20688: Reorder redirects by priority
[arvados.git] / tools / arvbox / lib / arvbox / docker / service / nginx / run
1 #!/bin/bash
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: AGPL-3.0
5
6 exec 2>&1
7 set -ex -o pipefail
8
9 . /usr/local/lib/arvbox/common.sh
10
11 if [[ $containerip != $localip ]] ; then
12     if ! grep -q $localip /etc/hosts ; then
13         echo $containerip $localip >> /etc/hosts
14     fi
15 fi
16
17 geo_dockerip=
18 if  [[ -f /var/run/localip_override ]] ; then
19     geo_dockerip="$dockerip/32 0;"
20 fi
21
22 openssl verify -CAfile $root_cert $server_cert
23
24 cat <<EOF >$ARVADOS_CONTAINER_PATH/nginx.conf
25 worker_processes auto;
26 pid $ARVADOS_CONTAINER_PATH/nginx.pid;
27
28 error_log stderr;
29 daemon off;
30 user arvbox;
31
32 events {
33         worker_connections 64;
34 }
35
36 http {
37   access_log off;
38   include /etc/nginx/mime.types;
39   default_type application/octet-stream;
40   client_max_body_size 128M;
41
42   geo \$external_client {
43       default     1;
44       127.0.0.0/8 0;
45       $containerip/32 0;
46       $geo_dockerip
47   }
48
49   server {
50         listen ${services[doc]} default_server;
51         listen [::]:${services[doc]} default_server;
52         root /usr/src/arvados/doc/.site;
53         index index.html;
54         server_name _;
55   }
56
57   server {
58     listen 80 default_server;
59     server_name _;
60     return 301 https://\$host\$request_uri;
61   }
62
63   upstream controller {
64     server localhost:${services[controller]};
65   }
66   server {
67     listen *:${services[controller-ssl]} ssl default_server;
68     server_name controller;
69     ssl_certificate "${server_cert}";
70     ssl_certificate_key "${server_cert_key}";
71     location  / {
72       proxy_pass http://controller;
73       proxy_set_header Host \$http_host;
74       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
75       proxy_set_header X-Forwarded-Proto https;
76       proxy_set_header X-External-Client \$external_client;
77       proxy_redirect off;
78       # This turns off response caching
79       proxy_buffering off;
80     }
81   }
82
83   upstream arvados-ws {
84     server localhost:${services[websockets]};
85   }
86   server {
87     listen *:${services[websockets-ssl]} ssl default_server;
88     server_name           websockets;
89
90     proxy_connect_timeout 90s;
91     proxy_read_timeout    300s;
92
93     ssl                   on;
94     ssl_certificate "${server_cert}";
95     ssl_certificate_key "${server_cert_key}";
96
97     location / {
98       proxy_pass          http://arvados-ws;
99       proxy_set_header    Upgrade         \$http_upgrade;
100       proxy_set_header    Connection      "upgrade";
101       proxy_set_header Host \$http_host;
102       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
103     }
104   }
105
106   upstream workbench2 {
107     server localhost:${services[workbench2]};
108   }
109   server {
110     listen *:${services[workbench2-ssl]} ssl default_server;
111     server_name workbench2;
112     ssl_certificate "${server_cert}";
113     ssl_certificate_key "${server_cert_key}";
114
115     # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
116
117     # Paths that are not redirected because wb1 and wb2 have similar enough paths
118     # that a redirect is pointless and would create a redirect loop.
119     # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
120     # rewrite ^/repositories.* /repositories redirect;
121     # rewrite ^/links.* /links redirect;
122     # rewrite ^/projects.* /projects redirect;
123     # rewrite ^/trash /trash redirect;
124
125     # Redirects that include a uuid
126     rewrite ^/work_units/(.*) /processes/$1 redirect;
127     rewrite ^/container_requests/(.*) /processes/$1 redirect;
128     rewrite ^/users/(.*) /user/$1 redirect;
129     rewrite ^/groups/(.*) /group/$1 redirect;
130
131     # Special file download redirects
132     if (\$arg_disposition = attachment) {
133       rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
134     }
135     if (\$arg_disposition = inline) {
136       rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
137     }
138
139     # Redirects that go to a roughly equivalent page
140     rewrite ^/virtual_machines.* /virtual-machines-admin redirect;
141     rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect;
142     rewrite ^/authorized_keys.* /ssh-keys-admin redirect;
143     rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect;
144     rewrite ^/containers.* /all_processes redirect;
145     rewrite ^/container_requests /all_processes redirect;
146     rewrite ^/job.* /all_processes redirect;
147     rewrite ^/users/link_account /link_account redirect;
148     rewrite ^/search.* /search-results redirect;
149     rewrite ^/keep_services.* /keep-services redirect;
150     rewrite ^/trash_items.* /trash redirect;
151
152     # Redirects that don't have a good mapping and
153     # just go to root.
