2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
9 . /usr/local/lib/arvbox/common.sh
11 if [[ $containerip != $localip ]] ; then
12 if ! grep -q $localip /etc/hosts ; then
13 echo $containerip $localip >> /etc/hosts
18 if [[ -f /var/run/localip_override ]] ; then
19 geo_dockerip="$dockerip/32 0;"
22 openssl verify -CAfile $root_cert $server_cert
24 cat <<EOF >$ARVADOS_CONTAINER_PATH/nginx.conf
25 worker_processes auto;
26 pid $ARVADOS_CONTAINER_PATH/nginx.pid;
33 worker_connections 64;
38 include /etc/nginx/mime.types;
39 default_type application/octet-stream;
40 client_max_body_size 128M;
42 geo \$external_client {
50 listen ${services[doc]} default_server;
51 listen [::]:${services[doc]} default_server;
52 root /usr/src/arvados/doc/.site;
58 listen 80 default_server;
60 return 301 https://\$host\$request_uri;
64 server localhost:${services[controller]};
67 listen *:${services[controller-ssl]} ssl default_server;
68 server_name controller;
69 ssl_certificate "${server_cert}";
70 ssl_certificate_key "${server_cert_key}";
72 proxy_pass http://controller;
73 proxy_set_header Host \$http_host;
74 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
75 proxy_set_header X-Forwarded-Proto https;
76 proxy_set_header X-External-Client \$external_client;
78 # This turns off response caching
84 server localhost:${services[websockets]};
87 listen *:${services[websockets-ssl]} ssl default_server;
88 server_name websockets;
90 proxy_connect_timeout 90s;
91 proxy_read_timeout 300s;
94 ssl_certificate "${server_cert}";
95 ssl_certificate_key "${server_cert_key}";
98 proxy_pass http://arvados-ws;
99 proxy_set_header Upgrade \$http_upgrade;
100 proxy_set_header Connection "upgrade";
101 proxy_set_header Host \$http_host;
102 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
106 upstream workbench2 {
107 server localhost:${services[workbench2]};
110 listen *:${services[workbench2-ssl]} ssl default_server;
111 server_name workbench2;
112 ssl_certificate "${server_cert}";
113 ssl_certificate_key "${server_cert_key}";
115 # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
117 # Paths that are not redirected because wb1 and wb2 have similar enough paths
118 # that a redirect is pointless and would create a redirect loop.
119 # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
120 # rewrite ^/repositories.* /repositories redirect;
121 # rewrite ^/links.* /links redirect;
122 # rewrite ^/projects.* /projects redirect;
123 # rewrite ^/trash /trash redirect;
125 # Redirects that include a uuid
126 rewrite ^/work_units/(.*) /processes/$1 redirect;
127 rewrite ^/container_requests/(.*) /processes/$1 redirect;
128 rewrite ^/users/(.*) /user/$1 redirect;
129 rewrite ^/groups/(.*) /group/$1 redirect;
131 # Special file download redirects
132 if (\$arg_disposition = attachment) {
133 rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
135 if (\$arg_disposition = inline) {
136 rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
139 # Redirects that go to a roughly equivalent page
140 rewrite ^/virtual_machines.* /virtual-machines-admin redirect;
141 rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect;
142 rewrite ^/authorized_keys.* /ssh-keys-admin redirect;
143 rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect;
144 rewrite ^/containers.* /all_processes redirect;
145 rewrite ^/container_requests /all_processes redirect;
146 rewrite ^/job.* /all_processes redirect;
147 rewrite ^/users/link_account /link_account redirect;
148 rewrite ^/search.* /search-results redirect;
149 rewrite ^/keep_services.* /keep-services redirect;
150 rewrite ^/trash_items.* /trash redirect;
152 # Redirects that don't have a good mapping and
154 rewrite ^/themes.* / redirect;
155 rewrite ^/keep_disks.* / redirect;
156 rewrite ^/user_agreements.* / redirect;
157 rewrite ^/nodes.* / redirect;
158 rewrite ^/humans.* / redirect;
159 rewrite ^/traits.* / redirect;
160 rewrite ^/sessions.* / redirect;
