[Kimchi-users] Wok Feedback
Aline Manera
alinefm at linux.vnet.ibm.com
Tue Jul 11 14:36:38 UTC 2017
Hi Jason,

Sorry about the late reply! I usually reply fast on kimchi-devel ML :-)

Let me try to explain the content of /etc/nginx/conf.d/wok.conf.
I am not sure exactly which version you are using, but the current
upstream file content is
https://github.com/kimchi-project/wok/blob/master/src/nginx/wok.conf
I will take it as a reference.

As you can see in this file, there are 2 server instances described
there: lines 28 and 79.
The server on line 28 is for HTTPS access and is properly defined as
0.0.0.0 on port 8001.
The server on line 79 is for HTTP access and it is also properly defined
as 0.0.0.0 on port 8000.
The HTTP server will *always* redirect the requests to HTTPS.

Lines 24-26 are for the websocket connection and should not be exposed
outside, i.e., it should run on localhost and be proxied by nginx to the
right port.
So you should not change it to 0.0.0.0.

Lines 52-62 describe what to do with the requests received.
There you will see '127.0.0.1:8010' because it is where the cherrypy
instance launched by Wok is running. You should not change it to 0.0.0.0
because you will expose the whole API, which runs as root, to the outside,
which is bad IMO. :-)

So basically, you should not change the content of
/etc/nginx/conf.d/wok.conf unless you want to change the ports to listen on.

The SELinux configuration needed to expose the server outside is really
needed and is described at
https://github.com/kimchi-project/wok/blob/master/docs/troubleshooting.md

I hope all of that helps you understand how things work together.
Please let me know of any other doubts or feedback.

Regards,
Aline Manera

On 05/04/2017 10:40 PM, Jason Jack wrote:
> Kimchi Dev,
>
> I didn't want to post an issue, because I solved it, but I think it'd
> be useful to post a README update on how to update Wok to listen on
> all network devices so as to be accessed outside of localhost.
>
> I was able to do so by updating /etc/nginx/conf.d/wok.conf to change
> 127.0.0.1 to 0.0.0.0 and then updating semanage rules:
>
> (on CentOS 7)
>
> sudo systemctl stop wokd
> sudo systemctl stop nginx
> sudo sed -ri 's/127.0.0.1/0.0.0.0/g' /etc/nginx/conf.d/wok.conf
> sudo semanage port -a -t http_port_t -p tcp 8001
> sudo semanage port -a -t http_port_t -p tcp 8010
> sudo semanage port -m -t http_port_t -p tcp 8000
> sudo systemctl start wokd
>
> Then after accessing from another machine I had to accept the SSL
> certificates first, where it redirected me to
> http://127.0.0.1:8010/login.html, which was confusing. Back after
> going back to https://my-kimchi-host:8001 the login page successfully
> loaded.
>
> I found this confusing and couldn't find any documentation or guide.
> I think others may find this information useful. Should I post this
> to the issue board for feedback?
>
> Sincerely,
> Jason
>
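
Added example, not part of the original message and not code from the Wok project: a check for the guidance in the reply above, that only `listen` lines carry 0.0.0.0 while the websocket upstream and the `proxy_pass` target stay on loopback. The sample config is constructed from the description in the message (the websocket port 9999 is a placeholder), and the function names are hypothetical.

```python
import re

# Constructed sample that follows the layout described in the message. It is
# NOT the upstream wok.conf; the websocket port 9999 is a placeholder.
SAMPLE_CONF = """\
upstream websocket {
    server 127.0.0.1:9999;
}
server {
    listen 0.0.0.0:8001 ssl;
    location / {
        proxy_pass http://127.0.0.1:8010;
    }
}
server {
    listen 0.0.0.0:8000;
    return 301 https://$host:8001$request_uri;
}
"""

# Directives that name a backend nginx forwards to (unlike `listen`).
BACKEND = re.compile(r"^\s*(server|proxy_pass)\s+(?:https?://)?([^\s;/{]+)[^;]*;")
LOCAL = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[::1\]|unix:)$")


def non_loopback_backends(conf_text):
    """Return (line_no, directive, target) for backend targets that are not local."""
    upstreams = set(re.findall(r"^\s*upstream\s+(\S+)\s*\{", conf_text, re.M))
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        match = BACKEND.match(line.split("#", 1)[0])  # ignore comments
        if not match:
            continue
        directive, target = match.groups()
        host = re.sub(r":\d+$", "", target)  # drop a trailing :port
        if host not in upstreams and not LOCAL.match(host):
            findings.append((line_no, directive, target))
    return findings


def blanket_rewrite(conf_text):
    """Apply the same substitution as the quoted sed command to the whole file."""
    return re.sub(r"127.0.0.1", "0.0.0.0", conf_text)


if __name__ == "__main__":
    print("sample as written:", non_loopback_backends(SAMPLE_CONF))
    for line_no, directive, target in non_loopback_backends(blanket_rewrite(SAMPLE_CONF)):
        print(f"line {line_no}: {directive} {target} is not a loopback address")
```

Run against a real /etc/nginx/conf.d/wok.conf by passing the file's text to `non_loopback_backends`; an empty list means the backend addresses are still on loopback.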