[Kimchi-devel] [PATCH] Issue #<570: Make nginx proxy optional

Aline Manera alinefm at linux.vnet.ibm.com
Wed Mar 11 15:50:35 UTC 2015 


On 10/03/2015 14:39, Frédéric Bonnard wrote:
> From: Frederic Bonnard <frediz at linux.vnet.ibm.com>
>
> Hi,
> I'm using the patch from Julien for this one : http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009840.html
> and it wasn't taking the option into account, here is some changes that worked for me.
>
> Also, I think that the goal of disabling nginx in this patch is not to use kimchi
> directly, but to use another instance of nginx as I did or apache as Julien does.

I have some points on it:

1) If we allow user to disable nginx proxy we need to make sure kimchi 
server will continue working as expected whatever is the user reason to 
do that.

Based on that, please consider: 
http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009705.html

2) If the idea is allow using other proxy instead of nginx, what are the 
options? How would user use them? How does Kimchi will deal with them?

Royce also comments on that: 
http://lists.ovirt.org/pipermail/kimchi-devel/2015-February/009655.html

Remember, Kimchi is focused on entry level users which means it must be 
easy and simple since installation/configuration time and it affects all 
changes we do.

> F.
>
> ---
>   docs/Makefile.am        |  1 +
>   docs/apache.conf.ex     | 35 +++++++++++++++++++++++++++++++++++
>   src/kimchi.conf.in      |  3 +++
>   src/kimchi/config.py.in |  1 +
>   src/kimchi/proxy.py     |  8 +++++++-
>   5 files changed, 47 insertions(+), 1 deletion(-)
>   create mode 100644 docs/apache.conf.ex
>
> diff --git a/docs/Makefile.am b/docs/Makefile.am
> index 679aa18..09a4fcc 100644
> --- a/docs/Makefile.am
> +++ b/docs/Makefile.am
> @@ -20,6 +20,7 @@
>   docdir = $(datadir)/kimchi/doc
>
>   dist_doc_DATA = \
> +	apache.conf.ex \
>   	API.md \
>   	README.md \
>   	README-federation.md \
> diff --git a/docs/apache.conf.ex b/docs/apache.conf.ex
> new file mode 100644
> index 0000000..cd26907
> --- /dev/null
> +++ b/docs/apache.conf.ex
> @@ -0,0 +1,35 @@
> +# Although not a supported configuration you can use apache to proxy kimchi traffic.
> +# Here is an example of the required configuration.
> +# This requires the following apache modules be enabled:
> +# - mod_proxy
> +# - mod_proxy_http
> +# - mod_ssl
> +# The port 80 redirect also requires mod_redirect
> +# HTTP STS (Strict Transport Security) also requires mod_headers
> +<VirtualHost *:443>
> +        ServerName kimchi
> +
> +        SSLEngine On
> +        SSLCertificateFile /etc/kimchi/kimchi-cert.pem
> +        SSLCertificateKeyFile /etc/kimchi/kimchi-key.pem
> +
> +        ProxyRequests On
> +        ProxyPass / http://127.0.0.1:8010/
> +        ProxyPassReverse / http://127.0.0.1:8010/
> +
> +        <Proxy http://127.0.0.1:8010/>
> +                Require all granted
> +        </Proxy>
> +
> +        # HTTP STS
> +        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
> +</VirtualHost>
> +
> +<VirtualHost *:80>
> +        ServerName kimchi
> +
> +        Redirect / https://kimchi/
> +
> +        # HTTP STS
> +        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
> +</VirtualHost>
> diff --git a/src/kimchi.conf.in b/src/kimchi.conf.in
> index 9f62ac0..e9e8628 100644
> --- a/src/kimchi.conf.in
> +++ b/src/kimchi.conf.in
> @@ -3,6 +3,9 @@
>   #
>
>   [server]
> +# Start the proxy service?
> +#run_proxy = on
> +
>   # Hostname or IP address to listen on
>   #host = 0.0.0.0
>
> diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in
> index f2e1cac..41c5c89 100644
> --- a/src/kimchi/config.py.in
> +++ b/src/kimchi/config.py.in
> @@ -287,6 +287,7 @@ class PluginConfig(dict):
>   def _get_config():
>       config = SafeConfigParser()
>       config.add_section("server")
> +    config.set("server", "run_proxy", "on")
>       config.set("server", "host", "0.0.0.0")
>       config.set("server", "port", "8000")
>       config.set("server", "ssl_port", "8001")
> diff --git a/src/kimchi/proxy.py b/src/kimchi/proxy.py
> index fafa5bc..c8085dd 100644
> --- a/src/kimchi/proxy.py
> +++ b/src/kimchi/proxy.py
> @@ -29,7 +29,7 @@ from string import Template
>
>   from kimchi import sslcert
>   from kimchi.config import paths
> -
> +import kimchi.config as config
>
>   def _create_proxy_config(options):
>       """Create nginx configuration file based on current ports config
> @@ -88,6 +88,9 @@ def _create_proxy_config(options):
>
>   def start_proxy(options):
>       """Start nginx reverse proxy."""
> +    if config.config.get("server", "run_proxy") == 'off':
> +        return
> +
>       _create_proxy_config(options)
>       config_dir = paths.conf_dir
>       config_file = "%s/nginx_kimchi.conf" % config_dir
> @@ -97,5 +100,8 @@ def start_proxy(options):
>
>   def terminate_proxy():
>       """Stop nginx process."""
> +    if config.config.get("server", "run_proxy") == 'off':
> +        return
> +
>       term_proxy_cmd = ['nginx', '-s', 'stop']
>       subprocess.call(term_proxy_cmd)

More information about the Kimchi-devel mailing list