42kwXSpaBmgGwK9PQMjiw -+mNGKQf0AM8HISPAEWN3+7ildrl7o9gaFW6e6L00LGyRrKr9hJ46yWNhLb7auJi6 -sq5WK6Wjt+BDMWHmokfKDGOTyh4d+Q5R3uoY/Smi+QQLxUb8VkAESy6lLvff1HXy -jmcvoHigCMedOX0ipgoDg0OOMUiwDaJslsKnJ+Irn7VpfUjmIPPz4J8VRRlqxK6u -tSktq8uzZEUP03elZvlDYGuKEar5qLwgVENJKjgWWG6+gSJniQRNFKIOEvMsybip -wGdA/+da/s27NLBZvnMCLfSKVe15PnBfcEi3FwIDAQABAoIBABM4gO+UfIeRk+ax -5xk8M8FJQxpaHzrPYySWvGkYkijYqkUzibZ3MG7AHeAQwxjOjevY0n/FuuH2ehx6 -Pq/lPp74QUIyRON6duoPWyI2KaQU4Fma6Z8sDOQM4o/yh6ZYrB1GeENOiBRrop9e -/3i+ZCkaamWMGbVig6jyqwWFfi5aYZmL9BB3g7mMYz+DAnSD9eAI0Fl+dCjY3PLq -I5+BjnjHDdA9ixjyNhobBPUN67qAQLox7b5+joM+dW9TD2+2wLF8ubBP/ZjZxJpR -WRGG9tikdyR0ojC9cx4hg9+tN1OV9lAfOgWZO4ZwgCMsDFrKCf76DpG8nNbGMkUi -D8mGmhECgYEA6M6mlQuax9jvd7PhN/E5pqgDDr9gT0+6i9JRSNdX2zGxcH8QPMuE -WQN9gIT+HGfgZQR9r7DvEtl58IzMadF3Jj+zq2C1UMQujWktTp2wA+Lj+JTmSkSx -OdhFwOnouWqeHacdrP+LDahrxTAoQLWkFY7gbzYJARhT8U+MD17yFOMCgYEAwUvG -KY2H4SHqA2V3gjxjaGpj01D4Q4zaK4cDdLYofkkEIECbDXQ0MBPrhEng0bH/P4ld -8H9Sbsfaave/kdTpQunrGRG6cUnLG2/b3NPwf2FcROJ6bVP2JjQLSHZroV1WNLbO -WokoLn61AllkjHisyHjgeBx1oCBE08OVCyJ43z0CgYEAvbUHkZSvQALKwGRYNlnf -fKqUM0RHmtmBTcbIbe7srLVFvkIMXT4KTu7FKiE1YLhU5nxOXwhzCI0nDJnvSJtj -2Es4gYKAvZvfw2Pdg56De+c7lajgL8ziDhzqWlVBSzZSOh+f0wU5rpt7lmezpWde -miKfSIBjvfyxCoajvzLDWbkCgYBtFY8yeg3ZzqLa4dNM6zmKfqfxZHuG26Fv+RTJ -M9esVRaAARW/xPmCvGsoT+0RSitrNuGNzLy/igfIYCJ7cTVmrs4farLWJjf6NulU -OUM7D73bnhhLRJvgOXS4oyPgf+UbgKL50vebLaSHO92TrLKNvDGpdx4mjK9q9rBR -BVZDXQKBgBxHESayFWS0tAyV67GlOaiy3mbjVvxpRT7IGwXZAX+3NMvRmCzN8sIB -zkYMuRC3P/9RAZkBQ2qp8Fu0W8G7b32ImWyP7/HJb0hnBIfwBnePSUA1nS8jEkMp -IkrYAiU2viJTMiHNcqoVuJUY/FmxiZPPewqnJwQYAE4nrUD/oU8F +MIIEpAIBAAKCAQEA1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk ++RAYeKupGF9eqGBkiYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7Y +uXYWfHw4NdFkSZoE0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J +4cU3JfXQQzdNCMiXlpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iR 
