Extend install doc to cover nginx and improve nginx config

Makefile

@@ -84,7 +84,10 @@ install-generic:
 		install -m 644 etc/apache2/vhosts.d/$$i "$(DESTDIR)"/etc/apache2/vhosts.d ;\
 	done
 
-	install -D -m 644 etc/nginx/vhosts.d/openqa.conf "$(DESTDIR)"/etc/nginx/vhosts.d/openqa.conf
+	install -d -m 755 "$(DESTDIR)"/etc/nginx/vhosts.d
+	for i in openqa-locations.inc openqa-upstreams.inc openqa.conf.template; do \
+		install -m 644 etc/nginx/vhosts.d/$$i "$(DESTDIR)"/etc/nginx/vhosts.d ;\
+	done
 
 	install -D -m 640 etc/openqa/client.conf "$(DESTDIR)"/etc/openqa/client.conf
 	install -D -m 644 etc/openqa/workers.ini "$(DESTDIR)"/etc/openqa/workers.ini

dist/rpm/openQA.spec

@@ -461,7 +461,7 @@ fi
 
 if [ $1 -eq 1 ]; then
     echo "### copy and edit %{_sysconfdir}/apache2/vhosts.d/openqa.conf.template if using apache!"
-    echo "### see %{_sysconfdir}/nginx/vhosts.d/openqa.conf if using nginx!"
+    echo "### copy and edit %{_sysconfdir}/nginx/vhosts.d/openqa.conf.template if using nginx!"
     echo "### run sudo %{_datadir}/openqa/script/fetchneedles"
 else
     if [ -d "%{_localstatedir}/lib/openqa/share/testresults" ]; then
@@ -553,12 +553,14 @@ fi
 %dir %{_sysconfdir}/apache2
 %dir %{_sysconfdir}/apache2/vhosts.d
 %config %{_sysconfdir}/apache2/vhosts.d/openqa.conf.template
-%config %{_sysconfdir}/apache2/vhosts.d/openqa-common.inc
+%config(noreplace) %{_sysconfdir}/apache2/vhosts.d/openqa-common.inc
 %config %{_sysconfdir}/apache2/vhosts.d/openqa-ssl.conf.template
 # nginx vhost
 %dir %{_sysconfdir}/nginx
 %dir %{_sysconfdir}/nginx/vhosts.d
-%config %{_sysconfdir}/nginx/vhosts.d/openqa.conf
+%config %{_sysconfdir}/nginx/vhosts.d/openqa.conf.template
+%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/openqa-locations.inc
+%config(noreplace) %{_sysconfdir}/nginx/vhosts.d/openqa-upstreams.inc
 # apparmor profile
 %dir %{_sysconfdir}/apparmor.d
 %config %{_sysconfdir}/apparmor.d/usr.share.openqa.script.openqa

docs/Installing.asciidoc

@@ -305,15 +305,17 @@ For a local instance setup you can simply execute the script:
 /usr/share/openqa/script/configure-web-proxy
 ----
 
-This will automatically setup a local apache http proxy. Read on for more
+This will automatically setup a local Apache http proxy. Read on for more
 detailed setup instructions with all the details.
 
+If you wish to run openQA behind an http proxy (Apache, NGINX, …) then see the
+*openqa.conf.template* config file in */etc/apache2/vhosts.d* (openSUSE) or
+`/etc/httpd/conf.d` (Fedora) when using apache2 or the config files in
+`/etc/nginx/vhosts.d` for NGINX.
 
 === Apache proxy
 
-It is required to run openQA behind an http proxy (apache, nginx, etc..). See the
-*openqa.conf.template* config file in */etc/apache2/vhosts.d* (openSUSE) or
-`/etc/httpd/conf.d` (Fedora). To make everything work correctly on openSUSE, you
+To make everything work correctly on openSUSE when using Apache, you
 need to enable the 'headers', 'proxy', 'proxy_http', 'proxy_wstunnel' and 'rewrite'
 modules using the command 'a2enmod'. This is not necessary on Fedora.
 
@@ -328,14 +330,35 @@ a2enmod proxy_wstunnel
 a2enmod rewrite
 --------------------------------------------------------------------------------
 
-For a basic setup, you can copy *openqa.conf.template* to *openqa.conf* and modify the `ServerName` setting if
-required. This will direct all HTTP traffic to openQA.
+For a basic setup, you can copy *openqa.conf.template* to *openqa.conf*
+and modify the `ServerName` setting if required.
+This will direct all HTTP traffic to openQA.
 
