[Kimchi-devel] [PATCH][Wok] Bug fix #175: Do not generate nginx conf file on the fly
Aline Manera
alinefm at linux.vnet.ibm.com
Tue Nov 1 15:55:23 UTC 2016
On 11/01/2016 01:43 PM, Aline Manera wrote:
> Hi Ramon:
>
> You also need to update the files below to reflect those changes:
> - wokd.in
> - docs/wokd.8.in
> - src/wok/config.py.in
>
> And more comments below:
>
> On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
>> ---
>> .gitignore | 1 -
>> Makefile.am | 3 ++
>> contrib/wok.spec.fedora.in | 1 -
>> contrib/wok.spec.suse.in | 1 -
>> src/nginx/Makefile.am | 7 ++--
>> src/nginx/wok.conf | 79
>> ++++++++++++++++++++++++++++++++++++++++++++++
>> src/nginx/wok.conf.in | 75
>> -------------------------------------------
>> src/wok.conf.in | 34 --------------------
>> src/wok/proxy.py | 45 --------------------------
>> 9 files changed, 85 insertions(+), 161 deletions(-)
>> create mode 100644 src/nginx/wok.conf
>> delete mode 100644 src/nginx/wok.conf.in
>>
>> diff --git a/.gitignore b/.gitignore
>> index d06f936..10754f9 100644
>> --- a/.gitignore
>> +++ b/.gitignore
>> @@ -31,7 +31,6 @@ wok-*.tar.gz
>> wok.spec
>> src/wokd
>> src/wok.conf
>> -src/nginx/wok.conf
>> src/wok/config.py
>> tests/run_tests.sh
>> tests/test_config.py
>> diff --git a/Makefile.am b/Makefile.am
>> index 5c8e69d..3754547 100644
>> --- a/Makefile.am
>> +++ b/Makefile.am
>> @@ -159,6 +159,8 @@ install-data-local:
>> touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
>> mkdir -p $(DESTDIR)/etc/logrotate.d/
>> $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate
>> $(DESTDIR)/etc/logrotate.d/wokd
>> + mkdir -p $(DESTDIR)/etc/nginx/conf.d
>> + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf
>> $(DESTDIR)/etc/nginx/conf.d/wok.conf
>>
>> uninstall-local:
>> @if test -f $(systemdsystemunitdir)/wokd.service; then \
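Review bot: The added `$(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf` installs the file a second time: src/nginx/Makefile.am in this same patch already installs it through `dist_conf_DATA = wok.conf` with `confdir = $(sysconfdir)/nginx/conf.d`, so one of the two should go, preferably this hand-written one, which hard-codes `/etc` and therefore diverges from `$(sysconfdir)` on any non-default prefix. The `touch $(DESTDIR)/etc/nginx/conf.d/wok.conf` context line at the top of the hunk only existed to create the placeholder that proxy.py used to overwrite; with a real file installed it is dead and should be removed in the same change. The `install-data-local` recipe begins outside the hunk.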
>> @@ -175,6 +177,7 @@ uninstall-local:
>> $(RM) -rf $(DESTDIR)/etc/wok
>> $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
>> $(RM) $(DESTDIR)/etc/logrotate.d/wokd
>
>> + $(DESTDIR)/etc/nginx/conf.d/wok.conf
>
> The $(RM) is missing
>
>> VERSION:
>> @if $(GIT) rev-parse &> /dev/null ; then \
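Review bot: The added `$(DESTDIR)/etc/nginx/conf.d/wok.conf` line duplicates the context line `$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf` three lines above it, which already removes that path, so the right fix is to drop the added line rather than complete it. With `dist_conf_DATA = wok.conf` in src/nginx/Makefile.am, automake's generated `uninstall` also removes `$(DESTDIR)$(sysconfdir)/nginx/conf.d/wok.conf`, so the hand-written removal is only needed while the hard-coded `/etc` install in `install-data-local` is kept. The `uninstall-local` recipe begins outside the hunk.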
>> diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
>> index fdf3484..c48899f 100644
>> --- a/contrib/wok.spec.fedora.in
>> +++ b/contrib/wok.spec.fedora.in
>> @@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
>> %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
>> %{_datadir}/wok/ui/
>> %{_datadir}/wok
>> -%{_sysconfdir}/nginx/conf.d/wok.conf.in
>> %{_sysconfdir}/wok/wok.conf
>> %{_sysconfdir}/wok/
>> %{_sysconfdir}/logrotate.d/wokd
>> diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
>> index 70c295b..283f9c3 100644
>> --- a/contrib/wok.spec.suse.in
>> +++ b/contrib/wok.spec.suse.in
>> @@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
>> %{_datadir}/wok
>> %{_sysconfdir}/wok/wok.conf
>> %{_sysconfdir}/wok/
>> -%{_sysconfdir}/nginx/conf.d/wok.conf.in
>> %{_sysconfdir}/nginx/conf.d/wok.conf
>> %{_sysconfdir}/logrotate.d/wokd
>> %{_var}/lib/wok/
>> diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
>> index a376a74..3a47a5f 100644
>> --- a/src/nginx/Makefile.am
>> +++ b/src/nginx/Makefile.am
>> @@ -1,7 +1,7 @@
>> #
>> # Project Wok
>> #
>> -# Copyright IBM Corp, 2015
>> +# Copyright IBM Corp, 2015-2016
>> #
>> # Code derived from Project Kimchi
>> #
>> @@ -19,9 +19,8 @@
>> # License along with this library; if not, write to the Free Software
>> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> 02110-1301 USA
>>
>> -EXTRA_DIST = wok.conf.in
>> +EXTRA_DIST = wok.conf
>>
>> confdir = $(sysconfdir)/nginx/conf.d
>> -dist_conf_DATA = wok.conf.in
>> +dist_conf_DATA = wok.conf
>>
>> -CLEANFILES = wok.conf
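Review bot: `EXTRA_DIST = wok.conf` is redundant with `dist_conf_DATA = wok.conf` two lines below it — the `dist_` prefix already puts the file in the tarball — so the EXTRA_DIST line should be removed rather than renamed. Dropping `CLEANFILES` is correct now that wok.conf is a checked-in source, but since the file is installed unchanged into `$(sysconfdir)/nginx/conf.d` and an administrator is expected to edit it (ports, certificate paths), its `%files` entries in contrib/wok.spec.fedora.in and contrib/wok.spec.suse.in should be marked `%config(noreplace)` so a package upgrade does not silently overwrite local changes. In the fedora spec hunk the visible `%files` context shows no `%{_sysconfdir}/nginx/conf.d/wok.conf` entry after the `.in` line is removed; if it is not listed elsewhere in that spec, rpmbuild will most likely fail on an installed-but-unpackaged file.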
>> diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
>> new file mode 100644
>> index 0000000..d191746
>> --- /dev/null
>> +++ b/src/nginx/wok.conf
>> @@ -0,0 +1,79 @@
>> +# Project Wok
>> +#
>> +# Copyright IBM Corp, 2016
>> +#
>> +# Code derived from Project Kimchi
>> +#
>> +# This library is free software; you can redistribute it and/or
>> +# modify it under the terms of the GNU Lesser General Public
>> +# License as published by the Free Software Foundation; either
>> +# version 2.1 of the License, or (at your option) any later version.
>> +#
>> +# This library is distributed in the hope that it will be useful,
>> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> +# Lesser General Public License for more details.
>> +#
>> +# You should have received a copy of the GNU Lesser General Public
>> +# License along with this library; if not, write to the Free Software
>> +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> +# 02110-1301 USA
>> +
>> +# This is a template file to be used to generate a nginx
>> +# proxy config file at wokd script.
>> +
>> +client_max_body_size 4194304k;
>> +
>> +# Set timeout, based on configuration values, to avoid the 504
>> Gateway Timeout
>> +# when Wok is processing a request.
>> +proxy_connect_timeout 10m;
>> +proxy_send_timeout 10m;
>> +proxy_read_timeout 10m;
>> +send_timeout 10m;
>> +
>> +map $http_upgrade $connection_upgrade {
>> + default upgrade;
>> + '' close;
>> +}
>> +
>> +upstream websocket {
>> + server 127.0.0.1:64667;
>> +}
>> +
>> +server {
>> + listen 0.0.0.0:8001 ssl;
>> +
>> + ssl_certificate /etc/wok/wok-cert.pem;
>> + ssl_certificate_key /etc/wok/wok-key.pem;
>> + ssl_protocols TLSv1.1 TLSv1.2;
>> + ssl_ciphers
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
>> + ssl_prefer_server_ciphers on;
>> + ssl_dhparam /etc/wok/dhparams.pem;
>> + ssl_session_timeout 10m;
>> +
>> + add_header Strict-Transport-Security "max-age=31536000;
>> includeSubdomains;";
>> + add_header X-Frame-Options DENY;
>> + add_header X-Content-Type-Options nosniff;
>> + add_header X-XSS-Protection "1; mode=block";
>> +
>> + location / {
>> + proxy_pass http://127.0.0.1:8010;
>> + proxy_set_header Host $host;
>> + proxy_set_header X-Real-IP $remote_addr;
>> + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> + proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
>> + }
>> +
>> + location /websockify {
>> + proxy_pass http://websocket;
>> + proxy_http_version 1.1;
>> + proxy_set_header Upgrade $http_upgrade;
>> + proxy_set_header Connection $connection_upgrade;
>> + }
>> +}
>> +
>> +server {
>> + listen 0.0.0.0:8000;
>> + rewrite ^/(.*)$ https://$host:8001/$1 redirect;
>> +}
>> +
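Review bot: `location / {` and `proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;` drop the `${server_root}` prefix that the deleted wok.conf.in carried, while src/wok.conf.in in this patch still documents `server_root` as the way to serve Wok under a relative path; with this file static, that option no longer reaches the proxy, so either it is removed as well or this file has to keep being generated from it. The same holds for the second `server` block: the HTTP-to-HTTPS redirect is now unconditional, which silently removes the `https_only` choice the old config exposed. The comments `# This is a template file to be used to generate a nginx proxy config file at wokd script.` and `# Set timeout, based on configuration values, ...` are now wrong because nothing substitutes into this file any more; replace them with `# Static nginx proxy configuration for Wok, installed as /etc/nginx/conf.d/wok.conf.` and `# Fixed 10-minute timeouts to avoid a 504 Gateway Timeout while Wok is processing a request.`. While the TLS settings are being frozen into a shipped file, `ssl_protocols TLSv1.1 TLSv1.2;` could be reduced to `ssl_protocols TLSv1.2;` so that the deprecated protocol is not enabled by default on every install.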
>> diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
>> deleted file mode 100644
>> index 5d2bb17..0000000
>> --- a/src/nginx/wok.conf.in
>> +++ /dev/null
>> @@ -1,75 +0,0 @@
>> -# Project Wok
>> -#
>> -# Copyright IBM Corp, 2015-2016
>> -#
>> -# Code derived from Project Kimchi
>> -#
>> -# This library is free software; you can redistribute it and/or
>> -# modify it under the terms of the GNU Lesser General Public
>> -# License as published by the Free Software Foundation; either
>> -# version 2.1 of the License, or (at your option) any later version.
>> -#
>> -# This library is distributed in the hope that it will be useful,
>> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
>> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>> -# Lesser General Public License for more details.
>> -#
>> -# You should have received a copy of the GNU Lesser General Public
>> -# License along with this library; if not, write to the Free Software
>> -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
>> -# 02110-1301 USA
>> -
>> -# This is a template file to be used to generate a nginx
>> -# proxy config file at wokd script.
>> -
>> -client_max_body_size ${max_body_size}k;
>> -
>> -# Set timeout, based on configuration values, to avoid the 504
>> Gateway Timeout
>> -# when Wok is processing a request.
>> -proxy_connect_timeout ${session_timeout}m;
>> -proxy_send_timeout ${session_timeout}m;
>> -proxy_read_timeout ${session_timeout}m;
>> -send_timeout ${session_timeout}m;
>> -
>> -map $http_upgrade $connection_upgrade {
>> - default upgrade;
>> - '' close;
>> -}
>> -
>> -upstream websocket {
>> - server 127.0.0.1:${websockets_port};
>> -}
>> -
>> -server {
>> - listen ${host_addr}:${proxy_ssl_port} ssl;
>> -
>> - ssl_certificate ${cert_pem};
>> - ssl_certificate_key ${cert_key};
>> - ssl_protocols TLSv1.1 TLSv1.2;
>> - ssl_ciphers
>> 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
>> - ssl_prefer_server_ciphers on;
>> - ssl_dhparam ${dhparams_pem};
>> - ssl_session_timeout ${session_timeout}m;
>> -
>> - add_header Strict-Transport-Security "max-age=31536000;
>> includeSubdomains;";
>> - add_header X-Frame-Options DENY;
>> - add_header X-Content-Type-Options nosniff;
>> - add_header X-XSS-Protection "1; mode=block";
>> -
>> - location ${server_root}/ {
>> - proxy_pass http://127.0.0.1:${cherrypy_port};
>> - proxy_set_header Host $host;
>> - proxy_set_header X-Real-IP $remote_addr;
>> - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>> - proxy_redirect http://127.0.0.1:${cherrypy_port}/
>> https://$host:${proxy_ssl_port}${server_root}/;
>> - }
>> -
>> - location ${server_root}/websockify {
>> - proxy_pass http://websocket;
>> - proxy_http_version 1.1;
>> - proxy_set_header Upgrade $http_upgrade;
>> - proxy_set_header Connection $connection_upgrade;
>> - }
>> -}
>> -
>> -${http_config}
>> diff --git a/src/wok.conf.in b/src/wok.conf.in
>> index 254f786..d3b7b2d 100644
>> --- a/src/wok.conf.in
>> +++ b/src/wok.conf.in
>> @@ -3,46 +3,12 @@
>> #
>>
>> [server]
>> -# Hostname or IP address to listen on
>> -#host = 0.0.0.0
>> -
>> -# Port to listen on
>> -#port = 8000
>> -
>
>> -# Start an SSL-enabled server on the given port
>> -#ssl_port = 8001
>> -
>
> The ssl_port is used by the /config API, so we will need to keep it
> there too.
It may also be worth renaming it to nginx_port.
>
>> -# Allow user disables HTTP port. In that case, all the connections
>> -# will be done directly through HTTPS port (values: true|false)
>> -#https_only = false
>> -
>> # Cherrypy server port
>> #cherrypy_port = 8010
>
>> -# Port for websocket proxy to listen on
>> -#websockets_port = 64667
>
> We will need to keep websockets_port as it is needed by the /config API and
> so that Kimchi knows on which port to launch websockify.
>
>> -
>> -# Number of minutes that a session can remain idle before the server
>> -# terminates it automatically.
>> -#session_timeout = 10
>> -
>> -# The full path to an SSL Certificate or chain of certificates in
>> -# PEM format. When a chain is used, the server's certificate must be
>> -# the first certificate in the file with the chain concatenated into
>> -# the end of that certificate. If left unspecified, Wok will generate
>> -# a self-signed certificate automatically.
>> -#ssl_cert =
>> -
>> -# The corresponding private key in PEM format for the SSL
>> Certificate supplied
>> -# above. If left blank, Wok will generate a self-signed certificate.
>> -#ssl_key =
>> -
>> # Running environment of the server
>> #environment = production
>>
>> -# Max request body size in KB, default value is 4GB
>> -#max_body_size = 4 * 1024 * 1024
>> -
>> # Wok server root. Set the following variable to configure any
>> relative path to
>> # the server. For example, to have Wok pointing to
>> https://localhost:8001/wok/
>> # uncomment the following:
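Review bot: The `ssl_cert` and `ssl_key` entries and their explanatory comments are removed here, yet the proxy.py hunks in this patch still read `options.ssl_cert` (context line `cert = options.ssl_cert`) and write a generated key, so the options remain in effect while disappearing from the documented config and an administrator loses the only hint of how to supply a CA-issued certificate. Keep both entries, and since the shipped nginx file now hard-codes `/etc/wok/wok-cert.pem` and `/etc/wok/wok-key.pem`, their comment should say that a custom certificate must be placed at those paths (or the nginx file edited) to be used by the proxy. Removing `max_body_size` is consistent with the static nginx file, but the `session_timeout` comment also described the server-side idle session limit; if wokd still enforces one, that entry and its documentation should stay.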
>> diff --git a/src/wok/proxy.py b/src/wok/proxy.py
>> index 5f646e4..1c11b9b 100644
>> --- a/src/wok/proxy.py
>> +++ b/src/wok/proxy.py
>> @@ -25,8 +25,6 @@
>> # and configure the Nginx proxy.
>>
>> import os
>> -import pwd
>> -from string import Template
>>
>> from wok import sslcert
>> from wok.config import paths
>> @@ -53,17 +51,6 @@ def _create_proxy_config(options):
>> Arguments:
>> options - OptionParser object with Wok config options
>> """
>> - # User that will run the worker process of the proxy. Fedora,
>> - # RHEL and Suse creates an user called 'nginx' when installing
>> - # the proxy. Ubuntu creates an user 'www-data' for it.
>> - user_proxy = None
>> - user_list = ('nginx', 'www-data', 'http')
>> - sys_users = [p.pw_name for p in pwd.getpwall()]
>> - common_users = list(set(user_list) & set(sys_users))
>> - if len(common_users) == 0:
>> - raise Exception("No common user found")
>> - else:
>> - user_proxy = common_users[0]
>> config_dir = paths.conf_dir
>> nginx_config_dir = paths.nginx_conf_dir
>> cert = options.ssl_cert
>> @@ -81,38 +68,6 @@ def _create_proxy_config(options):
>> with open(key, "w") as f:
>> f.write(ssl_gen.key_pem())
>>
>> - # Setting up Diffie-Hellman group with 2048-bit file
>> - dhparams_pem = os.path.join(config_dir, "dhparams.pem")
>> -
>> - http_config = ''
>> - if options.https_only == 'false':
>> - http_config = HTTP_CONFIG % {'host_addr': options.host,
>> - 'proxy_port': options.port,
>> - 'proxy_ssl_port':
>> options.ssl_port,
>> - 'rel_path': options.server_root}
>> -
>> - # Read template file and create a new config file
>> - # with the specified parameters.
>> - with open(os.path.join(nginx_config_dir, "wok.conf.in")) as
>> template:
>> - data = template.read()
>> - data = Template(data)
>> - data = data.safe_substitute(user=user_proxy,
>> - host_addr=options.host,
>> - proxy_ssl_port=options.ssl_port,
>> - http_config=http_config,
>> - cherrypy_port=options.cherrypy_port,
>> - websockets_port=options.websockets_port,
>> - cert_pem=cert, cert_key=key,
>> - max_body_size=eval(options.max_body_size),
>> - session_timeout=options.session_timeout,
>> - dhparams_pem=dhparams_pem,
>> - server_root=options.server_root)
>> -
>> - # Write file to be used for nginx.
>> - config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w")
>> - config_file.write(data)
>> - config_file.close()
>> -
>> # If not running from the installed path (from a cloned and
>> builded source
>> # code), create a symbolic link in system's dir to prevent
>> errors on read
>> # SSL certifications.
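Review bot: After this hunk `_create_proxy_config` no longer creates a proxy configuration at all — it only ensures a certificate and key exist — so the name and the docstring fragment `options - OptionParser object with Wok config options` visible in the previous hunk now mislead; rename it or at least reword the docstring to `Generate the self-signed certificate and key used by the nginx proxy when none is configured.`. The locals `config_dir = paths.conf_dir` and `nginx_config_dir = paths.nginx_conf_dir` assigned in the previous hunk lose their only visible uses here (the `dhparams.pem` path and the template/config file paths); unless the symlink code continuing past the hunk uses them, they should be deleted. The removed code was also the only place that computed the `dhparams.pem` path under `paths.conf_dir`, while the shipped nginx file references `/etc/wok/dhparams.pem`; whatever generates that file must still run before nginx starts, and that is not visible in this patch. The function continues outside the hunk.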
>