sdk/python/tests/nginx.conf

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: Apache-2.0
   4
   5 daemon off;
   6 error_log "{{ERRORLOG}}" info;          # Yes, must be specified here _and_ cmdline
   7 events {
   8 }
   9 http {
  10   log_format customlog
  11     '[$time_local] $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
  12     '"$http_referer" "$http_user_agent"';
  13   access_log "{{ACCESSLOG}}" customlog;
  14   client_body_temp_path "{{TMPDIR}}";
  15   proxy_temp_path "{{TMPDIR}}";
  16   fastcgi_temp_path "{{TMPDIR}}";
  17   uwsgi_temp_path "{{TMPDIR}}";
  18   scgi_temp_path "{{TMPDIR}}";
  19   upstream arv-git-http {
  20     server localhost:{{GITPORT}};
  21   }
  22   server {
  23     listen *:{{GITSSLPORT}} ssl default_server;
  24     server_name arv-git-http;
  25     ssl_certificate "{{SSLCERT}}";
  26     ssl_certificate_key "{{SSLKEY}}";
  27     location  / {
  28       proxy_pass http://arv-git-http;
  29       proxy_set_header Host $http_host;
  30       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  31       proxy_set_header X-Forwarded-Proto https;
  32       proxy_redirect off;
  33     }
  34   }
  35   upstream keepproxy {
  36     server localhost:{{KEEPPROXYPORT}};
  37   }
  38   server {
  39     listen *:{{KEEPPROXYSSLPORT}} ssl default_server;
  40     server_name keepproxy;
  41     ssl_certificate "{{SSLCERT}}";
  42     ssl_certificate_key "{{SSLKEY}}";
  43     location  / {
  44       proxy_pass http://keepproxy;
  45       proxy_set_header Host $http_host;
  46       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  47       proxy_set_header X-Forwarded-Proto https;
  48       proxy_redirect off;
  49
  50       proxy_http_version 1.1;
  51       proxy_request_buffering off;
  52     }
  53   }
  54   upstream keep-web {
  55     server localhost:{{KEEPWEBPORT}};
  56   }
  57   server {
  58     listen *:{{KEEPWEBSSLPORT}} ssl default_server;
  59     server_name keep-web;
  60     ssl_certificate "{{SSLCERT}}";
  61     ssl_certificate_key "{{SSLKEY}}";
  62     location  / {
  63       proxy_pass http://keep-web;
  64       proxy_set_header Host $http_host;
  65       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  66       proxy_set_header X-Forwarded-Proto https;
  67       proxy_redirect off;
  68
  69       client_max_body_size 0;
  70       proxy_http_version 1.1;
  71       proxy_request_buffering off;
  72     }
  73   }
  74   server {
  75     listen *:{{KEEPWEBDLSSLPORT}} ssl default_server;
  76     server_name keep-web-dl ~.*;
  77     ssl_certificate "{{SSLCERT}}";
  78     ssl_certificate_key "{{SSLKEY}}";
  79     location  / {
  80       proxy_pass http://keep-web;
  81       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  82       proxy_set_header X-Forwarded-Proto https;
  83
  84       client_max_body_size 0;
  85       proxy_http_version 1.1;
  86       proxy_request_buffering off;
  87
  88       # Unlike other proxy sections, here we need to override the
  89       # requested Host header and use proxy_redirect because of the
  90       # way the test suite orchestrates services. Keep-web's "download
  91       # only" behavior relies on the Host header matching a configured
  92       # value, but when run_test_servers.py writes keep-web's command
  93       # line, the keep-web-dl TLS port (which clients will connect to
  94       # and include in their Host header) has not yet been assigned.
  95       #
  96       # In production, "proxy_set_header Host $http_host;
  97       # proxy_redirect off;" works: keep-web's redirect URLs will
  98       # match the request URL received by Nginx.
  99       #
 100       # Here, keep-web will issue redirects to https://download/ and
 101       # Nginx will rewrite them.
 102       #
 103       proxy_set_header Host  download;
 104       proxy_redirect https://download/ https://$host:{{KEEPWEBDLSSLPORT}}/;
 105     }
 106   }
 107   upstream ws {
 108     server localhost:{{WSPORT}};
 109   }
 110   server {
 111     listen *:{{WSSPORT}} ssl default_server;
 112     server_name websocket;
 113     ssl_certificate "{{SSLCERT}}";
 114     ssl_certificate_key "{{SSLKEY}}";
 115     location  / {
 116       proxy_pass http://ws;
 117       proxy_set_header Upgrade $http_upgrade;
 118       proxy_set_header Connection "upgrade";
 119       proxy_set_header Host $http_host;
 120       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 121       proxy_set_header X-Forwarded-Proto https;
 122       proxy_redirect off;
 123     }
 124   }
 125   upstream controller {
 126     server localhost:{{CONTROLLERPORT}};
 127   }
 128   server {
 129     listen *:{{CONTROLLERSSLPORT}} ssl default_server;
 130     server_name controller;
 131     ssl_certificate "{{SSLCERT}}";
 132     ssl_certificate_key "{{SSLKEY}}";
 133     location  / {
 134       proxy_pass http://controller;
 135       proxy_set_header Host $http_host;
 136       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 137       proxy_set_header X-Forwarded-Proto https;
 138       proxy_redirect off;
 139     }
 140   }
 141 }