Revert "Add public TLS endpoint for blobstore"

This reverts commit 332abbb. Co-authored-by: Amelia Downs <[email protected]>
cloudfoundry · Jan 30, 2024 · 85c26d6 · 85c26d6
1 parent a6dc4a8
commit 85c26d6
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 101 deletions.
diff --git a/jobs/blobstore/spec b/jobs/blobstore/spec
@@ -12,8 +12,6 @@ templates:
   write_users.erb:      config/write_users
   blobstore.crt.erb:    ssl/blobstore.crt
   blobstore.key.erb:    ssl/blobstore.key
-  blobstore_public.crt.erb:    ssl/blobstore_public.crt
-  blobstore_public.key.erb:    ssl/blobstore_public.key
   pre-start.sh.erb:     bin/pre-start
   backup.erb:           bin/bbr/backup
   restore.erb:          bin/bbr/restore
@@ -54,9 +52,6 @@ properties:
   blobstore.port:
     description: TCP port on which the blobstore server (nginx) listens
     default: 8080
-  blobstore.public_tls_port:
-    description: TCP port on which the blobstore server (nginx) listens
-    default: 8081
   blobstore.tls.port:
     description: The TCP port on which the internal blobstore server listens
     default: 4443
@@ -67,13 +62,6 @@ properties:
   blobstore.tls.private_key:
     description: The PEM-encoded private key for signing TLS/SSL traffic
 
-  blobstore.public_tls.cert:
-    description: The PEM-encoded certificate (optionally as a certificate chain) for serving blobs over TLS/SSL
-
-  blobstore.public_tls.private_key:
-    description: The PEM-encoded private key for signing TLS/SSL traffic
-
-
   blobstore.admin_users:
     description: |
      List of Username and Password pairs that have admin access to the blobstore. Cloud Controller must use one of these to access the blobstore via HTTP Basic Auth.

diff --git a/jobs/blobstore/templates/blobstore.conf.erb b/jobs/blobstore/templates/blobstore.conf.erb
@@ -1,26 +1,10 @@
-# Default server
-#
-
 <% unless p('temporary_disable_non_tls_endpoints')  %>
-
+# Default server
 server {
-  listen      <%= p('blobstore.port') %>;
-  return 404;
-}
-<% end %>
-
-server {
-  listen      <%= p('blobstore.public_tls_port') %> ssl;
-
-  ssl_certificate     /var/vcap/jobs/blobstore/ssl/blobstore_public.crt;
-  ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key;
-
-  ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
-  ssl_protocols TLSv1.2;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
+  listen      <%= p("blobstore.port") %>;
   return 404;
 }
+<% end  %>
 
 upstream blob_url_signer {
   server unix:/var/vcap/data/blobstore/signer.sock;
@@ -111,78 +95,11 @@ server {
   }
 }
 
-# Public server
-#
-
 <% unless p('temporary_disable_non_tls_endpoints')  %>
+# Public server
 server {
-  server_name blobstore.<%= p('system_domain') %>;
-
   listen      <%= p('blobstore.port') %>;
-
-  root        /var/vcap/store/shared/;
-
-  access_log /var/vcap/sys/log/blobstore/public_access.log;
-  error_log  /var/vcap/sys/log/blobstore/public_error.log;
-
-  # ensure the contents of this location block always match the internal server /read/ location block
-  location /read/ {
-    if ( $request_method !~ ^(GET|HEAD)$ ) {
-      return 405;
-    }
-
-    secure_link $arg_md5,$arg_expires;
-    secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>";
-
-    if ($secure_link = "") {
-      return 403;
-    }
-
-    if ($secure_link = "0") {
-      return 410;
-    }
-
-    alias /var/vcap/store/shared/;
-  }
-
-  # ensure the contents of this location block always match the internal server /write/ location block
-  location /write/ {
-    dav_methods PUT;
-    create_full_put_path on;
-
-    if ( $request_method !~ ^(PUT)$ ) {
-      return 405;
-    }
-
-    secure_link $arg_md5,$arg_expires;
-    secure_link_md5 "$secure_link_expires$uri <%= p('blobstore.secure_link.secret') %>";
-
-    if ($secure_link = "") {
-      return 403;
-    }
-
-    if ($secure_link = "0") {
-      return 410;
-    }
-
-    alias /var/vcap/store/shared/;
-  }
-}
-
-<% end %>
-
-server {
-  listen      <%= p('blobstore.public_tls_port') %> ssl;
   server_name blobstore.<%= p('system_domain') %>;
-
-  ssl_certificate     /var/vcap/jobs/blobstore/ssl/blobstore_public.crt;
-  ssl_certificate_key /var/vcap/jobs/blobstore/ssl/blobstore_public.key;
-
-  ssl_ciphers DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
-  ssl_protocols TLSv1.2;
-  ssl_session_cache shared:SSL:10m;
-  ssl_session_timeout 10m;
-
   root        /var/vcap/store/shared/;
 
   access_log /var/vcap/sys/log/blobstore/public_access.log;
@@ -231,3 +148,4 @@ server {
     alias /var/vcap/store/shared/;
   }
 }
+<% end %>
diff --git a/jobs/blobstore/templates/blobstore_public.crt.erb b/jobs/blobstore/templates/blobstore_public.crt.erb
diff --git a/jobs/blobstore/templates/blobstore_public.key.erb b/jobs/blobstore/templates/blobstore_public.key.erb