
From: Rob Lemley <rob.lemley@rochester.edu> This helps in networks with restrictive firewalls. - modify the nginx config file and code to support changes - update README files - update firewalld config Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com> Signed-off-by: Rob Lemley <rob.lemley@rochester.edu> --- docs/README.md | 5 +---- src/firewalld.xml | 1 - src/nginx/wok.conf.in | 20 ++++++++++++++++++-- src/wok/proxy.py | 5 +++-- src/wokd.in | 4 ++++ tests/utils.py | 6 +++--- 6 files changed, 29 insertions(+), 12 deletions(-) diff --git a/docs/README.md b/docs/README.md index 4c0009d..04ef2fa 100644 --- a/docs/README.md +++ b/docs/README.md @@ -132,26 +132,23 @@ Run If you cannot access Wok, take a look at these 2 points: 1. Firewall: -Wok uses by default the ports 8000, 8001 and 64667. To allow incoming connections: +Wok uses by default the ports 8000 and 8001. To allow incoming connections: For system using firewalld, do: $ sudo firewall-cmd --add-port=8000/tcp --permanent $ sudo firewall-cmd --add-port=8001/tcp --permanent - $ sudo firewall-cmd --add-port=64667/tcp --permanent $ sudo firewall-cmd --reload For openSUSE systems, do: $ sudo /sbin/SuSEfirewall2 open EXT TCP 8000 $ sudo /sbin/SuSEfirewall2 open EXT TCP 8001 - $ sudo /sbin/SuSEfirewall2 open EXT TCP 64667 For system using iptables, do: $ sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT - $ sudo iptables -A INPUT -p tcp --dport 64667 -j ACCEPT Don't forget to correctly save the rules. diff --git a/src/firewalld.xml b/src/firewalld.xml index ff9fafe..3a564fe 100644 --- a/src/firewalld.xml +++ b/src/firewalld.xml @@ -4,5 +4,4 @@ <description>wokd is a daemon service for wok which is a web framework.</description> <port protocol="tcp" port="8000"/> <port protocol="tcp" port="8001"/> - <port protocol="tcp" port="64667"/> </service> diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in index db68893..bb5b1ed 100644 
--- a/src/nginx/wok.conf.in +++ b/src/nginx/wok.conf.in @@ -49,6 +49,15 @@ http { proxy_read_timeout 600; send_timeout 600; + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + upstream websocket { + server 127.0.0.1:${websockets_port}; + } + server { listen ${proxy_ssl_port} ssl; @@ -65,11 +74,18 @@ http { add_header X-XSS-Protection "1; mode=block"; location / { - proxy_pass http://127.0.0.1:${wokd_port}; + proxy_pass http://127.0.0.1:${cherrypy_port}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_redirect http://127.0.0.1:${wokd_port}/ https://$host:${proxy_ssl_port}/; + proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}/; + } + + location /websockify { + proxy_pass http://websocket; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; } } diff --git a/src/wok/proxy.py b/src/wok/proxy.py index f281522..f5351e3 100644 --- a/src/wok/proxy.py +++ b/src/wok/proxy.py @@ -2,7 +2,7 @@ # # Project Wok # -# Copyright IBM, Corp. 2014-2015 +# Copyright IBM, Corp. 2014-2016 # # Code derived from Project Kimchi # @@ -82,8 +82,9 @@ def _create_proxy_config(options): data = Template(data) data = data.safe_substitute(user=user_proxy, proxy_port=options.port, - wokd_port=options.cherrypy_port, proxy_ssl_port=options.ssl_port, + cherrypy_port=options.cherrypy_port, + websockets_port=options.websockets_port, cert_pem=cert, cert_key=key, max_body_size=eval(options.max_body_size), dhparams_pem=dhparams_pem) diff --git a/src/wokd.in b/src/wokd.in index c5510fd..1108445 100644 --- a/src/wokd.in +++ b/src/wokd.in 
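Review bot: The new `upstream websocket { server 127.0.0.1:${websockets_port}; }` block assumes the websockify server is reachable only on loopback, but nothing in this patch shows that server being bound to 127.0.0.1, while the same patch stops opening 64667 in firewalld.xml and the README. If the backend still listens on all interfaces, its plain (non-TLS) port remains reachable from the network whenever the host firewall is not enforcing, so the loopback binding should be confirmed and recorded next to the block, e.g. `# websockify must listen on 127.0.0.1 only; TLS for /websockify is terminated here`. The blank context lines of this hunk were lost in the collapsed patch, so the exact position of the new block inside the `http` context is inferred.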
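Review bot: The new `location /websockify` block forwards the upgraded connection without the `Host`, `X-Real-IP` and `X-Forwarded-For` headers that `location /` sets a few lines above it, so the websocket backend only ever sees 127.0.0.1 as the peer and any per-client logging or access checks on that side lose the real origin. Adding `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` beside the Upgrade/Connection headers keeps the two locations consistent. The `proxy_read_timeout 600;` from the enclosing `http` block (visible in the previous hunk) now also governs these long-lived connections, so an idle websocket is dropped after ten minutes unless this location overrides it; whether that is acceptable depends on the client behind websockify, which the diff does not show.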
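Review bot: The renamed `cherrypy_port` and new `websockets_port` keys are passed through `Template.safe_substitute`, which silently leaves any `${...}` placeholder it has no value for, so a mismatch between this code and the installed `wok.conf.in` (an older template still using `${wokd_port}`, or a newer one adding a key) yields an nginx config containing a literal placeholder instead of an error at generation time. `safe_substitute` is presumably needed because the template also carries nginx's own `$host`-style variables, so plain `substitute` is not an option; a post-render guard such as `if '${' in data: raise ValueError('unresolved placeholder in nginx template')` would surface the mismatch before the broken config is written. Separately, the unchanged `max_body_size=eval(options.max_body_size)` in this hunk evaluates a configuration string as Python; it predates this change, but a restricted numeric parse would be a worthwhile follow-up. `_create_proxy_config` starts before this hunk.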
@@ -47,6 +47,7 @@ def main(options): port = config.config.get("server", "port") ssl_port = config.config.get("server", "ssl_port") cherrypy_port = config.config.get("server", "cherrypy_port") + websockets_port = config.config.get("server", "websockets_port") runningEnv = config.config.get("server", "environment") federation = config.config.get("server", "federation") isopool = config.config.get("server", "create_iso_pool") @@ -62,6 +63,9 @@ def main(options): help="Port to enable SSL (default %s)" % ssl_port) parser.add_option('--cherrypy_port', type="int", default=cherrypy_port, help="Cherrypy server port (default %s)" % cherrypy_port) + parser.add_option('--websockets_port', type="int", default=websockets_port, + help="Websockets port to listen on (default %s)" % + websockets_port) parser.add_option('--log-level', default=logLevel, help="Logging level") parser.add_option('--access-log', diff --git a/tests/utils.py b/tests/utils.py index 50d423f..686b13b 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -1,7 +1,7 @@ # # Project Wok # -# Copyright IBM, Corp. 2013-2015 +# Copyright IBM, Corp. 2013-2016 # # Code delivered from Project Kimchi # @@ -116,8 +116,8 @@ def run_server(host, port, ssl_port, test_mode, cherrypy_port=None, args = type('_', (object,), {'host': host, 'port': port, 'ssl_port': ssl_port, 'cherrypy_port': cherrypy_port, 'max_body_size': '4*1024', - 'ssl_cert': '', 'ssl_key': '', - 'test': test_mode, 'access_log': '/dev/null', + 'websockets_port': 64667, 'ssl_cert': '', + 'ssl_key': '', 'test': test_mode, 'access_log': '/dev/null', 'error_log': '/dev/null', 'environment': environment, 'log_level': 'debug'})() if model is not None: -- 2.5.0
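Review bot: `websockets_port = config.config.get("server", "websockets_port")` has no fallback, so on an installation whose wok.conf lacks that key the daemon fails at startup with `NoOptionError` before option parsing even runs; this diff touches neither the config template nor `config.py`, so it is presumably relying on the key already being present (the old README text and tests/utils.py both reference 64667), which is worth confirming. If the key is new, either ship it in the default config in this same commit or guard the read with `config.config.has_option("server", "websockets_port")` and a documented default, mirroring how the value is later exposed as `--websockets_port`. `main` starts before this hunk and continues after it.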
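Review bot: `'websockets_port': 64667` is a literal while `cherrypy_port` on the line above comes from the `run_server` parameter, so every generated test proxy config now points `/websockify` at a fixed local port the fixture does not control; if the harness ever starts a websocket server on it, concurrent test runs or a real wokd on the same host would collide, and the value duplicates the config default instead of being derived from it. Threading it through as `websockets_port=None` alongside `cherrypy_port` in the `run_server` signature and using `'websockets_port': websockets_port` here keeps the fixture consistent with the other ports. The `run_server` signature appears only in the hunk header and the body continues outside the hunk, so the parameter change falls outside these lines.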