test/salt/pillar/examples/nginx_webshell_configuration.sls

   1 ---
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: Apache-2.0
   5
   6 # This parameter will be used here to generate a list of upstreams and vhosts.
   7 # This dict is here for convenience and should be managed some other way, but the
   8 # different ways of orchestration that can be used for this are outside the scope
   9 # of this formula and their examples.
  10 # These upstreams should match those defined in `arvados:cluster:resources:virtual_machines`
  11 {% set webshell_virtual_machines = {
  12   'shell1': {
  13     'name': 'webshell1',
  14     'backend': '1.2.3.4',
  15     'port': 4200,
  16   },
  17   'shell.internal': {},
  18   'webshell3': {
  19     'backend': '4.3.2.1',
  20     'port': 4500,
  21   }
  22 }
  23 %}
  24
  25 ### NGINX
  26 nginx:
  27   ### SERVER
  28   server:
  29     config:
  30       ### STREAMS
  31       http:
  32         {%- for vm, params in webshell_virtual_machines.items() %}
  33           {%- set vm_name = params.name | default(vm) %}
  34           {%- set vm_backend = params.backend | default(vm_name) %}
  35           {%- set vm_port = params.port | default(4200) %}
  36
  37         upstream {{ vm_name }}_upstream:
  38           - server: '{{ vm_backend }}:{{ vm_port }} fail_timeout=10s'
  39
  40         {%- endfor %}
  41
  42   ### SITES
  43   servers:
  44     managed:
  45       arvados_webshell_default.conf:
  46         enabled: true
  47         overwrite: true
  48         config:
  49           - server:
  50             - server_name: webshell.fixme.example.net
  51             - listen:
  52               - 80
  53             - location /.well-known:
  54               - root: /var/www
  55             - location /:
  56               - return: '301 https://$host$request_uri'
  57
  58       arvados_webshell_ssl.conf:
  59         enabled: true
  60         overwrite: true
  61         requires:
  62           file: nginx_snippet_arvados-snakeoil.conf
  63         config:
  64           - server:
  65             - server_name: webshell.fixme.example.net
  66             - listen:
  67               - 443 http2 ssl
  68             - index: index.html index.htm
  69             {%- for vm, params in webshell_virtual_machines.items() %}
  70               {%- set vm_name = params.name | default(vm) %}
  71             - location /{{ vm_name }}:
  72               - proxy_pass: 'http://{{ vm_name }}_upstream'
  73               - proxy_read_timeout: 90
  74               - proxy_connect_timeout: 90
  75               - proxy_set_header: 'Host $http_host'
  76               - proxy_set_header: 'X-Real-IP $remote_addr'
  77               - proxy_set_header: X-Forwarded-Proto https
  78               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
  79               - proxy_ssl_session_reuse: 'off'
  80
  81               - "if ($request_method = 'OPTIONS')":
  82                 - add_header: "'Access-Control-Allow-Origin' '*'"
  83                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  84                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  85                 - add_header: "'Access-Control-Max-Age' 1728000"
  86                 - add_header: "'Content-Type' 'text/plain charset=UTF-8'"
  87                 - add_header: "'Content-Length' 0"
  88                 - return: 204
  89
  90               - "if ($request_method = 'POST')":
  91                 - add_header: "'Access-Control-Allow-Origin' '*'"
  92                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  93                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  94
  95               - "if ($request_method = 'GET')":
  96                 - add_header: "'Access-Control-Allow-Origin' '*'"
  97                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  98                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  99             {%- endfor %}
 100             - include: 'snippets/ssl_hardening_default.conf'
 101             - include: 'snippets/arvados-snakeoil.conf'
 102             - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
 103             - error_log: /var/log/nginx/webshell.fixme.example.net.error.log
 104