
This patch adds a new option to wok.conf file - https_only - to allow user disable HTTP port. The default value for https_only option is false, which means HTTP and HTTPS are allowed. When set to true, all the connections will be done through HTTPS.
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/nginx/wok.conf.in | 7 +------
 src/wok.conf.in | 6 +++++-
 src/wok/config.py.in | 1 +
 src/wok/proxy.py | 16 +++++++++++++++-
 src/wokd.in | 4 ++++
 tests/utils.py | 10 +++++-----
 6 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
index 501377e..8dd5d7c 100644
--- a/src/nginx/wok.conf.in
+++ b/src/nginx/wok.conf.in
@@ -32,7 +32,6 @@ events {
 }
 http {
-
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
@@ -88,9 +87,5 @@ http {
 proxy_set_header Connection $connection_upgrade;
 }
 }
-
- server {
- listen ${host_addr}:${proxy_port};
- rewrite ^/(.*)$ https://$host:${proxy_ssl_port}/$1 redirect;
- }
+ ${http_config}
 }
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 7d479d3..77a79b6 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -9,9 +9,13 @@
 # Port to listen on
 #port = 8000
-# If present, start an SSL-enabled server on the given port
+# Start an SSL-enabled server on the given port
 #ssl_port = 8001
+# Allow user disables HTTP port. In that case, all the connections
+# will be done directly through HTTPS port (values: true|false)
+#https_only = false
+
 # Cherrypy server port
 #cherrypy_port = 8010
diff --git a/src/wok/config.py.in b/src/wok/config.py.in
index 5d32ba4..40fbcda 100644
--- a/src/wok/config.py.in
+++ b/src/wok/config.py.in
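Review bot: In src/wok.conf.in, the new comment above `#https_only = false` does not say what the HTTP port does when the option stays at false. Going by the `HTTP_CONFIG` block added in src/wok/proxy.py, the plain HTTP listener only redirects to the HTTPS port, so an operator reading this file cannot tell that the choice is between "redirect listener open" and "port closed". I would reword it as `# Disable the plain HTTP port. When false, the HTTP port stays open but only redirects to the HTTPS port (values: true|false)`. The accepted values appear to be exactly lowercase `true` and `false` (the `choices` list in src/wokd.in), which is worth stating here as well.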
@@ -232,6 +232,7 @@ def _get_config():
 config.set("server", "host", "0.0.0.0")
 config.set("server", "port", "8000")
 config.set("server", "ssl_port", "8001")
+ config.set("server", "https_only", "false")
 config.set("server", "cherrypy_port", "8010")
 config.set("server", "websockets_port", "64667")
 config.set("server", "ssl_cert", "")
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index c7bc665..9d39dbd 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -33,6 +33,14 @@ from wok import sslcert
 from wok.config import paths
+HTTP_CONFIG = """
+server {
+ listen %(host_addr)s:%(proxy_port)s;
+ rewrite ^/(.*)$ https://$host:%(proxy_ssl_port)s/$1 redirect;
+}
+"""
+
+
 def _create_proxy_config(options):
 """Create nginx configuration file based on current ports config
@@ -75,6 +83,12 @@ def _create_proxy_config(options):
 # Setting up Diffie-Hellman group with 2048-bit file
 dhparams_pem = os.path.join(config_dir, "dhparams.pem")
+ http_config = ''
+ if options.https_only == 'false':
+ http_config = HTTP_CONFIG % {'host_addr': options.host,
+ 'proxy_port': options.port,
+ 'proxy_ssl_port': options.ssl_port}
+
 # Read template file and create a new config file
 # with the specified parameters.
 with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
@@ -82,8 +96,8 @@ def _create_proxy_config(options):
 data = Template(data)
 data = data.safe_substitute(user=user_proxy,
 host_addr=options.host,
- proxy_port=options.port,
 proxy_ssl_port=options.ssl_port,
+ http_config=http_config,
 cherrypy_port=options.cherrypy_port,
 websockets_port=options.websockets_port,
 cert_pem=cert, cert_key=key,
diff --git a/src/wokd.in b/src/wokd.in
index 59a81f8..7255d3c 100644
--- a/src/wokd.in
+++ b/src/wokd.in
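Review bot: `HTTP_CONFIG` in src/wok/proxy.py mixes two placeholder syntaxes without a comment: the `%(...)s` fields are filled by Python, while `$host` and `$1` are nginx variables that must reach the generated file unchanged. Because the block is expanded with `%`, any literal percent sign added to it later has to be doubled, which is easy to miss. I would add above the constant `# Redirect-only HTTP server block. %(...)s is filled in by _create_proxy_config(); $host and $1 are nginx variables and stay literal.` Note also that nginx takes `$host` from the request, so the redirect target follows whatever host name the client sent; a configured server name would pin it, if the project has one.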
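Review bot: The check `if options.https_only == 'false':` in `_create_proxy_config` decides whether a plaintext listener exists by comparing against one exact string, and nothing in the hunk says this is deliberate. As written it fails closed: any other value, for example `'False'` from a caller that builds its own options object, leaves the HTTP port unconfigured, which is the safer direction and should not later be turned into `!= 'true'`. I would add `# Fail closed: only the exact string 'false' keeps the HTTP redirect listener.` above the `if`, or convert the option to a bool once in wokd so this module does not compare strings. The function starts and ends outside the hunk.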
@@ -46,6 +46,7 @@ def main(options):
 host = config.config.get("server", "host")
 port = config.config.get("server", "port")
 ssl_port = config.config.get("server", "ssl_port")
+ https_only = config.config.get("server", "https_only")
 cherrypy_port = config.config.get("server", "cherrypy_port")
 websockets_port = config.config.get("server", "websockets_port")
 runningEnv = config.config.get("server", "environment")
@@ -59,6 +60,9 @@ def main(options):
 help="Port to listen on (default %s)" % port)
 parser.add_option('--ssl-port', type="int", default=ssl_port,
 help="Port to enable SSL (default %s)" % ssl_port)
+ parser.add_option('--https_only', type="choice", default=https_only,
+ choices=['false', 'true'],
+ help="Disable HTTP port (default %s)" % ssl_port)
 parser.add_option('--cherrypy_port', type="int", default=cherrypy_port,
 help="Cherrypy server port (default %s)" % cherrypy_port)
 parser.add_option('--websockets_port', type="int", default=websockets_port,
diff --git a/tests/utils.py b/tests/utils.py
index bb9efb0..d158ba1 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -115,11 +115,11 @@ def run_server(host, port, ssl_port, test_mode, cherrypy_port=None,
 args = type('_', (object,), {'host': host, 'port': port, 'ssl_port': ssl_port,
- 'cherrypy_port': cherrypy_port, 'max_body_size': '4*1024',
- 'websockets_port': 64667, 'ssl_cert': '',
- 'ssl_key': '', 'test': test_mode, 'access_log': '/dev/null',
- 'error_log': '/dev/null', 'environment': environment,
- 'log_level': 'debug'})()
+ 'https_only': 'false', 'cherrypy_port': cherrypy_port,
+ 'websockets_port': 64667, 'ssl_cert': '', 'ssl_key': '',
+ 'max_body_size': '4*1024', 'test': test_mode,
+ 'access_log': '/dev/null', 'error_log': '/dev/null',
+ 'environment': environment, 'log_level': 'debug'})()
 if model is not None:
 setattr(args, 'model', model)
--
2.5.0
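Review bot: The help string of the new `--https_only` option in src/wokd.in interpolates the wrong variable: `help="Disable HTTP port (default %s)" % ssl_port)` prints the SSL port number as the default of a true/false flag. It should read `help="Disable HTTP port (default %s)" % https_only)`. Since this flag decides whether a plaintext listener is opened, the `--help` output should state its real default. `main` continues outside the hunk.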
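Review bot: `run_server` in tests/utils.py now hard-codes `'https_only': 'false'`, so no test in the visible changes can start a server with the option enabled, and the path that is meant to close the HTTP port goes unexercised. I would add a keyword argument such as `https_only='false'` to `run_server`, pass it through as `'https_only': https_only`, and add a test that starts the server with `'true'` and asserts that a connection to the HTTP port is refused while the HTTPS port still answers. The signature of `run_server` is cut off by the hunk, so the parameter placement needs checking against the full file.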