
Also includes an example apache config. Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 docs/Makefile.am | 1 +
 docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
 src/kimchi.conf.in | 3 +++
 src/kimchi/config.py.in | 1 +
 src/kimchi/proxy.py | 6 ++++++
 5 files changed, 46 insertions(+)
 create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
 dist_doc_DATA = \
+ apache.conf.ex \
 API.md \
 README.md \
 README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
+ ProxyPass / http://127.0.0.1:8010/
+ ProxyPassReverse / http://127.0.0.1:8010/
+
+ <Proxy http://127.0.0.1:8010/>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect / https://kimchi/
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
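Review bot: `ProxyRequests On` in the 443 vhost of docs/apache.conf.ex switches on forward proxying, which a reverse proxy in front of kimchi does not need; `ProxyPass`/`ProxyPassReverse` work with it off, and the Apache documentation advises `ProxyRequests Off` for gateway setups so the host cannot be used as an open relay. I would change that line to `ProxyRequests Off`. In the header comment, `mod_redirect` should read mod_alias, which is the module that provides `Redirect`. The Strict-Transport-Security header in the port 80 vhost has no effect, since browsers ignore it over plain HTTP, and `includeSubdomains` extends the policy to every subdomain of the server name, which deserves a comment for anyone copying the example.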
@@ -3,6 +3,9 @@ # [server]
+# Start the proxy service?
+#run_proxy = on
+
 # Hostname or IP address to listen on
 #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
 def _get_config():
 config = SafeConfigParser()
 config.add_section("server")
+ config.set("server", "run_proxy", "on")
 config.set("server", "host", "0.0.0.0")
 config.set("server", "port", "8000")
 config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
 term_proxy_cmd = ['nginx', '-s', 'stop']
 subprocess.call(term_proxy_cmd)
--
2.1.4
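Review bot: The guard `if options.run_proxy == 'off':` in start_proxy matches only the exact lowercase string, so a configured value such as `Off`, `false`, `no` or `0` would still start nginx. Because this switch decides whether the TLS-terminating front end runs, the value is better parsed once as a boolean (the config parser's `getboolean` accepts on/off, yes/no, true/false and 1/0) with unknown values rejected. How `options.run_proxy` is populated is not visible in this patch, so the right place for that normalisation needs confirming. Nothing here shows which address the backend listens on when nginx is not started; if it is not loopback-only, turning the proxy off exposes the plain-HTTP port directly. start_proxy's body continues outside the hunk.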
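Review bot: `terminate_proxy()` takes no parameters, yet the added guard reads `options.run_proxy`; unless a module-level `options` exists outside this hunk, the call raises NameError at shutdown and the `nginx -s stop` command below it is never reached, leaving a running nginx behind. Either pass the options in, `def terminate_proxy(options):` with the callers updated, or have start_proxy record whether it actually launched nginx and test that flag here. The second form also avoids stopping an nginx instance that kimchi did not start. The docstring should state the no-op case, e.g. `"""Stop the nginx process if kimchi started it."""`.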