[Kimchi-devel] [PATCH] Initial prototype, make nginx proxy optional.
Aline Manera
alinefm at linux.vnet.ibm.com
Fri Feb 6 13:52:47 UTC 2015
On 04/02/2015 18:08, Julien Goodwin wrote:
> On 04/02/15 00:24, Royce Lv wrote:
>> Since apache reverse proxy configuration is included in this patch,
>> so I suppose you would like to substitute nginx with apache?
>> Would you please compare these reverse proxies in a single mail so that we
>> can know why we want to choose it?
> Personal preference really, many sites run a httpd on machines anyway,
> often one integrated with an SSO auth system (see one of my other
> feature requests), allowing them to run what they're used to is nice.
>
> Also the apache config is more boilerplate, all practical users will
> change this for their purposes, users where the generic would be fine
> will almost certainly just use the integrated proxy anyway.
>
>> If we just want to give user another choice of reverse proxy,
>> I suggest we make "run_proxy" an enum so user can assign it to "apache",
>> "nginx" or "none".
> I don't really think it makes sense to automatically launch multiple
> proxy types, it's enough to offer a way so the normal nginx proxy can be
> disabled so it's not taking up listening ports.
If the idea is only to allow disabling the nginx proxy, why should we
include an apache example?
>> To be a completed patch, we may want to include a testcase to test if
>> the reverse proxy works.
> Hmm, possibly. My next patch set after this one will be a variety of
> fixups to the test suite as I'd like to be able to run them cleanly on
> my laptop which can't have a running libvirt (due to "reasons").
>
> This is actually stalled while I muse about how best to deal with some
> core bits in the model that call exit directly instead of raising
> exceptions on some types of errors.
>
>> Some inline comments below:
>> On 02/03/2015 08:21 PM, Julien Goodwin wrote:
>>> Also includes an example apache config.
>>>
>>> Implements Issue #570
>>>
>>> Signed-off-by: Julien Goodwin <jgoodwin at studio442.com.au>
>>> ---
>>> docs/Makefile.am | 1 +
>>> docs/apache.conf.ex | 35 +++++++++++++++++++++++++++++++++++
>>> src/kimchi.conf.in | 3 +++
>>> src/kimchi/config.py.in | 1 +
>>> src/kimchi/proxy.py | 6 ++++++
>>> 5 files changed, 46 insertions(+)
>>> create mode 100644 docs/apache.conf.ex
>>>
>>> diff --git a/docs/Makefile.am b/docs/Makefile.am
>>> index 679aa18..eb8b396 100644
>>> --- a/docs/Makefile.am
>>> +++ b/docs/Makefile.am
>>> @@ -20,6 +20,7 @@
>>> docdir = $(datadir)/kimchi/doc
>>>
>>> dist_doc_DATA = \
>>> + apache.conf.ex \
>> I hope we can include a runnable configuration and install it to the
>> right place rather than just an example.
>>> API.md \
>>> README.md \
>>> README-federation.md \
>>> diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
>>> new file mode 100644
>>> index 0000000..cd26907
>>> --- /dev/null
>>> +++ b/docs/apache.conf.ex
>>> @@ -0,0 +1,35 @@
>>> +# Although not a supported configuration you can use apache to proxy
>>> kimchi traffic.
>>> +# Here is an example of the required configuration.
>>> +# This requires the following apache modules be enabled:
>>> +# - mod_proxy
>>> +# - mod_proxy_http
>>> +# - mod_ssl
>>> +# The port 80 redirect also requires mod_redirect
>>> +# HTTP STS (Strict Transport Security) also requires mod_headers
>>> +<VirtualHost *:443>
>>> + ServerName kimchi
>>> +
>>> + SSLEngine On
>>> + SSLCertificateFile /etc/kimchi/kimchi-cert.pem
>>> + SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
>>> +
>>> + ProxyRequests On
>> Could you explain why we set "ProxyRequests" to "on" here? AFAIK, "off"
>> is used to prevent anyone else from using apache as an anonymous proxy.
>>> + ProxyPass / http://127.0.0.1:8010/
>>> + ProxyPassReverse / http://127.0.0.1:8010/
>> Hope we can use variable rather than hard code, we may use port other
>> than 8010
>>> +
>>> + <Proxy http://127.0.0.1:8010/>
>>> + Require all granted
>>> + </Proxy>
>>> +
>>> + # HTTP STS
>>> + Header always set Strict-Transport-Security
>>> "max-age=31536000; includeSubdomains;"
>>> +</VirtualHost>
>>> +
>>> +<VirtualHost *:80>
>>> + ServerName kimchi
>>> +
>>> + Redirect / https://kimchi/
>>> +
>>> + # HTTP STS
>>> + Header always set Strict-Transport-Security
>>> "max-age=31536000; includeSubdomains;"
>>> +</VirtualHost>
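Review bot: `ProxyRequests On` in the `*:443` vhost turns on forward proxying, which a reverse proxy built from `ProxyPass`/`ProxyPassReverse` does not need; set it to `ProxyRequests Off` so the example cannot be copied into an open proxy. Two smaller points in the same file: the header comment names `mod_redirect`, but the `Redirect` directive is provided by mod_alias, and the `Strict-Transport-Security` header in the `*:80` vhost has no effect because browsers only honour it when it arrives over HTTPS, so it can be dropped there.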
>>> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
>>> index 9f62ac0..e9e8628 100644
>>> --- a/src/kimchi.conf.in
>>> +++ b/src/kimchi.conf.in
>>> @@ -3,6 +3,9 @@
>>> #
>>>
>>> [server]
>>> +# Start the proxy service?
>>> +#run_proxy = on
>>> +
>>> # Hostname or IP address to listen on
>>> #host = 0.0.0.0
>>>
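Review bot: The comment `# Start the proxy service?` does not document the accepted values or what switching the option off means for the operator. Suggest stating that the values are `on` and `off`, and that with `off` kimchi no longer starts nginx, so any reverse proxy in front of it has to be set up separately (as in docs/apache.conf.ex).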
>>> diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
>>> index f2e1cac..41c5c89 100644
>>> --- a/src/kimchi/config.py.in
>>> +++ b/src/kimchi/config.py.in
>>> @@ -287,6 +287,7 @@ class PluginConfig(dict):
>>> def _get_config():
>>> config = SafeConfigParser()
>>> config.add_section("server")
>>> + config.set("server", "run_proxy", "on")
>>> config.set("server", "host", "0.0.0.0")
>>> config.set("server", "port", "8000")
>>> config.set("server", "ssl_port", "8001")
>>> diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
>>> index fafa5bc..72497fe 100644
>>> --- a/src/kimchi/proxy.py
>>> +++ b/src/kimchi/proxy.py
>>> @@ -88,6 +88,9 @@ def _create_proxy_config(options):
>>>
>>> def start_proxy(options):
>>> """Start nginx reverse proxy."""
>>> + if options.run_proxy == 'off':
>>> + return
>>> +
>>> _create_proxy_config(options)
>>> config_dir = paths.conf_dir
>>> config_file = "%s/nginx_kimchi.conf" % config_dir
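Review bot: The check `options.run_proxy == 'off'` in `start_proxy` is an exact, case-sensitive string match, so values such as `Off`, `false` or `no` leave nginx running without any warning. Suggest parsing the setting as a boolean once when the configuration is read and testing that here, and updating the docstring to say the function is a no-op when the proxy is disabled.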
>>> @@ -97,5 +100,8 @@ def start_proxy(options):
>>>
>>> def terminate_proxy():
>>> """Stop nginx process."""
>>> + if options.run_proxy == 'off':
>>> + return
>>> +
>>> term_proxy_cmd = ['nginx', '-s', 'stop']
>>> subprocess.call(term_proxy_cmd)
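Review bot: `terminate_proxy()` takes no arguments, yet the added check reads `options.run_proxy`; unless `options` exists at module level in proxy.py, this raises NameError at shutdown. Suggest passing `options` in, as `start_proxy(options)` does, or recording in `start_proxy` whether nginx was actually started and checking that flag here.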
>> _______________________________________________
>> Kimchi-devel mailing list
>> Kimchi-devel at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel