5:33 p.m.
---
.gitignore | 1 -
Makefile.am | 3 ++
contrib/wok.spec.fedora.in | 1 -
contrib/wok.spec.suse.in | 1 -
src/nginx/Makefile.am | 7 ++--
src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++
src/nginx/wok.conf.in | 75 -------------------------------------------
src/wok.conf.in | 34 --------------------
src/wok/proxy.py | 45 --------------------------
9 files changed, 85 insertions(+), 161 deletions(-)
create mode 100644 src/nginx/wok.conf
delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz
wok.spec
src/wokd
src/wok.conf
-src/nginx/wok.conf
src/wok/config.py
tests/run_tests.sh
tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..3754547 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local:
touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local:
@if test -f $(systemdsystemunitdir)/wokd.service; then \
@@ -175,6 +177,7 @@ uninstall-local:
$(RM) -rf $(DESTDIR)/etc/wok
$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
$(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
VERSION:
@if $(GIT) rev-parse &> /dev/null ; then \
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fdf3484..c48899f 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
%{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
%{_datadir}/wok/ui/
%{_datadir}/wok
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
%{_sysconfdir}/logrotate.d/wokd
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index 70c295b..283f9c3 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/wok
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/nginx/conf.d/wok.conf
%{_sysconfdir}/logrotate.d/wokd
%{_var}/lib/wok/
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index a376a74..3a47a5f 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -1,7 +1,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2015
+# Copyright IBM Corp, 2015-2016
#
# Code derived from Project Kimchi
#
@@ -19,9 +19,8 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in
+EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d
-dist_conf_DATA = wok.conf.in
+dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf
diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
new file mode 100644
index 0000000..d191746
--- /dev/null
+++ b/src/nginx/wok.conf
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
deleted file mode 100644
index 5d2bb17..0000000
--- a/src/nginx/wok.conf.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/
https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..d3b7b2d 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,12 @@
#
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port
#cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server
#environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to
# the server. For example, to have Wok pointing to https://localhost:8001/wok/
# uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@
# and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert
from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options):
Arguments:
options - OptionParser object with Wok config options
"""
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir
nginx_config_dir = paths.nginx_conf_dir
cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options):
with open(key, "w") as f:
f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"),
"w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source
# code), create a symbolic link in system's dir to prevent errors on read
# SSL certifications.
--
2.7.4
5:43 p.m.
Hi Ramon:
You also need to update the files below to reflect those changes:
- wokd.in
- docs/wokd.8.in
- src/wok/config.py.in
And more comments below:
On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
---
.gitignore | 1 -
Makefile.am | 3 ++
contrib/wok.spec.fedora.in | 1 -
contrib/wok.spec.suse.in | 1 -
src/nginx/Makefile.am | 7 ++--
src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++
src/nginx/wok.conf.in | 75 -------------------------------------------
src/wok.conf.in | 34 --------------------
src/wok/proxy.py | 45 --------------------------
9 files changed, 85 insertions(+), 161 deletions(-)
create mode 100644 src/nginx/wok.conf
delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz
wok.spec
src/wokd
src/wok.conf
-src/nginx/wok.conf
src/wok/config.py
tests/run_tests.sh
tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..3754547 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local:
touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local:
@if test -f $(systemdsystemunitdir)/wokd.service; then \
@@ -175,6 +177,7 @@ uninstall-local:
$(RM) -rf $(DESTDIR)/etc/wok
$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
$(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing
VERSION:
@if $(GIT) rev-parse &> /dev/null ; then \
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fdf3484..c48899f 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
%{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
%{_datadir}/wok/ui/
%{_datadir}/wok
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
%{_sysconfdir}/logrotate.d/wokd
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index 70c295b..283f9c3 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/wok
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/nginx/conf.d/wok.conf
%{_sysconfdir}/logrotate.d/wokd
%{_var}/lib/wok/
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index a376a74..3a47a5f 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -1,7 +1,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2015
+# Copyright IBM Corp, 2015-2016
#
# Code derived from Project Kimchi
#
@@ -19,9 +19,8 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in
+EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d
-dist_conf_DATA = wok.conf.in
+dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf
diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
new file mode 100644
index 0000000..d191746
--- /dev/null
+++ b/src/nginx/wok.conf
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
deleted file mode 100644
index 5d2bb17..0000000
--- a/src/nginx/wok.conf.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/
https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..d3b7b2d 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,12 @@
#
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
The ssl_port is being used by /config API so we will need to keep it
there too.
