20640: Add computed permissions API.
[arvados.git] / sdk / python / tests / nginx.conf
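# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

# nginx reverse-proxy template kept under sdk/python/tests.
#
# Tokens written as {{NAME}} are placeholders, not nginx syntax; they must be
# substituted before nginx reads this file (presumably by the test harness;
# the substitution code is not part of this file).
#
# Every "server" block below terminates TLS with the same certificate/key pair
# and forwards to its upstream over plain HTTP. No ssl_protocols or ssl_ciphers
# directive is set, so the defaults of the installed nginx build apply.

# Stay in the foreground so the process that launched nginx can supervise it.
daemon off;
events {
}
http {
  # $http_x_request_id, $http_referer and $http_user_agent are request headers
  # chosen by the client. They are quoted here and subject to nginx's default
  # access-log escaping; anything that parses this log should still treat those
  # fields as untrusted text.
  log_format customlog
    '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
    '"$http_referer" "$http_user_agent"';
  access_log "{{ACCESSLOG}}" customlog;
  # All nginx scratch directories share the one substituted temp directory.
  client_body_temp_path "{{TMPDIR}}";
  proxy_temp_path "{{TMPDIR}}";
  fastcgi_temp_path "{{TMPDIR}}";
  uwsgi_temp_path "{{TMPDIR}}";
  scgi_temp_path "{{TMPDIR}}";
  # $external_client is 0 for loopback, fd00::/8 and whatever ranges
  # {{INTERNALSUBNETS}} expands to, and 1 for every other peer. With no
  # explicit address variable, geo classifies $remote_addr (the TCP peer),
  # so a client cannot influence the result through X-Forwarded-For.
  geo $external_client {
    default 1;
    127.0.0.0/8 0;
    ::1 0;
    fd00::/8 0;
    {{INTERNALSUBNETS}}
  }
  upstream controller {
    server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
    # "~.*" is a regex server name that matches any Host on this port.
    server_name controller ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    # 0 disables nginx's request-body size check for this server.
    client_max_body_size 0;
    location  / {
      proxy_pass http://controller;
      # Connection: upgrade is sent on every request so WebSocket upgrades
      # pass through this location.
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # The client-supplied Host header is forwarded unchanged.
      proxy_set_header Host $http_host;
      # proxy_set_header redefines the header sent upstream, so an
      # X-External-Client value supplied by the client is replaced by the
      # geo result computed above.
      proxy_set_header X-External-Client $external_client;
      # $proxy_add_x_forwarded_for appends $remote_addr to whatever
      # X-Forwarded-For the client sent; only the last element is written by
      # this proxy, earlier elements are client-controlled.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
      # Stream in both directions: no temp files, no request or response
      # buffering.
      proxy_max_temp_file_size 0;
      proxy_request_buffering off;
      proxy_buffering off;
      proxy_http_version 1.1;
    }
  }
  upstream keepproxy {
    server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
    server_name keepproxy keep.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # 67108864 bytes = 64 MiB; the only server here with a finite body limit.
      client_max_body_size 67108864;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream keep-web {
    server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
    server_name keep-web collections.* ~\.collections\.;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # 0 disables the request-body size check.
      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream health {
    server {{UPSTREAMHOST}}:{{HEALTHPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
    server_name health health.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://health;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  # Second listener in front of the keep-web upstream (download host names).
  server {
    listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl;
    # "~.*" makes this server answer for any Host on this port.
    server_name keep-web-dl download.* ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # 0 disables the request-body size check.
      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream ws {
    server {{UPSTREAMHOST}}:{{WSPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
    server_name websocket ws.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://ws;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # 0 disables the request-body size check.
      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  # wb1->wb2 redirects copied from
  # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
  #
  # $wb1_redirect is 0 (no redirect) unless the raw request URI, query string
  # included, matches one of the patterns below; it then holds the Workbench 2
  # path to redirect to. Every target starts with a fixed "/..." prefix, so the
  # resulting Location always stays on the requested host.
  #
  # In a map block a source value is only treated as a regular expression when
  # it starts with "~" (or "~*"); without it nginx compares the text literally.
  # The entries after the /actions group previously had no "~", so patterns
  # such as ^/work_units/(.*) could never match a real request. They carry the
  # prefix now.
  #
  # Regexes are tried in file order, so the specific /users/... rules are
  # listed ahead of the generic /users/(.*) rule that would otherwise shadow
  # them.
  map $request_uri $wb1_redirect {
    default                        0;

    ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1;
    ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1;
    ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1;
    ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1;
    ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1;
    ~^/actions\?uuid=(.*)          /;

    ~^/work_units/(.*)             /processes/$1;
    ~^/container_requests/(.*)     /processes/$1;
    ~^/users/.*/virtual_machines   /virtual-machines-user;
    ~^/users/.*/ssh_keys           /ssh-keys-user;
    ~^/users/link_account          /link_account;
    ~^/users/(.*)                  /user/$1;
    ~^/groups/(.*)                 /group/$1;

    ~^/virtual_machines.*          /virtual-machines-admin;
    ~^/authorized_keys.*           /ssh-keys-admin;
    ~^/containers.*                /all_processes;
    ~^/container_requests          /all_processes;
    ~^/job.*                       /all_processes;
    ~^/keep_services.*             /keep-services;
    ~^/trash_items.*               /trash;

    ~^/themes.*                    /;
    ~^/keep_disks.*                /;
    ~^/user_agreements.*           /;
    ~^/nodes.*                     /;
    ~^/humans.*                    /;
    ~^/traits.*                    /;
    ~^/sessions.*                  /;
    ~^/logout.*                    /;
    ~^/logged_out.*                /;
    ~^/current_token               /;
    ~^/logs.*                      /;
    ~^/factory_jobs.*              /;
    ~^/uploaded_datasets.*         /;
    ~^/specimens.*                 /;
    ~^/pipeline_templates.*        /;
    ~^/pipeline_instances.*        /;
  }
  upstream workbench2 {
    server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
  }
  # One server answers on both the Workbench 2 and the legacy Workbench 1 port.
  server {
    listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
    listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
    server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";

    # "0" (the map default) is false in an nginx "if"; any mapped path is true.
    if ($wb1_redirect) {
      return 301 $wb1_redirect;
    }

    # file download redirects
    # The trailing "?" in each replacement keeps nginx from appending the
    # original query string; "redirect" answers with a temporary (302) redirect.
    # The captured collection id and file path come from the request and end up
    # in a query parameter.
    # NOTE(review): whatever consumes redirectToDownload / redirectToPreview is
    # not shown here and should treat the value as untrusted; confirm.
    if ($arg_disposition = attachment) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
    }
    if ($arg_disposition = inline) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
    }

    location / {
      proxy_pass http://workbench2;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }
}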