[PATCH] RFC patch to make nginx proxy optional

Sending this as an RFC patch, I expect people will want changes from this. Implements Issue #570. Julien Goodwin (1): Initial prototype, make nginx proxy optional. docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex -- 2.1.4

Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 docs/Makefile.am | 1 +
 docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
 src/kimchi.conf.in | 3 +++
 src/kimchi/config.py.in | 1 +
 src/kimchi/proxy.py | 6 ++++++
 5 files changed, 46 insertions(+)
 create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
 dist_doc_DATA = \
+ apache.conf.ex \
 API.md \
 README.md \
 README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
+ ProxyPass / http://127.0.0.1:8010/
+ ProxyPassReverse / http://127.0.0.1:8010/
+
+ <Proxy http://127.0.0.1:8010/>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect / https://kimchi/
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
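Review bot: The header comment says the port-80 redirect needs `mod_redirect`, but Apache httpd ships no such module — the `Redirect` directive is provided by mod_alias, so the line should read `# The port 80 redirect also requires mod_alias`; an operator who follows the list literally will enable the wrong thing. The Strict-Transport-Security header inside `<VirtualHost *:80>` is also inert, because RFC 6797 requires clients to ignore STS received over a non-TLS connection; drop it there, and since HSTS is pinned for a year let clients cache the redirect as well: `Redirect permanent / https://kimchi/`. The TLS block sets only certificate paths and leaves protocol and cipher selection to distribution defaults, which a file people will copy verbatim should not do silently — add at least `SSLProtocol all -SSLv2 -SSLv3` with a comment telling the reader to review the cipher suite for their platform. If the Kimchi console path relies on WebSockets through this proxy (the thread mentions a websockets-based console), mod_proxy_http alone will not upgrade the connection and mod_proxy_wstunnel would have to be listed too; worth confirming before this becomes a reference configuration.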
@@ -3,6 +3,9 @@
 #
 [server]
+# Start the proxy service?
+#run_proxy = on
+
 # Hostname or IP address to listen on
 #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
 def _get_config():
 config = SafeConfigParser()
 config.add_section("server")
+ config.set("server", "run_proxy", "on")
 config.set("server", "host", "0.0.0.0")
 config.set("server", "port", "8000")
 config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
 term_proxy_cmd = ['nginx', '-s', 'stop']
 subprocess.call(term_proxy_cmd)
-- 
2.1.4
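Review bot: The new `# Start the proxy service?` comment is the only place an operator will see this knob, and it names neither which proxy it controls nor what turning it off does. Suggest `# Start the bundled nginx reverse proxy (TLS termination, security headers)? Set to off only when another reverse proxy fronts Kimchi; see docs/apache.conf.ex.` It should also spell out the accepted values, because the code in this series compares the setting against the literal string off rather than parsing it as a boolean.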
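Review bot: `if options.run_proxy == 'off':` recognises only that exact lowercase string; the value comes from a SafeConfigParser section and is a plain string, so `Off`, `false`, `no` or `0` in kimchi.conf silently keep nginx running — the opposite of what the operator asked for, and a failure in the open direction. Read the setting with `getboolean("server", "run_proxy")` where the config section is turned into `options` (that also rejects garbage with a ValueError instead of starting the proxy), or at minimum normalise here: `if str(options.run_proxy).lower() in ('off', 'false', 'no', '0'):`. `options` appears to be the parsed option object; the config.py.in hunk only sets a parser default, so unless run_proxy is copied from the `[server]` section into that object the attribute will not exist at all — please confirm. start_proxy continues past the end of this hunk.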
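Review bot: `terminate_proxy()` takes no parameters, yet the added guard reads `options.run_proxy`; `options` is neither a parameter nor a module-level name visible in the hunk, so unless proxy.py defines one outside the shown lines this raises NameError at shutdown, and because `nginx -s stop` comes after the guard the proxy is left running every time Kimchi exits. Either give the function the same shape as start_proxy — `def terminate_proxy(options):` and update its callers — or have both functions read the flag from the config module. Whichever is chosen, start_proxy and terminate_proxy must use the identical test so the stop path is never run against an nginx that was never started. The whole of terminate_proxy is inside the hunk; its callers are not.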

Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ I hope we can include a runnable configuration and install it to the right place rather than just an example. API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off" is used to prevent anyone else to use apache as the anonymous proxy. + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ Hope we can use variable rather than hard code, we may use port other
Since the apache reverse proxy configuration is included in this patch, I suppose you would like to substitute nginx with apache? Would you please compare these reverse proxies in a single mail so that we can know why we want to choose it? If we just want to give users another choice of reverse proxy, I suggest we make "run_proxy" an enum so users can assign it to "apache", "nginx" or "none". To be a complete patch, we may want to include a test case to check that the reverse proxy works. Some inline comments below: On 02/03/2015 08:21 PM, Julien Goodwin wrote: than 8010
+ + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..72497fe 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if options.run_proxy == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if options.run_proxy == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)

On 04/02/15 00:24, Royce Lv wrote:
Since apache reverse proxy configuration is included in this patch, so I suppose you would like to substitute nginx with apache? Would you pls compare these reverse proxy in a single mail so that we can know why we want to choose it?
Personal preference really, many sites run a httpd on machines anyway, often one integrated with an SSO auth system (see one of my other feature requests), allowing them to run what they're used to is nice. Also the apache config is more boilerplate, all practical users will change this for their purposes, users where the generic would be fine will almost certainly just use the integrated proxy anyway.
If we just want to give user another choice of reverse proxy, I suggest we make "run_proxy" an enum so user can assign it to "apache", "nginx" or "none".
I don't really think it makes sense to automatically launch multiple proxy types, it's enough to offer a way so the normal nginx proxy can be disabled so it's not taking up listening ports.
To be a completed patch, we may want to include a testcase to test if the reverse proxy works.
Hmm, possibly. My next patch set after this one will be a variety of fixups to the test suite as I'd like to be able to run them cleanly on my laptop which can't have a running libvirt (due to "reasons"). This is actually stalled while I muse about how best to deal with some core bits in the model that call exit directly instead of raising exceptions on some types of errors.
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ I hope we can include a runnable configuration and install it to the right place rather than just an example. API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off" is used to prevent anyone else to use apache as the anonymous proxy. + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ Hope we can use variable rather than hard code, we may use port other
Some inline comments below: On 02/03/2015 08:21 PM, Julien Goodwin wrote: than 8010
+ + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..72497fe 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if options.run_proxy == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if options.run_proxy == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)
-- Julien Goodwin Studio442 "Blue Sky Solutioneering"

On 04/02/2015 18:08, Julien Goodwin wrote:
On 04/02/15 00:24, Royce Lv wrote:
Since apache reverse proxy configuration is included in this patch, so I suppose you would like to substitute nginx with apache? Would you pls compare these reverse proxy in a single mail so that we can know why we want to choose it? Personal preference really, many sites run a httpd on machines anyway, often one integrated with an SSO auth system (see one of my other feature requests), allowing them to run what they're used to is nice.
Also the apache config is more boilerplate, all practical users will change this for their purposes, users where the generic would be fine will almost certainly just use the integrated proxy anyway.
If we just want to give user another choice of reverse proxy, I suggest we make "run_proxy" an enum so user can assign it to "apache", "nginx" or "none". I don't really think it makes sense to automatically launch multiple proxy types, it's enough to offer a way so the normal nginx proxy can be disabled so it's not taking up listening ports.
If the idea is only allowing disable the nginx proxy, why should we include an apache example?
To be a completed patch, we may want to include a testcase to test if the reverse proxy works. Hmm, possibly. My next patch set after this one will be a variety of fixups to the test suite as I'd like to be able to run them cleanly on my laptop which can't have a running libvirt (due to "reasons").
This is actually stalled while I muse about how best to deal with some core bits in the model that call exit directly instead of raising exceptions on some types of errors.
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ I hope we can include a runnable configuration and install it to the right place rather than just an example. API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On Could you explain why we set "ProxyRequests" as "on" here? AFAIK, "off" is used to prevent anyone else to use apache as the anonymous proxy. + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ Hope we can use variable rather than hard code, we may use port other
Some inline comments below: On 02/03/2015 08:21 PM, Julien Goodwin wrote: than 8010
+ + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..72497fe 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if options.run_proxy == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if options.run_proxy == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)

When disabling the nginx process, all the proxy configuration should be placed to cherrypy configuration. Otherwise, Kimchi (through cherrypy server) will be accessible only on localhost and port 8010. We should set the HTTP and HTTPS ports to cherrypy in case nginx is not running. Also there are some headers to prevent XSS attacks that must be on cherrypy then. add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; On 03/02/2015 23:21, Julien Goodwin wrote:
Also includes an example apache config.
Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ + + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..72497fe 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if options.run_proxy == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if options.run_proxy == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)

From: Frederic Bonnard <frediz@linux.vnet.ibm.com> Hi, I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html and it wasn't taking the option into account, here is some changes that worked for me. Also, I think that the goal of disabling nginx in this patch is not to use kimchi directly, but to use another instance of nginx as I did or apache as Julien does. F. --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 8 +++++++- 5 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 docs/apache.conf.ex diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..09a4fcc 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc dist_doc_DATA = \ + apache.conf.ex \ API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex 
@@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ + + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ # [server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0 diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..c8085dd 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py 
@@ -29,7 +29,7 @@ from string import Template
 from kimchi import sslcert
 from kimchi.config import paths
-
+import kimchi.config as config
 def _create_proxy_config(options):
 """Create nginx configuration file based on current ports config
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ if config.config.get("server", "run_proxy") == 'off':
+ return
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
+ if config.config.get("server", "run_proxy") == 'off':
+ return
+
 term_proxy_cmd = ['nginx', '-s', 'stop']
 subprocess.call(term_proxy_cmd)
-- 
1.9.1
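Review bot: `config.config.get("server", "run_proxy") == 'off'` still compares against one exact string, so an operator who writes `Off`, `no`, `false` or `0` gets nginx started anyway; SafeConfigParser already has the right primitive — `if not config.config.getboolean("server", "run_proxy"):` accepts on/off, yes/no, true/false and 1/0 case-insensitively and raises ValueError on anything else instead of failing open. The same expression is duplicated in start_proxy and terminate_proxy; a small `_proxy_enabled()` helper would keep the two from drifting apart, which is exactly how the previous revision ended up with a NameError in terminate_proxy. The module is now imported twice, as `from kimchi.config import paths` and `import kimchi.config as config`; one form is enough. This assumes `kimchi.config.config` is the parser built by `_get_config()` in config.py.in, which the hunk does not show — please confirm.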

On 10/03/2015 14:39, Frédéric Bonnard wrote:
From: Frederic Bonnard <frediz@linux.vnet.ibm.com>
Hi, I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html and it wasn't taking the option into account, here is some changes that worked for me.
Also, I think that the goal of disabling nginx in this patch is not to use kimchi directly, but to use another instance of nginx as I did or apache as Julien does.
I have some points on it: 1) If we allow the user to disable the nginx proxy we need to make sure the kimchi server will continue working as expected, whatever the user's reason for doing that. Based on that, please consider: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html 2) If the idea is to allow using another proxy instead of nginx, what are the options? How would users use them? How will Kimchi deal with them? Royce also comments on that: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009655.html Remember, Kimchi is focused on entry-level users, which means it must be easy and simple from installation/configuration time onward, and that affects all changes we do.
F.
--- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 8 +++++++- 5 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..09a4fcc 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
dist_doc_DATA = \ + apache.conf.ex \ API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ + + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in @@ -3,6 +3,9 @@ #
[server] +# Start the proxy service? +#run_proxy = on + # Hostname or IP address to listen on #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f2e1cac..41c5c89 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -287,6 +287,7 @@ class PluginConfig(dict): def _get_config(): config = SafeConfigParser() config.add_section("server") + config.set("server", "run_proxy", "on") config.set("server", "host", "0.0.0.0") config.set("server", "port", "8000") config.set("server", "ssl_port", "8001") diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py index fafa5bc..c8085dd 100644 --- a/src/kimchi/proxy.py +++ b/src/kimchi/proxy.py @@ -29,7 +29,7 @@ from string import Template
from kimchi import sslcert from kimchi.config import paths - +import kimchi.config as config
def _create_proxy_config(options): """Create nginx configuration file based on current ports config @@ -88,6 +88,9 @@ def _create_proxy_config(options):
def start_proxy(options): """Start nginx reverse proxy.""" + if config.config.get("server", "run_proxy") == 'off': + return + _create_proxy_config(options) config_dir = paths.conf_dir config_file = "%s/nginx_kimchi.conf" % config_dir @@ -97,5 +100,8 @@ def start_proxy(options):
def terminate_proxy(): """Stop nginx process.""" + if config.config.get("server", "run_proxy") == 'off': + return + term_proxy_cmd = ['nginx', '-s', 'stop'] subprocess.call(term_proxy_cmd)

On 12/03/15 02:50, Aline Manera wrote:
On 10/03/2015 14:39, Frédéric Bonnard wrote:
From: Frederic Bonnard <frediz@linux.vnet.ibm.com>
Hi, I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html and it wasn't taking the option into account, here is some changes that worked for me.
Also, I think that the goal of disabling nginx in this patch is not to use kimchi directly, but to use another instance of nginx as I did or apache as Julien does.
I have some points on it:
1) If we allow user to disable nginx proxy we need to make sure kimchi server will continue working as expected whatever is the user reason to do that.
As long as someone uses a proxy (or some other way to make it accessible like using it on a desktop, or SSH port forwards) Kimchi just works, there's nothing special about nginx.
Based on that, please consider: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html
WRT that the X-* options are sensible, but cherrypy shouldn't be setting HSTS since it can't know if it'll be proxied using TLS. Obviously for the websockets based console to work it'll need to be via TLS. I've updated my patch to include them and will resend it, I could also look at setting them on the Kimchi side as well.
2) If the idea is allow using other proxy instead of nginx, what are the options? How would user use them? How does Kimchi will deal with them?
Royce also comments on that: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009655.html
Remember, Kimchi is focused on entry level users which means it must be easy and simple since installation/configuration time and it affects all changes we do.
I don't think that's a real problem, the users likely to want to run their own proxy are those who would (predominantly at least) already know what they want to use, and how to configure it. Novice users will simply keep the default setting and continue using nginx unchanged. The inclusion of an apache2 configuration snippet is two-fold, first, it's the most common web server still and thus the most likely to be wanted as a proxy; second, being the most common it's common for other web servers to include a translation of apache terms in their documentation, or documents that others write.

Updated patch setting the missing anti-XSS headers. Julien Goodwin (2): Initial prototype, make nginx proxy optional. Add additional headers from: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html

Also includes an example apache config. Implements Issue #570 Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au> --- docs/Makefile.am | 1 + docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++ src/kimchi.conf.in | 3 +++ src/kimchi/config.py.in | 1 + src/kimchi/proxy.py | 6 ++++++ 5 files changed, 46 insertions(+) create mode 100644 docs/apache.conf.ex diff --git a/docs/Makefile.am b/docs/Makefile.am index 679aa18..eb8b396 100644 --- a/docs/Makefile.am +++ b/docs/Makefile.am @@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc dist_doc_DATA = \ + apache.conf.ex \ API.md \ README.md \ README-federation.md \ diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex new file mode 100644 index 0000000..cd26907 --- /dev/null +++ b/docs/apache.conf.ex @@ -0,0 +1,35 @@ +# Although not a supported configuration you can use apache to proxy kimchi traffic. +# Here is an example of the required configuration. +# This requires the following apache modules be enabled: +# - mod_proxy +# - mod_proxy_http +# - mod_ssl +# The port 80 redirect also requires mod_redirect +# HTTP STS (Strict Transport Security) also requires mod_headers +<VirtualHost *:443> + ServerName kimchi + + SSLEngine On + SSLCertificateFile /etc/kimchi/kimchi-cert.pem + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem + + ProxyRequests On + ProxyPass / http://127.0.0.1:8010/ + ProxyPassReverse / http://127.0.0.1:8010/ + + <Proxy http://127.0.0.1:8010/> + Require all granted + </Proxy> + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> + +<VirtualHost *:80> + ServerName kimchi + + Redirect / https://kimchi/ + + # HTTP STS + Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" +</VirtualHost> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in index 9f62ac0..e9e8628 100644 --- a/src/kimchi.conf.in +++ b/src/kimchi.conf.in 
@@ -3,6 +3,9 @@
 #
 [server]
+# Start the proxy service?
+#run_proxy = on
+
 # Hostname or IP address to listen on
 #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
 def _get_config():
 config = SafeConfigParser()
 config.add_section("server")
+ config.set("server", "run_proxy", "on")
 config.set("server", "host", "0.0.0.0")
 config.set("server", "port", "8000")
 config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
 term_proxy_cmd = ['nginx', '-s', 'stop']
 subprocess.call(term_proxy_cmd)
-- 2.1.4
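Review bot: `if options.run_proxy == 'off':` in start_proxy recognises only the literal string `off`, so a value such as `Off`, `no`, `false` or `0` in kimchi.conf silently keeps starting nginx while the administrator believes the proxy is disabled. Since the value originates from SafeConfigParser (the config.py.in hunk sets it as the string `"on"`), reading it with ConfigParser's `getboolean` at the point where it is copied onto `options`, or at least comparing `str(options.run_proxy).lower() == 'off'` here and in terminate_proxy, would make the setting behave like a boolean. The rest of start_proxy's body continues outside the hunk. The same hunks are resent unchanged in the v3 copy of this patch later in the thread.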

Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 docs/apache.conf.ex | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
index cd26907..32a1114 100644
--- a/docs/apache.conf.ex
+++ b/docs/apache.conf.ex
@@ -23,6 +23,10 @@
 # HTTP STS
 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+
+ Header always set X-Frame-Options "DENY"
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set X-XSS-Protection "1; mode=block"
 </VirtualHost>
 <VirtualHost *:80>
-- 2.1.4

On 17/03/15 16:30, Julien Goodwin wrote:
Updated patch setting the missing anti-xss headers.
I've finally got most of the test suite running on my laptop, and found various breakages due to this; the simpler hard-coded version worked fine since I wasn't using options. I'll hopefully have a v3 patch set in a few hours that does pass the tests. One notable thing that broke: the test suite makes its test requests via nginx with SSL, and python (at least in Debian) now does certificate validation by default, which broke a lot of the tests. I'll include a fix for that as well.

Updates the missing plumbing so the tests pass, and add an SSL fix to the tests. Julien Goodwin (4): Initial prototype, make nginx proxy optional. Add additonal headers from: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html Disable SSL certificate validation in tests. Various missing plumbing for nginx proxy disabling.

Also includes an example apache config. Implements Issue #570
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 docs/Makefile.am | 1 +
 docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
 src/kimchi.conf.in | 3 +++
 src/kimchi/config.py.in | 1 +
 src/kimchi/proxy.py | 6 ++++++
 5 files changed, 46 insertions(+)
 create mode 100644 docs/apache.conf.ex
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..eb8b396 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@ docdir = $(datadir)/kimchi/doc
 dist_doc_DATA = \
+ apache.conf.ex \
 API.md \
 README.md \
 README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+ ServerName kimchi
+
+ SSLEngine On
+ SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+ SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+ ProxyRequests On
+ ProxyPass / http://127.0.0.1:8010/
+ ProxyPassReverse / http://127.0.0.1:8010/
+
+ <Proxy http://127.0.0.1:8010/>
+ Require all granted
+ </Proxy>
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName kimchi
+
+ Redirect / https://kimchi/
+
+ # HTTP STS
+ Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
 #
 [server]
+# Start the proxy service?
+#run_proxy = on
+
 # Hostname or IP address to listen on
 #host = 0.0.0.0
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
 def _get_config():
 config = SafeConfigParser()
 config.add_section("server")
+ config.set("server", "run_proxy", "on")
 config.set("server", "host", "0.0.0.0")
 config.set("server", "port", "8000")
 config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..72497fe 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ if options.run_proxy == 'off':
+ return
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
+ if options.run_proxy == 'off':
+ return
+
 term_proxy_cmd = ['nginx', '-s', 'stop']
 subprocess.call(term_proxy_cmd)
-- 2.1.4

Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 docs/apache.conf.ex | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
index cd26907..32a1114 100644
--- a/docs/apache.conf.ex
+++ b/docs/apache.conf.ex
@@ -23,6 +23,10 @@
 # HTTP STS
 Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+
+ Header always set X-Frame-Options "DENY"
+ Header always set X-Content-Type-Options "nosniff"
+ Header always set X-XSS-Protection "1; mode=block"
 </VirtualHost>
 <VirtualHost *:80>
-- 2.1.4

It appears that python (at least in debian) now validates SSL certificats by default, add an sslcontext to explicitly disable this.
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 tests/utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/utils.py b/tests/utils.py
index 2a8929f..412487b 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -25,6 +25,7 @@ import httplib
 import json
 import os
 import socket
+import ssl
 import sys
 import time
 import threading
@@ -148,7 +149,9 @@ def _request(conn, path, data, method, headers):
 def request(host, port, path, data=None, method='GET', headers=None):
- conn = httplib.HTTPSConnection(host, port)
+ context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ context.verify_mode = ssl.CERT_NONE
+ conn = httplib.HTTPSConnection(host, port, context=context)
 return _request(conn, path, data, method, headers)
-- 2.1.4
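Review bot: `context.verify_mode = ssl.CERT_NONE` makes the test client accept any certificate, so the suite no longer notices if the nginx front end serves an invalid or unexpected certificate. Because the tests control the server's certificate, pointing the context at it with `context.load_verify_locations(<path to the test certificate>)` and leaving the mode at `CERT_REQUIRED` keeps that check while still avoiding the system trust store. `PROTOCOL_SSLv23` will also negotiate SSLv3 or SSLv2 where the client library still offers them, so `context.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3` restricts the test client to TLS and matches what the proxy should be configured to accept. The `_request` helper that `request` delegates to is outside the hunk.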

- terminate_proxy is called without options (and must be currently), so set a global flag for it
- Add the missing passthrough of the option to the command line parser
- And the options as provided in the test util
Signed-off-by: Julien Goodwin <jgoodwin@studio442.com.au>
---
 src/kimchi/proxy.py | 7 ++++++-
 src/kimchid.in | 1 +
 tests/utils.py | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index 72497fe..050365e 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -88,9 +88,13 @@ def _create_proxy_config(options):
 def start_proxy(options):
 """Start nginx reverse proxy."""
+ global run_proxy
 if options.run_proxy == 'off':
+ run_proxy = False
 return
+ run_proxy = True
+
 _create_proxy_config(options)
 config_dir = paths.conf_dir
 config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -100,7 +104,8 @@ def start_proxy(options):
 def terminate_proxy():
 """Stop nginx process."""
- if options.run_proxy == 'off':
+ global run_proxy
+ if not run_proxy:
 return
 term_proxy_cmd = ['nginx', '-s', 'stop']
diff --git a/src/kimchid.in b/src/kimchid.in
index 57dc3c8..f6b66cc 100644
--- a/src/kimchid.in
+++ b/src/kimchid.in
@@ -85,6 +85,7 @@ def main(options):
 config.config.set(sec, item, str(getattr(options, item)))
 # Add non-option arguments
+ setattr(options, 'run_proxy', config.config.get('server', 'run_proxy'))
 setattr(options, 'ssl_cert', config.config.get('server', 'ssl_cert'))
 setattr(options, 'ssl_key', config.config.get('server', 'ssl_key'))
 setattr(options, 'max_body_size',
diff --git a/tests/utils.py b/tests/utils.py
index 412487b..5428371 100644
--- a/tests/utils.py
+++ b/tests/utils.py
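Review bot: `global run_proxy` in start_proxy declares the flag, but nothing in the hunk initialises it at module level, so `if not run_proxy:` in terminate_proxy raises NameError whenever shutdown runs before start_proxy has assigned it (for example when start-up fails earlier); unless proxy.py already defines it outside this hunk, a module-level `run_proxy = False` next to the other module globals closes that gap and makes the default "do not try to stop nginx". The `global run_proxy` statement in terminate_proxy is unnecessary, since that function only reads the name. In the kimchid.in hunk, `config.config.getboolean('server', 'run_proxy')` would hand start_proxy a real boolean, so the `== 'off'` string test could become `if not options.run_proxy:` and values like `no` or `false` in kimchi.conf would be honoured. The remainder of start_proxy continues outside the first hunk.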
@@ -110,7 +110,7 @@ def run_server(host, port, ssl_port, test_mode, cherrypy_port=None,
 args = type('_', (object,), {'host': host, 'port': port, 'ssl_port': ssl_port, 'cherrypy_port': cherrypy_port, 'max_body_size': '4*1024',
- 'ssl_cert': '', 'ssl_key': '',
+ 'ssl_cert': '', 'ssl_key': '', 'run_proxy': 'on',
 'test': test_mode, 'access_log': '/dev/null', 'error_log': '/dev/null', 'environment': environment, 'log_level': 'debug'})()
-- 2.1.4

Were there any comments on this latest patch set? On 17/03/15 20:37, Julien Goodwin wrote:
Updates the missing plumbing so the tests pass, and add an SSL fix to the tests.
Julien Goodwin (4): Initial prototype, make nginx proxy optional. Add additonal headers from: http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html Disable SSL certificate validation in tests. Various missing plumbing for nginx proxy disabling.