
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ I hope we can include a runnable configuration and install it to the right place rather than just an example. API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off" is used to prevent anyone else to use apache as the anonymous proxy. + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ Hope we can use variable rather than hard code, we may use port other
than 8010

Since an Apache reverse proxy configuration is included in this patch, I suppose you would like to substitute nginx with Apache? Would you please compare these reverse proxies in a single mail so that we can know why we want to choose it? If we just want to give the user another choice of reverse proxy, I suggest we make "run_proxy" an enum so the user can assign it to "apache", "nginx" or "none". To be a complete patch, we may want to include a test case to test if the reverse proxy works.

Some inline comments below:

On 02/03/2015 08:21 PM, Julien Goodwin wrote:
+ + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..72497fe 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if options.run_proxy == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if options.run_proxy == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)
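Review bot: In docs/apache.conf.ex, `ProxyRequests On` in the *:443 virtual host turns on forward proxying, which the `ProxyPass` / `ProxyPassReverse` pair does not need; a reverse proxy works with `ProxyRequests Off`, and leaving it On lets clients ask this server to fetch arbitrary URLs on their behalf. Please set it to Off. Two smaller points in the same file: the header comment names mod_redirect, but the `Redirect` directive is provided by mod_alias, and the `Strict-Transport-Security` header in the *:80 virtual host has no effect because browsers ignore that header when it arrives over plain HTTP, so it can be dropped there.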
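Review bot: In src/kimchi/proxy.py, the new check in `terminate_proxy()` reads `options.run_proxy`, but the function is declared as `def terminate_proxy():` with no parameter, and nothing in the visible lines defines `options` in that scope. Unless a module-level `options` exists outside this hunk, this raises NameError at shutdown. Pass `options` in as `start_proxy(options)` does, or record at start-up whether nginx was launched and check that flag here.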
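Review bot: In `start_proxy()`, `if options.run_proxy == 'off':` only matches the exact lowercase string, so a value such as `Off`, `false` or `no` in kimchi.conf would still start nginx, and the new comment in src/kimchi.conf.in ("# Start the proxy service?") does not say which values are accepted. Either normalise the value to a boolean when the configuration is read, or document in kimchi.conf.in that only `on` and `off` are recognised and reject anything else.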