10:24 a.m.
Since apache reverse proxy configuration is included in this patch,
so I suppose you would like to substitute nginx with apache?
Would you pls compare these reverse proxy in a single mail so that we
can know why we want to choose it?
If we just want to give user another choice of reverse proxy,
I suggest we make "run_proxy" an enum so user can assign it to
"apache",
"nginx" or "none".
To be a completed patch, we may want to include a testcase to test if
the reverse proxy works.
Some inline comments below:
On 02/03/2015 08:21 PM, Julien Goodwin wrote:
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin(a)studio442.com.au>
---
docs/Makefile.am | 1 +
docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
src/kimchi.conf.in | 3 +++
src/kimchi/config.py.in | 1 +
src/kimchi/proxy.py | 6 ++++++
5 files changed, 46 insertions(+)
create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@
docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \
+ apache.conf.ex \
I hope we can include a runnable configuration and
install it to the
right place rather than just an example.
API.md \
README.md \
README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
Could you explain why we set "ProxyRequests" as
"on" here? AFAIK, "off"
is used to prevent anyone else to use apache as the anonymous proxy.
+ ProxyPass / http://127.0.0.1:8010/
+ ProxyPassReverse / http://127.0.0.1:8010/
Hope we can use variable rather
than hard code, we may use port other
than 8010
+
+ <Proxy http://127.0.0.1:8010/>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000;
includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect / https://kimchi/
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000;
includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
#
[server]
+# Start the proxy service?
+#run_proxy = on
+
# Hostname or IP address to listen on
#host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
def _get_config():
config = SafeConfigParser()
config.add_section("server")
+ config.set("server", "run_proxy", "on")
config.set("server", "host", "0.0.0.0")
config.set("server", "port", "8000")
config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options):
"""Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
_create_proxy_config(options)
config_dir = paths.conf_dir
config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy():
"""Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
term_proxy_cmd = ['nginx', '-s', 'stop']
subprocess.call(term_proxy_cmd)