tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls

   1 ---
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: AGPL-3.0
   5
   6 ### NGINX
   7 nginx:
   8   ### SERVER
   9   server:
  10     config:
  11
  12       ### STREAMS
  13       http:
  14         upstream webshell_upstream:
  15           - server: 'localhost:4200 fail_timeout=10s'
  16
  17   ### SITES
  18   servers:
  19     managed:
  20       arvados_webshell_default:
  21         enabled: true
  22         overwrite: true
  23         config:
  24           - server:
  25             - server_name: webshell.__CLUSTER__.__DOMAIN__
  26             - listen:
  27               - 80
  28             - include: snippets/letsencrypt_well_known.conf
  29             - location /:
  30               - return: '301 https://$host$request_uri'
  31
  32       arvados_webshell_ssl:
  33         enabled: true
  34         overwrite: true
  35         requires:
  36           cmd: create-initial-cert-webshell.__CLUSTER__.__DOMAIN__-webshell.__CLUSTER__.__DOMAIN__
  37         config:
  38           - server:
  39             - server_name: webshell.__CLUSTER__.__DOMAIN__
  40             - listen:
  41               - __CONTROLLER_EXT_SSL_PORT__ http2 ssl
  42             - index: index.html index.htm
  43             - location /shell.__CLUSTER__.__DOMAIN__:
  44               - proxy_pass: 'http://webshell_upstream'
  45               - proxy_read_timeout: 90
  46               - proxy_connect_timeout: 90
  47               - proxy_set_header: 'Host $http_host'
  48               - proxy_set_header: 'X-Real-IP $remote_addr'
  49               - proxy_set_header: X-Forwarded-Proto https
  50               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
  51               - proxy_ssl_session_reuse: 'off'
  52
  53               - "if ($request_method = 'OPTIONS')":
  54                 - add_header: "'Access-Control-Allow-Origin' '*'"
  55                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  56                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  57                 - add_header: "'Access-Control-Max-Age' 1728000"
  58                 - add_header: "'Content-Type' 'text/plain charset=UTF-8'"
  59                 - add_header: "'Content-Length' 0"
  60                 - return: 204
  61
  62               - "if ($request_method = 'POST')":
  63                 - add_header: "'Access-Control-Allow-Origin' '*'"
  64                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  65                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  66
  67               - "if ($request_method = 'GET')":
  68                 - add_header: "'Access-Control-Allow-Origin' '*'"
  69                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  70                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  71
  72             - include: snippets/ssl_hardening_default.conf
  73             - include: snippets/webshell.__CLUSTER__.__DOMAIN___letsencrypt_cert[.]conf
  74             - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
  75             - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
  76