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port
#cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
We will need to keep websockets_port as it needed by /config API and to
Kimchi knows on which port to launch websocikfy
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server
#environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to
# the server. For example, to have Wok pointing to https://localhost:8001/wok/
# uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@
# and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert
from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options):
Arguments:
options - OptionParser object with Wok config options
"""
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir
nginx_config_dir = paths.nginx_conf_dir
cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options):
with open(key, "w") as f:
f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"),
"w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source
# code), create a symbolic link in system's dir to prevent errors on read
# SSL certifications.
5:55 p.m.
On 11/01/2016 01:43 PM, Aline Manera wrote:
Hi Ramon:
You also need to update the files below to reflect those changes:
- wokd.in
- docs/wokd.8.in
- src/wok/config.py.in
And more comments below:
On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
> ---
> .gitignore | 1 -
> Makefile.am | 3 ++
> contrib/wok.spec.fedora.in | 1 -
> contrib/wok.spec.suse.in | 1 -
> src/nginx/Makefile.am | 7 ++--
> src/nginx/wok.conf | 79
> ++++++++++++++++++++++++++++++++++++++++++++++
> src/nginx/wok.conf.in | 75
> -------------------------------------------
> src/wok.conf.in | 34 --------------------
> src/wok/proxy.py | 45 --------------------------
> 9 files changed, 85 insertions(+), 161 deletions(-)
> create mode 100644 src/nginx/wok.conf
> delete mode 100644 src/nginx/wok.conf.in
>
> diff --git a/.gitignore b/.gitignore
> index d06f936..10754f9 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -31,7 +31,6 @@ wok-*.tar.gz
> wok.spec
> src/wokd
> src/wok.conf
> -src/nginx/wok.conf
> src/wok/config.py
> tests/run_tests.sh
> tests/test_config.py
> diff --git a/Makefile.am b/Makefile.am
> index 5c8e69d..3754547 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -159,6 +159,8 @@ install-data-local:
> touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
> mkdir -p $(DESTDIR)/etc/logrotate.d/
> $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate
> $(DESTDIR)/etc/logrotate.d/wokd
> + mkdir -p $(DESTDIR)/etc/nginx/conf.d
> + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf
> $(DESTDIR)/etc/nginx/conf.d/wok.conf
>
> uninstall-local:
> @if test -f $(systemdsystemunitdir)/wokd.service; then \
> @@ -175,6 +177,7 @@ uninstall-local:
> $(RM) -rf $(DESTDIR)/etc/wok
> $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
> $(RM) $(DESTDIR)/etc/logrotate.d/wokd
> + $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing
> VERSION:
> @if $(GIT) rev-parse &> /dev/null ; then \
> diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
> index fdf3484..c48899f 100644
> --- a/contrib/wok.spec.fedora.in
> +++ b/contrib/wok.spec.fedora.in
> @@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
> %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
> %{_datadir}/wok/ui/
> %{_datadir}/wok
> -%{_sysconfdir}/nginx/conf.d/wok.conf.in
> %{_sysconfdir}/wok/wok.conf
> %{_sysconfdir}/wok/
> %{_sysconfdir}/logrotate.d/wokd
> diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
> index 70c295b..283f9c3 100644
> --- a/contrib/wok.spec.suse.in
> +++ b/contrib/wok.spec.suse.in
> @@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
> %{_datadir}/wok
> %{_sysconfdir}/wok/wok.conf
> %{_sysconfdir}/wok/
> -%{_sysconfdir}/nginx/conf.d/wok.conf.in
> %{_sysconfdir}/nginx/conf.d/wok.conf
> %{_sysconfdir}/logrotate.d/wokd
> %{_var}/lib/wok/
> diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
> index a376a74..3a47a5f 100644
> --- a/src/nginx/Makefile.am
> +++ b/src/nginx/Makefile.am
> @@ -1,7 +1,7 @@
> #
> # Project Wok
> #
> -# Copyright IBM Corp, 2015
> +# Copyright IBM Corp, 2015-2016
> #
> # Code derived from Project Kimchi
> #
> @@ -19,9 +19,8 @@
> # License along with this library; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> 02110-1301 USA
>
> -EXTRA_DIST = wok.conf.in
> +EXTRA_DIST = wok.conf
>
> confdir = $(sysconfdir)/nginx/conf.d
> -dist_conf_DATA = wok.conf.in
> +dist_conf_DATA = wok.conf
>
> -CLEANFILES = wok.conf
> diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
> new file mode 100644
> index 0000000..d191746
> --- /dev/null
> +++ b/src/nginx/wok.conf
> @@ -0,0 +1,79 @@
> +# Project Wok
> +#
> +# Copyright IBM Corp, 2016
> +#
> +# Code derived from Project Kimchi
> +#
> +# This library is free software; you can redistribute it and/or
> +# modify it under the terms of the GNU Lesser General Public
> +# License as published by the Free Software Foundation; either
> +# version 2.1 of the License, or (at your option) any later version.
> +#
> +# This library is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +# Lesser General Public License for more details.
> +#
> +# You should have received a copy of the GNU Lesser General Public
> +# License along with this library; if not, write to the Free Software
> +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> +# 02110-1301 USA
> +
> +# This is a template file to be used to generate a nginx
> +# proxy config file at wokd script.
> +
> +client_max_body_size 4194304k;
> +
> +# Set timeout, based on configuration values, to avoid the 504
> Gateway Timeout
> +# when Wok is processing a request.
> +proxy_connect_timeout 10m;
> +proxy_send_timeout 10m;
> +proxy_read_timeout 10m;
> +send_timeout 10m;
> +
> +map $http_upgrade $connection_upgrade {
> + default upgrade;
> + '' close;
> +}
> +
> +upstream websocket {
> + server 127.0.0.1:64667;
> +}
> +
> +server {
> + listen 0.0.0.0:8001 ssl;
> +
> + ssl_certificate /etc/wok/wok-cert.pem;
> + ssl_certificate_key /etc/wok/wok-key.pem;
> + ssl_protocols TLSv1.1 TLSv1.2;
> + ssl_ciphers
>
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
> + ssl_prefer_server_ciphers on;
> + ssl_dhparam /etc/wok/dhparams.pem;
> + ssl_session_timeout 10m;
> +
> + add_header Strict-Transport-Security "max-age=31536000;
> includeSubdomains;";
> + add_header X-Frame-Options DENY;
> + add_header X-Content-Type-Options nosniff;
> + add_header X-XSS-Protection "1; mode=block";
> +
> + location / {
> + proxy_pass http://127.0.0.1:8010;
> + proxy_set_header Host $host;
> + proxy_set_header X-Real-IP $remote_addr;
> + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> + proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
> + }
> +
> + location /websockify {
> + proxy_pass http://websocket;
> + proxy_http_version 1.1;
> + proxy_set_header Upgrade $http_upgrade;
> + proxy_set_header Connection $connection_upgrade;
> + }
> +}
> +
> +server {
> + listen 0.0.0.0:8000;
> + rewrite ^/(.*)$ https://$host:8001/$1 redirect;
> +}
> +
> diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
> deleted file mode 100644
> index 5d2bb17..0000000
> --- a/src/nginx/wok.conf.in
> +++ /dev/null
> @@ -1,75 +0,0 @@
> -# Project Wok
> -#
> -# Copyright IBM Corp, 2015-2016
> -#
> -# Code derived from Project Kimchi
> -#
> -# This library is free software; you can redistribute it and/or
> -# modify it under the terms of the GNU Lesser General Public
> -# License as published by the Free Software Foundation; either
> -# version 2.1 of the License, or (at your option) any later version.
> -#
> -# This library is distributed in the hope that it will be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -# Lesser General Public License for more details.
