Nginx on OpenBMC has a number of issues that matter to openbmc.
1. It increases the binary size. This is an issue given that OpenBMC
targets a relatively minimal flash footprint.
2. It increases the runtime overhead. Running nginx as a reverse proxy
to the application servers causes a runtime overhead, and context switch
for every single page load, as well as an extra socket.
3. nginx doesn't implement any kind of authentication, so auth needs to
be implemented in every application server. This removes a lot of the
advantages of the reverse proxy, and duplicates a lot of code amongst
multiple application servers.
4. A number of nginx parameters run from the nginx config file. Some of
these parameters (like cipher suite support) are desired to be changed
at runtime, rather than fixed at compile time.
Related to the commit here that moves the system to bmcweb:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/12933/
(From meta-ibm rev: b6639a209f0089864bef4fc86dcad97880bce682)
Change-Id: I21848eb3a8dfa85968c6c96d6a78f5145402db1d
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
(cherry picked from commit 699e296eb0dbd421bcb2fff4be9d446f47ae7195)
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
The IBM layer bbappend for nginx brings in the shell and openssl. Add
missing runtime dependencies.
(From meta-ibm rev: f6d19e0c30ec918d7c0288a6270ce7e3679e4dec)
Change-Id: I01d1727ccbe91fad68407b0c18f3e10282a4d847
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
This changes the nginx configuration so the HTTP response headers
for the phosphor-webui web application will allow wss (secure
WebSocket) connections back to the host. This is needed for the
Serial Over LAN (SOL) function.
A recent fix used Content-Security-Policy default-src 'self'
which unfortunately does not allow wss connections. For
details see https://github.com/openbmc/openbmc/issues/3409
Tested: The web app SOL function works
Resolves: openbmc/openbmc#3409
(From meta-ibm rev: ba115c67c50b8e9691bbdbc4132dfef563c327c0)
Change-Id: Ic46693c1c17ce83f422bc388ef1338894eeadb4d
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
The nginx service would generate a self-signed certificate upon restart (if
there's not already an existing certificate), but not upon reload.
Enable this for reload as well: the phosphor certificate management app
requires services that want to generate self-signed certificates to do
it upon reload (if reload is supported).
(From meta-ibm rev: bbcf9e563c1a1215434c89fc1cc626a7b3d7fdb6)
Change-Id: Ib3625f256fbae1721e4a9f8ac318287a2b6c03fd
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Nginx now adds security-related headers to HTTP responses per
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
and consistent with openbmc/bmcweb (see header file
include/security_headers_middleware.hpp).
Tested:
curl -D headers http://${bmc}
redirects to https
No security headers apply, and none are sent
curl https://${bmc}
contains security headers and works properly
curl https://${bmc}/xyz/openbmc_project/software
contains Strict-Transport-Security header, and works
curl ... -X POST -T ${image} https://${bmc}/upload/image
works
firefox http redirects to https
firefox https://${bmc}/ logs in and works
Resolves openbmc/openbmc#3195
(From meta-ibm rev: 8202b2639cba28a71640db48e38f6b7f1d3eaed0)
Change-Id: Ie20169abbca02471fa5dc89bebba8a6cdf722cd6
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
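The two nginx-header commits above (the security headers one just above, and the earlier Content-Security-Policy change that re-admits wss connections for SOL) describe the intended response headers without showing the configuration. The following server block is an added example written for this page; it is not the meta-ibm layer's nginx.conf and not the authors' code. Certificate paths, the listening ports and the exact header values are assumptions; the set of headers follows the OWASP Secure Headers Project the commit cites.

```nginx
# Added example (not the meta-ibm layer's configuration). Paths, ports and
# header values are assumptions chosen to illustrate the two commits above.

# Plain HTTP: the tested behaviour is a redirect to https with no security
# headers, which a bare return achieves without any add_header lines.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/ssl/certs/https/server.pem;   # assumed path
    ssl_certificate_key /etc/ssl/private/https/server.pem; # assumed path

    # "always" makes nginx emit the header on 4xx/5xx responses as well;
    # without it add_header only applies to 2xx and 3xx status codes, so an
    # error page would go out unprotected.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Cache-Control "no-store" always;

    # default-src 'self' on its own is what broke the SOL console: older
    # browsers do not treat a wss: origin as 'self'. Listing the scheme under
    # connect-src admits the secure WebSocket while everything else stays
    # restricted to the BMC's own origin.
    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' wss:" always;

    location / {
        root /usr/share/www;   # assumed phosphor-webui install location
    }
}
```

Two caveats a practitioner checking this should keep in mind. First, `add_header` is not inherited into a `location` block that declares its own `add_header`; a location that adds even one header silently drops all of the server-level ones, so the `curl -D headers https://${bmc}/...` checks in the commit's test list are worth repeating per path. Second, newer browsers implementing CSP Level 3 already match wss to 'self' on the same host, so the `connect-src` entry is there for the older clients the commit was addressing; it does not loosen anything for the newer ones.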
When we use the webui/rest from the remote host, we connect to nginx
and the system log at the BMC always contains `127.0.0.1` as the remote
address in the corresponding records.
This commit resolves it.
Tested:
- Login to the WebUI
- `journalctl` should contain record like:
```
Sep 12 11:11:33 phosphor-gevent[1374]: YOR-IP-ADDRESS user:root
POST http://127.0.0.1:8081/login json:None 200 OK
```
(From meta-ibm rev: 77722e5c97faf43c6f41b52bfcadc140273eab5c)
Change-Id: Ib9a5bdaec5c5f07eceb0ba2b0ee4d572a85e889d
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
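The commit above describes the symptom (every request logged as coming from `127.0.0.1`) but not the proxy configuration that fixes it. As an added example, not the commit's own change, the location block below forwards the real client address to the application server on port 8081 (the port visible in the log line above); the upstream name and the header choice are assumptions.

```nginx
# Added example (not the meta-ibm layer's configuration). The upstream
# address is assumed from the port in the journal line quoted above.
location / {
    proxy_pass http://127.0.0.1:8081;

    proxy_set_header Host $host;
    # X-Real-IP is overwritten with the address nginx saw on the socket, so
    # the application can log it without trusting anything the client sent.
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For
    # the client supplied; it does not replace it, so the application must
    # read the last (rightmost) entry, the one nginx added.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

On the application side the address in these headers is only trustworthy because the server is bound to loopback and reachable exclusively through this proxy; an application server that is also reachable directly would let a client write its own `X-Forwarded-For` into the audit log, which is the log-spoofing case to check when reviewing the corresponding phosphor-gevent change.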
The new subtree model brings the subtrees up from the openbmc-machines
layer.
Change-Id: I58a03ae1be374bc79ae1438e65e888375d12d0c0
Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>