Add Nginx as a external facing reverse proxy
Ultimate goal is to allow anyone to add one or more http services.
Doing this still allows other groups to not be required to use
them
https://lists.ozlabs.org/pipermail/openbmc/2017-September/009231.html
Also note that this commit launches nginx on 8081. Once I have advice on
how to get it to launch there, I'll be moving it to 443 and gevent to
8081.
Initially this will only be used in the meta-ibm layer.
Signed-off-by: Chris Austen <austenc@us.ibm.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I34b076898469f2fa9a0186ca3fb3abc77ae52fe7
diff --git a/recipes-httpd/nginx/files/gen-cert.sh b/recipes-httpd/nginx/files/gen-cert.sh
new file mode 100644
index 0000000..480266f
--- /dev/null
+++ b/recipes-httpd/nginx/files/gen-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+PEM="/etc/ssl/certs/nginx/cert.pem"
+
+if [ ! -f $PEM ]; then
+ openssl req -x509 -sha256 -newkey rsa:2048 -keyout $PEM -out $PEM \
+ -days 3650 -subj "/O=openbmc-project.xyz/CN=localhost" \
+ -nodes
+fi
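Review bot: The file written by the openssl call holds the private key as well as the certificate (both `-keyout` and `-out` point at `$PEM`), yet the script never restricts its mode, so the key is created with whatever umask the caller has and will usually end up world-readable in a directory named for certificates. Add `umask 077` before the `openssl req` line (or `chmod 600 "$PEM"` after it), and quote `$PEM` in both the `-f` test and the command so the script does not rely on the path being free of whitespace. Keeping the key in a separate file outside the certs directory would also let the certificate stay readable without exposing the key.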
diff --git a/recipes-httpd/nginx/files/nginx.conf b/recipes-httpd/nginx/files/nginx.conf
new file mode 100644
index 0000000..516973c
--- /dev/null
+++ b/recipes-httpd/nginx/files/nginx.conf
@@ -0,0 +1,79 @@
+
+user www-data;
+worker_processes 1;
+
+error_log stderr;
+
+pid /run/nginx/nginx.pid;
+
+
+# Nginx requires this section, even if no options
+events {
+}
+
+# Note that a lot of these settings come from the OWASP Secure
+# Configuration guide for nginx
+# https://www.owasp.org/index.php/SCG_WS_nginx
+
+http {
+ include mime.types;
+
+ # For certain locations, only allow one connection per IP
+ limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+ # Default log format
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Comment out to enable access log in /var/log/nginx/
+ access_log off;
+
+ client_body_timeout 10;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 10;
+
+ # Do not return nginx version to clients
+ server_tokens off;
+
+ client_max_body_size 100k;
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 8k;
+
+ server {
+ listen 8081 ssl;
+ server_name 127.0.0.1;
+
+ ssl on;
+ ssl_certificate @CERTPATH@/cert.pem;
+ ssl_certificate_key @CERTPATH@/cert.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
+
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ # Use 127.0.0.1 instead of localhost since nginx will
+ # first use ipv6 address of ::1 which the upstream server
+ # is not listening on. This generates an error msg to
+ # the journal. Nginx then uses the 127.0.0.1 and everything
+ # works fine but want to avoid the error msg to the log.
+ proxy_pass https://127.0.0.1:443/;
+ }
+ location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
+ # Marked as 32MB to allow for firmware image updating and dump
+ # downloads
+ client_max_body_size 32M;
+
+ # Only 1 connection at a time here from an IP
+ limit_conn addr 1;
+
+ proxy_pass https://127.0.0.1:443;
+ }
+
+ include /etc/nginx/sites-enabled/443_*.conf;
+ }
+}
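Review bot: The `ssl_ciphers` list explicitly enables the three `DES-CBC3-SHA` suites, and the trailing `!DES` excludes only single DES, so 3DES (a 64-bit block cipher) stays negotiable despite the OWASP reference in the comment; the static-RSA `AES*-SHA*` entries at the end also give no forward secrecy. Remove those entries or at least append `:!3DES` to the list. The regex location `~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump)` is unanchored, so any URI containing one of those substrings, with any prefix, receives the 32M body limit and the per-IP connection limit; anchor it with `^`. `ssl on;` is redundant with `listen 8081 ssl;` and is deprecated in newer nginx releases.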
diff --git a/recipes-httpd/nginx/files/nginx.service b/recipes-httpd/nginx/files/nginx.service
new file mode 100644
index 0000000..5873491
--- /dev/null
+++ b/recipes-httpd/nginx/files/nginx.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=network.target
+
+[Service]
+Type=forking
+ExecStartPre=/usr/bin/env gen-cert.sh
+ExecStartPre=-/usr/bin/env mkdir /var/volatile/nginx/
+ExecStartPre=/usr/bin/env nginx -t -p /var/volatile/nginx
+ExecStart=/usr/bin/env nginx -p /var/volatile/nginx
+ExecReload=/usr/bin/env kill -s HUP $MAINPID
+ExecStop=/usr/bin/env kill -s QUIT $MAINPID
+PrivateTmp=true
+
+[Install]
+WantedBy={SYSTEMD_DEFAULT_TARGET}
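Review bot: With `Type=forking` the unit declares no `PIDFile=`, so systemd has to guess the main process that `$MAINPID` refers to in `ExecReload` and `ExecStop`; since the nginx.conf in this commit sets `pid /run/nginx/nginx.pid;`, add `PIDFile=/run/nginx/nginx.pid`. Nothing in the unit creates `/run/nginx` (the `mkdir` only makes `/var/volatile/nginx/`), so unless the base recipe or a tmpfiles entry provides that directory the master will fail to write its pid file — worth confirming. The `ExecStartPre=/usr/bin/env gen-cert.sh` step runs as root with the unit's default umask, so the resulting key file's mode is decided entirely by that script.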
diff --git a/recipes-httpd/nginx/files/nginx.socket b/recipes-httpd/nginx/files/nginx.socket
new file mode 100644
index 0000000..24be604
--- /dev/null
+++ b/recipes-httpd/nginx/files/nginx.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=Nginx
+
+[Socket]
+ListenStream=8081
+
+[Install]
+WantedBy=sockets.target
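Review bot: `ListenStream=8081` duplicates the `listen 8081 ssl;` that nginx.conf already configures, and as far as I know nginx does not consume sockets passed in by systemd, so with both active the master would fail to bind or the activated socket would never be handed over. The bbappend in this commit also does not list `nginx.socket` in `SRC_URI` or `SYSTEMD_SERVICE_${PN}`, so the file is not installed at all. Either drop the unit or, if socket activation is intended, document how nginx is expected to take over the socket.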
diff --git a/recipes-httpd/nginx/nginx_%.bbappend b/recipes-httpd/nginx/nginx_%.bbappend
new file mode 100644
index 0000000..8a58341
--- /dev/null
+++ b/recipes-httpd/nginx/nginx_%.bbappend
@@ -0,0 +1,33 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit systemd
+inherit obmc-phosphor-systemd
+
+SRC_URI += " \
+ file://nginx.conf \
+ file://nginx.service \
+ file://gen-cert.sh \
+ "
+
+EXTRA_OECONF =+ " --without-select_module"
+
+SSLCERTPATH = "/etc/ssl/certs/nginx/"
+
+
+do_install_append() {
+
+ install -m 644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx
+ install -m 0755 ${WORKDIR}/gen-cert.sh ${D}${sbindir}/gen-cert.sh
+
+ install -d ${D}${SSLCERTPATH}
+ chown -R www:www-data ${D}${SSLCERTPATH}
+
+
+ echo SSLCERTPATH
+ echo ${SSLCERTPATH}
+ sed -i 's,@CERTPATH@,${SSLCERTPATH},g' ${D}${sysconfdir}/nginx/nginx.conf
+}
+
+FILES_${PN} += " ${SSLCERTPATH} "
+
+SYSTEMD_SERVICE_${PN} += " nginx.service"
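Review bot: `chown -R www:www-data ${D}${SSLCERTPATH}` hands the directory that will hold the private key (gen-cert.sh writes key and cert into one file under it) to the web user, so a compromised worker running as `www-data` (per `user www-data;` in nginx.conf) could replace the key or certificate; the master process that actually reads the key runs as root, so the directory can stay root-owned, e.g. `install -d -m 0750 ${D}${SSLCERTPATH}` with no chown. The owner `www` also does not match the `www-data` user used elsewhere in the change and may not exist in the image — worth confirming. The two `echo SSLCERTPATH` / `echo ${SSLCERTPATH}` lines look like leftover debugging and should be dropped.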