Commit Graph

7 Commits

Author SHA1 Message Date
Jenkins
c043818cad Merge "Document httpd for accept on /identity, /identity_admin" 2015-10-08 05:09:18 +00:00
Brant Knudson
f5e256b422 Add LimitRequestBody to sample httpd config
Web servers that are exposed to the Internet eventually gain a
security feature of limiting the amount of data in the request
body. In Apache Httpd, this is provided by the LimitRequestBody
directive. This is added to the sample Httpd config file.

The limit is set for only the keystone services so it won't
affect other services running in Httpd.

The value of 114688 was picked because it's the current limit
on request body that oslo.middleware's sizelimit function puts
on requests to keystone.

Use of oslo.middleware's sizelimit re-implementation can be
deprecated.

Docs:
- http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody

ReleaseNotesImpact

Closes-Bug: 1481048
Change-Id: I5509e4b65900c15dd0b5fda43b1d5bb4dc3ff5ff
2015-09-30 17:19:26 -05:00
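
An added example, not part of the commit or of keystone's own code: a Python check that every VirtualHost serving keystone sets LimitRequestBody at or below the 114688 bytes named in the commit message above. The sample config, its ports and paths, and the `audit` helper are constructed for illustration; nested sections such as `<Location>` are not tracked separately.

```python
import re

# Limit named in the commit message (bytes).
KEYSTONE_LIMIT = 114688

# Constructed sample config for this example, not the project's sample file.
SAMPLE_CONF = """\
<VirtualHost *:5000>
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
    LimitRequestBody 114688
</VirtualHost>

<VirtualHost *:35357>
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
    # LimitRequestBody 114688
</VirtualHost>

<VirtualHost *:8080>
    WSGIScriptAlias / /usr/local/bin/other-service
    LimitRequestBody 0
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Anchored at line start so commented-out directives do not count.
LIMIT_RE = re.compile(r"^\s*LimitRequestBody\s+(\d+)\s*$", re.M | re.I)


def audit(conf_text, max_bytes=KEYSTONE_LIMIT):
    """Return {vhost_address: finding} for VirtualHost blocks serving keystone."""
    findings = {}
    for addr, body in VHOST_RE.findall(conf_text):
        if "keystone-wsgi-" not in body:
            continue  # other services are out of scope, as in the commit
        limits = [int(v) for v in LIMIT_RE.findall(body)]
        if not limits:
            findings[addr] = "missing"
        elif limits[-1] == 0:
            findings[addr] = "unlimited"  # 0 disables the limit in httpd
        elif limits[-1] > max_bytes:
            findings[addr] = "too large"
        else:
            findings[addr] = "ok"
    return findings


if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF).items():
        print(addr, finding)
```
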
Brant Knudson
4a034326ff Document httpd for accept on /identity, /identity_admin
Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone.

Closes-Bug: 1496041
Change-Id: Ie7b829eff16c0e839f8dd1e4ecef7fdc06c3f561
2015-09-15 11:00:32 -05:00
Brant Knudson
3624c2f5ad Use wsgi_scripts to create admin and public httpd files
The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".

pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.

See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the apache docs with examples for the Allow/Deny/Require
directives.

DocImpact

Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace
2015-08-18 09:33:23 -05:00
Alan Pevec
0058b6e64f Run WSGI with group=keystone
This matches puppet-keystone[*] and is required for distributions
which properly restricted access to /etc/keystone.

[*] https://github.com/stackforge/puppet-keystone/blob/master/manifests/wsgi/apache.pp#L167

Closes-Bug: #1456441

Change-Id: I7a80bdf1c1efaedfeba7d2834a858e3617f6529e
2015-06-03 19:29:08 +00:00
Brant Knudson
8aaaa64b17 Update sample httpd config file
The sample httpd config file was not using best practices for
apache configuration. The file is now a copy of the file that
devstack uses for keystone apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.

Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.

Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e
2015-03-18 19:33:42 +00:00
Alan Pevec
64738924b8 separate paste-deploy configuration from parameters
PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move the paste-deploy ini file out of the
configuration directory to a place where it can be safely overwritten
on updates, e.g. under /usr/share/.

DocImpact

Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2
2013-05-26 17:36:08 +02:00