
Support deployment behind nginx reverse proxy
Luca Bassi committed Oct 17, 2024
1 parent e47ada0 commit f757c5a
Showing 11 changed files with 236 additions and 2 deletions.
1 change: 1 addition & 0 deletions data/webdav-defaults.yaml
Expand Up @@ -43,3 +43,4 @@ storm::webdav::voms_trust_store_refresh_interval_sec: 43200
storm::webdav::voms_cache_enabled: true
storm::webdav::voms_cache_entry_lifetime_sec: 300
storm::webdav::scitag_enabled: false
storm::webdav::nginx_reverse_proxy: false
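--- /dev/null
+++ b/files/etc/storm/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user storm storm;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log debug;
+
+load_module /usr/lib64/nginx/modules/ngx_http_voms_module.so;
+
+events {
+worker_connections 1024;
+}
+
+http {
+include mime.types;
+default_type application/octet-stream;
+
+resolver 127.0.0.11 ipv6=off;
+
+log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+'$ssl_protocol/$ssl_cipher '
+'"$ssl_client_s_dn" '
+'"$ssl_client_ee_s_dn" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log storm;
+
+sendfile on;
+#tcp_nopush on;
+
+keepalive_timeout 65;
+
+include /etc/nginx/conf.d/*.conf;
+}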
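Review bot: `error_log /var/log/nginx/error.log debug;` ships the production configuration at debug level, which is extremely verbose and can write request and upstream header data into the error log on every request; `error_log /var/log/nginx/error.log warn;` is the usual shipped setting, with debug raised only while troubleshooting. `resolver 127.0.0.11 ipv6=off;` points at the address Docker's embedded DNS uses, which is unlikely to exist on an RPM-installed host, and since `proxy_pass` in storm.location.erb targets a literal 127.0.0.1 the directive looks unused — confirm and either drop it or point it at the host's resolver. The `log_format` line is a single logical directive split across six lines, which is fine, but a short comment naming the VOMS-specific fields (`$ssl_client_ee_s_dn`) would help operators reading the access log.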
2 changes: 2 additions & 0 deletions manifests/webdav.pp
Expand Up @@ -195,6 +195,8 @@

Boolean $scitag_enabled,

Boolean $nginx_reverse_proxy,

) {
contain storm::webdav::install
contain storm::webdav::config
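Review bot: The new `Boolean $nginx_reverse_proxy,` parameter carries no documentation, although the class's parameter docs (whose header starts outside this hunk) are where users will look for it; a comment such as `# Put storm-webdav behind a Puppet-managed nginx reverse proxy: nginx is installed, terminates TLS/VOMS on https_port, and the service's HTTP connector is moved to http_port + 1` would also record the port shift that the unit template and storm.location.erb rely on. It is worth stating there that the parameter has no default in the class and is expected from data/webdav-defaults.yaml, as the hunk shows.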
16 changes: 16 additions & 0 deletions manifests/webdav/config.pp
Expand Up @@ -92,6 +92,22 @@
source => "puppet:///modules/storm/etc/storm/flowd.cfg",
}
}
if $storm::webdav::nginx_reverse_proxy {
file { '/etc/nginx/nginx.conf' :
ensure => file,
owner => 'storm',
group => 'storm',
mode => '0644',
source => "puppet:///modules/storm/etc/storm/nginx/nginx.conf",
}
file { '/etc/nginx/conf.d/storm.location' :
ensure => file,
content => template('storm/etc/nginx/storm.location.erb'),
owner => 'storm',
group => 'storm',
mode => '0644',
}
}

# Directory '/etc/systemd/system/storm-webdav.service.d' is created by rpm
$service_dir='/etc/systemd/system/storm-webdav.service.d'
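Review bot: Both nginx configuration files are created with `owner => 'storm'`, which is the unprivileged account nginx drops its workers to (`user storm storm;` in nginx.conf); that lets the application user rewrite `nginx.conf`, including the `user` and `load_module` directives the nginx master evaluates as root on the next restart. nginx only needs read access, so `owner => 'root', group => 'root', mode => '0644'` keeps the configuration out of the service account's reach. Neither `file` resource notifies the nginx service, so a change Puppet applies is not picked up until something else restarts nginx; `notify => Service['nginx']` on both resources (or a `subscribe` on the service) closes that gap. The resources presumably also need `require => Package['nginx']` so that `/etc/nginx/conf.d` exists on a fresh host — confirm whether ordering is already established by the containing class.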
46 changes: 46 additions & 0 deletions manifests/webdav/install.pp
Expand Up @@ -20,4 +20,50 @@
require => Yumrepo['scitags-repo'],
}
}
if $storm::webdav::nginx_reverse_proxy {
$el = $facts['os']['distro']['release']['major']
yumrepo { 'nginx-stable-repo':
ensure => present,
descr => 'nginx stable repo',
enabled => 1,
gpgcheck => 1,
baseurl => "http://nginx.org/packages/centos/${el}/x86_64/",
gpgkey => 'https://nginx.org/keys/nginx_signing.key',
}
package { 'nginx':
ensure => 'installed',
require => Yumrepo['nginx-stable-repo'],
}
case $facts['os']['name'] {
'CentOS', 'Scientific': {
yumrepo { 'voms':
ensure => present,
descr => 'VOMS stable repo',
baseurl => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos${el}/",
enabled => 1,
gpgcheck => 0,
}
}
'RedHat', 'AlmaLinux': {
yumrepo { 'voms':
ensure => present,
descr => 'VOMS stable repo',
baseurl => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/redhat${el}/",
enabled => 1,
gpgcheck => 0,
}
}
}
yumrepo { 'storage-generic':
ensure => present,
descr => 'Storage Generic repo managed by Puppet',
baseurl => 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
enabled => 1,
gpgcheck => 0,
}
package { 'nginx-module-http-voms':
ensure => 'installed',
require => Yumrepo['storage-generic'],
}
}
}
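Review bot: The `voms` and `storage-generic` repos are declared with `gpgcheck => 0`, and `storage-generic` (like the nginx repo) uses a plain `http://` `baseurl`, so `nginx-module-http-voms` — code nginx loads in-process and that handles client-certificate data — is installed with neither signature nor transport authentication. If those repositories publish a signing key, set `gpgcheck => 1` with `gpgkey => '<repo-signing-key-url>'` (placeholder); at minimum the `baseurl` values should be `https://`, as the `voms` repo already is. The `case $facts['os']['name']` has no `default` branch, so on any other distribution the `voms` yumrepo is silently skipped and the failure surfaces later at package install; `default: { fail("unsupported os ${facts['os']['name']}") }` makes that explicit. `x86_64` is hard-coded in the nginx `baseurl` while the release comes from facts; `$facts['os']['architecture']` would be consistent with that.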
6 changes: 6 additions & 0 deletions manifests/webdav/service.pp
Expand Up @@ -11,4 +11,10 @@
enable => true,
}
}
if $storm::webdav::nginx_reverse_proxy {
service { 'nginx':
ensure => running,
enable => true,
}
}
}
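Review bot: `service { 'nginx': }` neither subscribes to the configuration files managed in config.pp nor orders itself after `Package['nginx']`, so unless the containing class chains install → config → service (outside this hunk) a first run may try to start nginx before it is installed and configured, and later config changes are never reloaded. `subscribe => [File['/etc/nginx/nginx.conf'], File['/etc/nginx/conf.d/storm.location']]` together with `require => Package['nginx']` ties the three together; the enclosing class starts outside the hunk.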
1 change: 1 addition & 0 deletions spec/classes/storm/storm_webdav_install_spec.rb
Expand Up @@ -7,6 +7,7 @@
<<-EOF
class { 'storm::webdav':
scitag_enabled => false,
nginx_reverse_proxy => false,
}
EOF
end
1 change: 1 addition & 0 deletions spec/classes/storm/storm_webdav_service_spec.rb
Expand Up @@ -8,6 +8,7 @@
<<-EOF
class { 'storm::webdav':
scitag_enabled => false,
nginx_reverse_proxy => false,
}
EOF
end
91 changes: 90 additions & 1 deletion spec/classes/storm/storm_webdav_spec.rb
Expand Up @@ -70,6 +70,8 @@
'voms_cache_entry_lifetime_sec' => 301,

'scitag_enabled' => false,

'nginx_reverse_proxy' => false,
}
end

Expand Down Expand Up @@ -311,7 +313,6 @@
'scitag_enabled' => true,
}
end

case facts[:operatingsystemmajrelease]
when '9'
it 'scitags-repo is installed and enabled' do
Expand Down Expand Up @@ -341,6 +342,94 @@
end
it { is_expected.to contain_service('flowd').with(ensure: 'running') }
end

context 'Check deployment behind nginx reverse proxy' do
let(:params) do
{
'http_port' => 8080,
'nginx_reverse_proxy' => true,
}
end
case facts[:operatingsystem]
when 'CentOS', 'Scientific'
case facts[:operatingsystemmajrelease]
when '7'
it 'nginx-stable-repo is installed and enabled' do
is_expected.to contain_yumrepo('nginx-stable-repo').with(
ensure: 'present',
baseurl: 'http://nginx.org/packages/centos/7/x86_64/',
enabled: 1,
gpgcheck: 1,
)
end
it 'voms is installed and enabled' do
is_expected.to contain_yumrepo('voms').with(
ensure: 'present',
baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos7/',
enabled: 1,
gpgcheck: 0,
)
end
end
when 'RedHat', 'AlmaLinux'
case facts[:operatingsystemmajrelease]
when '9'
it 'nginx-stable-repo is installed and enabled' do
is_expected.to contain_yumrepo('nginx-stable-repo').with(
ensure: 'present',
baseurl: 'http://nginx.org/packages/centos/9/x86_64/',
enabled: 1,
gpgcheck: 1,
)
end
it 'voms is installed and enabled' do
is_expected.to contain_yumrepo('voms').with(
ensure: 'present',
baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/redhat9/',
enabled: 1,
gpgcheck: 0,
)
end
end
end
it 'storage-generic is installed and enabled' do
is_expected.to contain_yumrepo('storage-generic').with(
ensure: 'present',
baseurl: 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
enabled: 1,
gpgcheck: 0,
)
end
it 'check sysconfig file' do
service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
is_expected.to contain_file(service_file).with(
ensure: 'file',
)
is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=true"})
end
it 'check nginx configuration files' do
nginx_conf_file = '/etc/nginx/nginx.conf'
is_expected.to contain_file(nginx_conf_file).with(
ensure: 'file',
)
nginx_storm_location_file = '/etc/nginx/conf.d/storm.location'
is_expected.to contain_file(nginx_storm_location_file).with(
ensure: 'file',
)
is_expected.to contain_file(nginx_storm_location_file).with(content: %r{location /internal-get})
end
it 'check nginx rpm is installed' do
is_expected.to contain_package('nginx')
end
it 'check nginx-module-http-voms rpm is installed' do
is_expected.to contain_package('nginx-module-http-voms')
end
it { is_expected.to contain_service('nginx').with(ensure: 'running') }
it 'check environment file' do
service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_HTTP_PORT=8081"})
end
end
end
end
end
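Review bot: The nested `case` on `facts[:operatingsystem]` / `facts[:operatingsystemmajrelease]` only defines yumrepo examples for CentOS/Scientific 7 and RedHat/AlmaLinux 9, so any other fact combination the spec matrix supplies gets no repo assertions at all and the context passes vacuously; an `else` branch, e.g. `else; it { is_expected.not_to contain_yumrepo('voms') }; end`, or a failing example, would make that gap visible instead of hiding it. The examples also pin `gpgcheck: 0` and an `http://` baseurl as the expected state, which turns unsigned, unauthenticated package sources into part of the test contract rather than something the suite would flag. `service_file` is assigned the same literal in both `check sysconfig file` and `check environment file`; a `let(:service_file)` at the context level removes the duplication.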
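--- /dev/null
+++ b/templates/etc/nginx/storm.location.erb
@@ -0,0 +1,35 @@
+server {
+location /internal-get {
+internal;
+alias /;
+sendfile on;
+tcp_nopush on;
+keepalive_timeout 65;
+tcp_nodelay on;
+}
+location / {
+proxy_pass http://127.0.0.1:<%=scope['storm::webdav::http_port'] + 1%>;
+proxy_set_header X-VOMS-voms_user $voms_user;
+proxy_set_header X-VOMS-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
+proxy_set_header X-VOMS-voms_user_ca $voms_user_ca;
+proxy_set_header X-VOMS-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
+proxy_set_header X-VOMS-voms_fqans $voms_fqans;
+proxy_set_header X-VOMS-voms_server $voms_server;
+proxy_set_header X-VOMS-voms_server_ca $voms_server_ca;
+proxy_set_header X-VOMS-voms_vo $voms_vo;
+proxy_set_header X-VOMS-voms_server_uri $voms_server_uri;
+proxy_set_header X-VOMS-voms_not_before $voms_not_before;
+proxy_set_header X-VOMS-voms_not_after $voms_not_after;
+proxy_set_header X-VOMS-voms_generic_attributes $voms_generic_attributes;
+proxy_set_header X-VOMS-voms_serial $voms_serial;
+}
+listen [::]:<%=scope['storm::webdav::https_port']%> ssl http2;
+listen <%=scope['storm::webdav::https_port']%> ssl http2;
+ssl_certificate /etc/grid-security/hostcert.pem;
+ssl_certificate_key /etc/grid-security/hostkey.pem;
+ssl_client_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle-all.pem;
+ssl_verify_client optional;
+ssl_verify_depth 10;
+client_max_body_size 0;
+error_page 497 https://$host:<%=scope['storm::webdav::https_port']%>$request_uri;
+}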
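Review bot: `location /internal-get { internal; alias /; }` maps the whole filesystem, so any `X-Accel-Redirect` the backend emits can serve every file the `storm` worker user can read; narrowing it to the storage area, e.g. `alias <storage-root>/;` (placeholder for the configured storage root), limits the exposure if the backend ever echoes a client-influenced path into that header. `error_page 497 https://$host:...$request_uri;` builds the redirect from the client-supplied Host header, which makes plain-HTTP requests to the TLS port an open redirect; `$server_name` or the configured hostname is the safer choice. The identity reaches the backend as `X-VOMS-*` headers over plain HTTP to `127.0.0.1:http_port + 1`, which is only sound if the storm-webdav HTTP connector binds to loopback or is firewalled — nothing in this commit ensures that, so confirm it, otherwise a client that reaches that port directly can assert any VOMS identity. `listen ... ssl http2;` is the form deprecated since nginx 1.25.1 in favour of a separate `http2 on;` directive, which matters given the package comes from the nginx stable repo.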
Expand Up @@ -27,7 +27,7 @@ Environment="STORM_WEBDAV_HOSTNAME_<%= idx %>=<%= hostname %>"
Environment="STORM_WEBDAV_HTTPS_PORT=<%=scope.lookupvar('storm::webdav::https_port')%>"

# HTTP connector port
Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port')%>"
Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port') + (scope.lookupvar('storm::webdav::nginx_reverse_proxy') ? 1 : 0)%>"

# Path to the service certificate.
Environment="STORM_WEBDAV_CERTIFICATE_PATH=/etc/grid-security/storm-webdav/hostcert.pem"
Expand Down Expand Up @@ -181,3 +181,7 @@ Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('stor
# Enable SciTags support
# Default: false
Environment="STORM_WEBDAV_SCITAG_ENABLED=<%=scope.lookupvar('storm::webdav::scitag_enabled')%>"

# Use nginx as a reverse proxy
# Default: false
Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=<%=scope.lookupvar('storm::webdav::nginx_reverse_proxy')%>"
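Review bot: The `+ (scope.lookupvar('storm::webdav::nginx_reverse_proxy') ? 1 : 0)` port shift is an implicit contract shared with `proxy_pass http://127.0.0.1:<%= http_port + 1 %>` in storm.location.erb and with the spec's expectation of 8081, yet the comment above it still reads only `# HTTP connector port`; it should say so, e.g. `# HTTP connector port. Behind the nginx reverse proxy the connector moves to http_port + 1 so nginx can proxy to it on 127.0.0.1.` Nothing in this commit disables the service's own HTTPS connector on `STORM_WEBDAV_HTTPS_PORT`, which nginx also binds in storm.location.erb — presumably the application does that when `STORM_WEBDAV_NGINX_REVERSE_PROXY=true`; confirm, otherwise the two processes contend for the same port. The new block's `# Default: false` line matches data/webdav-defaults.yaml, which is good; the file header for this section is not shown on the page.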