> -#
> -# You should have received a copy of the GNU Lesser General Public
> -# License along with this library; if not, write to the Free Software
> -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
> -# 02110-1301 USA
> -
> -# This is a template file to be used to generate a nginx
> -# proxy config file at wokd script.
> -
> -client_max_body_size ${max_body_size}k;
> -
> -# Set timeout, based on configuration values, to avoid the 504
> Gateway Timeout
> -# when Wok is processing a request.
> -proxy_connect_timeout ${session_timeout}m;
> -proxy_send_timeout ${session_timeout}m;
> -proxy_read_timeout ${session_timeout}m;
> -send_timeout ${session_timeout}m;
> -
> -map $http_upgrade $connection_upgrade {
> - default upgrade;
> - '' close;
> -}
> -
> -upstream websocket {
> - server 127.0.0.1:${websockets_port};
> -}
> -
> -server {
> - listen ${host_addr}:${proxy_ssl_port} ssl;
> -
> - ssl_certificate ${cert_pem};
> - ssl_certificate_key ${cert_key};
> - ssl_protocols TLSv1.1 TLSv1.2;
> - ssl_ciphers
>
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
> - ssl_prefer_server_ciphers on;
> - ssl_dhparam ${dhparams_pem};
> - ssl_session_timeout ${session_timeout}m;
> -
> - add_header Strict-Transport-Security "max-age=31536000;
> includeSubdomains;";
> - add_header X-Frame-Options DENY;
> - add_header X-Content-Type-Options nosniff;
> - add_header X-XSS-Protection "1; mode=block";
> -
> - location ${server_root}/ {
> - proxy_pass http://127.0.0.1:${cherrypy_port};
> - proxy_set_header Host $host;
> - proxy_set_header X-Real-IP $remote_addr;
> - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> - proxy_redirect http://127.0.0.1:${cherrypy_port}/
> https://$host:${proxy_ssl_port}${server_root}/;
> - }
> -
> - location ${server_root}/websockify {
> - proxy_pass http://websocket;
> - proxy_http_version 1.1;
> - proxy_set_header Upgrade $http_upgrade;
> - proxy_set_header Connection $connection_upgrade;
> - }
> -}
> -
> -${http_config}
> diff --git a/src/wok.conf.in b/src/wok.conf.in
> index 254f786..d3b7b2d 100644
> --- a/src/wok.conf.in
> +++ b/src/wok.conf.in
> @@ -3,46 +3,12 @@
> #
>
> [server]
> -# Hostname or IP address to listen on
> -#host = 0.0.0.0
> -
> -# Port to listen on
> -#port = 8000
> -
> -# Start an SSL-enabled server on the given port
> -#ssl_port = 8001
> -
The ssl_port is being used by /config API so we will need to keep it
there too.
Maybe it is also good to rename it to nginx_port
> -# Allow user disables HTTP port. In that case, all the connections
> -# will be done directly through HTTPS port (values: true|false)
> -#https_only = false
> -
> # Cherrypy server port
> #cherrypy_port = 8010
> -# Port for websocket proxy to listen on
> -#websockets_port = 64667
We will need to keep websockets_port as it needed by /config API and
to Kimchi knows on which port to launch websocikfy
> -
> -# Number of minutes that a session can remain idle before the server
> -# terminates it automatically.
> -#session_timeout = 10
> -
> -# The full path to an SSL Certificate or chain of certificates in
> -# PEM format. When a chain is used, the server's certificate must be
> -# the first certificate in the file with the chain concatenated into
> -# the end of that certificate. If left unspecified, Wok will generate
> -# a self-signed certificate automatically.
> -#ssl_cert =
> -
> -# The corresponding private key in PEM format for the SSL
> Certificate supplied
> -# above. If left blank, Wok will generate a self-signed certificate.
