From bc5f0ca9457ff4f6c1f7e8d7aaa5ee2c4c586378 Mon Sep 17 00:00:00 2001
From: Christophe Siraut
Date: Fri, 11 Sep 2020 16:03:35 +0200
Subject: [PATCH] README: documentation update
---
 README | 26 ++++++++++--------
 debian/haproxy/haproxy.conf-example.snippet | 10 +++++++
 debian/nginx/logtracker-example.conf | 30 +++++++----------------
 3 files changed, 34 insertions(+), 32 deletions(-)
 create mode 100644 debian/haproxy/haproxy.conf-example.snippet
diff --git a/README b/README
index 9922fae..08bf75d 100644
--- a/README
+++ b/README
@@ -1,18 +1,22 @@ Logtracker =========== -Logtracker is a django application that aggregates and displays log entries +Logtracker is a django application that aggregates and displays log entries. -Post-install ------------- -In order to allow clients writes : +1. Server installation -1. on the server : +Clients upload using ssl certificates, ensure x-http-ssl* headers are added by +upstream haproxy or nginx (see provided examples). - echo "create role rsyslog with login password 'ohGh6iec'; - grant connect on database logtracker to rsyslog; - grant insert on table journal_entry to rsyslog; - grant usage, select on sequence journal_entry_id_seq TO rsyslog; " | sudo -u postgres psql logtracker +2. Clients installation -2. install rsyslog-logtracker, then - copy and adapt debian/rsyslog-logtracker.conf-example to debian/rsyslog-logtracker.conf +2.1 using curl + + $ journalctl -o export --no-pager --cursor-file=~/.config/logtracker.cursor | curl -sS -X POST --cacert /etc/ssl/certs/ca-certificates.crt --cert $CERT --key $KEY --data-binary @- https://$HOST/upload + +2.2 + * using systemd-journal-upload: + ** install systemd-journal-remote + ** in order to upload containers journals, override systemd-journal-upload.service with : ExecStart = /lib/systemd/systemd-journal-upload -m --save-state + ** in /etc/systemd/journal-upload.conf configure URL, ServerKeyFile, ServerCertificateFile and TrustedCertificateFile + ** enable and start systemd-journal-upload.service
diff --git a/debian/haproxy/haproxy.conf-example.snippet b/debian/haproxy/haproxy.conf-example.snippet
new file mode 100644
index 0000000..a40528c
--- /dev/null
+++ b/debian/haproxy/haproxy.conf-example.snippet
@@ -0,0 +1,10 @@
+ frontend https
+ ...
+ bind *:443 ssl crt /etc/ssl/bundles ca-file /usr/local/share/ca-certificates/entrouvert-ca.crt verify optional
+ http-request set-header X-SSL %[ssl_fc]
+ http-request set-header X-SSL-Client-Cert %[ssl_fc_has_crt]
+ http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-SSL-Client-SHA1 %[ssl_c_sha1,hex]
+ http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
diff --git a/debian/nginx/logtracker-example.conf b/debian/nginx/logtracker-example.conf
index e548e68..dc169fa 100644
--- a/debian/nginx/logtracker-example.conf
+++ b/debian/nginx/logtracker-example.conf
@@ -6,6 +6,9 @@ server { ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; + ssl_client_certificate /etc/ssl/certs/ca-certificates.crt; + ssl_verify_client optional; + access_log /var/log/nginx/logtracker.example.org-access.log combined; error_log /var/log/nginx/logtracker.example.org-error.log;
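Review bot: `http-request set-header X-SSL-Client-Verify %[ssl_c_verify]` forwards OpenSSL's numeric verify result (0 when the chain validated), whereas the nginx example added in the same commit forwards `$ssl_client_verify`, whose values are the strings `SUCCESS`, `FAILED:<reason>` or `NONE`; the fingerprint casing and the DN string layout also differ between `ssl_c_sha1,hex`/`ssl_c_s_dn` and nginx's `$ssl_client_fingerprint`/`$ssl_client_s_dn`. Which encoding logtracker actually checks cannot be seen from this diff, but the two examples cannot both be correct for a backend that compares against a single expected value, and a deployment that copies the wrong one either rejects every client or, worse, accepts one that failed verification if the check is merely "header present". A comment at the top of the snippet should state the convention the application expects, e.g. `# X-SSL-Client-Verify carries ssl_c_verify: 0 = chain verified, any other value = failed; nginx sends SUCCESS/FAILED/NONE instead`, or the snippet should normalise the value to the nginx form before it is forwarded.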
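Review bot: `ssl_client_certificate /etc/ssl/certs/ca-certificates.crt` combined with `ssl_verify_client optional` makes every public CA in the system bundle an acceptable issuer for client certificates, so a certificate from any commercial CA reaches the backend with `X-SSL-Client-Verify: SUCCESS`. The haproxy snippet in this same commit restricts the trust anchor to a dedicated `entrouvert-ca.crt`, and unless the application additionally pins the issuer or the fingerprint (not visible here) the nginx example should match it: `ssl_client_certificate /usr/local/share/ca-certificates/entrouvert-ca.crt;` followed by `ssl_verify_depth 2;` so the accepted chain length is explicit rather than the default. The surrounding `server` block starts outside the hunk.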
@@ -23,26 +26,11 @@ server {
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-}
-
-server {
- listen 80;
- server_name _;
-
- access_log /var/log/nginx/logtracker.example.org-access.log combined;
- error_log /var/log/nginx/logtracker.example.org-error.log;
-
- location ~ ^/static/(.+)$ {
- root /;
- try_files /var/lib/logtracker/collectstatic/$1
- =404;
- }
-
- location / {
- proxy_pass http://unix:/var/run/logtracker/logtracker.sock;
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_set_header X-SSL 1;
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-SHA1 $ssl_client_fingerprint;
+ proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+ proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
 }
 }
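Review bot: The five `proxy_set_header X-SSL-*` lines added here leave `X-SSL-Client-CN` and `X-SSL-Client-Cert` untouched, and nginx forwards any request header it does not override, so a client can supply those two itself; the haproxy snippet in this commit sets both, which suggests the backend may read them, though the diff does not show whether it does. If logtracker consults either header, an attacker with no certificate at all can inject a CN of their choosing through this `location /`; clearing them alongside the ones that are set closes that path: `proxy_set_header X-SSL-Client-CN "";` and `proxy_set_header X-SSL-Client-Cert "";` (an empty value makes nginx drop the header rather than forward it). Removing the plain-HTTP `server` block is the right call, since it forwarded client headers without setting any `X-SSL-*` value. The enclosing `location /` block starts outside the hunk.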