tools/arvbox/lib/arvbox/docker/service/nginx/run

   1 #!/bin/bash
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: AGPL-3.0
   5
   6 exec 2>&1
   7 set -ex -o pipefail
   8
   9 . /usr/local/lib/arvbox/common.sh
  10
  11 if [[ $containerip != $localip ]] ; then
  12     if ! grep -q $localip /etc/hosts ; then
  13         echo $containerip $localip >> /etc/hosts
  14     fi
  15 fi
  16
  17 geo_dockerip=
  18 if  [[ -f /var/run/localip_override ]] ; then
  19     geo_dockerip="$dockerip/32 0;"
  20 fi
  21
  22 openssl verify -CAfile $root_cert $server_cert
  23
  24 cat <<EOF >/var/lib/arvados/nginx.conf
  25 worker_processes auto;
  26 pid /var/lib/arvados/nginx.pid;
  27
  28 error_log stderr;
  29 daemon off;
  30 user arvbox;
  31
  32 events {
  33         worker_connections 64;
  34 }
  35
  36 http {
  37   access_log off;
  38   include /etc/nginx/mime.types;
  39   default_type application/octet-stream;
  40   client_max_body_size 128M;
  41
  42   geo \$external_client {
  43       default     1;
  44       127.0.0.0/8 0;
  45       $containerip/32 0;
  46       $geo_dockerip
  47   }
  48
  49   server {
  50         listen ${services[doc]} default_server;
  51         listen [::]:${services[doc]} default_server;
  52         root /usr/src/arvados/doc/.site;
  53         index index.html;
  54         server_name _;
  55   }
  56
  57   server {
  58     listen 80 default_server;
  59     server_name _;
  60     return 301 https://\$host\$request_uri;
  61   }
  62
  63   upstream controller {
  64     server localhost:${services[controller]};
  65   }
  66   server {
  67     listen *:${services[controller-ssl]} ssl default_server;
  68     server_name controller;
  69     ssl_certificate "${server_cert}";
  70     ssl_certificate_key "${server_cert_key}";
  71     location  / {
  72       proxy_pass http://controller;
  73       proxy_set_header Host \$http_host;
  74       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  75       proxy_set_header X-Forwarded-Proto https;
  76       proxy_set_header X-External-Client \$external_client;
  77       proxy_redirect off;
  78       # This turns off response caching
  79       proxy_buffering off;
  80     }
  81   }
  82
  83   upstream arvados-ws {
  84     server localhost:${services[websockets]};
  85   }
  86   server {
  87     listen *:${services[websockets-ssl]} ssl default_server;
  88     server_name           websockets;
  89
  90     proxy_connect_timeout 90s;
  91     proxy_read_timeout    300s;
  92
  93     ssl                   on;
  94     ssl_certificate "${server_cert}";
  95     ssl_certificate_key "${server_cert_key}";
  96
  97     location / {
  98       proxy_pass          http://arvados-ws;
  99       proxy_set_header    Upgrade         \$http_upgrade;
 100       proxy_set_header    Connection      "upgrade";
 101       proxy_set_header Host \$http_host;
 102       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 103     }
 104   }
 105
 106   upstream workbench2 {
 107     server localhost:${services[workbench2]};
 108   }
 109   server {
 110     listen *:${services[workbench2-ssl]} ssl default_server;
 111     server_name workbench2;
 112     ssl_certificate "${server_cert}";
 113     ssl_certificate_key "${server_cert_key}";
 114     location  / {
 115       proxy_pass http://workbench2;
 116       proxy_set_header Host \$http_host;
 117       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 118       proxy_set_header X-Forwarded-Proto https;
 119       proxy_redirect off;
 120     }
 121     location  /sockjs-node {
 122       proxy_pass http://workbench2;
 123       proxy_set_header    Upgrade         \$http_upgrade;
 124       proxy_set_header    Connection      "upgrade";
 125       proxy_set_header Host \$http_host;
 126       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 127     }
 128   }
 129
 130   upstream keep-web {
 131     server localhost:${services[keep-web]};
 132   }
 133   server {
 134     listen *:${services[keep-web-ssl]} ssl default_server;
 135     server_name keep-web;
 136     ssl_certificate "${server_cert}";
 137     ssl_certificate_key "${server_cert_key}";
 138     client_max_body_size 0;
 139     location  / {
 140       proxy_pass http://keep-web;
 141       proxy_set_header Host \$http_host;
 142       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 143       proxy_set_header X-Forwarded-Proto https;
 144       proxy_redirect off;
 145     }
 146   }
 147
 148   upstream keepproxy {
 149     server localhost:${services[keepproxy]};
 150   }
 151   server {
 152     listen *:${services[keepproxy-ssl]} ssl default_server;
 153     server_name keepproxy;
 154     ssl_certificate "${server_cert}";
 155     ssl_certificate_key "${server_cert_key}";
 156     client_max_body_size 128M;
 157     location  / {
 158       proxy_pass http://keepproxy;
 159       proxy_set_header Host \$http_host;
 160       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 161       proxy_set_header X-Forwarded-Proto https;
 162       proxy_redirect off;
 163     }
 164   }
 165
 166   upstream arvados-git-httpd {
 167     server localhost:${services[arv-git-httpd]};
 168   }
 169   server {
 170     listen *:${services[arv-git-httpd-ssl]} ssl default_server;
 171     server_name arvados-git-httpd;
 172     proxy_connect_timeout 90s;
 173     proxy_read_timeout 300s;
 174
 175     ssl on;
 176     ssl_certificate "${server_cert}";
 177     ssl_certificate_key "${server_cert_key}";
 178     client_max_body_size 50m;
 179
 180     location  / {
 181       proxy_pass http://arvados-git-httpd;
 182       proxy_set_header Host \$http_host;
 183       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
 184       proxy_set_header X-Forwarded-Proto https;
 185       proxy_redirect off;
 186     }
 187   }
 188
 189 }
 190
 191 EOF
 192
 193 exec nginx -c /var/lib/arvados/nginx.conf