Merge branch '13647-keepstore-config'
[arvados.git] / tools / arvbox / lib / arvbox / docker / service / nginx / run
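#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

# Service run script: checks the server certificate against the root
# certificate, writes /var/lib/arvados/nginx.conf, then replaces this shell
# with nginx in the foreground ("daemon off").
#
# Inputs (not defined in this file; expected from common.sh or the
# environment): root_cert, server_cert, server_cert_key, localip, and the
# services[] port table.

# Send stderr to stdout so everything lands in one log stream.
exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

# Fail early with a clear message rather than emitting a config that nginx
# rejects later (an empty value here produces e.g. "/32 0;" or "listen *: ssl").
: "${root_cert:?root_cert is not set}"
: "${server_cert:?server_cert is not set}"
: "${server_cert_key:?server_cert_key is not set}"
: "${localip:?localip is not set}"
for svc in doc controller controller-ssl websockets websockets-ssl \
           workbench2 workbench2-ssl keep-web keep-web-ssl \
           keepproxy keepproxy-ssl arv-git-httpd arv-git-httpd-ssl; do
  : "${services[$svc]:?services[$svc] is not set}"
done

# Refuse to start if the server certificate does not chain to the root
# certificate (set -e aborts on a non-zero exit). Quoted so that paths with
# spaces or glob characters are passed as single arguments.
openssl verify -CAfile "$root_cert" "$server_cert"

# The here-document delimiter is unquoted on purpose: shell variables
# (localip, services[...], server_cert, server_cert_key) are expanded now,
# while nginx's own variables are written with a leading backslash so they
# reach the config file literally.
#
# Security notes for reviewers:
#  - X-Forwarded-For uses proxy_add_x_forwarded_for, which appends the peer
#    address to whatever the client sent; only the last entry is set by nginx.
#  - No ssl_protocols / ssl_ciphers are configured, so nginx's built-in
#    defaults apply. NOTE(review): confirm that is acceptable for this setup.
#  - The doc site and the port-80 redirect are served over plain HTTP.
cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
        worker_connections 64;
}

http {
     access_log off;
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
     client_max_body_size 128M;

     # external_client is 0 for loopback and for this host's own address,
     # 1 for every other peer. geo matches on the connection's peer address.
     geo \$external_client {
          default     1;
          127.0.0.0/8 0;
          $localip/32 0;
     }

     server {
            listen ${services[doc]} default_server;
            listen [::]:${services[doc]} default_server;
            root /usr/src/arvados/doc/.site;
            index index.html;
            server_name _;
     }

  # Plain-HTTP listener: redirects to HTTPS using the request's Host value.
  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      # proxy_set_header replaces any client-supplied X-External-Client, so
      # the upstream sees only the classification made by the geo block.
      # NOTE(review): this holds only for requests that pass through this
      # proxy; confirm the plain controller port is not reachable directly.
      proxy_set_header X-External-Client \$external_client;
      proxy_redirect off;
    }
  }

upstream arvados-ws {
  server localhost:${services[websockets]};
}
server {
  listen *:${services[websockets-ssl]} ssl default_server;
  server_name           websockets;

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  # TLS is enabled by the ssl parameter on the listen directive above; the
  # separate "ssl on" directive is deprecated and rejected by newer nginx.
  ssl_certificate "${server_cert}";
  ssl_certificate_key "${server_cert_key}";

  location / {
    proxy_pass          http://arvados-ws;
    proxy_set_header    Upgrade         \$http_upgrade;
    proxy_set_header    Connection      "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
}

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    # 0 disables nginx's request-body size check for this server, so any
    # upload limit has to be enforced by the upstream.
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }


  upstream keepproxy {
    server localhost:${services[keepproxy]};
  }
  server {
    listen *:${services[keepproxy-ssl]} ssl default_server;
    server_name keepproxy;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 128M;
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream arvados-git-httpd {
    server localhost:${services[arv-git-httpd]};
  }
  server {
    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
    server_name arvados-git-httpd;
    proxy_connect_timeout 90s;
    proxy_read_timeout 300s;

    # TLS is enabled by the ssl parameter on the listen directive above; the
    # separate "ssl on" directive is deprecated and rejected by newer nginx.
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 50m;

    location  / {
      proxy_pass http://arvados-git-httpd;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

}

EOF

# exec so nginx takes over this process and receives the supervisor's signals.
exec nginx -c /var/lib/arvados/nginx.conf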