161 rewrite ^/logout.* / redirect;
162 rewrite ^/logged_out.* / redirect;
163 rewrite ^/current_token / redirect;
164 rewrite ^/logs.* / redirect;
165 rewrite ^/factory_jobs.* / redirect;
166 rewrite ^/uploaded_datasets.* / redirect;
167 rewrite ^/specimens.* / redirect;
168 rewrite ^/pipeline_templates.* / redirect;
169 rewrite ^/pipeline_instances.* / redirect;
172 proxy_pass http://workbench2;
173 proxy_set_header Host \$http_host;
174 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
175 proxy_set_header X-Forwarded-Proto https;
178 location /sockjs-node {
179 proxy_pass http://workbench2;
180 proxy_set_header Upgrade \$http_upgrade;
181 proxy_set_header Connection "upgrade";
182 proxy_set_header Host \$http_host;
183 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
188 server localhost:${services[keep-web]};
191 listen *:${services[keep-web-ssl]} ssl default_server;
192 server_name keep-web;
193 ssl_certificate "${server_cert}";
194 ssl_certificate_key "${server_cert_key}";
195 client_max_body_size 0;
197 proxy_pass http://keep-web;
198 proxy_set_header Host \$http_host;
199 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
200 proxy_set_header X-Forwarded-Proto https;
205 listen *:${services[keep-web-dl-ssl]} ssl default_server;
206 server_name keep-web-dl;
207 ssl_certificate "${server_cert}";
208 ssl_certificate_key "${server_cert_key}";
209 client_max_body_size 0;
211 proxy_pass http://keep-web;
212 proxy_set_header Host \$http_host;
213 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
214 proxy_set_header X-Forwarded-Proto https;
220 server localhost:${services[keepproxy]};
223 listen *:${services[keepproxy-ssl]} ssl default_server;
224 server_name keepproxy;
225 ssl_certificate "${server_cert}";
226 ssl_certificate_key "${server_cert_key}";
227 client_max_body_size 128M;
229 proxy_pass http://keepproxy;
230 proxy_set_header Host \$http_host;
231 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
232 proxy_set_header X-Forwarded-Proto https;
237 upstream arvados-git-httpd {
238 server localhost:${services[arv-git-httpd]};
241 listen *:${services[arv-git-httpd-ssl]} ssl default_server;
242 server_name arvados-git-httpd;
243 proxy_connect_timeout 90s;
244 proxy_read_timeout 300s;
247 ssl_certificate "${server_cert}";
248 ssl_certificate_key "${server_cert_key}";
249 client_max_body_size 50m;
252 proxy_pass http://arvados-git-httpd;
253 proxy_set_header Host \$http_host;
254 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
255 proxy_set_header X-Forwarded-Proto https;
261 upstream arvados-webshell {
262 server localhost:${services[webshell]};
265 listen ${services[webshell-ssl]} ssl;
266 server_name arvados-webshell;
268 proxy_connect_timeout 90s;
269 proxy_read_timeout 300s;
272 ssl_certificate "${server_cert}";
273 ssl_certificate_key "${server_cert_key}";
276 if (\$request_method = 'OPTIONS') {
277 add_header 'Access-Control-Allow-Origin' '*';
278 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
279 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
280 add_header 'Access-Control-Max-Age' 1728000;
281 add_header 'Content-Type' 'text/plain charset=UTF-8';
282 add_header 'Content-Length' 0;
285 if (\$request_method = 'POST') {
286 add_header 'Access-Control-Allow-Origin' '*';
287 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
288 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
290 if (\$request_method = 'GET') {
291 add_header 'Access-Control-Allow-Origin' '*';
292 add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
293 add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
296 proxy_ssl_session_reuse off;
297 proxy_read_timeout 90;
298 proxy_set_header X-Forwarded-Proto https;
299 proxy_set_header Host \$http_host;
300 proxy_set_header X-Real-IP \$remote_addr;
301 proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
302 proxy_pass http://arvados-webshell;
309 exec nginx -c $ARVADOS_CONTAINER_PATH/nginx.conf