Diffstat (limited to 'meta-ibm/recipes-httpd/nginx')
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/gen-cert.sh | 9 | ||||
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/nginx.conf | 114 | ||||
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/nginx.service | 20 | ||||
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/files/nginx.socket | 8 | ||||
-rw-r--r-- | meta-ibm/recipes-httpd/nginx/nginx_%.bbappend | 33 |
5 files changed, 184 insertions, 0 deletions
diff --git a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
new file mode 100644
index 000000000..480266f3b
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+PEM="/etc/ssl/certs/nginx/cert.pem"
+
+if [ ! -f $PEM ]; then
+ openssl req -x509 -sha256 -newkey rsa:2048 -keyout $PEM -out $PEM \
+ -days 3650 -subj "/O=openbmc-project.xyz/CN=localhost" \
+ -nodes
+fi
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
new file mode 100644
index 000000000..7d65183ec
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
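Review bot: The file written by `-keyout $PEM -out $PEM` contains the private key as well as the certificate, yet the script never restricts its mode, so the key is created with whatever umask the caller runs under inside a directory name that normally holds public certs; add `umask 077` before the openssl call (or `chmod 600 "$PEM"` after it). `$PEM` should also be quoted in the `[ ! -f $PEM ]` test and in both openssl arguments. The `-f` test only checks existence, so an empty or truncated file left by an interrupted run is never regenerated; `[ ! -s "$PEM" ]` covers that case at no cost.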
@@ -0,0 +1,114 @@
+
+user www-data;
+worker_processes 1;
+
+error_log stderr;
+
+pid /run/nginx/nginx.pid;
+
+
+# Nginx requires this section, even if no options
+events {
+}
+
+# Note that a lot of these settings come from the OWASP Secure
+# Configuration guide for nginx
+# https://www.owasp.org/index.php/SCG_WS_nginx
+# and the mozilla security guidelines
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+
+http {
+ include mime.types;
+
+ # For certain locations, only allow one connection per IP
+ limit_conn_zone $binary_remote_addr zone=addr:10m;
+
+ # Default log format
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Comment out to enable access log in /var/log/nginx/
+ access_log off;
+
+ client_body_timeout 30;
+ client_header_timeout 10;
+ keepalive_timeout 5 5;
+ send_timeout 30;
+
+ # Do not return nginx version to clients
+ server_tokens off;
+
+ client_max_body_size 100k;
+ client_body_buffer_size 100K;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 8k;
+
+ # redirect all http traffic to https
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name 127.0.0.1;
+
+ ssl on;
+ ssl_certificate @CERTPATH@/cert.pem;
+ ssl_certificate_key @CERTPATH@/cert.pem;
+ ssl_session_timeout 5m;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ # This location lets us serve the static pre-compressed webui
+ # content (rooted at /usr/share/www). Also if the URI points to
+ # something else (that is unmatched by other locations), we
+ # fallback to the rest server. This approach is based on the
+ # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content.
+ root /usr/share/www;
+ # For clients that support gzip encoding, serve them
+ # pre-compressed gzip content. For clients that don't,
+ # uncompress on the BMC. The module gunzip requires
+ # gzip_static to be set to 'always'; gzip_static is the
+ # module that serves compressed content for clients that
+ # support gzip.
+ gunzip on;
+ gzip_static always;
+ try_files $uri $uri/ @rest_server;
+ }
+ location @rest_server {
+ # Use 127.0.0.1 instead of localhost since nginx will
+ # first use ipv6 address of ::1 which the upstream server
+ # is not listening on. This generates an error msg to
+ # the journal. Nginx then uses the 127.0.0.1 and everything
+ # works fine but want to avoid the error msg to the log.
+ proxy_pass http://127.0.0.1:8081;
+
+ # WebSocket support
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
+ # Marked as 33MB to allow for firmware image updating and dump
+ # downloads
+ client_max_body_size 33M;
+
+ # Only 1 connection at a time here from an IP
+ limit_conn addr 1;
+
+ proxy_pass http://127.0.0.1:8081;
+ }
+ location /redfish {
+ proxy_pass http://127.0.0.1:8082;
+ proxy_http_version 1.1;
+ }
+
+ include /etc/nginx/sites-enabled/443_*.conf;
+ }
+}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.service b/meta-ibm/recipes-httpd/nginx/files/nginx.service
new file mode 100644
index 000000000..3f9dd3de6
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.service
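Review bot: The regex location `~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump)` is unanchored, so the 33M body limit and the single-connection rule apply to any URI that merely contains one of those substrings rather than only to those endpoints; anchoring it as `location ~ ^(/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump)` keeps the larger limit confined to the upload and dump paths. Since every port-80 request is already redirected to https, the 443 server should also tell browsers to stay there, which the cited Mozilla guide does via `add_header Strict-Transport-Security "max-age=31536000" always;`. With `listen 443 ssl;` present, the separate `ssl on;` is redundant and, depending on the nginx version being built, may already be flagged as deprecated in the error log.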
@@ -0,0 +1,20 @@
+[Unit]
+Description=The NGINX HTTP and reverse proxy server
+After=network.target
+
+[Service]
+Type=forking
+SyslogIdentifier=nginx
+ExecStartPre=/usr/bin/env gen-cert.sh
+ExecStartPre=-/usr/bin/env mkdir /var/volatile/nginx/
+ExecStartPre=/usr/bin/env nginx -t -p /var/volatile/nginx
+ExecStart=/usr/bin/env nginx -p /var/volatile/nginx
+ExecReload=/usr/bin/env kill -s HUP $MAINPID
+ExecStop=/usr/bin/env kill -s QUIT $MAINPID
+PrivateTmp=true
+# First time on system takes longer for initial setup so
+# give double normal timeout
+TimeoutStartSec=180
+
+[Install]
+WantedBy={SYSTEMD_DEFAULT_TARGET}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.socket b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
new file mode 100644
index 000000000..24be604da
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
@@ -0,0 +1,8 @@
+[Unit]
+Description=Nginx
+
+[Socket]
+ListenStream=8081
+
+[Install]
+WantedBy=sockets.target
diff --git a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
new file mode 100644
index 000000000..8eb7e402b
--- /dev/null
+++ b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
@@ -0,0 +1,33 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+
+inherit systemd
+inherit obmc-phosphor-systemd
+
+SRC_URI += " \
+ file://nginx.conf \
+ file://nginx.service \
+ file://gen-cert.sh \
+ "
+
+EXTRA_OECONF =+ " --without-select_module --with-http_gunzip_module"
+
+SSLCERTPATH = "/etc/ssl/certs/nginx/"
+
+
+do_install_append() {
+
+ install -m 644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx
+ install -m 0755 ${WORKDIR}/gen-cert.sh ${D}${sbindir}/gen-cert.sh
+
+ install -d ${D}${SSLCERTPATH}
+ chown -R www:www-data ${D}${SSLCERTPATH}
+
+
+ echo SSLCERTPATH
+ echo ${SSLCERTPATH}
+ sed -i 's,@CERTPATH@,${SSLCERTPATH},g' ${D}${sysconfdir}/nginx/nginx.conf
+}
+
+FILES_${PN} += " ${SSLCERTPATH} "
+
+SYSTEMD_SERVICE_${PN} += " nginx.service" |
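Review bot: The `ExecStartPre=/usr/bin/env gen-cert.sh` line runs the key generation with no `User=` or `UMask=` in the unit, so the combined key-and-cert file is created as root under the service manager's default umask unless gen-cert.sh itself tightens permissions; adding `UMask=0077` here is a cheap belt-and-braces for that file. Separately, nginx.conf sets `pid /run/nginx/nginx.pid;` while the only directory the unit creates is /var/volatile/nginx/, so unless /run/nginx is provisioned elsewhere the master will fail to write its pid file; `RuntimeDirectory=nginx` creates and cleans it, and with `Type=forking` a matching `PIDFile=/run/nginx/nginx.pid` lets systemd track the master instead of guessing. I cannot see whether the image already creates /run/nginx, so treat the second point as something to confirm.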
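Review bot: `ListenStream=8081` binds the same loopback port that nginx.conf uses as its `proxy_pass http://127.0.0.1:8081` upstream, so if this unit were ever enabled it would compete with the REST server for that port rather than front nginx, which listens on 80 and 443. The bbappend in this same commit does not list nginx.socket in `SRC_URI` and never installs it, so as committed the file is dead. Either drop it or move it to whichever recipe owns the 8081 upstream, if socket activation of that service is the intent.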
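Review bot: The two `echo SSLCERTPATH` / `echo ${SSLCERTPATH}` lines in `do_install_append` look like debugging leftovers and only add noise to the do_install log; drop them. `chown -R www:www-data ${D}${SSLCERTPATH}` hands the directory that will hold the private key to user `www`, while nginx.conf runs workers as `www-data` and the key is generated at boot by gen-cert.sh (root via ExecStartPre); it is worth stating in a comment which identity actually needs to read that key, and `install -d -m 0750` would make the intended access explicit. The chown also presupposes that the `www` user exists in the rootfs at do_install time, which nothing in this recipe (no `inherit useradd`) establishes, so confirm that another layer provides it or the build will fail.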