From f30cc86557b8758d73ea88bec4bea9fb7019756f Mon Sep 17 00:00:00 2001
From: Dmitry Tantsur
Date: Mon, 29 Nov 2021 14:31:39 +0100
Subject: [PATCH] Terminate TLS on Nginx

This is more efficient, and the eventlet's implementation has had substantial issues in the past.

Change-Id: If5bccf360e7295cdcf145ca2b5402c168acc57af
---
 .../tasks/bootstrap.yml | 19 ++++++++--
 .../templates/ironic-inspector.conf.j2 | 8 ++---
 .../templates/ironic.conf.j2 | 8 ++++-
 .../nginx_conf.d_bifrost-ironic.conf.j2 | 35 +++++++++++++++++++
 .../notes/nginx-proxy-a4aa77ff045060be.yaml | 5 +++
 5 files changed, 67 insertions(+), 8 deletions(-)
 create mode 100644 playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
 create mode 100644 releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml

diff --git a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
index f557dd176..3f94a3799 100644
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@@ -378,7 +378,7 @@
 name: bifrost-nginx-install
 tasks_from: bootstrap
-- name: "Place nginx configuration for ironic"
+- name: "Place nginx configuration for HTTP directory"
 template:
 src: nginx_conf.d_bifrost-httpboot.conf.j2
 dest: /etc/nginx/conf.d/bifrost-httpboot.conf
@@ -386,6 +386,15 @@
 group: "{{ nginx_user }}"
 mode: 0755
+- name: "Place nginx configuration for TLS"
+ template:
+ src: nginx_conf.d_bifrost-ironic.conf.j2
+ dest: /etc/nginx/conf.d/bifrost-ironic.conf
+ owner: "{{ nginx_user }}"
+ group: "{{ nginx_user }}"
+ mode: 0755
+ when: enable_tls | bool
+
 - name: "Set permissions for /var/lib/ironic for the ironic user"
 file:
 path: "{{ item }}"
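Review bot: The new "Place nginx configuration for TLS" task installs a vhost file with `mode: 0755` and `owner`/`group` set to `{{ nginx_user }}`; a config file needs no execute bit, and if `nginx_user` is the account the nginx workers run as (it looks that way, but I cannot confirm from here), a compromised worker could rewrite the key paths and upstream that the root master loads on the next reload. The least-privilege shape is `owner: root`, `group: "{{ nginx_user }}"`, `mode: "0640"`; the template holds only paths, not key material, so nothing needs to be readable beyond that. The preceding httpboot task uses the same ownership and mode, so both should be tightened together to keep the role consistent. I also do not see a `notify` for an nginx reload on this task; if the reload is handled elsewhere that is fine, otherwise a re-rendered template will not take effect until a restart.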
@@ -456,11 +465,17 @@
 - block:
 - name: "Allow nginx, ironic, inspector and IPA ports on SELinux"
 seport:
- ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,5050,9999"
+ ports: "{{ file_url_port }},{{ file_url_port_tls }},6385,6388,5050,9999,15050"
 proto: tcp
 setype: http_port_t
 state: present
+ - name: "Allow nginx to connect to downstream servers"
+ seboolean:
+ name: httpd_can_network_connect
+ state: yes
+ persistent: yes
+
 - name: "Add proper context on created data for tftpboot"
 sefcontext:
 target: "{{ item }}"
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
index aa75ee2c1..ead65522f 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic-inspector.conf.j2
@@ -18,11 +18,9 @@
 log_dir = {{ inspector_log_dir }}
 transport_url = fake://
 {% if enable_tls | bool %}
-use_ssl = True
-
-[ssl]
-cert_file = {{ tls_certificate_path }}
-key_file = {{ ironic_inspector_private_key_path }}
+# TLS is handled by nginx is proxy mode
+listen_address = 127.0.0.1
+listen_port = 15050
 {% endif %}
 [database]
diff --git a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
index 1354de707..64d6a57b1 100644
--- a/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
+++ b/playbooks/roles/bifrost-ironic-install/templates/ironic.conf.j2
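Review bot: The added `seboolean` task turns on `httpd_can_network_connect`, which lets nginx's `httpd_t` domain open outbound TCP connections to any host and port, far more than the two loopback upstreams (6388 and 15050) this proxy needs. Since the same hunk labels those ports `http_port_t`, the narrower `httpd_can_network_relay` boolean, which only permits connections to http-labelled ports, should be enough for a reverse proxy; I would change it to `name: httpd_can_network_relay` and verify on the target policy. Separately, `state: yes` and `persistent: yes` should be written `true` so the YAML 1.1/1.2 boolean difference cannot bite. The enclosing `block:` starts before this hunk, so any `when:` it carries is not visible here.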
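Review bot: The added comment `# TLS is handled by nginx is proxy mode` has a typo and should read `# TLS is handled by nginx in proxy mode`. The loopback port `15050` is also a bare literal here that has to agree with the nginx `proxy_pass` target and the SELinux `seport` list in two other files; a single role variable (for example `inspector_internal_port`) referenced from all three would stop them drifting apart silently. Binding `listen_address = 127.0.0.1` is the right choice once nginx fronts the service, and the block stays inside the existing `{% if enable_tls | bool %}`, so the non-TLS listener is unchanged as far as this hunk shows.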
@@ -51,12 +51,18 @@
 grub_config_path = EFI/{{ efi_distro }}/grub.cfg
 {% if enable_tls | bool %}
 [api]
-enable_ssl_api = True
+# TLS is handled by nginx is proxy mode
+host_ip = 127.0.0.1
+port = 6388
+public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385
+{% if expose_json_rpc | bool %}
 [ssl]
+# Only used for JSON RPC when expose_json_rpc is true
 cert_file = {{ tls_certificate_path }}
 key_file = {{ ironic_private_key_path }}
 {% endif %}
+{% endif %}
 [agent]
 {% if ironic_store_ramdisk_logs | bool %}
diff --git a/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2 b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
new file mode 100644
index 000000000..704a5ffe9
--- /dev/null
+++ b/playbooks/roles/bifrost-ironic-install/templates/nginx_conf.d_bifrost-ironic.conf.j2
@@ -0,0 +1,35 @@
+server {
+ listen 6385 ssl http2;
+ server_name {{ ansible_hostname }};
+
+ ssl_certificate {{ tls_certificate_path }};
+ ssl_certificate_key {{ ironic_private_key_path }};
+
+ location / {
+ proxy_pass http://127.0.0.1:6388;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port 6385;
+ }
+}
+
+{% if enable_inspector | bool %}
+server {
+ listen 5050 ssl http2;
+ server_name {{ ansible_hostname }};
+
+ ssl_certificate {{ tls_certificate_path }};
+ ssl_certificate_key {{ ironic_inspector_private_key_path }};
+
+ location / {
+ proxy_pass http://127.0.0.1:15050;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port 5050;
+ }
+}
+{% endif %}
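Review bot: `public_endpoint = {{ api_protocol }}://{{ internal_ip }}:6385` is now the only thing that keeps links returned by the API pointing at the TLS listener rather than the loopback bind on 6388, but the template does not say so; I would add `# Ironic binds to loopback only; advertise the nginx listener instead` above it, and fix the typo in `# TLS is handled by nginx is proxy mode` (`in proxy mode`). The advertised host here is `{{ internal_ip }}` while the nginx `server_name` in this same commit is `{{ ansible_hostname }}`; whichever name is in the certificate's SAN should be used consistently, which I cannot check from the diff. The `[ssl]` section is now emitted only when `expose_json_rpc` is true, so if JSON-RPC is also used internally its bind address had better be loopback in that case; that setting is outside this hunk. The literals 6385 and 6388 are repeated in the nginx template and the SELinux port list, so a shared variable would avoid drift.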
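Review bot: Both `server` blocks configure TLS with only `ssl_certificate`/`ssl_certificate_key`, so the accepted protocol versions and ciphers fall back to the distro nginx defaults, which on older builds still admit TLSv1.0/1.1; for an API that drives bare-metal provisioning I would pin `ssl_protocols TLSv1.2 TLSv1.3;` in each block (or a shared snippet) and let `ssl_ciphers` follow the system crypto policy. `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client already sent, so the backend must not treat that header as an authenticated client address; only `X-Real-IP` is trustworthy here, and a comment saying so would help. `listen 6385 ssl http2;` binds every interface; if the previous eventlet listener was restricted to `{{ internal_ip }}` (not visible in this diff), `listen {{ internal_ip }}:6385 ssl http2;` preserves that exposure. Inspector's `/v1/continue` receives ramdisk inventory posts that may exceed nginx's default 1 MB `client_max_body_size` on hardware-rich nodes; worth verifying before relying on the default.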
diff --git a/releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml b/releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml
new file mode 100644
index 000000000..254ce83b1
--- /dev/null
+++ b/releasenotes/notes/nginx-proxy-a4aa77ff045060be.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ TLS (when enabled) is now handled by Nginx in proxy mode rather than
+ services themselves.