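#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0
#
# runit service script for the arvbox nginx front end: renders the nginx
# configuration from the service/port map in common.sh, then execs nginx in
# the foreground so runit supervises it directly.
#
# Globals (all provided by /usr/local/lib/arvbox/common.sh):
#   containerip, localip          - container address / address clients use
#   root_cert, server_cert,
#   server_cert_key               - paths to the arvbox CA and server TLS files
#   services[<name>]              - listen port for each proxied service

# Merge stderr into stdout so the `set -x` trace and nginx's error_log (sent
# to stderr by the config below) end up in the single runit log stream.
exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

# Fail with a readable message instead of rendering a broken config when
# common.sh did not provide a value this script interpolates.
: "${containerip:?containerip not set by common.sh}"
: "${localip:?localip not set by common.sh}"
: "${root_cert:?root_cert not set by common.sh}"
: "${server_cert:?server_cert not set by common.sh}"
: "${server_cert_key:?server_cert_key not set by common.sh}"

# Make the externally visible address resolve inside the container.
# -F/-w match the address as a literal whole word: dots are not regex
# wildcards, and 10.0.0.1 is not "found" in a line for 10.0.0.10.
if [[ "$containerip" != "$localip" ]]; then
    if ! grep -qwF -- "$localip" /etc/hosts; then
        printf '%s %s\n' "$containerip" "$localip" >> /etc/hosts
    fi
fi

# Refuse to start with a server certificate that does not chain to the
# arvbox root CA; under set -e a verification failure stops the service.
openssl verify -CAfile "$root_cert" "$server_cert"

# Render the nginx config. The heredoc is intentionally unquoted: ${services[...]},
# $containerip and the cert paths are expanded now, while nginx's own variables
# are written as \$name so they reach the file literally.
cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
        worker_connections 64;
}

http {
  access_log off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  client_max_body_size 128M;

  # 1 for requests from outside the box, 0 for loopback and the container's
  # own address; passed upstream as X-External-Client.
  geo \$external_client {
      default     1;
      127.0.0.0/8 0;
      $containerip/32 0;
  }

  server {
        listen ${services[doc]} default_server;
        listen [::]:${services[doc]} default_server;
        root /usr/src/arvados/doc/.site;
        index index.html;
        server_name _;
  }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-External-Client \$external_client;
      proxy_redirect off;
    }
  }

  upstream arvados-ws {
    server localhost:${services[websockets]};
  }
  server {
    listen *:${services[websockets-ssl]} ssl default_server;
    server_name           websockets;

    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    # TLS is enabled by "listen ... ssl" above; the standalone "ssl on"
    # directive is deprecated and rejected by current nginx releases.
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";

    location / {
      proxy_pass          http://arvados-ws;
      # WebSocket upgrade is hop-by-hop and requires HTTP/1.1 upstream.
      proxy_http_version  1.1;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      # WebSocket upgrade is hop-by-hop and requires HTTP/1.1 upstream.
      proxy_http_version  1.1;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    # Unlimited: keep-web streams arbitrarily large collection uploads.
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream keepproxy {
    server localhost:${services[keepproxy]};
  }
  server {
    listen *:${services[keepproxy-ssl]} ssl default_server;
    server_name keepproxy;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 128M;
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream arvados-git-httpd {
    server localhost:${services[arv-git-httpd]};
  }
  server {
    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
    server_name arvados-git-httpd;
    proxy_connect_timeout 90s;
    proxy_read_timeout 300s;

    # TLS is enabled by "listen ... ssl" above; the standalone "ssl on"
    # directive is deprecated and rejected by current nginx releases.
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 50m;

    location  / {
      proxy_pass http://arvados-git-httpd;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

}

EOF

# Replace this shell with nginx so runit supervises nginx itself.
exec nginx -c /var/lib/arvados/nginx.conf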