When the nginx process is disabled, all of the proxy configuration should be
moved into the cherrypy configuration.
Otherwise, Kimchi (through the cherrypy server) will be accessible only on
localhost, on port 8010.
We should set the HTTP and HTTPS ports on cherrypy in case nginx is not
running.
There are also some headers that prevent XSS attacks which must then be
set by cherrypy.
add_header Strict-Transport-Security "max-age=31536000;
includeSubdomains;";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
On 03/02/2015 23:21, Julien Goodwin wrote:
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin(a)studio442.com.au>
---
docs/Makefile.am | 1 +
docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
src/kimchi.conf.in | 3 +++
src/kimchi/config.py.in | 1 +
src/kimchi/proxy.py | 6 ++++++
5 files changed, 46 insertions(+)
create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@
docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \
+ apache.conf.ex \
API.md \
README.md \
README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
+ ProxyPass /
http://127.0.0.1:8010/
+ ProxyPassReverse /
http://127.0.0.1:8010/
+
+ <Proxy
http://127.0.0.1:8010/>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000;
includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect /
https://kimchi/
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000;
includeSubdomains;"
+</VirtualHost>
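Review bot: `ProxyRequests On` in the `*:443` block turns this vhost into a forward proxy, which the Apache documentation warns against enabling until the server is secured; the `ProxyPass` / `ProxyPassReverse` pair used here is reverse proxying and works with `ProxyRequests Off`, so the line should read `ProxyRequests Off`. Whether the `<Proxy http://127.0.0.1:8010/>` block alone is enough to keep forward requests to other hosts from being served depends on the rest of the site's configuration, which is not visible here. The `Strict-Transport-Security` header in the `*:80` block is ignored by browsers when received over plain HTTP (RFC 6797), so it can be dropped there and the redirect left to do the work; making it `Redirect permanent / https://kimchi/` would also avoid a 302 on every first visit. Since readers will copy this file verbatim, a one-line comment above the proxy directives stating that forward proxying is intentionally disabled would help, e.g. `# Reverse proxy only; never enable ProxyRequests (open forward proxy)`.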
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
#
[server]
+# Start the proxy service?
+#run_proxy = on
+
# Hostname or IP address to listen on
#host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
def _get_config():
config = SafeConfigParser()
config.add_section("server")
+ config.set("server", "run_proxy", "on")
config.set("server", "host", "0.0.0.0")
config.set("server", "port", "8000")
config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options):
"""Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
_create_proxy_config(options)
config_dir = paths.conf_dir
config_file = "%s/nginx_kimchi.conf" % config_dir
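Review bot: The new guard in start_proxy compares the raw config value with the literal `'off'`, so any other spelling a user puts after the `run_proxy =` key in kimchi.conf (`false`, `no`, `0`) still starts nginx. How `options.run_proxy` is populated is outside this hunk, but if it comes straight from the SafeConfigParser value set in config.py.in, parsing it with `getboolean` where the options object is built (or accepting the usual false spellings here) would make the check match the config file's documented `on`/`off` intent. The same literal comparison is repeated in terminate_proxy in the next hunk; the body of start_proxy continues past this hunk.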
@@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy():
"""Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
term_proxy_cmd = ['nginx', '-s', 'stop']
subprocess.call(term_proxy_cmd)
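Review bot: `options` is not a parameter of terminate_proxy() — unlike start_proxy(options), the signature takes nothing — so unless a module-level `options` exists outside this view, the added `if options.run_proxy == 'off':` raises NameError at shutdown and the `nginx -s stop` call below it is never reached, leaving nginx running after Kimchi exits. Either thread the options through, `def terminate_proxy(options):` with its caller updated, or have start_proxy record whether it actually launched nginx in a module-level flag that terminate_proxy checks instead. The hunk header counts one more context line than is shown on this page, so the function's exact tail cannot be confirmed from here.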