From 53be439f26e1eab2a19578112ac55c58b3f4ec31 Mon Sep 17 00:00:00 2001
From: Sylvain Boily
Date: Wed, 6 May 2020 14:10:17 -0400
Subject: [PATCH] add reverse proxy

* The proxyfix is very important here, because of the IP-based authorization. Without it, all requests coming from nginx are authorized by 127.0.0.1.
---
 debian/wazo-phoned.dirs | 2 ++
 debian/wazo-phoned.postinst | 8 ++++++++
 etc/nginx/locations/http-available/wazo-phoned | 7 +++++++
 etc/nginx/locations/https-available/wazo-phoned | 7 +++++++
 wazo_phoned/http_server.py | 6 +++++-
 5 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 etc/nginx/locations/http-available/wazo-phoned
 create mode 100644 etc/nginx/locations/https-available/wazo-phoned

diff --git a/debian/wazo-phoned.dirs b/debian/wazo-phoned.dirs
index 9bdc05c..6d747ea 100644
--- a/debian/wazo-phoned.dirs
+++ b/debian/wazo-phoned.dirs
@@ -1 +1,3 @@
 etc/wazo-phoned/conf.d
+etc/nginx/locations/http-enabled
+etc/nginx/locations/https-enabled
diff --git a/debian/wazo-phoned.postinst b/debian/wazo-phoned.postinst
index 8ffec0c..0a6f19c 100644
--- a/debian/wazo-phoned.postinst
+++ b/debian/wazo-phoned.postinst
@@ -3,6 +3,7 @@
 set -e
 
 LOG_FILENAME='/var/log/wazo-phoned.log'
+DAEMONNAME='wazo-phoned'
 
 case "$1" in
     configure)
@@ -28,6 +29,13 @@ case "$1" in
         fi
         # End of move files from wazo-dird-phoned
 
+        if dpkg --compare-versions "${previous_version}" lt '20.07'; then
+            ln -sf /etc/nginx/locations/https-available/$DAEMONNAME \
+                /etc/nginx/locations/https-enabled/$DAEMONNAME
+            ln -sf /etc/nginx/locations/http-available/$DAEMONNAME \
+                /etc/nginx/locations/http-enabled/$DAEMONNAME
+        fi
+
         if [ ! -e "$LOG_FILENAME" ]; then
             touch "$LOG_FILENAME"
         fi
diff --git a/etc/nginx/locations/http-available/wazo-phoned b/etc/nginx/locations/http-available/wazo-phoned
new file mode 100644
index 0000000..7be2a0d
--- /dev/null
+++ b/etc/nginx/locations/http-available/wazo-phoned
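Review bot: The new symlinks in the `configure)` branch enable the nginx locations on disk, but nothing in this hunk reloads nginx, so the `/api/phoned/` proxy does not take effect until nginx is reloaded by something else; if that reload happens outside this script (a dpkg trigger, for instance), a comment above the `if dpkg --compare-versions` line should say so, otherwise the reload belongs after the `fi`. `previous_version` is not assigned anywhere in the hunk; presumably it is derived from `$2` earlier in the `configure)` branch, which is worth confirming because an empty value compares as older than 20.07 and so fresh installs also create the links — likely intended, and a one-line comment stating it would save the next reader the reasoning. The `case "$1" in` block that contains this code starts and ends outside the hunk.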
@@ -0,0 +1,7 @@
+location ^~ /api/phoned/ {
+    proxy_pass http://127.0.0.1:9498/;
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Script-Name /api/phoned;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
diff --git a/etc/nginx/locations/https-available/wazo-phoned b/etc/nginx/locations/https-available/wazo-phoned
new file mode 100644
index 0000000..8a30581
--- /dev/null
+++ b/etc/nginx/locations/https-available/wazo-phoned
@@ -0,0 +1,7 @@
+location ^~ /api/phoned/ {
+    proxy_pass https://127.0.0.1:9499/;
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Script-Name /api/phoned;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}
diff --git a/wazo_phoned/http_server.py b/wazo_phoned/http_server.py
index cf0007e..95c292d 100644
--- a/wazo_phoned/http_server.py
+++ b/wazo_phoned/http_server.py
@@ -16,7 +16,9 @@
 from flask_babel import Babel
 from flask_cors import CORS
 from pkg_resources import iter_entry_points, resource_filename, resource_isdir
+from werkzeug.contrib.fixers import ProxyFix
 from xivo import http_helpers
+from xivo.http_helpers import ReverseProxied
 
 VERSION = 0.1
 BABEL_DEFAULT_LOCALE = 'en'
@@ -83,7 +85,9 @@ def run(self):
         http_config = self.config['http']
         https_config = self.config['https']
 
-        wsgi_app = wsgi.WSGIPathInfoDispatcher({'/': self.app})
+        wsgi_app = ReverseProxied(
+            ProxyFix(wsgi.WSGIPathInfoDispatcher({'/': self.app}))
+        )
 
         cherrypy.server.unsubscribe()
         cherrypy.config.update({'environment': 'production'})
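Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` forwards whatever X-Forwarded-For value the client sent and appends `$remote_addr`, so the backend receives a client-controlled list in which only the last element was added by nginx. That is safe only while the backend consumer reads the rightmost address and nothing but this nginx can reach the backend port; if the backend does not need the client-supplied chain, `proxy_set_header X-Forwarded-For $remote_addr;` hands it exactly one trustworthy address. A comment above `proxy_pass` noting that the trailing slash strips the `/api/phoned/` prefix and that `X-Script-Name` is presumably what lets the application regenerate correct URLs would spare the next reader a lookup. The https-available file below carries the same three header lines and the same remarks apply.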
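Review bot: `ProxyFix` replaces `REMOTE_ADDR` with an address taken from `X-Forwarded-For` whenever that header is present, and the commit message says authorization is IP-based, so the wrapped server must be unreachable by clients except through the nginx location that sets the header; the listen address comes from `http_config`/`https_config` outside this hunk, so I cannot confirm it is loopback-only. A comment on the `wsgi_app = ReverseProxied(` line should state that invariant, e.g. `# ProxyFix trusts X-Forwarded-For: the listen address must be reachable only by the local nginx, otherwise a direct client could forge the address used for authorization.` Separately, `werkzeug.contrib.fixers` in the first hunk was removed in Werkzeug 1.0; the replacement is `from werkzeug.middleware.proxy_fix import ProxyFix`, which trusts one proxy by default (`x_for=1`), so the import should be updated before the dependency is bumped. `run(self)` continues outside the hunk.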