[Kimchi-devel] [PATCH] Issue #<570: Make nginx proxy optional

Frédéric Bonnard frediz at linux.vnet.ibm.com
Tue Mar 10 17:39:24 UTC 2015


From: Frederic Bonnard <frediz at linux.vnet.ibm.com>

Hi,
I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html
and it wasn't taking the option into account, here is some changes that worked for me.

Also, I think that the goal of disabling nginx in this patch is not to use kimchi
directly, but to use another instance of nginx as I did or apache as Julien does.

F.

---
 docs/Makefile.am        |  1 +
 docs/apache.conf.ex     | 35 +++++++++++++++++++++++++++++++++++
 src/kimchi.conf.in      |  3 +++
 src/kimchi/config.py.in |  1 +
 src/kimchi/proxy.py     |  8 +++++++-
 5 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 docs/apache.conf.ex

diff --git a/docs/Makefile.am b/docs/Makefile.am
index 679aa18..09a4fcc 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -20,6 +20,7 @@
 docdir = $(datadir)/kimchi/doc
 
 dist_doc_DATA = \
+	apache.conf.ex \
 	API.md \
 	README.md \
 	README-federation.md \
diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
new file mode 100644
index 0000000..cd26907
--- /dev/null
+++ b/docs/apache.conf.ex
@@ -0,0 +1,35 @@
+# Although not a supported configuration you can use apache to proxy kimchi traffic.
+# Here is an example of the required configuration.
+# This requires the following apache modules be enabled:
+# - mod_proxy
+# - mod_proxy_http
+# - mod_ssl
+# The port 80 redirect also requires mod_redirect
+# HTTP STS (Strict Transport Security) also requires mod_headers
+<VirtualHost *:443>
+        ServerName kimchi
+
+        SSLEngine On
+        SSLCertificateFile /etc/kimchi/kimchi-cert.pem
+        SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
+
+        ProxyRequests On
+        ProxyPass / http://127.0.0.1:8010/
+        ProxyPassReverse / http://127.0.0.1:8010/
+
+        <Proxy http://127.0.0.1:8010/>
+                Require all granted
+        </Proxy>
+
+        # HTTP STS
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
+
+<VirtualHost *:80>
+        ServerName kimchi
+
+        Redirect / https://kimchi/
+
+        # HTTP STS
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+</VirtualHost>
diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
index 9f62ac0..e9e8628 100644
--- a/src/kimchi.conf.in
+++ b/src/kimchi.conf.in
@@ -3,6 +3,9 @@
 #
 
 [server]
+# Start the proxy service?
+#run_proxy = on
+
 # Hostname or IP address to listen on
 #host = 0.0.0.0
 
diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
index f2e1cac..41c5c89 100644
--- a/src/kimchi/config.py.in
+++ b/src/kimchi/config.py.in
@@ -287,6 +287,7 @@ class PluginConfig(dict):
 def _get_config():
     config = SafeConfigParser()
     config.add_section("server")
+    config.set("server", "run_proxy", "on")
     config.set("server", "host", "0.0.0.0")
     config.set("server", "port", "8000")
     config.set("server", "ssl_port", "8001")
diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
index fafa5bc..c8085dd 100644
--- a/src/kimchi/proxy.py
+++ b/src/kimchi/proxy.py
@@ -29,7 +29,7 @@ from string import Template
 
 from kimchi import sslcert
 from kimchi.config import paths
-
+import kimchi.config as config
 
 def _create_proxy_config(options):
     """Create nginx configuration file based on current ports config
@@ -88,6 +88,9 @@ def _create_proxy_config(options):
 
 def start_proxy(options):
     """Start nginx reverse proxy."""
+    if config.config.get("server", "run_proxy") == 'off':
+        return
+
     _create_proxy_config(options)
     config_dir = paths.conf_dir
     config_file = "%s/nginx_kimchi.conf" % config_dir
@@ -97,5 +100,8 @@ def start_proxy(options):
 
 def terminate_proxy():
     """Stop nginx process."""
+    if config.config.get("server", "run_proxy") == 'off':
+        return
+
     term_proxy_cmd = ['nginx', '-s', 'stop']
     subprocess.call(term_proxy_cmd)
-- 
1.9.1




More information about the Kimchi-devel mailing list