 [source,sh]
 --------------------------------------------------------------------------------
 cp /etc/apache2/vhosts.d/openqa.conf.template /etc/apache2/vhosts.d/openqa.conf
 --------------------------------------------------------------------------------
 
+=== NGINX proxy
+
+For a basic setup, you can copy *openqa.conf.template* to *openqa.conf*
+and modify the `server_name` setting if required.
+This will direct all HTTP traffic to openQA.
+
+[source,sh]
+--------------------------------------------------------------------------------
+cp /etc/nginx/vhosts.d/openqa.conf.template /etc/nginx/vhosts.d/openqa.conf
+--------------------------------------------------------------------------------
+
+Note that the default config in *openqa.conf.template* is using the keyword
+`default_server` in the `listen` statement. This will only change the behaviour
+when accessing the server via its IP address. This means that the default vhost
+for `localhost` in *nginx.conf* will take precedence when accessing the server
+via `localhost`. You might want to disable it.
+
+For openQA you need to set `httpsonly = 0` as described in the TLS/SSL section
+below, if you do not setup NGINX for SSL.
+
 === TLS/SSL
 
 By default openQA expects to be run with HTTPS. The `openqa-ssl.conf.template`

etc/nginx/vhosts.d/openqa-locations.inc

@@ -0,0 +1,58 @@
+root /usr/share/openqa/public;
+
+client_max_body_size 0;
+
+# The "client_body_buffer_size" value should usually be larger
+# than the UPLOAD_CHUNK_SIZE used by openQA workers, so there is
+# no excessive buffering to disk
+client_body_buffer_size 2m;
+
+# Default is exact which would need an exact match of Last-Modified
+if_modified_since before;
+
+## Optional faster assets downloads for large deployments
+#location /assets {
+#    alias /var/lib/openqa/share/factory;
+#    tcp_nopush         on;
+#    sendfile           on;
+#    sendfile_max_chunk 1m;
+#}
+#
+## Optional faster image downloads for large deployments
+#location /image {
+#    alias /var/lib/openqa/images;
+#    tcp_nopush         on;
+#    sendfile           on;
+#    sendfile_max_chunk 1m;
+#}
+
+location /api/v1/ws/ {
+    proxy_pass http://websocket;
+    proxy_http_version 1.1;
+    proxy_read_timeout 3600;
+    proxy_send_timeout 3600;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+}
+
+location /liveviewhandler/ {
+    proxy_pass http://livehandler;
+    proxy_http_version 1.1;
+    proxy_read_timeout 3600;
+    proxy_send_timeout 3600;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $host;
+}
+
+location / {
+    proxy_pass "http://webui";
+    tcp_nodelay        on;
+    proxy_read_timeout 900;
+    proxy_send_timeout 900;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Host $host:$server_port;
+    proxy_set_header X-Forwarded-Server $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+}

etc/nginx/vhosts.d/openqa-upstreams.inc

@@ -0,0 +1,14 @@
+# The "max_conns" value should be identical to the maximum number of
+# connections the webui is configured to handle concurrently
+upstream webui {
+    zone upstream_webui 64k;
+    server [::1]:9526 max_conns=30;
+}
+
+upstream websocket {
+    server [::1]:9527;
+}
+
+upstream livehandler {
+    server [::1]:9528;
+}

etc/nginx/vhosts.d/openqa.conf.template

@@ -0,0 +1,9 @@
+include vhosts.d/openqa-upstreams.inc;
+
+server {
+    listen       80 default_server;
+    listen       [::1]:80 default_server;
+    server_name  openqa.example.com;
+
+    include vhosts.d/openqa-locations.inc;
+}

script/configure-web-proxy

@@ -3,24 +3,39 @@
 usage() {
     cat << EOF
 Usage: configure-web-proxy
-Configure a local web proxy using apache for openQA.
+Configure a local web proxy for openQA.
 
