On 04/02/2015 18:08, Julien Goodwin wrote:
On 04/02/15 00:24, Royce Lv wrote:

Since apache reverse proxy configuration is included in this patch,
so I suppose you would like to substitute nginx with apache?
Would you pls compare these reverse proxy in a single mail so that we
can know why we want to choose it?

Personal preference really, many sites run a httpd on machines anyway,
often one integrated with an SSO auth system (see one of my other
feature requests), allowing them to run what they're used to is nice.

Also the apache config is more boilerplate, all practical users will
change this for their purposes, users where the generic would be fine
will almost certainly just use the integrated proxy anyway.


If we just want to give user another choice of reverse proxy,
I suggest we make "run_proxy" an enum so user can assign it to "apache",
"nginx" or "none".

I don't really think it makes sense to automatically launch multiple
proxy types, it's enough to offer a way so the normal nginx proxy can be
disabled so it's not taking up listening ports.

If the idea is only allowing disable the nginx proxy, why should we include an apache example?


      

        
To be a completed patch, we may want to include a testcase to test if
the reverse proxy works.


      

      
Hmm, possibly. My next patch set after this one will be a variety of
fixups to the test suite as I'd like to be able to run them cleanly on
my laptop which can't have a running libvirt (due to "reasons").

This is actually stalled while I muse about how best to deal with some
core bits in the model that call exit directly instead of raising
exceptions on some types of errors.



      

        
Some inline comments below:
On 02/03/2015 08:21 PM, Julien Goodwin wrote:


        

          
Also includes an example apache config.

Implements Issue #570

Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
  docs/Makefile.am        |  1 +
  docs/apache.conf.ex     | 35 +++++++++++++++++++++++++++++++++++
  src/kimchi.conf.in      |  3 +++
  src/kimchi/config.py.in |  1 +
  src/kimchi/proxy.py     |  6 ++++++
  5 files changed, 46 insertions(+)
  create mode 100644 docs/apache.conf.ex

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@
  docdir = $(datadir)/kimchi/doc

  dist_doc_DATA = \
+        apache.conf.ex \


        

        
I hope we can include a runnable configuration and install it to the
right place rather than just an example.


        

          
      API.md \
      README.md \
      README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy
kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+        ServerName kimchi
+
+        SSLEngine On
+        SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+        SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+        ProxyRequests On


        

        
Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off"
is used to prevent anyone else to use apache as the anonymous proxy.


        

          
+        ProxyPass / http://127.0.0.1:8010/
+        ProxyPassReverse / http://127.0.0.1:8010/


        

        
Hope we can use variable rather than hard code, we may use port other
than 8010


        

          
+
+        <Proxy http://127.0.0.1:8010/>
+                Require all granted
+        </Proxy>
+
+        # HTTP STS
+        Header always set Strict-Transport-Security
"max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+        ServerName kimchi
+
+        Redirect / https://kimchi/
+
+        # HTTP STS
+        Header always set Strict-Transport-Security
"max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
  #

  [server]
+# Start the proxy service?
+#run_proxy = on
+
  # Hostname or IP address to listen on
  #host = 0.0.0.0

diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
  def _get_config():
      config = SafeConfigParser()
      config.add_section("server")
+    config.set("server", "run_proxy", "on")
      config.set("server", "host", "0.0.0.0")
      config.set("server", "port", "8000")
      config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):

  def start_proxy(options):
      """Start nginx reverse proxy."""
+    if options.run_proxy == 'off':
+        return
+
      _create_proxy_config(options)
      config_dir = paths.conf_dir
      config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):

  def terminate_proxy():
      """Stop nginx process."""
+    if options.run_proxy == 'off':
+        return
+
      term_proxy_cmd = ['nginx', '-s', 'stop']
      subprocess.call(term_proxy_cmd)


        

        
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel


      

      



      

      

      

      
_______________________________________________
Kimchi-devel mailing list
Kimchi-devel@ovirt.org
http://lists.ovirt.org/mailman/listinfo/kimchi-devel