
From: Frederic Bonnard <frediz@linux.vnet.ibm.com> Hi, I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html and it wasn't taking the option into account, here is some changes that worked for me. Also, I think that the goal of disabling nginx in this patch is not to use kimchi directly, but to use another instance of nginx as I did or apache as Julien does. F. --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 8 +++++++- 5 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 docs/apache.conf.ex diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..09a4fcc 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc dist_doc_DATA = \ + apache.conf.ex \ API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex 
@@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ + + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ # [server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0 diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..c8085dd 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py 
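Review bot: `ProxyRequests On` in the 443 vhost enables forward proxying, which the `ProxyPass`/`ProxyPassReverse` pair does not need; a reverse-proxy example should carry `ProxyRequests Off`. The `<Proxy http://127.0.0.1:8010/>` block only sets access for that one backend URL, so whether other forward-proxy requests are refused depends on the rest of the server configuration. The header comment names `mod_redirect`, but `Redirect` is provided by `mod_alias`. The `Strict-Transport-Security` header in the port 80 vhost has no effect, because browsers ignore it on plain HTTP responses, and can be dropped there.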
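Review bot: The new comment `# Start the proxy service?` in kimchi.conf.in does not say which values are accepted or what turning the option off implies. Going by the cover text, the option is meant for running another nginx or Apache in front of kimchi, so the sample should say so, for example `# Start the bundled nginx reverse proxy? Set to off only when another reverse proxy (with TLS) fronts kimchi.` It is also worth stating that the check added in proxy.py matches the lowercase value `off` only.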
@@ -29,7 +29,7 @@ from string import Template from kimchi import sslcert from kimchi.config import paths - +import kimchi.config as config def _create_proxy_config(options): """Create nginx configuration file based on current ports config @@ -88,6 +88,9 @@ def _create_proxy_config(options): def start_proxy(options): """Start nginx reverse proxy.""" + if config.config.get("server", "run_proxy") == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options): def terminate_proxy(): """Stop nginx process.""" + if config.config.get("server", "run_proxy") == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd) -- 1.9.1
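Review bot: The guard added to `start_proxy` compares the raw option string with `'off'`, so `Off`, `false`, `no` or `0` in kimchi.conf leave the proxy running; the same comparison is repeated in `terminate_proxy`. If `config.config` is the `SafeConfigParser` built in `_get_config()` (its assignment is not in this diff), `if not config.config.getboolean("server", "run_proxy"): return` accepts the usual spellings and raises on an unrecognised one instead of silently ignoring it. A log line on the early return would also help, since with nginx not started kimchi presumably no longer terminates TLS itself and an operator should be able to see that. `start_proxy`'s body runs on past the end of its hunk.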