> -#ssl_key =
> -
> # Running environment of the server
> #environment = production
>
> -# Max request body size in KB, default value is 4GB
> -#max_body_size = 4 * 1024 * 1024
> -
> # Wok server root. Set the following variable to configure any
> relative path to
> # the server. For example, to have Wok pointing to
> https://localhost:8001/wok/
> # uncomment the following:
> diff --git a/src/wok/proxy.py b/src/wok/proxy.py
> index 5f646e4..1c11b9b 100644
> --- a/src/wok/proxy.py
> +++ b/src/wok/proxy.py
> @@ -25,8 +25,6 @@
> # and configure the Nginx proxy.
>
> import os
> -import pwd
> -from string import Template
>
> from wok import sslcert
> from wok.config import paths
> @@ -53,17 +51,6 @@ def _create_proxy_config(options):
> Arguments:
> options - OptionParser object with Wok config options
> """
> - # User that will run the worker process of the proxy. Fedora,
> - # RHEL and Suse creates an user called 'nginx' when installing
> - # the proxy. Ubuntu creates an user 'www-data' for it.
> - user_proxy = None
> - user_list = ('nginx', 'www-data', 'http')
> - sys_users = [p.pw_name for p in pwd.getpwall()]
> - common_users = list(set(user_list) & set(sys_users))
> - if len(common_users) == 0:
> - raise Exception("No common user found")
> - else:
> - user_proxy = common_users[0]
> config_dir = paths.conf_dir
> nginx_config_dir = paths.nginx_conf_dir
> cert = options.ssl_cert
> @@ -81,38 +68,6 @@ def _create_proxy_config(options):
> with open(key, "w") as f:
> f.write(ssl_gen.key_pem())
>
> - # Setting up Diffie-Hellman group with 2048-bit file
> - dhparams_pem = os.path.join(config_dir, "dhparams.pem")
> -
> - http_config = ''
> - if options.https_only == 'false':
> - http_config = HTTP_CONFIG % {'host_addr': options.host,
> - 'proxy_port': options.port,
> - 'proxy_ssl_port':
> options.ssl_port,
> - 'rel_path': options.server_root}
> -
> - # Read template file and create a new config file
> - # with the specified parameters.
> - with open(os.path.join(nginx_config_dir, "wok.conf.in")) as
> template:
> - data = template.read()
> - data = Template(data)
> - data = data.safe_substitute(user=user_proxy,
> - host_addr=options.host,
> - proxy_ssl_port=options.ssl_port,
> - http_config=http_config,
> - cherrypy_port=options.cherrypy_port,
> - websockets_port=options.websockets_port,
> - cert_pem=cert, cert_key=key,
> - max_body_size=eval(options.max_body_size),
> - session_timeout=options.session_timeout,
> - dhparams_pem=dhparams_pem,
> - server_root=options.server_root)
> -
> - # Write file to be used for nginx.
> - config_file = open(os.path.join(nginx_config_dir, "wok.conf"),
"w")
> - config_file.write(data)
> - config_file.close()
> -
> # If not running from the installed path (from a cloned and
> builded source
> # code), create a symbolic link in system's dir to prevent
> errors on read
> # SSL certifications.
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel
9:01 p.m.