154     rewrite ^/themes.* / redirect;
155     rewrite ^/keep_disks.* / redirect;
156     rewrite ^/user_agreements.* / redirect;
157     rewrite ^/nodes.* / redirect;
158     rewrite ^/humans.* / redirect;
159     rewrite ^/traits.* / redirect;
160     rewrite ^/sessions.* / redirect;
161     rewrite ^/logout.* / redirect;
162     rewrite ^/logged_out.* / redirect;
163     rewrite ^/current_token / redirect;
164     rewrite ^/logs.* / redirect;
165     rewrite ^/factory_jobs.* / redirect;
166     rewrite ^/uploaded_datasets.* / redirect;
167     rewrite ^/specimens.* / redirect;
168     rewrite ^/pipeline_templates.* / redirect;
169     rewrite ^/pipeline_instances.* / redirect;
170
171     location  / {
172       proxy_pass http://workbench2;
173       proxy_set_header Host \$http_host;
174       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
175       proxy_set_header X-Forwarded-Proto https;
176       proxy_redirect off;
177     }
178     location  /sockjs-node {
179       proxy_pass http://workbench2;
180       proxy_set_header    Upgrade         \$http_upgrade;
181       proxy_set_header    Connection      "upgrade";
182       proxy_set_header Host \$http_host;
183       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
184     }
185   }
186
187   upstream keep-web {
188     server localhost:${services[keep-web]};
189   }
190   server {
191     listen *:${services[keep-web-ssl]} ssl default_server;
192     server_name keep-web;
193     ssl_certificate "${server_cert}";
194     ssl_certificate_key "${server_cert_key}";
195     client_max_body_size 0;
196     location  / {
197       proxy_pass http://keep-web;
198       proxy_set_header Host \$http_host;
199       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
200       proxy_set_header X-Forwarded-Proto https;
201       proxy_redirect off;
202     }
203   }
204   server {
205     listen *:${services[keep-web-dl-ssl]} ssl default_server;
206     server_name keep-web-dl;
207     ssl_certificate "${server_cert}";
208     ssl_certificate_key "${server_cert_key}";
209     client_max_body_size 0;
210     location  / {
211       proxy_pass http://keep-web;
212       proxy_set_header Host \$http_host;
213       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
214       proxy_set_header X-Forwarded-Proto https;
215       proxy_redirect off;
216     }
217   }
218
219   upstream keepproxy {
220     server localhost:${services[keepproxy]};
221   }
222   server {
223     listen *:${services[keepproxy-ssl]} ssl default_server;
224     server_name keepproxy;
225     ssl_certificate "${server_cert}";
226     ssl_certificate_key "${server_cert_key}";
227     client_max_body_size 128M;
228     location  / {
229       proxy_pass http://keepproxy;
230       proxy_set_header Host \$http_host;
231       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
232       proxy_set_header X-Forwarded-Proto https;
233       proxy_redirect off;
234     }
235   }
236
237   upstream arvados-git-httpd {
238     server localhost:${services[arv-git-httpd]};
239   }
240   server {
241     listen *:${services[arv-git-httpd-ssl]} ssl default_server;
242     server_name arvados-git-httpd;
243     proxy_connect_timeout 90s;
244     proxy_read_timeout 300s;
245
246     ssl on;
247     ssl_certificate "${server_cert}";
248     ssl_certificate_key "${server_cert_key}";
249     client_max_body_size 50m;
250
251     location  / {
252       proxy_pass http://arvados-git-httpd;
253       proxy_set_header Host \$http_host;
254       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
255       proxy_set_header X-Forwarded-Proto https;
256       proxy_redirect off;
257     }
258   }
259
260
261 upstream arvados-webshell {
262   server                localhost:${services[webshell]};
263 }
264 server {
265   listen                ${services[webshell-ssl]} ssl;
266   server_name           arvados-webshell;
267
268   proxy_connect_timeout 90s;
269   proxy_read_timeout    300s;
270
271   ssl                   on;
272   ssl_certificate "${server_cert}";
273   ssl_certificate_key "${server_cert_key}";
274
275   location / {
276     if (\$request_method = 'OPTIONS') {
277        add_header 'Access-Control-Allow-Origin' '*';
278        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
279        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
280        add_header 'Access-Control-Max-Age' 1728000;
281        add_header 'Content-Type' 'text/plain charset=UTF-8';
282        add_header 'Content-Length' 0;
283        return 204;
284     }
285     if (\$request_method = 'POST') {
286        add_header 'Access-Control-Allow-Origin' '*';
287        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
288        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
289     }
290     if (\$request_method = 'GET') {
291        add_header 'Access-Control-Allow-Origin' '*';
292        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
293        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
294     }
295
296     proxy_ssl_session_reuse off;
297     proxy_read_timeout  90;
298     proxy_set_header    X-Forwarded-Proto https;
299     proxy_set_header    Host \$http_host;
300     proxy_set_header    X-Real-IP \$remote_addr;
301     proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;
302     proxy_pass          http://arvados-webshell;
303   }
304 }
305 }
306
307 EOF
308
309 exec nginx -c $ARVADOS_CONTAINER_PATH/nginx.conf