From 3a81465255b76f2e917a8640ee401b39eda99a00 Mon Sep 17 00:00:00 2001 From: Ed Tanous Date: Fri, 28 Sep 2018 14:15:49 -0700 Subject: meta-ibm: remove nginx from IBM platforms. Nginx on OpenBMC has a number of issues that matter to openbmc. 1. It increases the binary size. This is an issue given that OpenBMC targets a relatively minimal flash footprint. 2. It increases the runtime overhead. Running nginx as a reverse proxy to the application servers causes a runtime overhead, and context switch for every single page load, as well as an extra socket. 3. nginx doesn't implement any kind of authentication, so auth needs to be implemented in every application server. This removes a lot of the advantages of the reverse proxy, and duplicates a lot of code amongst multiple application servers 4. A number of nginx parameters run from the nginx config file. Some of these parameters (like cipher suite support) are desired to be changed at runtime, rather than fixed at compile time. Related to commit here to move system to bmcweb: https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/12933/ (From meta-ibm rev: b6639a209f0089864bef4fc86dcad97880bce682) Change-Id: I21848eb3a8dfa85968c6c96d6a78f5145402db1d Signed-off-by: Ed Tanous (cherry picked from commit 699e296eb0dbd421bcb2fff4be9d446f47ae7195) 
Signed-off-by: Brad Bishop
---
meta-ibm/recipes-httpd/nginx/files/gen-cert.sh | 9 --
meta-ibm/recipes-httpd/nginx/files/nginx.conf | 128 ---------------------
meta-ibm/recipes-httpd/nginx/files/nginx.service | 20 ----
meta-ibm/recipes-httpd/nginx/files/nginx.socket | 8 --
meta-ibm/recipes-httpd/nginx/nginx_%.bbappend | 38 ------
.../packagegroups/packagegroup-obmc-apps.bbappend | 3 +-
.../phosphor-gevent/phosphor-gevent.service | 11 --
.../phosphor-gevent/phosphor-gevent.socket | 8 --
8 files changed, 2 insertions(+), 223 deletions(-)
delete mode 100644 meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
delete mode 100644 meta-ibm/recipes-httpd/nginx/files/nginx.conf
delete mode 100644 meta-ibm/recipes-httpd/nginx/files/nginx.service
delete mode 100644 meta-ibm/recipes-httpd/nginx/files/nginx.socket
delete mode 100644 meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
delete mode 100644 meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service
delete mode 100644 meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket
(limited to 'meta-ibm')
diff --git a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh b/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
deleted file mode 100644
index 480266f3b2..0000000000
--- a/meta-ibm/recipes-httpd/nginx/files/gen-cert.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-PEM="/etc/ssl/certs/nginx/cert.pem"
-
-if [ ! -f $PEM ]; then
- openssl req -x509 -sha256 -newkey rsa:2048 -keyout $PEM -out $PEM \
- -days 3650 -subj "/O=openbmc-project.xyz/CN=localhost" \
- -nodes
-fi
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.conf b/meta-ibm/recipes-httpd/nginx/files/nginx.conf
deleted file mode 100644
index befe98626d..0000000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.conf
+++ /dev/null
@@ -1,128 +0,0 @@ - -user www-data; -worker_processes 1; - -error_log stderr; - -pid /run/nginx/nginx.pid; - - -# Nginx requires this section, even if no options -events { -} - -# Note that a lot of these settings come from the OWASP Secure -# Configuration guide for nginx -# https://www.owasp.org/index.php/SCG_WS_nginx -# and the OWASP Secure Headers project -# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project -# and the mozilla security guidelines -# https://wiki.mozilla.org/Security/Server_Side_TLS - -http { - include mime.types; - - # For certain locations, only allow one connection per IP - limit_conn_zone $binary_remote_addr zone=addr:10m; - - # Default log format - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - # Comment out to enable access log in /var/log/nginx/ - access_log off; - - client_body_timeout 30; - client_header_timeout 10; - keepalive_timeout 5 5; - send_timeout 30; - - # Do not return nginx version to clients - server_tokens off; - - client_max_body_size 100k; - client_body_buffer_size 100K; - client_header_buffer_size 1k; - large_client_header_buffers 4 8k; - - # redirect all http traffic to https - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl; - server_name 127.0.0.1; - - ssl on; - ssl_certificate @CERTPATH@/cert.pem; - ssl_certificate_key @CERTPATH@/cert.pem; - ssl_session_timeout 5m; - ssl_protocols TLSv1.2; - ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; - ssl_prefer_server_ciphers on; - - add_header Strict-Transport-Security "max-age=31536000; 
includeSubDomains; preload"; - - location / { - # This location lets us serve the static pre-compressed webui - # content (rooted at /usr/share/www). Also if the URI points to - # something else (that is unmatched by other locations), we - # fallback to the rest server. This approach is based on the - # guide at https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content. - root /usr/share/www; - # For clients that support gzip encoding, serve them - # pre-compressed gzip content. For clients that don't, - # uncompress on the BMC. The module gunzip requires - # gzip_static to be set to 'always'; gzip_static is the - # module that serves compressed content for clients that - # support gzip. - gunzip on; - gzip_static always; - try_files $uri $uri/ @rest_server; - - add_header X-Frame-Options deny; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Content-Type-Options nosniff; - add_header Content-Security-Policy "frame-ancestors 'none'; default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'"; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; - add_header Cache-Control "no-store,no-cache"; - add_header Pragma "no-cache"; - add_header Expires 0; - } - location @rest_server { - # Use 127.0.0.1 instead of localhost since nginx will - # first use ipv6 address of ::1 which the upstream server - # is not listening on. This generates an error msg to - # the journal. Nginx then uses the 127.0.0.1 and everything - # works fine but want to avoid the error msg to the log. 
- proxy_pass http://127.0.0.1:8081;
-
- # WebSocket support
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header X-Forwarded-For $remote_addr;
- }
- location ~ (/org/openbmc/control/flash/bmc/action/update|/upload/image|/download/dump) {
- # Marked as 33MB to allow for firmware image updating and dump
- # downloads
- client_max_body_size 33M;
-
- # Only 1 connection at a time here from an IP
- limit_conn addr 1;
-
- proxy_pass http://127.0.0.1:8081;
- }
- location /redfish {
- proxy_pass http://127.0.0.1:8082;
- proxy_http_version 1.1;
- }
-
- include /etc/nginx/sites-enabled/443_*.conf;
- }
-}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.service b/meta-ibm/recipes-httpd/nginx/files/nginx.service
deleted file mode 100644
index a502026a46..0000000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=The NGINX HTTP and reverse proxy server
-After=network.target
-
-[Service]
-Type=forking
-SyslogIdentifier=nginx
-ExecStartPre=/usr/bin/env gen-cert.sh
-ExecStartPre=-/usr/bin/env mkdir /var/volatile/nginx/
-ExecStartPre=/usr/bin/env nginx -t -p /var/volatile/nginx
-ExecStart=/usr/bin/env nginx -p /var/volatile/nginx
-ExecReload=/usr/bin/env gen-cert.sh ; /usr/bin/env kill -s HUP $MAINPID
-ExecStop=/usr/bin/env kill -s QUIT $MAINPID
-PrivateTmp=true
-# First time on system takes longer for initial setup so
-# give double normal timeout
-TimeoutStartSec=180
-
-[Install]
-WantedBy={SYSTEMD_DEFAULT_TARGET}
diff --git a/meta-ibm/recipes-httpd/nginx/files/nginx.socket b/meta-ibm/recipes-httpd/nginx/files/nginx.socket
deleted file mode 100644
index 24be604dac..0000000000
--- a/meta-ibm/recipes-httpd/nginx/files/nginx.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Nginx
-
-[Socket]
-ListenStream=8081
-
-[Install]
-WantedBy=sockets.target
diff --git a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend b/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
deleted file mode 100644
index ee5ffd5da8..0000000000
--- a/meta-ibm/recipes-httpd/nginx/nginx_%.bbappend
+++ /dev/null
@@ -1,38 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
-
-inherit systemd
-inherit obmc-phosphor-systemd
-
-SRC_URI += " \
- file://nginx.conf \
- file://nginx.service \
- file://gen-cert.sh \
- "
-
-RDEPENDS_${PN} += " \
- openssl-bin \
- ${VIRTUAL-RUNTIME_base-utils} \
- "
-
-EXTRA_OECONF =+ " --without-select_module --with-http_gunzip_module"
-
-SSLCERTPATH = "/etc/ssl/certs/nginx/"
-
-
-do_install_append() {
-
- install -m 644 ${WORKDIR}/nginx.conf ${D}${sysconfdir}/nginx
- install -m 0755 ${WORKDIR}/gen-cert.sh ${D}${sbindir}/gen-cert.sh
-
- install -d ${D}${SSLCERTPATH}
- chown -R www:www-data ${D}${SSLCERTPATH}
-
-
- echo SSLCERTPATH
- echo ${SSLCERTPATH}
- sed -i 's,@CERTPATH@,${SSLCERTPATH},g' ${D}${sysconfdir}/nginx/nginx.conf
-}
-
-FILES_${PN} += " ${SSLCERTPATH} "
-
-SYSTEMD_SERVICE_${PN} += " nginx.service"
diff --git a/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend b/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
index 0b0a9c9f2b..27c647a077 100644
--- a/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
+++ b/meta-ibm/recipes-phosphor/packagegroups/packagegroup-obmc-apps.bbappend
@@ -1,2 +1,3 @@
 RDEPENDS_${PN}-logging += "ibm-logging"
-RDEPENDS_${PN}-extras += "nginx bmcweb"
+RDEPENDS_${PN}-extras += " bmcweb"
+RDEPENDS_${PN}-remove += " phosphor-rest phosphor-gevent"
diff --git a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service b/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service
deleted file mode 100644
index 6b4e77ffe5..0000000000
--- a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.service
+++ /dev/null
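Review bot: Nothing in the packagegroup-obmc-apps.bbappend hunk or the commit message records which of the hardening controls that lived only in the deleted nginx.conf are now enforced by bmcweb, which the `RDEPENDS_${PN}-extras` line makes the directly exposed HTTPS listener: TLSv1.2-only with a pinned cipher list, the HSTS / X-Frame-Options / X-Content-Type-Options / Content-Security-Policy response headers, `server_tokens off`, the 100k default and 33M upload `client_max_body_size` caps, and `limit_conn addr 1` on the flash-update and dump paths. The message only says cipher selection is wanted at runtime; a comment above the `-extras` line such as `# TLS policy, security headers and request-size limits are bmcweb's responsibility now that nginx.conf is gone` (or the same sentence in the description) would let a platform reviewer check for regressions. The deleted gen-cert.sh was also the only thing generating the self-signed certificate on first boot, so this presumably relies on bmcweb provisioning its own key pair — worth confirming. Separately, `RDEPENDS_${PN}-remove` is spelled with a hyphen, so it declares runtime dependencies of a `${PN}-remove` package rather than applying the bitbake `_remove` override; if that package is defined in the base packagegroup a one-line comment saying so would help, and if the override was intended the spelling needs fixing.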
@@ -1,11 +0,0 @@
-[Unit]
-Description=Phosphor REST Server
-After=network.target
-After=obmc-webserver-pre.target
-
-[Service]
-Restart=always
-ExecStart=/usr/bin/env phosphor-gevent $APPLICATION --no-ssl
-SyslogIdentifier=phosphor-gevent
-Environment="PYTHONUNBUFFERED=1"
-EnvironmentFile={envfiledir}/obmc/wsgi_app
diff --git a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket b/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket
deleted file mode 100644
index f7fde31beb..0000000000
--- a/meta-ibm/recipes-phosphor/phosphor-gevent/phosphor-gevent/phosphor-gevent.socket
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Phosphor Webserver socket
-
-[Socket]
-ListenStream=127.0.0.1:8081
-
-[Install]
-WantedBy=sockets.target
--
cgit v1.2.3