<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 04/02/2015 18:08, Julien Goodwin
wrote:<br>
</div>
<blockquote cite="mid:54D27C40.5050309@studio442.com.au" type="cite">
<pre wrap="">On 04/02/15 00:24, Royce Lv wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Since apache reverse proxy configuration is included in this patch,
so I suppose you would like to substitute nginx with apache?
Would you pls compare these reverse proxy in a single mail so that we
can know why we want to choose it?
</pre>
</blockquote>
<pre wrap="">
Personal preference really, many sites run a httpd on machines anyway,
often one integrated with an SSO auth system (see one of my other
feature requests), allowing them to run what they're used to is nice.
Also the apache config is more boilerplate, all practical users will
change this for their purposes, users where the generic would be fine
will almost certainly just use the integrated proxy anyway.
</pre>
<blockquote type="cite">
<pre wrap="">If we just want to give user another choice of reverse proxy,
I suggest we make "run_proxy" an enum so user can assign it to "apache",
"nginx" or "none".
</pre>
</blockquote>
<pre wrap="">
I don't really think it makes sense to automatically launch multiple
proxy types, it's enough to offer a way so the normal nginx proxy can be
disabled so it's not taking up listening ports.
</pre>
</blockquote>
<br>
If the idea is only allowing disable the nginx proxy, why should we
include an apache example?<br>
<br>
<blockquote cite="mid:54D27C40.5050309@studio442.com.au" type="cite">
<pre wrap="">
</pre>
<blockquote type="cite">
<pre wrap="">To be a completed patch, we may want to include a testcase to test if
the reverse proxy works.
</pre>
</blockquote>
<pre wrap="">
Hmm, possibly. My next patch set after this one will be a variety of
fixups to the test suite as I'd like to be able to run them cleanly on
my laptop which can't have a running libvirt (due to "reasons").
This is actually stalled while I muse about how best to deal with some
core bits in the model that call exit directly instead of raising
exceptions on some types of errors.
</pre>
<blockquote type="cite">
<pre wrap="">Some inline comments below:
On 02/03/2015 08:21 PM, Julien Goodwin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <a class="moz-txt-link-rfc2396E" href="mailto:jgoodwin@studio442.com.au"><jgoodwin@studio442.com.au></a>
---
docs/Makefile.am | 1 +
docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
src/kimchi.conf.in | 3 +++
src/kimchi/config.py.in | 1 +
src/kimchi/proxy.py | 6 ++++++
5 files changed, 46 insertions(+)
create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@
docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \
+ apache.conf.ex \
</pre>
</blockquote>
<pre wrap="">I hope we can include a runnable configuration and install it to the
right place rather than just an example.
</pre>
<blockquote type="cite">
<pre wrap=""> API.md \
README.md \
README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy
kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
</pre>
</blockquote>
<pre wrap="">Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off"
is used to prevent anyone else to use apache as the anonymous proxy.
</pre>
<blockquote type="cite">
<pre wrap="">+ ProxyPass / <a class="moz-txt-link-freetext" href="http://127.0.0.1:8010/">http://127.0.0.1:8010/</a>
+ ProxyPassReverse / <a class="moz-txt-link-freetext" href="http://127.0.0.1:8010/">http://127.0.0.1:8010/</a>
</pre>
</blockquote>
<pre wrap="">Hope we can use variable rather than hard code, we may use port other
than 8010
</pre>
<blockquote type="cite">
<pre wrap="">+
+ <Proxy <a class="moz-txt-link-freetext" href="http://127.0.0.1:8010/">http://127.0.0.1:8010/</a>>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security
"max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect / <a class="moz-txt-link-freetext" href="https://kimchi/">https://kimchi/</a>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security
"max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
#
[server]
+# Start the proxy service?
+#run_proxy = on
+
# Hostname or IP address to listen on
#host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
def _get_config():
config = SafeConfigParser()
config.add_section("server")
+ config.set("server", "run_proxy", "on")
config.set("server", "host", "0.0.0.0")
config.set("server", "port", "8000")
config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options):
"""Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
_create_proxy_config(options)
config_dir = paths.conf_dir
config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy():
"""Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
term_proxy_cmd = ['nginx', '-s', 'stop']
subprocess.call(term_proxy_cmd)
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
Kimchi-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Kimchi-devel@ovirt.org">Kimchi-devel@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/kimchi-devel">http://lists.ovirt.org/mailman/listinfo/kimchi-devel</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Kimchi-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Kimchi-devel@ovirt.org">Kimchi-devel@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/kimchi-devel">http://lists.ovirt.org/mailman/listinfo/kimchi-devel</a>
</pre>
</blockquote>
<br>
</body>
</html>