 Options:
  -h, --help         display this help
+ -p, --proxy=PROXY  web proxy to configure (default: apache)
+                    choose from: nginx, apache
 EOF
     exit "$1"
 }
 
-opts=$(getopt -o h --long help -n "$0" -- "$@") || usage 1
+opts=$(getopt -o hp: -l help -l proxy: -n "$0" -- "$@") || usage 1
 eval set -- "$opts"
+web_proxy="apache"
 while true; do
   case "$1" in
-    -h | --help ) usage 0; shift ;;
+    -h | --help  ) usage 0; shift ;;
+    -p | --proxy ) web_proxy=${2#*=}; shift ;;
     -- ) shift; break ;;
     * ) break ;;
   esac
 done
 
-for i in headers proxy proxy_http proxy_wstunnel rewrite ; do a2enmod $i ; done
 sed -i -e 's/^.*httpsonly.*$/httpsonly = 0/g' /etc/openqa/openqa.ini
-sed "s/#ServerName.*$/ServerName $(hostname)/" /etc/apache2/vhosts.d/openqa.conf.template > /etc/apache2/vhosts.d/openqa.conf
+
+if [ "$web_proxy" = "nginx" ] ; then
+	echo "Setting up nginx"
+	sed "s/openqa.example.com/$(hostname)/" /etc/nginx/vhosts.d/openqa.conf.template > /etc/nginx/vhosts.d/openqa.conf
+	sed -i -e "s/\(^[^#]*server_name  localhost;\)/#\1/" /etc/nginx/nginx.conf
+elif [ "$web_proxy" = "apache" ] || [ "$web_proxy" = "apache2" ] ; then
+	echo "Setting up apache"
+	for i in headers proxy proxy_http proxy_wstunnel rewrite ; do a2enmod $i ; done
+	sed "s/#ServerName.*$/ServerName $(hostname)/" /etc/apache2/vhosts.d/openqa.conf.template > /etc/apache2/vhosts.d/openqa.conf
+else
+	echo "No supported proxy: $web_proxy"
+	exit 1
+fi

script/openqa-bootstrap

@@ -8,6 +8,7 @@ dbuser="${dbuser:="geekotest"}"
 running_systemd=
 skip_suse_specifics="${skip_suse_specifics:=""}"
 skip_suse_tests="${skip_suse_tests:=""}"
+setup_web_proxy="${setup_web_proxy:=""}"
 
 if [ "$(ps --no-headers -o comm 1)" = 'systemd' ]; then
     running_systemd=1
@@ -48,8 +49,9 @@ fi
 su postgres -c "/usr/share/openqa/script/setup-db" $dbuser $dbname
 
 # setup webserver and fake-auth
+[[ -n "$setup_web_proxy" ]] && proxy_args="--proxy=$setup_web_proxy"
 setup=/usr/share/openqa/script/configure-web-proxy
-(command -v $setup && sh -ex $setup) || (curl -s https://raw.githubusercontent.com/os-autoinst/openQA/master/script/configure-web-proxy | bash -ex)
+(command -v $setup && sh -ex $setup "$proxy_args") || (curl -s https://raw.githubusercontent.com/os-autoinst/openQA/master/script/configure-web-proxy | bash -ex -s "$proxy_args")
 sed -i -e 's/#*.*method.*=.*$/method = Fake/' /etc/openqa/openqa.ini
 
 
@@ -101,14 +103,22 @@ grep -q "$(hostname)" /etc/hosts || echo "127.0.0.1 $(hostname)" >> /etc/hosts
 
 # start daemons
 if [ -z "$running_systemd" ]; then
-  pgrep -f openqa-scheduler-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-scheduler-daemon &
-  pgrep -f openqa-websockets-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-websockets-daemon &
-  pgrep -f openqa-gru >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-gru &
-  pgrep -f openqa-livehandler-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-livehandler-daemon &
-  /usr/sbin/start_apache2 -k start
-  pgrep -f openqa-webui-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-webui-daemon &
+    pgrep -f openqa-scheduler-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-scheduler-daemon &
+    pgrep -f openqa-websockets-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-websockets-daemon &
+    pgrep -f openqa-gru >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-gru &
+    pgrep -f openqa-livehandler-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-livehandler-daemon &
+    if [[ $setup_web_proxy == "nginx" ]] ; then
+        nginx
+    else
+        /usr/sbin/start_apache2 -k start
+    fi
+    pgrep -f openqa-webui-daemon >/dev/null || su geekotest -c /usr/share/openqa/script/openqa-webui-daemon &
 else
-    systemctl enable --now apache2
+    if [[ $setup_web_proxy == "nginx" ]] ; then
+        systemctl enable --now nginx
+    else
+        systemctl enable --now apache2
+    fi
     systemctl enable --now openqa-webui
     systemctl enable --now openqa-scheduler
 fi