Add copyright headers to comply with Arvados
[arvados-formula.git] / test / salt / pillar / examples / nginx_webshell_configuration.sls
1 ---
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: Apache-2.0
5
6 # This parameter will be used here to generate a list of upstreams and vhosts.
7 # This dict is here for convenience and should be managed some other way, but the
8 # different ways of orchestration that can be used for this are outside the scope
9 # of this formula and their examples.
10 # These upstreams should match those defined in `arvados:cluster:resources:virtual_machines`
11 {% set webshell_virtual_machines = {
12   'shell1': {
13     'name': 'webshell1',
14     'backend': '1.2.3.4',
15     'port': 4200,
16   },
17   'shell.internal': {},
18   'webshell3': {
19     'backend': '4.3.2.1',
20     'port': 4500,
21   }
22 }
23 %}
24
25 ### NGINX
26 nginx:
27   ### SERVER
28   server:
29     config:
30       ### STREAMS
31       http:
32         {%- for vm, params in webshell_virtual_machines.items() %}
33           {%- set vm_name = params.name | default(vm) %}
34           {%- set vm_backend = params.backend | default(vm_name) %}
35           {%- set vm_port = params.port | default(4200) %}
36
37         upstream {{ vm_name }}_upstream:
38           - server: '{{ vm_backend }}:{{ vm_port }} fail_timeout=10s'
39
40         {%- endfor %}
41
42   ### SITES
43   servers:
44     managed:
45       arvados_webshell_default.conf:
46         enabled: true
47         overwrite: true
48         config:
49           - server:
50             - server_name: webshell.fixme.example.net
51             - listen:
52               - 80
53             - location /.well-known:
54               - root: /var/www
55             - location /:
56               - return: '301 https://$host$request_uri'
57
58       arvados_webshell_ssl.conf:
59         enabled: true
60         overwrite: true
61         config:
62           - server:
63             - server_name: webshell.fixme.example.net
64             - listen:
65               - 443 http2 ssl
66             - index: index.html index.htm
67             {%- for vm, params in webshell_virtual_machines.items() %}
68               {%- set vm_name = params.name | default(vm) %}
69             - location /{{ vm_name }}:
70               - proxy_pass: 'http://{{ vm_name }}_upstream'
71               - proxy_read_timeout: 90
72               - proxy_connect_timeout: 90
73               - proxy_set_header: 'Host $http_host'
74               - proxy_set_header: 'X-Real-IP $remote_addr'
75               - proxy_set_header: X-Forwarded-Proto https
76               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
77               - proxy_ssl_session_reuse: 'off'
78
79               - "if ($request_method = 'OPTIONS')":
80                 - add_header: "'Access-Control-Allow-Origin' '*'"
81                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
82                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
83                 - add_header: "'Access-Control-Max-Age' 1728000"
84                 - add_header: "'Content-Type' 'text/plain charset=UTF-8'"
85                 - add_header: "'Content-Length' 0"
86                 - return: 204
87
88               - "if ($request_method = 'POST')":
89                 - add_header: "'Access-Control-Allow-Origin' '*'"
90                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
91                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
92
93               - "if ($request_method = 'GET')":
94                 - add_header: "'Access-Control-Allow-Origin' '*'"
95                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
96                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
97             {%- endfor %}
98             - include: 'snippets/ssl_hardening_default.conf'
99             # - include: 'snippets/letsencrypt.conf'
100             - include: 'snippets/ssl_snakeoil.conf'
101             - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
102             - error_log: /var/log/nginx/webshell.fixme.example.net.error.log
103