[Kimchi-devel] [PATCH v2][Wok] Bug fix #175: Do not generate nginx conf file on the fly
Ramon Medeiros
ramonn at linux.vnet.ibm.com
Thu Nov 3 12:55:49 UTC 2016
---
Changes:
v2:
Correct typos in Makefile.am
Change wokd.in and docs
.gitignore | 1 -
Makefile.am | 2 ++
contrib/wok.spec.fedora.in | 1 -
contrib/wok.spec.suse.in | 1 -
docs/wokd.8.in | 16 +++-------
src/nginx/Makefile.am | 7 ++--
src/nginx/wok.conf | 79 ++++++++++++++++++++++++++++++++++++++++++++++
src/nginx/wok.conf.in | 75 -------------------------------------------
src/wok.conf.in | 33 ++-----------------
src/wok/config.py.in | 2 +-
src/wok/proxy.py | 45 --------------------------
src/wokd.in | 21 +-----------
12 files changed, 94 insertions(+), 189 deletions(-)
create mode 100644 src/nginx/wok.conf
delete mode 100644 src/nginx/wok.conf.in
diff --git a/.gitignore b/.gitignore
index d06f936..10754f9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ wok-*.tar.gz
wok.spec
src/wokd
src/wok.conf
-src/nginx/wok.conf
src/wok/config.py
tests/run_tests.sh
tests/test_config.py
diff --git a/Makefile.am b/Makefile.am
index 5c8e69d..1609034 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -159,6 +159,8 @@ install-data-local:
touch $(DESTDIR)/etc/nginx/conf.d/wok.conf
mkdir -p $(DESTDIR)/etc/logrotate.d/
$(INSTALL_DATA) $(top_srcdir)/src/wok.logrotate $(DESTDIR)/etc/logrotate.d/wokd
+ mkdir -p $(DESTDIR)/etc/nginx/conf.d
+ $(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)/etc/nginx/conf.d/wok.conf
uninstall-local:
@if test -f $(systemdsystemunitdir)/wokd.service; then \
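Review bot: The two added `mkdir -p` / `$(INSTALL_DATA)` lines duplicate what `src/nginx/Makefile.am` already does in this same patch — `dist_conf_DATA = wok.conf` with `confdir = $(sysconfdir)/nginx/conf.d` installs the same file to the same place, so `install-data-local` now copies it a second time, and only the automake rule honours `$(sysconfdir)` while this one hard-codes `/etc`. The pre-existing `touch $(DESTDIR)/etc/nginx/conf.d/wok.conf` just above them existed to create the formerly generated file and is now dead weight in front of a real install. I would drop these two lines together with the `touch`, or if an explicit install is wanted here, write `$(INSTALL_DATA) $(top_srcdir)/src/nginx/wok.conf $(DESTDIR)$(sysconfdir)/nginx/conf.d/wok.conf` and remove the `touch`. The `install-data-local` target starts before this hunk and `uninstall-local` continues after it; whether the latter removes the now-installed `wok.conf` is not visible here and is worth checking.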
diff --git a/contrib/wok.spec.fedora.in b/contrib/wok.spec.fedora.in
index fdf3484..c48899f 100644
--- a/contrib/wok.spec.fedora.in
+++ b/contrib/wok.spec.fedora.in
@@ -114,7 +114,6 @@ rm -rf $RPM_BUILD_ROOT
%{_prefix}/share/locale/*/LC_MESSAGES/wok.mo
%{_datadir}/wok/ui/
%{_datadir}/wok
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
%{_sysconfdir}/logrotate.d/wokd
diff --git a/contrib/wok.spec.suse.in b/contrib/wok.spec.suse.in
index 70c295b..283f9c3 100644
--- a/contrib/wok.spec.suse.in
+++ b/contrib/wok.spec.suse.in
@@ -93,7 +93,6 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/wok
%{_sysconfdir}/wok/wok.conf
%{_sysconfdir}/wok/
-%{_sysconfdir}/nginx/conf.d/wok.conf.in
%{_sysconfdir}/nginx/conf.d/wok.conf
%{_sysconfdir}/logrotate.d/wokd
%{_var}/lib/wok/
diff --git a/docs/wokd.8.in b/docs/wokd.8.in
index c7a6f3f..d4ca062 100644
--- a/docs/wokd.8.in
+++ b/docs/wokd.8.in
@@ -3,10 +3,10 @@
Kimchi \- HTML5 based management tool for KVM
.SH SYNOPSIS
.B kimchid
-[\fB-h\fP|\fB--help\fP] [\fB--host\fP \fIhost\fP] [\fB--port\fP \fIport\fP]
-[\fB--ssl-port\fP \fIssl_port\fP] [\fB--cherrypy_port\fP \fIcherrypy_port\fP]
-[\fB--log-level\fP \fIlog_level\fP] [\fB--access-log\fP \fIaccess_log\fP]
-[\fB--error-log\fP \fIerror_log\fP] [\fB--environment\fP \fIenvironment\fP]
+[\fB-h\fP|\fB--help\fP] [\fB--nginx-port\fP \fInginx_port\fP]
+[\fB--cherrypy_port\fP \fIcherrypy_port\fP] [\fB--log-level\fP \fIlog_level\fP]
+[\fB--access-log\fP \fIaccess_log\fP] [\fB--error-log\fP \fIerror_log\fP]
+[\fB--environment\fP \fIenvironment\fP]
.SH DESCRIPTION
\fBKimchi\fP is an HTML5 based management tool for KVM. It is designed to make
it as easy as possible to get started with KVM and create your first guest.
@@ -19,13 +19,7 @@ The following options are supported:
\fB\-h\fP , \fB\-\-help\fP
Show this help message and exit.
.TP
-\fB\-\-host\fP \fIhost\fP
-Specify the hostname or IP to listen on.
-.TP
-\fB\-\-port\fP \fIport\fP
-Specify the HTTP port (default \fI8000\fP).
-.TP
-\fB\-\-ssl-port\fP \fIssl_port\fP
+\fB\-\-nginx-port\fP \fInginx_port\fP
Specify the HTTPS port (default \fI8001\fP).
.TP
\fB\-\-cherrypy_port\fP \fIcherrypy_port\fP
diff --git a/src/nginx/Makefile.am b/src/nginx/Makefile.am
index a376a74..3a47a5f 100644
--- a/src/nginx/Makefile.am
+++ b/src/nginx/Makefile.am
@@ -1,7 +1,7 @@
#
# Project Wok
#
-# Copyright IBM Corp, 2015
+# Copyright IBM Corp, 2015-2016
#
# Code derived from Project Kimchi
#
@@ -19,9 +19,8 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-EXTRA_DIST = wok.conf.in
+EXTRA_DIST = wok.conf
confdir = $(sysconfdir)/nginx/conf.d
-dist_conf_DATA = wok.conf.in
+dist_conf_DATA = wok.conf
-CLEANFILES = wok.conf
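Review bot: `EXTRA_DIST = wok.conf` is redundant now that the file is listed as `dist_conf_DATA = wok.conf`; the `dist_` prefix already puts it in the tarball, so the `EXTRA_DIST` line can be deleted rather than renamed. Dropping `CLEANFILES = wok.conf` is correct here since the file is no longer generated, but the top-level `Makefile.am` in this same patch also installs this file by hand, so one of the two install paths should go.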
diff --git a/src/nginx/wok.conf b/src/nginx/wok.conf
new file mode 100644
index 0000000..d191746
--- /dev/null
+++ b/src/nginx/wok.conf
@@ -0,0 +1,79 @@
+# Project Wok
+#
+# Copyright IBM Corp, 2016
+#
+# Code derived from Project Kimchi
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+# 02110-1301 USA
+
+# This is a template file to be used to generate a nginx
+# proxy config file at wokd script.
+
+client_max_body_size 4194304k;
+
+# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
+# when Wok is processing a request.
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+
+upstream websocket {
+ server 127.0.0.1:64667;
+}
+
+server {
+ listen 0.0.0.0:8001 ssl;
+
+ ssl_certificate /etc/wok/wok-cert.pem;
+ ssl_certificate_key /etc/wok/wok-key.pem;
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam /etc/wok/dhparams.pem;
+ ssl_session_timeout 10m;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_pass http://127.0.0.1:8010;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_redirect http://127.0.0.1:8010/ https://$host:8001/;
+ }
+
+ location /websockify {
+ proxy_pass http://websocket;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
+
+server {
+ listen 0.0.0.0:8000;
+ rewrite ^/(.*)$ https://$host:8001/$1 redirect;
+}
+
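Review bot: The static file hard-codes every value the removed template took from `[server]` — `listen 0.0.0.0:8001`, `proxy_pass http://127.0.0.1:8010`, `server 127.0.0.1:64667` and `location /` — while `nginx_port`, `cherrypy_port`, `websockets_port` and `server_root` stay configurable in `src/wok.conf.in` and are still read by `src/wokd.in` in this patch, so changing any of them now silently breaks the proxy instead of reconfiguring it; either the option comments in `src/wok.conf.in` must state that this nginx file has to be edited to match, or the ports should keep being derived from the config. The `https_only` knob disappears with nothing replacing it, so the plain-HTTP listener on port 8000 can no longer be turned off, and `host` no longer restricts the bind address, which is a regression for installs that relied on either. The header comment `# This is a template file to be used to generate a nginx proxy config file at wokd script.` is now false and should read something like `# Static nginx reverse-proxy configuration for Wok; listen/upstream ports must match [server] in /etc/wok/wok.conf.` Separately, the carried-over `ssl_protocols TLSv1.1 TLSv1.2;` and the cipher string still allow TLS 1.1, 3DES (`DES-CBC3-SHA`) and non-PFS RSA suites; now that the file is static and shipped as-is, `ssl_protocols TLSv1.2;` with only the ECDHE/DHE AES-GCM entries would be the safer default.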
diff --git a/src/nginx/wok.conf.in b/src/nginx/wok.conf.in
deleted file mode 100644
index 5d2bb17..0000000
--- a/src/nginx/wok.conf.in
+++ /dev/null
@@ -1,75 +0,0 @@
-# Project Wok
-#
-# Copyright IBM Corp, 2015-2016
-#
-# Code derived from Project Kimchi
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
-# 02110-1301 USA
-
-# This is a template file to be used to generate a nginx
-# proxy config file at wokd script.
-
-client_max_body_size ${max_body_size}k;
-
-# Set timeout, based on configuration values, to avoid the 504 Gateway Timeout
-# when Wok is processing a request.
-proxy_connect_timeout ${session_timeout}m;
-proxy_send_timeout ${session_timeout}m;
-proxy_read_timeout ${session_timeout}m;
-send_timeout ${session_timeout}m;
-
-map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
-}
-
-upstream websocket {
- server 127.0.0.1:${websockets_port};
-}
-
-server {
- listen ${host_addr}:${proxy_ssl_port} ssl;
-
- ssl_certificate ${cert_pem};
- ssl_certificate_key ${cert_key};
- ssl_protocols TLSv1.1 TLSv1.2;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:@STRENGTH';
- ssl_prefer_server_ciphers on;
- ssl_dhparam ${dhparams_pem};
- ssl_session_timeout ${session_timeout}m;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
-
- location ${server_root}/ {
- proxy_pass http://127.0.0.1:${cherrypy_port};
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_redirect http://127.0.0.1:${cherrypy_port}/ https://$host:${proxy_ssl_port}${server_root}/;
- }
-
- location ${server_root}/websockify {
- proxy_pass http://websocket;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- }
-}
-
-${http_config}
diff --git a/src/wok.conf.in b/src/wok.conf.in
index 254f786..1d26e8c 100644
--- a/src/wok.conf.in
+++ b/src/wok.conf.in
@@ -3,46 +3,19 @@
#
[server]
-# Hostname or IP address to listen on
-#host = 0.0.0.0
-
-# Port to listen on
-#port = 8000
-
-# Start an SSL-enabled server on the given port
-#ssl_port = 8001
-
-# Allow user disables HTTP port. In that case, all the connections
-# will be done directly through HTTPS port (values: true|false)
-#https_only = false
# Cherrypy server port
#cherrypy_port = 8010
+# Start an SSL-enabled server on the given port
+#nginx_port = 8001
+
# Port for websocket proxy to listen on
#websockets_port = 64667
-# Number of minutes that a session can remain idle before the server
-# terminates it automatically.
-#session_timeout = 10
-
-# The full path to an SSL Certificate or chain of certificates in
-# PEM format. When a chain is used, the server's certificate must be
-# the first certificate in the file with the chain concatenated into
-# the end of that certificate. If left unspecified, Wok will generate
-# a self-signed certificate automatically.
-#ssl_cert =
-
-# The corresponding private key in PEM format for the SSL Certificate supplied
-# above. If left blank, Wok will generate a self-signed certificate.
-#ssl_key =
-
# Running environment of the server
#environment = production
-# Max request body size in KB, default value is 4GB
-#max_body_size = 4 * 1024 * 1024
-
# Wok server root. Set the following variable to configure any relative path to
# the server. For example, to have Wok pointing to https://localhost:8001/wok/
# uncomment the following:
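Review bot: The `ssl_cert` / `ssl_key` entries and their explanation are removed here, yet `src/wok/proxy.py` in this same patch still reads `options.ssl_cert` (a context line of its second hunk) and the new static `src/nginx/wok.conf` pins `/etc/wok/wok-cert.pem` and `/etc/wok/wok-key.pem`; so either the option still works but is now undocumented, or a custom certificate path can no longer take effect — the comment block should say which. If the options are truly gone, the sentence `If left unspecified, Wok will generate a self-signed certificate automatically.` is worth keeping somewhere under `[server]` so operators know where the certificate comes from. The new `# Start an SSL-enabled server on the given port` wording for `nginx_port` also overstates what the value does now that nginx's `listen` port is not derived from it; `# HTTPS port nginx listens on; must match the listen directive in /etc/nginx/conf.d/wok.conf` would be accurate.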
diff --git a/src/wok/config.py.in b/src/wok/config.py.in
index f1167f4..3e67269 100644
--- a/src/wok/config.py.in
+++ b/src/wok/config.py.in
@@ -263,7 +263,7 @@ def _get_config():
config.add_section("server")
config.set("server", "host", "0.0.0.0")
config.set("server", "port", "8000")
- config.set("server", "ssl_port", "8001")
+ config.set("server", "nginx_port", "8001")
config.set("server", "https_only", "false")
config.set("server", "cherrypy_port", "8010")
config.set("server", "websockets_port", "64667")
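Review bot: The defaults for `host`, `port` and `https_only` on the surrounding context lines are still registered although this patch removes those keys from `src/wok.conf.in` and drops their readers in `src/wokd.in` and `src/wok/proxy.py`, leaving a `host = 0.0.0.0` default that nothing acts on; they should be removed here too, or a comment should state which component still consumes them. Renaming `ssl_port` to `nginx_port` also means an existing `/etc/wok/wok.conf` that sets `ssl_port` now silently falls back to 8001 rather than erroring; a one-line comment such as `# "ssl_port" was renamed to "nginx_port"; old files are ignored silently` next to the `config.set` would save the next maintainer a surprise. `_get_config` starts before this hunk.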
diff --git a/src/wok/proxy.py b/src/wok/proxy.py
index 5f646e4..1c11b9b 100644
--- a/src/wok/proxy.py
+++ b/src/wok/proxy.py
@@ -25,8 +25,6 @@
# and configure the Nginx proxy.
import os
-import pwd
-from string import Template
from wok import sslcert
from wok.config import paths
@@ -53,17 +51,6 @@ def _create_proxy_config(options):
Arguments:
options - OptionParser object with Wok config options
"""
- # User that will run the worker process of the proxy. Fedora,
- # RHEL and Suse creates an user called 'nginx' when installing
- # the proxy. Ubuntu creates an user 'www-data' for it.
- user_proxy = None
- user_list = ('nginx', 'www-data', 'http')
- sys_users = [p.pw_name for p in pwd.getpwall()]
- common_users = list(set(user_list) & set(sys_users))
- if len(common_users) == 0:
- raise Exception("No common user found")
- else:
- user_proxy = common_users[0]
config_dir = paths.conf_dir
nginx_config_dir = paths.nginx_conf_dir
cert = options.ssl_cert
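Review bot: With the template rendering removed, `_create_proxy_config` no longer creates any proxy configuration — from the visible lines it only resolves the certificate path and writes the key via `ssl_gen.key_pem()` — so the name and the docstring (`options - OptionParser object with Wok config options`) now describe the old behaviour. I would open the docstring with `Ensure the SSL certificate and key the static nginx config expects exist; the nginx configuration itself is no longer written here.` and consider a rename once callers are updated. `nginx_config_dir = paths.nginx_conf_dir` appears to lose its last use in this patch unless the symlink code further down still reads it; if not, it should go. The function starts before this hunk.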
@@ -81,38 +68,6 @@ def _create_proxy_config(options):
with open(key, "w") as f:
f.write(ssl_gen.key_pem())
- # Setting up Diffie-Hellman group with 2048-bit file
- dhparams_pem = os.path.join(config_dir, "dhparams.pem")
-
- http_config = ''
- if options.https_only == 'false':
- http_config = HTTP_CONFIG % {'host_addr': options.host,
- 'proxy_port': options.port,
- 'proxy_ssl_port': options.ssl_port,
- 'rel_path': options.server_root}
-
- # Read template file and create a new config file
- # with the specified parameters.
- with open(os.path.join(nginx_config_dir, "wok.conf.in")) as template:
- data = template.read()
- data = Template(data)
- data = data.safe_substitute(user=user_proxy,
- host_addr=options.host,
- proxy_ssl_port=options.ssl_port,
- http_config=http_config,
- cherrypy_port=options.cherrypy_port,
- websockets_port=options.websockets_port,
- cert_pem=cert, cert_key=key,
- max_body_size=eval(options.max_body_size),
- session_timeout=options.session_timeout,
- dhparams_pem=dhparams_pem,
- server_root=options.server_root)
-
- # Write file to be used for nginx.
- config_file = open(os.path.join(nginx_config_dir, "wok.conf"), "w")
- config_file.write(data)
- config_file.close()
-
# If not running from the installed path (from a cloned and builded source
# code), create a symbolic link in system's dir to prevent errors on read
# SSL certifications.
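Review bot: The removed `dhparams_pem = os.path.join(config_dir, "dhparams.pem")` derived the DH parameter path from `paths.conf_dir`, whereas the new static `src/nginx/wok.conf` pins `/etc/wok/dhparams.pem` (and likewise the certificate and key); if the parameters are still generated into `config_dir` elsewhere, the "not running from the installed path" case the following comment describes will point nginx at files that do not exist, unless the symlink below covers `dhparams.pem` as well — that is not visible from here. A short comment at this point, e.g. `# nginx expects wok-cert.pem, wok-key.pem and dhparams.pem under /etc/wok; see src/nginx/wok.conf`, would document the coupling now that the paths are no longer substituted. Removing the `eval(options.max_body_size)` call is a welcome side effect of this hunk.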
diff --git a/src/wokd.in b/src/wokd.in
index c1b302c..5552b79 100644
--- a/src/wokd.in
+++ b/src/wokd.in
@@ -43,37 +43,18 @@ def main(options):
if not os.geteuid() == 0:
sys.exit("\nMust be root to run this script. Exiting ...\n")
- host = config.config.get("server", "host")
- port = config.config.get("server", "port")
- ssl_port = config.config.get("server", "ssl_port")
- https_only = config.config.get("server", "https_only")
+ ssl_port = config.config.get("server", "nginx_port")
cherrypy_port = config.config.get("server", "cherrypy_port")
- websockets_port = config.config.get("server", "websockets_port")
- session_timeout = config.config.get("server", "session_timeout")
runningEnv = config.config.get("server", "environment")
server_root = config.config.get("server", "server_root")
logDir = config.config.get("logging", "log_dir")
logLevel = config.config.get("logging", "log_level")
parser = OptionParser()
- parser.add_option('--host', type="string", default=host,
- help="Hostname to listen on")
- parser.add_option('--port', type="int", default=port,
- help="Port to listen on (default %s)" % port)
parser.add_option('--ssl-port', type="int", default=ssl_port,
help="Port to enable SSL (default %s)" % ssl_port)
- parser.add_option('--https_only', type="choice", default=https_only,
- choices=['false', 'true'],
- help="Disable HTTP port (default %s)" % ssl_port)
parser.add_option('--cherrypy_port', type="int", default=cherrypy_port,
help="Cherrypy server port (default %s)" % cherrypy_port)
- parser.add_option('--websockets_port', type="int", default=websockets_port,
- help="Websockets port to listen on (default %s)" %
- websockets_port)
- parser.add_option('--session_timeout', type="int", default=session_timeout,
- help="Number of minutes that a session can remain idle "
- "before the server terminates it automatically. "
- "(default %s)" % session_timeout)
parser.add_option('--log-level', default=logLevel,
help="Logging level")
parser.add_option('--access-log',
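Review bot: The retained `--ssl-port` option contradicts `docs/wokd.8.in` in this same patch, which now documents `--nginx-port`; one of the two must change, and since the config key was renamed to `nginx_port` the flag should follow, e.g. `parser.add_option('--nginx-port', dest='ssl_port', type="int", default=ssl_port,` with `help="nginx HTTPS port (default %s)" % ssl_port)`, keeping `dest='ssl_port'` so any remaining readers of `options.ssl_port` keep working. Since the nginx file is static now, neither this option nor `--cherrypy_port` can influence the proxy any more; if `options.ssl_port` has no other consumer after this patch, the help text should say the value is informational or the option should be dropped. `main` continues past the end of this hunk.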
--
2.7.4