From 192d32f9359e15098f1097d96f06e0c904ac972d Mon Sep 17 00:00:00 2001
From: Luca Bassi
Date: Tue, 23 Apr 2024 10:59:25 +0200
Subject: [PATCH] Support deployment behind nginx reverse proxy

---
 data/webdav-defaults.yaml | 3 +-
 files/etc/storm/nginx/nginx.conf | 33 +++++++++
 manifests/webdav.pp | 2 +
 manifests/webdav/config.pp | 17 +++++
 manifests/webdav/install.pp | 33 +++++++++
 manifests/webdav/service.pp | 6 ++
 .../storm/storm_webdav_install_spec.rb | 7 ++
 .../storm/storm_webdav_service_spec.rb | 5 ++
 spec/classes/storm/storm_webdav_spec.rb | 68 +++++++++++++++++++
 templates/etc/nginx/storm.location.erb | 35 ++++++++++
 .../storm-webdav.conf.erb | 8 ++-
 11 files changed, 214 insertions(+), 3 deletions(-)
 create mode 100644 files/etc/storm/nginx/nginx.conf
 create mode 100644 templates/etc/nginx/storm.location.erb

diff --git a/data/webdav-defaults.yaml b/data/webdav-defaults.yaml
index 38ca3b1..b797642 100644
--- a/data/webdav-defaults.yaml
+++ b/data/webdav-defaults.yaml
@@ -41,4 +41,5 @@ storm::webdav::file_buffer_size: 1048576
 storm::webdav::voms_trust_store_dir: '/etc/grid-security/vomsdir'
 storm::webdav::voms_trust_store_refresh_interval_sec: 43200
 storm::webdav::voms_cache_enabled: true
-storm::webdav::voms_cache_entry_lifetime_sec: 300
\ No newline at end of file
+storm::webdav::voms_cache_entry_lifetime_sec: 300
+storm::webdav::nginx_reverse_proxy: false
diff --git a/files/etc/storm/nginx/nginx.conf b/files/etc/storm/nginx/nginx.conf
new file mode 100644
index 0000000..a174f64
--- /dev/null
+++ b/files/etc/storm/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user storm storm;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log debug;
+
+load_module /usr/lib64/nginx/modules/ngx_http_voms_module.so;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ resolver 127.0.0.11 ipv6=off;
+
+ log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+ '$ssl_protocol/$ssl_cipher '
+ '"$ssl_client_s_dn" '
+ '"$ssl_client_ee_s_dn" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log storm;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/manifests/webdav.pp b/manifests/webdav.pp
index 0489a15..538f90c 100644
--- a/manifests/webdav.pp
+++ b/manifests/webdav.pp
@@ -193,6 +193,8 @@
 String $tape_wellknown_source,
+ Boolean $nginx_reverse_proxy,
+
 ) {
 contain storm::webdav::install
 contain storm::webdav::config
diff --git a/manifests/webdav/config.pp b/manifests/webdav/config.pp
index 3f5bef3..2d74503 100644
--- a/manifests/webdav/config.pp
+++ b/manifests/webdav/config.pp
@@ -83,6 +83,23 @@
 notice('Empty storage area list. No storage area has been defined and initialized.')
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ file { '/etc/nginx/nginx.conf' :
+ ensure => file,
+ owner => 'storm',
+ group => 'storm',
+ mode => '0644',
+ source => "puppet:///modules/storm/etc/storm/nginx/nginx.conf",
+ }
+ file { '/etc/nginx/conf.d/storm.location' :
+ ensure => file,
+ content => template('storm/etc/nginx/storm.location.erb'),
+ owner => 'storm',
+ group => 'storm',
+ mode => '0644',
+ }
+ }
+
 # Directory '/etc/systemd/system/storm-webdav.service.d' is created by rpm
 $service_dir='/etc/systemd/system/storm-webdav.service.d'
diff --git a/manifests/webdav/install.pp b/manifests/webdav/install.pp
index f9f05c0..a62a0f3 100644
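Review bot: `error_log /var/log/nginx/error.log debug;` turns on nginx's most verbose log level in a permanent production config; debug output is large and records per-request internals that should not sit in a long-lived log, so `error_log /var/log/nginx/error.log warn;` is the better default, with `debug` raised only while troubleshooting. `resolver 127.0.0.11 ipv6=off;` is the address of Docker's embedded DNS, which does not exist on a Puppet-managed host — presumably carried over from a container setup; the only upstream this patch proxies to is the literal `127.0.0.1` in templates/etc/nginx/storm.location.erb, which needs no resolver, so the directive can be dropped or turned into a parameter. Since this file replaces the package's whole `nginx.conf`, a short header comment saying so and naming the module it depends on (`ngx_http_voms_module.so` from the nginx-module-http-voms package installed in manifests/webdav/install.pp) would help whoever next upgrades nginx.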
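Review bot: `Boolean $nginx_reverse_proxy` is added to the parameter list without a matching documentation entry; the class header is outside this hunk, so if it carries an `@param` block it should gain one such as `# @param nginx_reverse_proxy Put nginx in front of StoRM WebDAV: nginx listens on https_port and the application's HTTP connector moves to http_port + 1 (see templates/etc/nginx/storm.location.erb).` The port shift is not discoverable from the name, and the parameter has no default in the signature, so it relies on the data/webdav-defaults.yaml entry added in this commit.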
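Review bot: Both nginx files are installed with `owner => 'storm', group => 'storm'`, yet `/etc/nginx/nginx.conf` is read by nginx's master process, which normally runs as root (it has to, to `load_module` and bind the privileged port) — the `user storm storm;` directive in the shipped file only applies to the workers — so an unprivileged `storm` account that can rewrite the file, including its `user` and `load_module` directives, has a path to root. Files consumed by a root process should be `owner => 'root', group => 'root', mode => '0644'`, and the same applies to `/etc/nginx/conf.d/storm.location`. That second file is also named without a `.conf` suffix, while the shipped nginx.conf only does `include /etc/nginx/conf.d/*.conf;`, so unless something outside this patch includes it the `server` block is never loaded; `/etc/nginx/conf.d/storm.conf` (and the matching path in the spec) would fix that. Neither resource has `notify => Service['nginx']`, so later content changes will not reach a running nginx. Minor: `source => "puppet:///…"` uses double quotes with nothing to interpolate.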
--- a/manifests/webdav/install.pp
+++ b/manifests/webdav/install.pp
@@ -6,4 +6,37 @@
 package { 'storm-webdav':
 ensure => '>=1.4.2',
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ $el = $facts['os']['distro']['release']['major']
+ yumrepo { 'nginx-stable-repo':
+ ensure => present,
+ descr => 'nginx stable repo',
+ enabled => 1,
+ gpgcheck => 1,
+ baseurl => "http://nginx.org/packages/centos/${el}/x86_64/",
+ gpgkey => 'https://nginx.org/keys/nginx_signing.key',
+ }
+ package { 'nginx':
+ ensure => 'installed',
+ require => Yumrepo['nginx-stable-repo'],
+ }
+ yumrepo { 'voms':
+ ensure => present,
+ descr => 'VOMS stable repo',
+ baseurl => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos${el}/",
+ enabled => 1,
+ gpgcheck => 0,
+ }
+ yumrepo { 'storage-generic':
+ ensure => present,
+ descr => 'Storage Generic repo managed by Puppet',
+ baseurl => 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+ enabled => 1,
+ gpgcheck => 0,
+ }
+ package { 'nginx-module-http-voms':
+ ensure => 'installed',
+ require => Yumrepo['storage-generic'],
+ }
+ }
 }
diff --git a/manifests/webdav/service.pp b/manifests/webdav/service.pp
index 77f179f..b0de1ed 100644
--- a/manifests/webdav/service.pp
+++ b/manifests/webdav/service.pp
@@ -5,4 +5,10 @@
 ensure => running,
 enable => true,
 }
+ if $storm::webdav::nginx_reverse_proxy {
+ service { 'nginx':
+ ensure => running,
+ enable => true,
+ }
+ }
 }
diff --git a/spec/classes/storm/storm_webdav_install_spec.rb b/spec/classes/storm/storm_webdav_install_spec.rb
index 292213a..ab59f12 100644
--- a/spec/classes/storm/storm_webdav_install_spec.rb
+++ b/spec/classes/storm/storm_webdav_install_spec.rb
@@ -3,6 +3,13 @@
 describe 'storm::webdav::install' do
 on_supported_os.each do |os, facts|
 context "on #{os}" do
+ let(:pre_condition) do
+ <<-EOF
+ class { 'storm::webdav':
+ nginx_reverse_proxy => false,
+ }
+ EOF
+ end
 let(:facts) do
 facts
 end
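Review bot: `nginx-module-http-voms` is installed from `storage-generic`, which is declared with `gpgcheck => 0` and a plain `http://` baseurl, and the resulting shared object is then loaded into nginx's root-running master by `load_module` in the shipped nginx.conf; an unsigned package fetched without transport protection and loaded at that privilege is a supply-chain weak point, and the `nginx-stable-repo` entry (`gpgcheck => 1` plus `gpgkey`) already shows the better shape. The `voms` repository is likewise `gpgcheck => 0`, and no resource in this hunk `require`s it, so it is either unused or an undeclared dependency of the module package — either way worth a comment. Where the CNAF repositories publish signed packages, `gpgcheck => 1` with a `gpgkey` and an `https://` baseurl is the fix; if they do not, record that explicitly next to each `gpgcheck => 0`. The x86_64 segment of the nginx baseurl is hard-coded while `$el` is derived from facts; `$facts['os']['architecture']` would keep the two consistent.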
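Review bot: `service { 'nginx': … }` declares no relationship to `Package['nginx']` or to the two file resources storm::webdav::config manages under `/etc/nginx`, so a changed `nginx.conf` or `storm.location` is never reloaded into a running nginx, and install-before-start ordering is only as good as whatever class ordering exists outside this hunk. Adding `subscribe => File['/etc/nginx/nginx.conf', '/etc/nginx/conf.d/storm.location'],` makes config changes take effect and orders the service after the files; both sides are guarded by the same `$storm::webdav::nginx_reverse_proxy` condition, so the references always resolve.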
diff --git a/spec/classes/storm/storm_webdav_service_spec.rb b/spec/classes/storm/storm_webdav_service_spec.rb
index 16537b1..4927e06 100644
--- a/spec/classes/storm/storm_webdav_service_spec.rb
+++ b/spec/classes/storm/storm_webdav_service_spec.rb
@@ -5,6 +5,11 @@
 context "on #{os}" do
 let(:pre_condition) do
 'include storm::webdav::install'
+ <<-EOF
+ class { 'storm::webdav':
+ nginx_reverse_proxy => false,
+ }
+ EOF
 end
 let(:facts) do
diff --git a/spec/classes/storm/storm_webdav_spec.rb b/spec/classes/storm/storm_webdav_spec.rb
index 9d90dfb..26d2e5a 100644
--- a/spec/classes/storm/storm_webdav_spec.rb
+++ b/spec/classes/storm/storm_webdav_spec.rb
@@ -68,6 +68,8 @@
 'voms_trust_store_refresh_interval_sec' => 43201,
 'voms_cache_enabled' => false,
 'voms_cache_entry_lifetime_sec' => 301,
+
+ 'nginx_reverse_proxy' => false,
 }
 end
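Review bot: As the hunk reads, the heredoc is a second statement inside `let(:pre_condition) do … end` rather than being joined to the string above it (no line of the original is modified), so the block now returns only the heredoc and the `'include storm::webdav::install'` literal is a discarded expression — Ruby's `-w` reports it as a useless string. The test still passes because `class { 'storm::webdav': … }` contains the install class itself (`contain storm::webdav::install` in manifests/webdav.pp), but the dead line should be removed, or the include should move into the heredoc as its first line (`include storm::webdav::install`) so the intent is explicit.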
@@ -302,6 +304,72 @@
 )
 end
 end
+
+ context 'Check deployment behind nginx reverse proxy' do
+ let(:params) do
+ {
+ 'http_port' => 8080,
+ 'nginx_reverse_proxy' => true,
+ }
+ end
+
+ case facts[:operatingsystemmajrelease]
+ when '7'
+ it 'nginx-stable-repo is installed and enabled' do
+ is_expected.to contain_yumrepo('nginx-stable-repo').with(
+ ensure: 'present',
+ baseurl: 'http://nginx.org/packages/centos/7/x86_64/',
+ enabled: 1,
+ gpgcheck: 1,
+ )
+ end
+ it 'voms is installed and enabled' do
+ is_expected.to contain_yumrepo('voms').with(
+ ensure: 'present',
+ baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos7/',
+ enabled: 1,
+ gpgcheck: 0,
+ )
+ end
+ it 'storage-generic is installed and enabled' do
+ is_expected.to contain_yumrepo('storage-generic').with(
+ ensure: 'present',
+ baseurl: 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+ enabled: 1,
+ gpgcheck: 0,
+ )
+ end
+ end
+ it 'check sysconfig file' do
+ service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+ is_expected.to contain_file(service_file).with(
+ ensure: 'file',
+ )
+ is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=true"})
+ end
+ it 'check nginx configuration files' do
+ nginx_conf_file = '/etc/nginx/nginx.conf'
+ is_expected.to contain_file(nginx_conf_file).with(
+ ensure: 'file',
+ )
+ nginx_storm_location_file = '/etc/nginx/conf.d/storm.location'
+ is_expected.to contain_file(nginx_storm_location_file).with(
+ ensure: 'file',
+ )
+ is_expected.to contain_file(nginx_storm_location_file).with(content: %r{location /internal-get})
+ end
+ it 'check nginx rpm is installed' do
+ is_expected.to contain_package('nginx')
+ end
+ it 'check nginx-module-http-voms rpm is installed' do
+ is_expected.to contain_package('nginx-module-http-voms')
+ end
+ it { is_expected.to contain_service('nginx').with(ensure: 'running') }
+ it 'check environment file' do
+ service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+ is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_HTTP_PORT=8081"})
+ end
+ end
 end
 end
 end
diff --git a/templates/etc/nginx/storm.location.erb b/templates/etc/nginx/storm.location.erb
new file mode 100644
index 0000000..a681b75
--- /dev/null
+++ b/templates/etc/nginx/storm.location.erb
@@ -0,0 +1,35 @@
+server {
+ location /internal-get {
+ internal;
+ alias /;
+ sendfile on;
+ tcp_nopush on;
+ keepalive_timeout 65;
+ tcp_nodelay on;
+ }
+ location / {
+ proxy_pass http://127.0.0.1:<%=scope['storm::webdav::http_port'] + 1%>;
+ proxy_set_header X-VOMS-voms_user $voms_user;
+ proxy_set_header X-VOMS-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
+ proxy_set_header X-VOMS-voms_user_ca $voms_user_ca;
+ proxy_set_header X-VOMS-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
+ proxy_set_header X-VOMS-voms_fqans $voms_fqans;
+ proxy_set_header X-VOMS-voms_server $voms_server;
+ proxy_set_header X-VOMS-voms_server_ca $voms_server_ca;
+ proxy_set_header X-VOMS-voms_vo $voms_vo;
+ proxy_set_header X-VOMS-voms_server_uri $voms_server_uri;
+ proxy_set_header X-VOMS-voms_not_before $voms_not_before;
+ proxy_set_header X-VOMS-voms_not_after $voms_not_after;
+ proxy_set_header X-VOMS-voms_generic_attributes $voms_generic_attributes;
+ proxy_set_header X-VOMS-voms_serial $voms_serial;
+ }
+ listen [::]:<%=scope['storm::webdav::https_port']%> ssl http2;
+ listen <%=scope['storm::webdav::https_port']%> ssl http2;
+ ssl_certificate /etc/grid-security/hostcert.pem;
+ ssl_certificate_key /etc/grid-security/hostkey.pem;
+ ssl_client_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle-all.pem;
+ ssl_verify_client optional;
+ ssl_verify_depth 10;
+ client_max_body_size 0;
+ error_page 497 https://$host:<%=scope['storm::webdav::https_port']%>$request_uri;
+}
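Review bot: The yumrepo assertions run only under `when '7'` on `facts[:operatingsystemmajrelease]`, so every other OS the surrounding `on_supported_os` loop (outside this hunk) yields gets no check of the repository URLs, and the manifest builds those URLs from a different fact, `$facts['os']['distro']['release']['major']`; if the fact set supplies one but not the other, the test and the catalog can disagree without anyone noticing. Deriving the expected major from the same fact the manifest reads, and covering the remaining supported majors in the `case`, would close that gap. Smaller: `it 'check sysconfig file'` asserts `ensure: 'file'` and the content match in two separate `with` calls on the same resource; a single `with(ensure: 'file', content: …)` reads better.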
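Review bot: `location /internal-get { internal; alias /; … }` maps the redirect namespace onto the entire filesystem, so whatever path the backend returns in an X-Accel-Redirect is served with the `storm` worker's read permissions (`user storm storm;` in the shipped nginx.conf); `internal;` only blocks direct client requests, not a backend that echoes a client-influenced path, so pointing `alias` at the storage root(s) actually exported would bound what a backend bug can leak. The `location /` block conveys identity to the application solely as `X-VOMS-*` headers over plain HTTP to `127.0.0.1:<http_port + 1>`, which is only safe if that connector is bound to loopback — not visible from this patch; if the application listens on all interfaces, any client that can reach the port can present forged `X-VOMS-*` headers and bypass the client-certificate check entirely, so this precondition belongs in a comment at the top of the template. `proxy_set_header` overrides only the names listed, so any other client-supplied `X-VOMS-…` header passes through unchanged; fine as long as the application reads no others. The two `listen … ssl http2` lines set no `ssl_protocols` or `ssl_ciphers`, leaving them to the nginx build defaults, and `ssl_client_certificate` points at the system-wide `tls-ca-bundle-all.pem`, which accepts client certificates from every CA in that bundle rather than only the grid CAs — worth confirming that is the intended trust set and pinning `ssl_protocols TLSv1.2 TLSv1.3;` explicitly.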
diff --git a/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb b/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
index 24fd04b..9379468 100644
--- a/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
+++ b/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
@@ -27,7 +27,7 @@ Environment="STORM_WEBDAV_HOSTNAME_<%= idx %>=<%= hostname %>"
 Environment="STORM_WEBDAV_HTTPS_PORT=<%=scope.lookupvar('storm::webdav::https_port')%>"
 # HTTP connector port
-Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port')%>"
+Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port') + (scope.lookupvar('storm::webdav::nginx_reverse_proxy') ? 1 : 0)%>"
 # Path to the service certificate.
 Environment="STORM_WEBDAV_CERTIFICATE_PATH=/etc/grid-security/storm-webdav/hostcert.pem"
@@ -176,4 +176,8 @@ Environment="STORM_WEBDAV_VOMS_CACHE_ENABLE=<%=scope.lookupvar('storm::webdav::v
 # Cache entries lifetime, used if caching for VOMS certificate validation is enabled
 # Default: 300
-Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('storm::webdav::voms_cache_entry_lifetime_sec')%>"
\ No newline at end of file
+Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('storm::webdav::voms_cache_entry_lifetime_sec')%>"
+
+# Use nginx as a reverse proxy
+# Default: false
+Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=<%=scope.lookupvar('storm::webdav::nginx_reverse_proxy')%>"
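Review bot: The new `STORM_WEBDAV_HTTP_PORT` value silently shifts the application's HTTP connector to `http_port + 1` when the proxy is enabled, a convention now encoded independently here, in `proxy_pass` in templates/etc/nginx/storm.location.erb and as the literal 8081 in spec/classes/storm/storm_webdav_spec.rb, while the comment above still reads only `# HTTP connector port`; it should say `# HTTP connector port; behind nginx the application listens on http_port + 1 and nginx proxies to it (keep in sync with templates/etc/nginx/storm.location.erb)`. `STORM_WEBDAV_HTTPS_PORT` is left at `https_port`, the same port the nginx `server` block now `listen`s on, so the two will collide unless the application stops opening its HTTPS connector when `STORM_WEBDAV_NGINX_REVERSE_PROXY` is true — presumably it does, but that reliance on application behaviour is worth stating in the `# Use nginx as a reverse proxy` comment added in the second hunk of this file. A dedicated parameter for the proxied port, with the offset applied once in the manifest, would remove the duplicated arithmetic.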