Hi Jason,
Sorry about the late reply! I usually reply fast on kimchi-devel ML :-)
Let me try to explain the content of /etc/nginx/conf.d/wok.conf
I am not sure exactly which version you are using, but the current
upstream file content is
https://github.com/kimchi-project/wok/blob/master/src/nginx/wok.conf
I will take it as reference.
As you can see in this file, there are 2 server instances described
there: lines 28 and 79.
The server on line 28 is for HTTPS access and is properly defined as
0.0.0.0 on port 8001
The server on line 79 is for HTTP access and it is also properly defined
as 0.0.0.0 on port 8000.
The HTTP server will *always* redirect the requests to HTTPS.
The lines 24-26 are for websockets connection and should not be exposed
outside, i.e., it should run on localhost and be proxied by nginx to the right
port.
So you should not change it to 0.0.0.0.
The lines 52-62 describe what to do on requests received.
There you will see '127.0.0.1:8010' because it is where the cherrypy
instance launched by Wok is running. You should not change it to 0.0.0.0
because you will expose the whole API which runs as root to outside
which is bad IMO. :-)
So basically, you should not change the content of
/etc/nginx/conf.d/wok.conf unless you want to change the ports to listen on.
The SELinux configuration needed to expose the server outside is really
needed and is described at
https://github.com/kimchi-project/wok/blob/master/docs/troubleshooting.md
I hope all that helps you understand how things work together.
Please let me know if you have any other doubts or feedback.
Regards,
Aline Manera
On 05/04/2017 10:40 PM, Jason Jack wrote:
Kimchi Dev,
I didn't want to post an issue, because I solved it, but I think it'd
be useful to post a README update on how to update Wok to listen on
all network devices so as to be accessed outside of localhost.
I was able to do so by updating /etc/nginx/conf.d/wok.conf to change
127.0.0.1 to 0.0.0.0 and then updating semanage rules:
(on CentOS 7)
sudo systemctl stop wokd
sudo systemctl stop nginx
sudo sed -ri 's/127.0.0.1/0.0.0.0/g' /etc/nginx/conf.d/wok.conf
sudo semanage port -a -t http_port_t -p tcp 8001
sudo semanage port -a -t http_port_t -p tcp 8010
sudo semanage port -m -t http_port_t -p tcp 8000
sudo systemctl start wokd
Then after accessing from another machine I had to accept the SSL
certificates first, where it redirected me to
http://127.0.0.1:8010/login.html, which was confusing. After
going back to
https://my-kimchi-host:8001 the login page successfully
loaded.
I found this confusing and couldn't find any documentation or guide.
I think others may find this information useful. Should I post this
to the issue board for feedback?
Sincerely,
Jason
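
The distinction drawn in the reply above, between nginx listen addresses (which may be 0.0.0.0) and backend addresses (which stay on 127.0.0.1), as a config check. This is an added example, not part of the original thread or of Wok; the sample config is constructed, its websocket port is a placeholder, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Wok code): find loopback backends in an nginx wok.conf
# that a blanket 127.0.0.1 -> 0.0.0.0 substitution rewrote.

# Constructed sample config. Ports 8000, 8001 and 8010 are from the thread;
# the websocket upstream port is a made-up placeholder.
sample_wok_conf() {
cat <<'EOF'
upstream websocket {
    server 127.0.0.1:64667;
}
server {
    listen 0.0.0.0:8001 ssl;
    location / {
        proxy_pass http://127.0.0.1:8010;
        proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
    }
}
server {
    listen 0.0.0.0:8000;
    rewrite ^/(.*)$ https://$host:8001/$1 redirect;
}
EOF
}

# audit_wok_conf FILE
# Prints "LINENO: directive" for each backend address set to 0.0.0.0 and
# returns 1 if any were found. "listen 0.0.0.0:PORT" lines are not flagged.
audit_wok_conf() {
    awk '
        function flag(    l) {
            l = $0; sub(/^[ \t]+/, "", l)
            print NR ": " l; found = 1
        }
        { sub(/#.*/, "") }                       # ignore comments
        /^[ \t]*upstream[ \t]/ { in_upstream = 1 }
        in_upstream && /^[ \t]*server[ \t]+0\.0\.0\.0/ { flag() }
        /^[ \t]*proxy_(pass|redirect)[ \t].*0\.0\.0\.0/ { flag() }
        in_upstream && /}/ { in_upstream = 0 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}
```

Run it as `audit_wok_conf /etc/nginx/conf.d/wok.conf`; no output and exit status 0 mean every upstream and proxy target still points at loopback.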