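#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

# arvbox service script for nginx: checks the server certificate against the
# root certificate, renders /var/lib/arvados/nginx.conf, then replaces this
# shell with nginx running in the foreground.
#
# Expects common.sh to provide (not visible here, confirm against that file):
#   containerip, localip, root_cert, server_cert, server_cert_key, and the
#   "services" port map indexed by service name.

# Merge stderr into stdout so the xtrace output and nginx's "error_log stderr"
# land in the same stream.
exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

# If the two addresses differ, add one /etc/hosts line that resolves $localip
# to $containerip.  grep -F matches the value literally (dots are not regex
# wildcards) and -w requires a whole-word match, so an existing 10.0.0.10
# entry no longer hides a missing 10.0.0.1 one.
if [[ "$containerip" != "$localip" ]]; then
    if ! grep -qFw -- "$localip" /etc/hosts; then
        printf '%s %s\n' "$containerip" "$localip" >> /etc/hosts
    fi
fi

# Startup gate: under "set -e" a non-zero exit from openssl aborts the script,
# so nginx is never started with a certificate that does not chain to
# $root_cert.
openssl verify -CAfile "$root_cert" "$server_cert"

# Render the nginx configuration.  The heredoc delimiter is unquoted, so
# $containerip, ${services[...]} and the certificate paths are expanded by the
# shell now; nginx's own variables are written as \$name to reach the file
# literally.
#
# Review notes on the generated configuration:
#  - external_client is 0 only when the connection's source address is
#    loopback or $containerip, and 1 otherwise.  The controller receives it as
#    X-External-Client; proxy_set_header replaces any header of that name
#    sent by the client.  Anything that connects from those addresses on a
#    client's behalf (another local proxy, for example) is classified as
#    internal.
#  - X-Forwarded-For is built with proxy_add_x_forwarded_for, which appends to
#    whatever the client sent, and Host is passed through from the request.
#    Backends should treat only the last X-Forwarded-For entry as set by this
#    proxy.
#  - No ssl_protocols / ssl_ciphers are set, so the defaults of the installed
#    nginx and OpenSSL apply.
#  - keep-web sets client_max_body_size 0, which turns off the request body
#    size limit on that listener.
#  - The former "ssl on;" lines in the websockets and arvados-git-httpd
#    servers are dropped: "listen ... ssl" already enables TLS there, and the
#    standalone directive was deprecated in nginx 1.15.0 and removed in
#    1.25.1, where it would stop the configuration from loading.
cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
        worker_connections 64;
}

http {
     access_log off;
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
     client_max_body_size 128M;

     geo \$external_client {
          default     1;
          127.0.0.0/8 0;
          $containerip/32 0;
     }

     server {
            listen ${services[doc]} default_server;
            listen [::]:${services[doc]} default_server;
            root /usr/src/arvados/doc/.site;
            index index.html;
            server_name _;
     }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-External-Client \$external_client;
      proxy_redirect off;
    }
  }

upstream arvados-ws {
  server localhost:${services[websockets]};
}
server {
  listen *:${services[websockets-ssl]} ssl default_server;
  server_name           websockets;

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  ssl_certificate "${server_cert}";
  ssl_certificate_key "${server_cert_key}";

  location / {
    proxy_pass          http://arvados-ws;
    proxy_set_header    Upgrade         \$http_upgrade;
    proxy_set_header    Connection      "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
}

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }


  upstream keepproxy {
    server localhost:${services[keepproxy]};
  }
  server {
    listen *:${services[keepproxy-ssl]} ssl default_server;
    server_name keepproxy;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 128M;
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream arvados-git-httpd {
    server localhost:${services[arv-git-httpd]};
  }
  server {
    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
    server_name arvados-git-httpd;
    proxy_connect_timeout 90s;
    proxy_read_timeout 300s;

    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 50m;

    location  / {
      proxy_pass http://arvados-git-httpd;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

}

EOF

# "daemon off" in the config keeps nginx in the foreground, so after exec the
# process started by this script is nginx itself.
exec nginx -c /var/lib/arvados/nginx.conf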