[PATCH][Wok] Bug fix #175: Do not generate nginx conf file on the fly

--- .gitignore | 1 - Makefile.am | 3 ++ contrib/wok.spec.fedora.in | 1 - contrib/wok.spec.suse.in | 1 - src/nginx/Makefile.am | 7 ++-- src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++ src/nginx/wok.conf.in | 75 ------------------------------------------- src/wok.conf.in | 34 -------------------- src/wok/proxy.py | 45 -------------------------- 9 files changed, 85 insertions(+), 161 deletions(-) create mode 100644 src/nginx/wok.conf delete mode 100644 src/nginx/wok.conf.in diff --git a/.gitignore b/.gitignore index d06f936..10754f9 100644 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,6 @@ wok-*.tar.gz wok.spec src/wokd src/wok.conf -src/nginx/wok.conf src/wok/config.py tests/run_tests.sh tests/test_config.py diff --git a/Makefile.am b/Makefile.am index 5c8e69d..3754547 100644 --- a/Makefile.am +++ b/Makefile.am @@ -159,6 +159,8 @@ install-data-local: touch $(DESTDIR)/etc/nginx/conf.d/wok.conf mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd + mkdir -p $(DESTDIR)/etc/nginx/conf.d + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf uninstall-local: @if test -f $(systemdsystemunitdir)/wokd.service; then \ @@ -175,6 +177,7 @@ uninstall-local: $(RM) -rf $(DESTDIR)/etc/wok $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf $(RM) $(DESTDIR)/etc/logrotate.d/wokd + $(DESTDIR)/etc/nginx/conf.d/wok.conf VERSION: @if $(GIT) rev-parse &> /dev/null ; then \ diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in index fdf3484..c48899f 100644 --- a/contrib/wok.spec.fedora.in +++ b/contrib/wok.spec.fedora.in @@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo %{_datadir}/wok/ui/ %{_datadir}/wok -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ %{_sysconfdir}/logrotate.d/wokd diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in index 70c295b..283f9c3 100644 
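Review bot: The added `$(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf` in install-data-local duplicates the install that src/nginx/Makefile.am already performs through `dist_conf_DATA = wok.conf` with `confdir = $(sysconfdir)/nginx/conf.d`, and unlike that rule it hard-codes `/etc` instead of honouring `$(sysconfdir)`. The `touch $(DESTDIR)/etc/nginx/conf.d/wok.conf` kept in the context above only existed to create a placeholder for the file wokd used to generate at start-up, and in this hunk it now runs before the new `mkdir -p` of its own directory. I would drop both added lines and the `touch` and let the src/nginx rule own the file. The install-data-local target starts before this hunk, so an earlier line may already create the directory; check before relying on the ordering.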
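Review bot: After this hunk the visible `%files` context of the Fedora spec lists `%{_sysconfdir}/wok/wok.conf`, `%{_sysconfdir}/wok/` and `%{_sysconfdir}/logrotate.d/wokd` but not `%{_sysconfdir}/nginx/conf.d/wok.conf`, which `make install` now places under the build root via src/nginx/Makefile.am; unless that path is listed elsewhere in the spec, rpmbuild will reject the build with an unpackaged-file error (the SUSE spec in the same patch does list it). Because the file has become a static configuration that administrators edit by hand for certificate paths or the bind address, it should be packaged as `%config(noreplace) %{_sysconfdir}/nginx/conf.d/wok.conf` so that package upgrades do not silently revert those edits.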
--- a/contrib/wok.spec.suse.in +++ b/contrib/wok.spec.suse.in @@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/wok %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/nginx/conf.d/wok.conf %{_sysconfdir}/logrotate.d/wokd %{_var}/lib/wok/ diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am index a376a74..3a47a5f 100644 --- a/src/nginx/Makefile.am +++ b/src/nginx/Makefile.am @@ -1,7 +1,7 @@ # # Project Wok # -# Copyright IBM Corp, 2015 +# Copyright IBM Corp, 2015-2016 # # Code derived from Project Kimchi # @@ -19,9 +19,8 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA -EXTRA_DIST = wok.conf.in +EXTRA_DIST = wok.conf confdir = $(sysconfdir)/nginx/conf.d -dist_conf_DATA = wok.conf.in +dist_conf_DATA = wok.conf -CLEANFILES = wok.conf diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf new file mode 100644 index 0000000..d191746 --- /dev/null +++ b/src/nginx/wok.conf 
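Review bot: `%{_sysconfdir}/nginx/conf.d/wok.conf` stays listed as a plain file, but with this patch it changes from something wokd regenerated on every start into a static configuration an administrator edits for the certificate paths, bind address and ports, so a package upgrade would now overwrite those edits. Mark it `%config(noreplace) %{_sysconfdir}/nginx/conf.d/wok.conf` so local changes survive upgrades.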
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
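Review bot: The header comment `# This is a template file to be used to generate a nginx proxy config file at wokd script.` is exactly what this commit makes untrue, so it should be replaced with something like `# nginx proxy configuration for Wok. Installed verbatim to /etc/nginx/conf.d/wok.conf; edit the listen addresses, ports and ssl_certificate/ssl_certificate_key paths here and reload nginx.` Beyond the comment, `listen 0.0.0.0:8001 ssl;` and `listen 0.0.0.0:8000;` replace the former `${host_addr}` substitution, so the management UI can no longer be bound to a single interface without editing this file, and the unconditional second `server` block on port 8000 removes what the old `https_only` option provided, namely a way to not expose plain HTTP at all. `location /` and `location /websockify` also drop the `${server_root}` prefix even though the `server_root` option survives in src/wok.conf.in, so a configured server root would no longer be routed by the proxy. `ssl_protocols TLSv1.1 TLSv1.2;` is carried over unchanged, but now that this file is the operator-facing configuration I would drop the deprecated TLSv1.1 and ship `ssl_protocols TLSv1.2;`.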
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in deleted file mode 100644 index 5d2bb17..0000000 --- a/src/nginx/wok.conf.in +++ /dev/null 
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header 
Connection $connection_upgrade; - } -} - -${http_config} diff --git a/src/wok.conf.in b/src/wok.conf.in index 254f786..d3b7b2d 100644 --- a/src/wok.conf.in +++ b/src/wok.conf.in @@ -3,46 +3,12 @@ # [server] -# Hostname or IP address to listen on -#host = 0.0.0.0 - -# Port to listen on -#port = 8000 - -# Start an SSL-enabled server on the given port -#ssl_port = 8001 - -# Allow user disables HTTP port. In that case, all the connections -# will be done directly through HTTPS port (values: true|false) -#https_only = false - # Cherrypy server port #cherrypy_port = 8010 -# Port for websocket proxy to listen on -#websockets_port = 64667 - -# Number of minutes that a session can remain idle before the server -# terminates it automatically. -#session_timeout = 10 - -# The full path to an SSL Certificate or chain of certificates in -# PEM format. When a chain is used, the server's certificate must be -# the first certificate in the file with the chain concatenated into -# the end of that certificate. If left unspecified, Wok will generate -# a self-signed certificate automatically. -#ssl_cert = - -# The corresponding private key in PEM format for the SSL Certificate supplied -# above. If left blank, Wok will generate a self-signed certificate. -#ssl_key = - # Running environment of the server #environment = production -# Max request body size in KB, default value is 4GB -#max_body_size = 4 * 1024 * 1024 - # Wok server root. Set the following variable to configure any relative path to # the server. For example, to have Wok pointing to https://localhost:8001/wok/ # uncomment the following: diff --git a/src/wok/proxy.py b/src/wok/proxy.py index 5f646e4..1c11b9b 100644 --- a/src/wok/proxy.py +++ b/src/wok/proxy.py @@ -25,8 +25,6 @@ # and configure the Nginx proxy. import os -import pwd -from string import Template from wok import sslcert from wok.config import paths 
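Review bot: The src/wok.conf.in hunk leaves the `server_root` option and its comment `# ... to have Wok pointing to https://localhost:8001/wok/ uncomment the following:` in place, but the nginx file this patch ships hard-codes `location /` and `location /websockify`, so uncommenting it would make cherrypy serve under /wok/ while nginx keeps proxying the root; either remove `server_root` together with the other proxy-only options or reword its comment to say that /etc/nginx/conf.d/wok.conf must be edited to match. The removed `ssl_cert`/`ssl_key` entries were also the only documented way to use a CA-issued certificate, and the new nginx file reads fixed paths under /etc/wok, which the user can no longer discover from this file; I would add in their place `# The TLS certificate and key are read by nginx from /etc/wok/wok-cert.pem and /etc/wok/wok-key.pem; edit /etc/nginx/conf.d/wok.conf to use a different pair.`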
@@ -53,17 +51,6 @@ def _create_proxy_config(options): Arguments: options - OptionParser object with Wok config options """ - # User that will run the worker process of the proxy. Fedora, - # RHEL and Suse creates an user called 'nginx' when installing - # the proxy. Ubuntu creates an user 'www-data' for it. - user_proxy = None - user_list = ('nginx', 'www-data', 'http') - sys_users = [p.pw_name for p in pwd.getpwall()] - common_users = list(set(user_list) & set(sys_users)) - if len(common_users) == 0: - raise Exception("No common user found") - else: - user_proxy = common_users[0] config_dir = paths.conf_dir nginx_config_dir = paths.nginx_conf_dir cert = options.ssl_cert 
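Review bot: With the template generation gone, `nginx_config_dir = paths.nginx_conf_dir` in this hunk's context appears to have no remaining reader, since its only uses were in the removed block that opened wok.conf.in and wrote wok.conf; it should be deleted (`config_dir` may still be used by the symlink code later in the function, so verify before touching that one). The same context keeps `cert = options.ssl_cert` while the patch deletes the `ssl_cert` and `ssl_key` entries from src/wok.conf.in, so unless config.py still supplies defaults for both, this line will raise AttributeError at start-up. `_create_proxy_config` begins before this hunk and ends after it.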
@@ -81,38 +68,6 @@ def _create_proxy_config(options): with open(key, "w") as f: f.write(ssl_gen.key_pem()) - # Setting up Diffie-Hellman group with 2048-bit file - dhparams_pem = os.path.join(config_dir, "dhparams.pem") - - http_config = '' - if options.https_only == 'false': - http_config = HTTP_CONFIG % {'host_addr': options.host, - 'proxy_port': options.port, - 'proxy_ssl_port': options.ssl_port, - 'rel_path': options.server_root} - - # Read template file and create a new config file - # with the specified parameters. - with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template: - data = template.read() - data = Template(data) - data = data.safe_substitute(user=user_proxy, - host_addr=options.host, - proxy_ssl_port=options.ssl_port, - http_config=http_config, - cherrypy_port=options.cherrypy_port, - websockets_port=options.websockets_port, - cert_pem=cert, cert_key=key, - max_body_size=eval(options.max_body_size), - session_timeout=options.session_timeout, - dhparams_pem=dhparams_pem, - server_root=options.server_root) - - # Write file to be used for nginx. - config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w") - config_file.write(data) - config_file.close() - # If not running from the installed path (from a cloned and builded source # code), create a symbolic link in system's dir to prevent errors on read # SSL certifications. -- 2.7.4
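Review bot: The private key written just above this hunk, `with open(key, "w") as f: f.write(ssl_gen.key_pem())`, is created with the process umask, which under the usual 022 leaves the key world-readable, and since nginx now reads it from the fixed path /etc/wok/wok-key.pem this is the only place the permissions are decided. This is pre-existing, but as the function is being reworked I would create the file with `fd = os.open(key, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and `with os.fdopen(fd, "w") as f:`. The removed block was also the only visible reference to `HTTP_CONFIG`; if that module-level constant still exists elsewhere in proxy.py it is now dead and should go with this patch. The enclosing function continues past the hunk.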

Hi Ramon: You also need to update the files below to reflect those changes: - wokd.in - docs/wokd.8.in - src/wok/config.py.in And more comments below: On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
--- .gitignore | 1 - Makefile.am | 3 ++ contrib/wok.spec.fedora.in | 1 - contrib/wok.spec.suse.in | 1 - src/nginx/Makefile.am | 7 ++-- src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++ src/nginx/wok.conf.in | 75 ------------------------------------------- src/wok.conf.in | 34 -------------------- src/wok/proxy.py | 45 -------------------------- 9 files changed, 85 insertions(+), 161 deletions(-) create mode 100644 src/nginx/wok.conf delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore index d06f936..10754f9 100644 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,6 @@ wok-*.tar.gz wok.spec src/wokd src/wok.conf -src/nginx/wok.conf src/wok/config.py tests/run_tests.sh tests/test_config.py diff --git a/Makefile.am b/Makefile.am index 5c8e69d..3754547 100644 --- a/Makefile.am +++ b/Makefile.am @@ -159,6 +159,8 @@ install-data-local: touch $(DESTDIR)/etc/nginx/conf.d/wok.conf mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd + mkdir -p $(DESTDIR)/etc/nginx/conf.d + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local: @if test -f $(systemdsystemunitdir)/wokd.service; then \ @@ -175,6 +177,7 @@ uninstall-local: $(RM) -rf $(DESTDIR)/etc/wok $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf $(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing
VERSION: @if $(GIT) rev-parse &> /dev/null ; then \ diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in index fdf3484..c48899f 100644 --- a/contrib/wok.spec.fedora.in +++ b/contrib/wok.spec.fedora.in @@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo %{_datadir}/wok/ui/ %{_datadir}/wok -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ %{_sysconfdir}/logrotate.d/wokd diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in index 70c295b..283f9c3 100644 --- a/contrib/wok.spec.suse.in +++ b/contrib/wok.spec.suse.in @@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/wok %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/nginx/conf.d/wok.conf %{_sysconfdir}/logrotate.d/wokd %{_var}/lib/wok/ diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am index a376a74..3a47a5f 100644 --- a/src/nginx/Makefile.am +++ b/src/nginx/Makefile.am @@ -1,7 +1,7 @@ # # Project Wok # -# Copyright IBM Corp, 2015 +# Copyright IBM Corp, 2015-2016 # # Code derived from Project Kimchi # @@ -19,9 +19,8 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in +EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d -dist_conf_DATA = wok.conf.in +dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf new file mode 100644 index 0000000..d191746 --- /dev/null +++ b/src/nginx/wok.conf 
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in deleted file mode 100644 index 5d2bb17..0000000 --- a/src/nginx/wok.conf.in +++ /dev/null 
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header 
Connection $connection_upgrade; - } -} - -${http_config} diff --git a/src/wok.conf.in b/src/wok.conf.in index 254f786..d3b7b2d 100644 --- a/src/wok.conf.in +++ b/src/wok.conf.in @@ -3,46 +3,12 @@ #
[server] -# Hostname or IP address to listen on -#host = 0.0.0.0 - -# Port to listen on -#port = 8000 -
-# Start an SSL-enabled server on the given port -#ssl_port = 8001 -
The ssl_port is being used by /config API so we will need to keep it there too.
-# Allow user disables HTTP port. In that case, all the connections -# will be done directly through HTTPS port (values: true|false) -#https_only = false - # Cherrypy server port #cherrypy_port = 8010
-# Port for websocket proxy to listen on -#websockets_port = 64667
We will need to keep websockets_port as it is needed by the /config API and so that Kimchi knows on which port to launch websockify.
- -# Number of minutes that a session can remain idle before the server -# terminates it automatically. -#session_timeout = 10 - -# The full path to an SSL Certificate or chain of certificates in -# PEM format. When a chain is used, the server's certificate must be -# the first certificate in the file with the chain concatenated into -# the end of that certificate. If left unspecified, Wok will generate -# a self-signed certificate automatically. -#ssl_cert = - -# The corresponding private key in PEM format for the SSL Certificate supplied -# above. If left blank, Wok will generate a self-signed certificate. -#ssl_key = - # Running environment of the server #environment = production
-# Max request body size in KB, default value is 4GB -#max_body_size = 4 * 1024 * 1024 - # Wok server root. Set the following variable to configure any relative path to # the server. For example, to have Wok pointing to https://localhost:8001/wok/ # uncomment the following: diff --git a/src/wok/proxy.py b/src/wok/proxy.py index 5f646e4..1c11b9b 100644 --- a/src/wok/proxy.py +++ b/src/wok/proxy.py @@ -25,8 +25,6 @@ # and configure the Nginx proxy.
import os -import pwd -from string import Template
from wok import sslcert from wok.config import paths @@ -53,17 +51,6 @@ def _create_proxy_config(options): Arguments: options - OptionParser object with Wok config options """ - # User that will run the worker process of the proxy. Fedora, - # RHEL and Suse creates an user called 'nginx' when installing - # the proxy. Ubuntu creates an user 'www-data' for it. - user_proxy = None - user_list = ('nginx', 'www-data', 'http') - sys_users = [p.pw_name for p in pwd.getpwall()] - common_users = list(set(user_list) & set(sys_users)) - if len(common_users) == 0: - raise Exception("No common user found") - else: - user_proxy = common_users[0] config_dir = paths.conf_dir nginx_config_dir = paths.nginx_conf_dir cert = options.ssl_cert @@ -81,38 +68,6 @@ def _create_proxy_config(options): with open(key, "w") as f: f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file - dhparams_pem = os.path.join(config_dir, "dhparams.pem") - - http_config = '' - if options.https_only == 'false': - http_config = HTTP_CONFIG % {'host_addr': options.host, - 'proxy_port': options.port, - 'proxy_ssl_port': options.ssl_port, - 'rel_path': options.server_root} - - # Read template file and create a new config file - # with the specified parameters. - with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template: - data = template.read() - data = Template(data) - data = data.safe_substitute(user=user_proxy, - host_addr=options.host, - proxy_ssl_port=options.ssl_port, - http_config=http_config, - cherrypy_port=options.cherrypy_port, - websockets_port=options.websockets_port, - cert_pem=cert, cert_key=key, - max_body_size=eval(options.max_body_size), - session_timeout=options.session_timeout, - dhparams_pem=dhparams_pem, - server_root=options.server_root) - - # Write file to be used for nginx. - config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w") - config_file.write(data) - config_file.close() - # If not running from the installed path (from a cloned and builded source # code), create a symbolic link in system's dir to prevent errors on read # SSL certifications.

On 11/01/2016 01:43 PM, Aline Manera wrote:
Hi Ramon:
You also need to update the files below to reflect those changes: - wokd.in - docs/wokd.8.in - src/wok/config.py.in
And more comments below:
On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
--- .gitignore | 1 - Makefile.am | 3 ++ contrib/wok.spec.fedora.in | 1 - contrib/wok.spec.suse.in | 1 - src/nginx/Makefile.am | 7 ++-- src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++ src/nginx/wok.conf.in | 75 ------------------------------------------- src/wok.conf.in | 34 -------------------- src/wok/proxy.py | 45 -------------------------- 9 files changed, 85 insertions(+), 161 deletions(-) create mode 100644 src/nginx/wok.conf delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore index d06f936..10754f9 100644 --- a/.gitignore +++ b/.gitignore @@ -31,7 +31,6 @@ wok-*.tar.gz wok.spec src/wokd src/wok.conf -src/nginx/wok.conf src/wok/config.py tests/run_tests.sh tests/test_config.py diff --git a/Makefile.am b/Makefile.am index 5c8e69d..3754547 100644 --- a/Makefile.am +++ b/Makefile.am @@ -159,6 +159,8 @@ install-data-local: touch $(DESTDIR)/etc/nginx/conf.d/wok.conf mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd + mkdir -p $(DESTDIR)/etc/nginx/conf.d + $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local: @if test -f $(systemdsystemunitdir)/wokd.service; then \ @@ -175,6 +177,7 @@ uninstall-local: $(RM) -rf $(DESTDIR)/etc/wok $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf $(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing
VERSION: @if $(GIT) rev-parse &> /dev/null ; then \ diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in index fdf3484..c48899f 100644 --- a/contrib/wok.spec.fedora.in +++ b/contrib/wok.spec.fedora.in @@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo %{_datadir}/wok/ui/ %{_datadir}/wok -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ %{_sysconfdir}/logrotate.d/wokd diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in index 70c295b..283f9c3 100644 --- a/contrib/wok.spec.suse.in +++ b/contrib/wok.spec.suse.in @@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/wok %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ -%{_sysconfdir}/nginx/conf.d/wok.conf.in %{_sysconfdir}/nginx/conf.d/wok.conf %{_sysconfdir}/logrotate.d/wokd %{_var}/lib/wok/ diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am index a376a74..3a47a5f 100644 --- a/src/nginx/Makefile.am +++ b/src/nginx/Makefile.am @@ -1,7 +1,7 @@ # # Project Wok # -# Copyright IBM Corp, 2015 +# Copyright IBM Corp, 2015-2016 # # Code derived from Project Kimchi # @@ -19,9 +19,8 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in +EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d -dist_conf_DATA = wok.conf.in +dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf new file mode 100644 index 0000000..d191746 --- /dev/null +++ b/src/nginx/wok.conf 
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in deleted file mode 100644 index 5d2bb17..0000000 --- a/src/nginx/wok.conf.in +++ /dev/null 
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header 
Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..d3b7b2d 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,12 @@ #
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
The ssl_port is being used by the /config API so we will need to keep it there too.
Maybe it is also good to rename it to nginx_port
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port #cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
We will need to keep websockets_port as it is needed by the /config API and so that Kimchi knows on which port to launch websockify
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server #environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to # the server. For example, to have Wok pointing to https://localhost:8001/wok/ # uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@ # and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options): Arguments: options - OptionParser object with Wok config options """
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir nginx_config_dir = paths.nginx_conf_dir cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options): with open(key, "w") as f: f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source # code), create a symbolic link in system's dir to prevent errors on read # SSL certifications.

On 11/01/2016 01:43 PM, Aline Manera wrote:
Hi Ramon:
You also need to update the files below to reflect those changes: - wokd.in - docs/wokd.8.in - src/wok/config.py.in
And more comments below:
On 11/01/2016 01:33 PM, Ramon Medeiros wrote:
--- .gitignore | 1 - Makefile.am | 3 ++ contrib/wok.spec.fedora.in | 1 - contrib/wok.spec.suse.in | 1 - src/nginx/Makefile.am | 7 ++-- src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++ src/nginx/wok.conf.in | 75 ------------------------------------------- src/wok.conf.in | 34 -------------------- src/wok/proxy.py | 45 -------------------------- 9 files changed, 85 insertions(+), 161 deletions(-) create mode 100644 src/nginx/wok.conf delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz wok.spec src/wokd src/wok.conf
-src/nginx/wok.conf
src/wok/config.py tests/run_tests.sh tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..3754547 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local: touch $(DESTDIR)/etc/nginx/conf.d/wok.conf mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local: @if test -f $(systemdsystemunitdir)/wokd.service; then \
@@ -175,6 +177,7 @@ uninstall-local: $(RM) -rf $(DESTDIR)/etc/wok $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf $(RM) $(DESTDIR)/etc/logrotate.d/wokd
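Review bot: The added `$(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf` in install-data-local appears to duplicate what automake already does for `dist_conf_DATA = wok.conf` with `confdir = $(sysconfdir)/nginx/conf.d` in src/nginx/Makefile.am, so the file is installed twice and the two copies diverge whenever sysconfdir is not /etc; keep one of the two. The pre-existing `touch $(DESTDIR)/etc/nginx/conf.d/wok.conf` at the top of the hunk is also now redundant and runs before the new `mkdir -p`, so it is best dropped. The install-data-local target continues outside the hunk, and the same hunk is quoted again further down the thread.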
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
The $(RM) is missing I did not add RM because it already exists:
$(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf (now wok.conf.in does not exist)
VERSION:
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
The ssl_port is being used by the /config API so we will need to keep it there too.
OK
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port #cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
We will need to keep websockets_port as it is needed by the /config API and so that Kimchi knows on which port to launch websockify
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server #environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to # the server. For example, to have Wok pointing to https://localhost:8001/wok/ # uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@ # and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options): Arguments: options - OptionParser object with Wok config options """
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir nginx_config_dir = paths.nginx_conf_dir cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options): with open(key, "w") as f: f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source # code), create a symbolic link in system's dir to prevent errors on read # SSL certifications.
-- Ramon Nunes Medeiros Kimchi Developer Linux Technology Center Brazil IBM Systems & Technology Group Phone : +55 19 2132 7878 ramonn@br.ibm.com

On 01/11/2016 13:33, Ramon Medeiros wrote:
--- .gitignore | 1 - Makefile.am | 3 ++ contrib/wok.spec.fedora.in | 1 - contrib/wok.spec.suse.in | 1 - src/nginx/Makefile.am | 7 ++-- src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++ src/nginx/wok.conf.in | 75 ------------------------------------------- src/wok.conf.in | 34 -------------------- src/wok/proxy.py | 45 -------------------------- 9 files changed, 85 insertions(+), 161 deletions(-) create mode 100644 src/nginx/wok.conf delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz wok.spec src/wokd src/wok.conf
-src/nginx/wok.conf
src/wok/config.py tests/run_tests.sh tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..3754547 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local: touch $(DESTDIR)/etc/nginx/conf.d/wok.conf mkdir -p $(DESTDIR)/etc/logrotate.d/ $(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local: @if test -f $(systemdsystemunitdir)/wokd.service; then \
@@ -175,6 +177,7 @@ uninstall-local: $(RM) -rf $(DESTDIR)/etc/wok $(RM) $(DESTDIR)/etc/nginx/conf.d/wok.conf $(RM) $(DESTDIR)/etc/logrotate.d/wokd
+ $(DESTDIR)/etc/nginx/conf.d/wok.conf
missing $(RM)
VERSION: @if $(GIT) rev-parse &> /dev/null ; then \
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fdf3484..c48899f 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT %{_prefix}/share/locale/*/LC_MESSAGES/wok.mo %{_datadir}/wok/ui/ %{_datadir}/wok
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/ %{_sysconfdir}/logrotate.d/wokd
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index 70c295b..283f9c3 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/wok %{_sysconfdir}/wok/wok.conf %{_sysconfdir}/wok/
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/nginx/conf.d/wok.conf %{_sysconfdir}/logrotate.d/wokd %{_var}/lib/wok/
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index a376a74..3a47a5f 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -1,7 +1,7 @@ # # Project Wok #
-# Copyright IBM Corp, 2015
+# Copyright IBM Corp, 2015-2016
# # Code derived from Project Kimchi #
@@ -19,9 +19,8 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in
+EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d
-dist_conf_DATA = wok.conf.in
+dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf
diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
new file mode 100644
index 0000000..d191746
--- /dev/null
+++ b/src/nginx/wok.conf
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
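Review bot: The header comment `# This is a template file to be used to generate a nginx proxy config file at wokd script.` is now wrong, since this file is installed verbatim as /etc/nginx/conf.d/wok.conf; replace it with `# Static nginx proxy configuration for Wok, installed as /etc/nginx/conf.d/wok.conf.`. The second `server { listen 0.0.0.0:8000; ... }` block is now unconditional, whereas the removed proxy.py code emitted the plain-HTTP listener only when `options.https_only == 'false'`, so deployments that had disabled the HTTP port silently get an extra exposed listener back (it only redirects to HTTPS, but that should be stated in the commit message and the option removal documented). The certificate, key and dhparam paths are hard-coded under /etc/wok/ while the surviving context in proxy.py still reads `cert = options.ssl_cert` and writes the generated key itself, so a non-default path set there presumably no longer reaches nginx, and nothing visible in this series creates /etc/wok/dhparams.pem, without which nginx will refuse to load the config; the two sides need to agree on one fixed location. Since the file is now static and hand-maintained, this is also the moment to drop `TLSv1.1` from `ssl_protocols` and the `DES-CBC3-SHA` and `CAMELLIA` entries from `ssl_ciphers`.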
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
deleted file mode 100644
index 5d2bb17..0000000
--- a/src/nginx/wok.conf.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header 
Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..d3b7b2d 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,12 @@ #
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
-
# Cherrypy server port #cherrypy_port = 8010
-# Port for websocket proxy to listen on
-#websockets_port = 64667
-
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server #environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to # the server. For example, to have Wok pointing to https://localhost:8001/wok/ # uncomment the following:
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@ # and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options): Arguments: options - OptionParser object with Wok config options """
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir nginx_config_dir = paths.nginx_conf_dir cert = options.ssl_cert
@@ -81,38 +68,6 @@ def _create_proxy_config(options): with open(key, "w") as f: f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source # code), create a symbolic link in system's dir to prevent errors on read # SSL certifications.
-- Lucio Correia Software Engineer IBM LTC Brazil