+qwdy4edjKhcvJxuxHw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa +27UrBdRSg+Wb3FDQ+J8IeS6PR5JwjBcwt+DAjQIDAQABAoIBAHXZSS/TOqZZeWXI +sbH4824xX7weu+pHHqHqQaiphNWllRmgyv72H6VU5YbTDdKiAaAV50LB2CtAQjT2 +2I2YRdpiMKEgblxkPYKxwCAlGU7rXayddVXG9y/O4vhIWomuJ4SS9U7DB4Gv7/C0 +UQuFtyM7ugwIdISWEwOLv7Q5nSn2DYYXapNSmCUYv2FJEd57MJFtZ+CTHPu+ALxY +/qCGga8WBQ9Io/4A6UWN76m5IREeGh/pBwwhestpvUB9hXXe037Z11G3j/mNjqmz +SoUdEXnXpqJMA4c73hrryZR7TRPjRQx2P7YTyMwwOaJenhCS2F7ohJrwXNEtfbXt +Tb4mAQECgYEA8Qc4YqbF+xDmav1Mw7tpQ34EW7U1BF6RW+zpaRVVYXc+hZq8Rscl +yhzvYI2F4b9qOXw73Vdj3Hbd3f3BRC2ayMUk82pmbFEhZjQR9cGaLH1JfNXBdgz+ +wenmdczUAhmDiIseXTYdXL0FFgc9F/UFzmAYmD/kkMHTO2wnfeAci00CgYEA5EDv +UJzW/hWUtawWfg0Bw+H5RR2W/28dGG+680zazZwVHtDF7sEiThmR8AlLu74tWUMg +PBREdxOui5qRhmZO3y3JLJ8mjmEUQqC4x1NWReZCAcWGTNXn/PHsWPlK82qp/Q98 +lYJLShtbOOgo1hUPYeQ3hFnDi8HM3QssEeYB6kECgYA0kdSUf7dyuQ7oivKxRjEB +TXz5254Co/WkTRnjl4mVxoJWdZdXAJyXZpQ3RObMhAlRHG2aKzNWpH5jqrL6gc/e +tlEG3lAUk+Vq+zRnm6Baz8C1f5HAg7kU5kUjsFcVVidAIseuoNzqmzd+xHlovkJT +7tWub1EU2ZGOxloetEDFiQKBgQCfPrp4OGQ6cp4EvaIXoUV4/0Aku0cswL3A3brF +ofoJdvq5PBjLwQ0JBgfuOt4OhtkmrJFhuRYnKaEeHuGmrdwbEtuG+SYyMYKsFWu1 +DOxk6gdlKwTOuHIY5EPrs0laWDFur45Q1M1oT3uuUTKkYZ8QweMFwIaQC8687N17 +Q0hUwQKBgQDu55deAXAAS9FCqT4qidyxmvjdpkn8BKZhetss+t0m7Rum9OJCiMI5 +90exbnlRtUP4soNOccS3w3ie2HPspdlIsllYnd4/KaHQbdEoGtvrF5rM77X+81N1 +xPgNsMJM167VEWWJJCE+rkeWiF+irrjiHj7QlLmKkK4bmEzp5XuLyg== -----END RSA PRIVATE KEY----- diff --git a/services/nginz/integration-test/conf/nginz/integration-leaf.pem b/services/nginz/integration-test/conf/nginz/integration-leaf.pem index 120d96cda5..d8e7ee0955 100644 --- a/services/nginz/integration-test/conf/nginz/integration-leaf.pem +++ b/services/nginz/integration-test/conf/nginz/integration-leaf.pem 
@@ -1,20 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAkSgAwIBAgIUV3PHvpBx77MqGBo+PM2RIuIcBfAwDQYJKoZIhvcNAQEL -BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMwNDI0MDkzMTAwWhcN -MjQwNDIzMDkzMTAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -r8i0VsoPb1ITTQO1O+uZ4b3+19F42kwXSpaBmgGwK9PQMjiw+mNGKQf0AM8HISPA -EWN3+7ildrl7o9gaFW6e6L00LGyRrKr9hJ46yWNhLb7auJi6sq5WK6Wjt+BDMWHm -okfKDGOTyh4d+Q5R3uoY/Smi+QQLxUb8VkAESy6lLvff1HXyjmcvoHigCMedOX0i -pgoDg0OOMUiwDaJslsKnJ+Irn7VpfUjmIPPz4J8VRRlqxK6utSktq8uzZEUP03el -ZvlDYGuKEar5qLwgVENJKjgWWG6+gSJniQRNFKIOEvMsybipwGdA/+da/s27NLBZ -vnMCLfSKVe15PnBfcEi3FwIDAQABo4G0MIGxMA4GA1UdDwEB/wQEAwIFoDAdBgNV +MIIDcjCCAlqgAwIBAgIUXlJ06fjgHbzEvIRscFvEwxpsioMwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAxMOY2EuZXhhbXBsZS5jb20wHhcNMjMxMTIxMTM1ODAwWhcN +MjQxMTIwMTM1ODAwWjAAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +1ueRV5jCjz+AWOmFzKkkjqPrCj1GGz8VDm5HLm4e7EO/LGXk+RAYeKupGF9eqGBk +iYfw9eZrjbf+uf5mpe7qKGrP67iCEzyjkbMMB8I89dcLwp7YuXYWfHw4NdFkSZoE +0gmZ6Jh7EK+G2n+PZUaS9T43QoqMv0pFQ1roZpVMKkjnkW5J4cU3JfXQQzdNCMiX +lpGAIL0cKee6cwkPpGC1X3/6XQDyW7Q9nOjSw0mPmiZuK4iRqwdy4edjKhcvJxux +Hw215hVi0QVqbUcNzffS0mO+VIXz2IEbdzUwhSZJISsHQEOa27UrBdRSg+Wb3FDQ ++J8IeS6PR5JwjBcwt+DAjQIDAQABo4HKMIHHMA4GA1UdDwEB/wQEAwIFoDAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUa7feIJTIqMh5UjDi0UR7Ub5MrvcwHwYDVR0jBBgwFoAUG6rfcj4loLko6ysV -4eTOEG4Wq3MwMgYDVR0RAQH/BCgwJoIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv -bYIJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAIfB/q/+jHWbN5goGMaPh8 -CL8kynzf0dmkwOs6f6sqDIRo+9BQneWCWVOTLbO3LK6ITsZhVTFmKT3bkEmj04sy -ZUnXfqi9CqDHjQKZU9OxIWoCgbe6r4siInI46K3rSYGsmP37x9jWop1fbJBLl1HC -ray3LR8zanzsR9ksbyfA9VbNmWY1nWxTkZZ5RM+IAlU0/8qRgo5Ypsl35Gd9RJiN -DtbU3+rU9bYQ1YgYDk0h1s2woEberjp1xnvGBJLhDjewv9jXXaQXr1GlwfnJBenO -TV+GWqTeXwPclK0mSKDGs/Ixh+dH3J+8GGCGd8CJTnQfCzGZIBf4I7re8QkeNsVb +FgQUWm43ORCCQGlDu3JaPIm15lsr5swwHwYDVR0jBBgwFoAUk7okmnN1rM2Ne26b +fNfxRhZpAgkwSAYDVR0RAQH/BD4wPIIZKi5pbnRlZ3JhdGlvbi5leGFtcGxlLmNv 
+bYIUaG9zdC5kb2NrZXIuaW50ZXJuYWyCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsF +AAOCAQEAfrlC1maUJMg5n61YEpBwIS9O0LLhNidZ6dBEPwDiBwskzkTKoWksSR+n +7OytNFQvrdclejxIyvoOvBhLqNY4pFYdNRUu42GESUpCA6cQlW3a9QchTEuNASWR +AdrmGmjXYwPFGjnVUVPR+Abs9lG7/8eDYoq1B1AdBkW1EJ7+0/DrLOLDtloxYmBF +bydmLcesdPvgBLkHfBlOG54jH/ILXHAHxskWmGqixY6L1svhrcnwsindxRcfT4QB +fAtNDfAfiftUdb96QJfpwN1/N1oEHFl2D0ynE8sFOuVFm0gQ6mblH+Vahune6cSK +7SDUwM9Ia1OAO/r2cdEAvCrQqaeDZQ== -----END CERTIFICATE-----