On 11/01/2016 01:43 PM, Aline Manera wrote:
Hi Ramon:
You also need to update the files below to reflect those changes:
- wokd.in
- docs/wokd.8.in
- src/wok/config.py.in
And more comments below:
On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
> ---
> .gitignore | 1 -
> Makefile.am | 3 ++
> contrib/wok.spec.fedora.in | 1 -
> contrib/wok.spec.suse.in | 1 -
> src/nginx/Makefile.am | 7 ++--
> src/nginx/wok.conf | 79
> ++++++++++++++++++++++++++++++++++++++++++++++
> src/nginx/wok.conf.in | 75
> -------------------------------------------
> src/wok.conf.in | 34 --------------------
> src/wok/proxy.py | 45 --------------------------
> 9 files changed, 85 insertions(+), 161 deletions(-)
> create mode 100644 src/nginx/wok.conf
> delete mode 100644 src/nginx/wok.conf.in
>
> diff --git a/.gitignore b/.gitignore
> index d06f936..10754f9 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -31,7 +31,6 @@ wok-*.tar.gz
> wok.spec
> src/wokd
> src/wok.conf
> -src/nginx/wok.conf
> src/wok/config.py
> tests/run_tests.sh
> tests/test_config.py
> diff --git a/Makefile.am b/Makefile.am
> index 5c8e69d..3754547 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -159,6 +159,8 @@ install-data-local:
> touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
> mkdir -p $(DESTDIR)/etc/logrotate.d/
> $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate
> $(DESTDIR)/etc/logrotate.d/wokd
> + mkdir -p $(DESTDIR)/etc/nginx/conf.d
> + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf
> $(DESTDIR)/etc/nginx/conf.d/wok.conf
>
> uninstall-local:
> @if test -f $(systemdsystemunitdir)/wokd.service; then \
> @@ -175,6 +177,7 @@ uninstall-local:
> $(RM) -rf $(DESTDIR)/etc/wok
> $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
> $(RM) $(DESTDIR)/etc/logrotate.d/wokd
> + $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing
I did not add RM because it's already exists:
$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf (now wok.conf.in does not exists)
> VERSION:
>
> -
> -# Port to listen on
> -#port = 8000
> -
> -# Start an SSL-enabled server on the given port
> -#ssl_port = 8001
> -
The ssl_port is being used by /config API so we will need to keep it
there too.
OK
> -# Allow user disables HTTP port. In that case, all the
connections
> -# will be done directly through HTTPS port (values: true|false)
> -#https_only = false
> -
> # Cherrypy server port
> #cherrypy_port = 8010
> -# Port for websocket proxy to listen on
> -#websockets_port = 64667
We will need to keep websockets_port as it needed by /config API and
to Kimchi knows on which port to launch websocikfy
> -
> -# Number of minutes that a session can remain idle before the server
> -# terminates it automatically.
> -#session_timeout = 10
> -
> -# The full path to an SSL Certificate or chain of certificates in
> -# PEM format. When a chain is used, the server's certificate must be
> -# the first certificate in the file with the chain concatenated into
> -# the end of that certificate. If left unspecified, Wok will generate
> -# a self-signed certificate automatically.
> -#ssl_cert =
> -
> -# The corresponding private key in PEM format for the SSL
> Certificate supplied
> -# above. If left blank, Wok will generate a self-signed certificate.
> -#ssl_key =
> -
> # Running environment of the server
> #environment = production
>
> -# Max request body size in KB, default value is 4GB
> -#max_body_size = 4 * 1024 * 1024
> -
> # Wok server root. Set the following variable to configure any
> relative path to
> # the server. For example, to have Wok pointing to
> https://localhost:8001/wok/
> # uncomment the following:
> diff --git a/src/wok/proxy.py b/src/wok/proxy.py
> index 5f646e4..1c11b9b 100644
> --- a/src/wok/proxy.py
> +++ b/src/wok/proxy.py
> @@ -25,8 +25,6 @@
> # and configure the Nginx proxy.
>
> import os
> -import pwd
> -from string import Template
>
> from wok import sslcert
> from wok.config import paths
> @@ -53,17 +51,6 @@ def _create_proxy_config(options):
> Arguments:
> options - OptionParser object with Wok config options
> """
> - # User that will run the worker process of the proxy. Fedora,
> - # RHEL and Suse creates an user called 'nginx' when installing
> - # the proxy. Ubuntu creates an user 'www-data' for it.
> - user_proxy = None
> - user_list = ('nginx', 'www-data', 'http')
> - sys_users = [p.pw_name for p in pwd.getpwall()]
> - common_users = list(set(user_list) & set(sys_users))
> - if len(common_users) == 0:
> - raise Exception("No common user found")
> - else:
> - user_proxy = common_users[0]
> config_dir = paths.conf_dir
> nginx_config_dir = paths.nginx_conf_dir
> cert = options.ssl_cert
> @@ -81,38 +68,6 @@ def _create_proxy_config(options):
> with open(key, "w") as f:
> f.write(ssl_gen.key_pem())
>
> - # Setting up Diffie-Hellman group with 2048-bit file
> - dhparams_pem = os.path.join(config_dir, "dhparams.pem")
> -
> - http_config = ''
> - if options.https_only == 'false':
> - http_config = HTTP_CONFIG % {'host_addr': options.host,
> - 'proxy_port': options.port,
> - 'proxy_ssl_port':
> options.ssl_port,
> - 'rel_path': options.server_root}
> -
> - # Read template file and create a new config file
> - # with the specified parameters.
