[Kimchi-devel] [PATCH] [Wok 2/6] Configure nginx to proxy connections to the websocket server

Aline Manera alinefm at linux.vnet.ibm.com
Mon Jan 18 21:05:50 UTC 2016


From: Rob Lemley <rob.lemley at rochester.edu>

Routing websocket traffic through the nginx SSL port instead of a separate listener means only ports 8000 and 8001 need to be reachable, which helps in networks with restrictive firewalls.
- modify the nginx config file and code to support changes
- update README files
- update firewalld config

Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
Signed-off-by: Rob Lemley <rob.lemley at rochester.edu>
---
 docs/README.md        |  5 +----
 src/firewalld.xml     |  1 -
 src/nginx/wok.conf.in | 20 ++++++++++++++++++--
 src/wok/proxy.py      |  5 +++--
 src/wokd.in           |  4 ++++
 tests/utils.py        |  6 +++---
 6 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/docs/README.md b/docs/README.md
index 4c0009d..04ef2fa 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -132,26 +132,23 @@ Run
 If you cannot access Wok, take a look at these 2 points:
 
 1. Firewall:
-Wok uses by default the ports 8000, 8001 and 64667. To allow incoming connections:
+Wok uses by default the ports 8000 and 8001. To allow incoming connections:
 
     For system using firewalld, do:
 
         $ sudo firewall-cmd --add-port=8000/tcp --permanent
         $ sudo firewall-cmd --add-port=8001/tcp --permanent
-        $ sudo firewall-cmd --add-port=64667/tcp --permanent
         $ sudo firewall-cmd --reload
 
     For openSUSE systems, do:
 
         $ sudo /sbin/SuSEfirewall2 open EXT TCP 8000
         $ sudo /sbin/SuSEfirewall2 open EXT TCP 8001
-        $ sudo /sbin/SuSEfirewall2 open EXT TCP 64667
 
     For system using iptables, do:
 
         $ sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
         $ sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
-        $ sudo iptables -A INPUT -p tcp --dport 64667 -j ACCEPT
 
     Don't forget to correctly save the rules.
 
diff --git a/src/firewalld.xml b/src/firewalld.xml
index ff9fafe..3a564fe 100644
--- a/src/firewalld.xml
+++ b/src/firewalld.xml
@@ -4,5 +4,4 @@
   <description>wokd is a daemon service for wok which is a web framework.</description>
   <port protocol="tcp" port="8000"/>
   <port protocol="tcp" port="8001"/>
-  <port protocol="tcp" port="64667"/>
 </service>
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
index db68893..bb5b1ed 100644
--- a/src/nginx/wok.conf.in
+++ b/src/nginx/wok.conf.in
@@ -49,6 +49,15 @@ http {
     proxy_read_timeout          600;
     send_timeout                600;
 
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    upstream websocket {
+        server 127.0.0.1:${websockets_port};
+    }
+
     server {
         listen ${proxy_ssl_port} ssl;
 
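Review bot: The new `upstream websocket { server 127.0.0.1:${websockets_port}; }` only closes the firewall hole if the websocket server itself binds to loopback, and nothing in this series changes that listener's bind address while the firewalld entry for the port is removed; if the server still listens on all interfaces, the direct port stays reachable on hosts without firewalld or with a stale ruleset even though the README now says only 8000 and 8001 are needed. Please confirm the bind address where the websocket server is started and record the assumption here, e.g. `# websocket server must listen on 127.0.0.1 only; its port is no longer opened in the firewall`. The enclosing `http {}` block starts and ends outside this hunk.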
@@ -65,11 +74,18 @@ http {
         add_header X-XSS-Protection "1; mode=block";
 
         location / {
-            proxy_pass http://127.0.0.1:${wokd_port};
+            proxy_pass http://127.0.0.1:${cherrypy_port};
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_redirect http://127.0.0.1:${wokd_port}/ https://$host:${proxy_ssl_port}/;
+            proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}/;
+        }
+
+        location /websockify {
+            proxy_pass http://websocket;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
         }
     }
 
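Review bot: The new `location /websockify` block forwards without the `Host`, `X-Real-IP` and `X-Forwarded-For` headers that `location /` sets, so the websocket server sees every client as 127.0.0.1 and loses the origin address for its own logging or per-client checks; add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` next to the Upgrade/Connection headers. Note also that the http-level `proxy_read_timeout 600;` now applies to the proxied websocket, so a session with no frames for ten minutes will be cut by nginx, which may be intended but deserves a comment or an explicit per-location timeout. `/websockify` is a prefix match, so `/websockifyX` routes to the upstream too; `location = /websockify` is stricter if no sub-paths are expected. The surrounding `server {}` block starts outside this hunk.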
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index f281522..f5351e3 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -2,7 +2,7 @@
 #
 # Project Wok
 #
-# Copyright IBM, Corp. 2014-2015
+# Copyright IBM, Corp. 2014-2016
 #
 # Code derived from Project Kimchi
 #
@@ -82,8 +82,9 @@ def _create_proxy_config(options):
     data = Template(data)
     data = data.safe_substitute(user=user_proxy,
                                 proxy_port=options.port,
-                                wokd_port=options.cherrypy_port,
                                 proxy_ssl_port=options.ssl_port,
+                                cherrypy_port=options.cherrypy_port,
+                                websockets_port=options.websockets_port,
                                 cert_pem=cert, cert_key=key,
                                 max_body_size=eval(options.max_body_size),
                                 dhparams_pem=dhparams_pem)
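Review bot: Because the template is filled with `safe_substitute`, a keyword that does not match the placeholder in wok.conf.in (the rename `wokd_port` -> `cherrypy_port` is done on both sides here, but a future mismatch would not be caught) leaves a literal `${...}` in the generated nginx config and only fails when nginx starts; validating the new value before substitution, e.g. `websockets_port = int(options.websockets_port)`, at least rejects a missing or non-numeric port at config-generation time. The `eval(options.max_body_size)` on the context line predates this change but is the same class of concern, since a configuration value is executed as Python; presumably the file is root-owned, but `int(...)` with a fixed unit would be safer. `_create_proxy_config` begins and ends outside this hunk.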
diff --git a/src/wokd.in b/src/wokd.in
index c5510fd..1108445 100644
--- a/src/wokd.in
+++ b/src/wokd.in
@@ -47,6 +47,7 @@ def main(options):
     port = config.config.get("server", "port")
     ssl_port = config.config.get("server", "ssl_port")
     cherrypy_port = config.config.get("server", "cherrypy_port")
+    websockets_port = config.config.get("server", "websockets_port")
     runningEnv = config.config.get("server", "environment")
     federation = config.config.get("server", "federation")
     isopool = config.config.get("server", "create_iso_pool")
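Review bot: `config.config.get("server", "websockets_port")` requires a `websockets_port` key under `[server]` in the configuration file, and the diffstat lists no change to the config template, so either the key already exists there or, if `config.config` is a plain ConfigParser, wokd raises `NoOptionError` at startup on an existing installation; please confirm and, if the project has a fallback pattern for other keys, apply it here. As with `cherrypy_port` above it, the value is a string unless overridden on the command line, which is consistent with the existing pattern but worth knowing when it is substituted into the nginx template. `main` continues outside this hunk.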
@@ -62,6 +63,9 @@ def main(options):
                       help="Port to enable SSL (default %s)" % ssl_port)
     parser.add_option('--cherrypy_port', type="int", default=cherrypy_port,
                       help="Cherrypy server port (default %s)" % cherrypy_port)
+    parser.add_option('--websockets_port', type="int", default=websockets_port,
+                      help="Websockets port to listen on (default %s)" %
+                            websockets_port)
     parser.add_option('--log-level', default=logLevel,
                       help="Logging level")
     parser.add_option('--access-log',
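Review bot: The help string `Websockets port to listen on` describes the port as if it were externally reachable, whereas with this series nginx proxies to it on the SSL port and the README no longer tells users to open it in the firewall; `help="Websockets port, proxied by nginx on the SSL port (default %s)"` would keep an admin from opening it out of habit. `main` continues outside this hunk.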
diff --git a/tests/utils.py b/tests/utils.py
index 50d423f..686b13b 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -1,7 +1,7 @@
 #
 # Project Wok
 #
-# Copyright IBM, Corp. 2013-2015
+# Copyright IBM, Corp. 2013-2016
 #
 # Code delivered from Project Kimchi
 #
@@ -116,8 +116,8 @@ def run_server(host, port, ssl_port, test_mode, cherrypy_port=None,
     args = type('_', (object,),
                 {'host': host, 'port': port, 'ssl_port': ssl_port,
                  'cherrypy_port': cherrypy_port, 'max_body_size': '4*1024',
-                 'ssl_cert': '', 'ssl_key': '',
-                 'test': test_mode, 'access_log': '/dev/null',
+                 'websockets_port': 64667, 'ssl_cert': '',
+                 'ssl_key': '', 'test': test_mode, 'access_log': '/dev/null',
                  'error_log': '/dev/null', 'environment': environment,
                  'log_level': 'debug'})()
     if model is not None:
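Review bot: `'websockets_port': 64667` is hard-coded while the sibling `cherrypy_port` comes from the `run_server` parameter, so a test that needs a different port (for instance two servers in one run) cannot set it; adding `websockets_port=64667` to the `run_server` signature and using `'websockets_port': websockets_port` keeps the options object consistent with the other ports. `run_server`'s signature is on the hunk's header context line and the function continues past the hunk.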
-- 
2.5.0



