sdk/python/tests/nginx.conf

   1 # Copyright (C) The Arvados Authors. All rights reserved.
   2 #
   3 # SPDX-License-Identifier: Apache-2.0
   4
   5 daemon off;
   6 error_log "{{ERRORLOG}}" info;          # Yes, must be specified here _and_ cmdline
   7 events {
   8 }
   9 http {
  10   log_format customlog
  11     '[$time_local] $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
  12     '"$http_referer" "$http_user_agent"';
  13   access_log "{{ACCESSLOG}}" customlog;
  14   client_body_temp_path "{{TMPDIR}}";
  15   upstream arv-git-http {
  16     server localhost:{{GITPORT}};
  17   }
  18   server {
  19     listen *:{{GITSSLPORT}} ssl default_server;
  20     server_name arv-git-http;
  21     ssl_certificate "{{SSLCERT}}";
  22     ssl_certificate_key "{{SSLKEY}}";
  23     location  / {
  24       proxy_pass http://arv-git-http;
  25       proxy_set_header Host $http_host;
  26       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  27       proxy_set_header X-Forwarded-Proto https;
  28       proxy_redirect off;
  29     }
  30   }
  31   upstream keepproxy {
  32     server localhost:{{KEEPPROXYPORT}};
  33   }
  34   server {
  35     listen *:{{KEEPPROXYSSLPORT}} ssl default_server;
  36     server_name keepproxy;
  37     ssl_certificate "{{SSLCERT}}";
  38     ssl_certificate_key "{{SSLKEY}}";
  39     location  / {
  40       proxy_pass http://keepproxy;
  41       proxy_set_header Host $http_host;
  42       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  43       proxy_set_header X-Forwarded-Proto https;
  44       proxy_redirect off;
  45
  46       proxy_http_version 1.1;
  47       proxy_request_buffering off;
  48     }
  49   }
  50   upstream keep-web {
  51     server localhost:{{KEEPWEBPORT}};
  52   }
  53   server {
  54     listen *:{{KEEPWEBSSLPORT}} ssl default_server;
  55     server_name keep-web;
  56     ssl_certificate "{{SSLCERT}}";
  57     ssl_certificate_key "{{SSLKEY}}";
  58     location  / {
  59       proxy_pass http://keep-web;
  60       proxy_set_header Host $http_host;
  61       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  62       proxy_set_header X-Forwarded-Proto https;
  63       proxy_redirect off;
  64
  65       client_max_body_size 0;
  66       proxy_http_version 1.1;
  67       proxy_request_buffering off;
  68     }
  69   }
  70   server {
  71     listen *:{{KEEPWEBDLSSLPORT}} ssl default_server;
  72     server_name keep-web-dl ~.*;
  73     ssl_certificate "{{SSLCERT}}";
  74     ssl_certificate_key "{{SSLKEY}}";
  75     location  / {
  76       proxy_pass http://keep-web;
  77       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  78       proxy_set_header X-Forwarded-Proto https;
  79
  80       client_max_body_size 0;
  81       proxy_http_version 1.1;
  82       proxy_request_buffering off;
  83
  84       # Unlike other proxy sections, here we need to override the
  85       # requested Host header and use proxy_redirect because of the
  86       # way the test suite orchestrates services. Keep-web's "download
  87       # only" behavior relies on the Host header matching a configured
  88       # value, but when run_test_servers.py writes keep-web's command
  89       # line, the keep-web-dl TLS port (which clients will connect to
  90       # and include in their Host header) has not yet been assigned.
  91       #
  92       # In production, "proxy_set_header Host $http_host;
  93       # proxy_redirect off;" works: keep-web's redirect URLs will
  94       # match the request URL received by Nginx.
  95       #
  96       # Here, keep-web will issue redirects to https://download/ and
  97       # Nginx will rewrite them.
  98       #
  99       proxy_set_header Host  download;
 100       proxy_redirect https://download/ https://$host:{{KEEPWEBDLSSLPORT}}/;
 101     }
 102   }
 103   upstream ws {
 104     server localhost:{{WSPORT}};
 105   }
 106   server {
 107     listen *:{{WSSPORT}} ssl default_server;
 108     server_name websocket;
 109     ssl_certificate "{{SSLCERT}}";
 110     ssl_certificate_key "{{SSLKEY}}";
 111     location  / {
 112       proxy_pass http://ws;
 113       proxy_set_header Upgrade $http_upgrade;
 114       proxy_set_header Connection "upgrade";
 115       proxy_set_header Host $http_host;
 116       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 117       proxy_set_header X-Forwarded-Proto https;
 118       proxy_redirect off;
 119     }
 120   }
 121   upstream controller {
 122     server localhost:{{CONTROLLERPORT}};
 123   }
 124   server {
 125     listen *:{{CONTROLLERSSLPORT}} ssl default_server;
 126     server_name controller;
 127     ssl_certificate "{{SSLCERT}}";
 128     ssl_certificate_key "{{SSLKEY}}";
 129     location  / {
 130       proxy_pass http://controller;
 131       proxy_set_header Host $http_host;
 132       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 133       proxy_set_header X-Forwarded-Proto https;
 134       proxy_redirect off;
 135     }
 136   }
 137 }