> - with open(os.path.join(nginx_config_dir, "wok.conf.in")) as
> template:
> - data = template.read()
> - data = Template(data)
> - data = data.safe_substitute(user=user_proxy,
> - host_addr=options.host,
> - proxy_ssl_port=options.ssl_port,
> - http_config=http_config,
> - cherrypy_port=options.cherrypy_port,
> - websockets_port=options.websockets_port,
> - cert_pem=cert, cert_key=key,
> - max_body_size=eval(options.max_body_size),
> - session_timeout=options.session_timeout,
> - dhparams_pem=dhparams_pem,
> - server_root=options.server_root)
> -
> - # Write file to be used for nginx.
> - config_file = open(os.path.join(nginx_config_dir, "wok.conf"),
"w")
> - config_file.write(data)
> - config_file.close()
> -
> # If not running from the installed path (from a cloned and
> builded source
> # code), create a symbolic link in system's dir to prevent
> errors on read
> # SSL certifications.
--
Ramon Nunes Medeiros
Kimchi Developer
Linux Technology Center Brazil
IBM Systems & Technology Group
Phone : +55 19 2132 7878
ramonn(a)br.ibm.com
5:48 p.m.
On 01/11/2016 13:33, Ramon Medeiros wrote:
---
.gitignore | 1 -
Makefile.am | 3 ++
contrib/wok.spec.fedora.in | 1 -
contrib/wok.spec.suse.in | 1 -
src/nginx/Makefile.am | 7 ++--
src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++
src/nginx/wok.conf.in | 75 -------------------------------------------
src/wok.conf.in | 34 --------------------
src/wok/proxy.py | 45 --------------------------
9 files changed, 85 insertions(+), 161 deletions(-)
create mode 100644 src/nginx/wok.conf
delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz
wok.spec
src/wokd
src/wok.conf
-src/nginx/wok.conf
src/wok/config.py
tests/run_tests.sh
tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..3754547 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local:
touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local:
@if test -f $(systemdsystemunitdir)/wokd.service; then \
@@ -175,6 +177,7 @@ uninstall-local:
$(RM) -rf $(DESTDIR)/etc/wok
$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf
$(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
missing $(RM)
VERSION:
@if $(GIT) rev-parse &> /dev/null ; then \
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fdf3484..c48899f 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
%{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
%{_datadir}/wok/ui/
%{_datadir}/wok
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
%{_sysconfdir}/logrotate.d/wokd
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index 70c295b..283f9c3 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/wok
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/nginx/conf.d/wok.conf
%{_sysconfdir}/logrotate.d/wokd
%{_var}/lib/wok/
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index a376a74..3a47a5f 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -1,7 +1,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2015
+# Copyright IBM Corp, 2015-2016
#
# Code derived from Project Kimchi
#
@@ -19,9 +19,8 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in
+EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d
-dist_conf_DATA = wok.conf.in
+dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf
diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
new file mode 100644
index 0000000..d191746
--- /dev/null
+++ b/src/nginx/wok.conf
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
deleted file mode 100644
index 5d2bb17..0000000
--- a/src/nginx/wok.conf.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/
https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..d3b7b2d 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,12 @@
#
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port
#cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server
#environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to
# the server. For example, to have Wok pointing to https://localhost:8001/wok/
# uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@
# and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert
from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options):
Arguments:
options - OptionParser object with Wok config options
"""
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir
nginx_config_dir = paths.nginx_conf_dir
cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options):
with open(key, "w") as f:
f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"),
"w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source
# code), create a symbolic link in system's dir to prevent errors on read
# SSL certifications.
--
Lucio Correia
Software Engineer
IBM LTC Brazil
2944
days inactive
2944
days old
4 comments
3 participants
participants (3)
-
Aline Manera -
Lucio Correia -
Ramon Medeiros