tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_webshell_configuration.sls

   1 ---
   2 # Copyright (C) The Arvados Authors. All rights reserved.
   3 #
   4 # SPDX-License-Identifier: AGPL-3.0
   5
   6 # This parameter will be used here to generate a list of upstreams and vhosts.
   7 # This dict is here for convenience and should be managed some other way, but the
   8 # different ways of orchestration that can be used for this are outside the scope
   9 # of this formula and their examples.
  10 # These upstreams should match those defined in `arvados:cluster:resources:virtual_machines`
  11 {% set webshell_virtual_machines = {
  12   'shell': {
  13     'name': 'webshell',
  14     'backend': '127.0.1.1',
  15     'port': 4200,
  16   }
  17 }
  18 %}
  19
  20 ### NGINX
  21 nginx:
  22   ### SERVER
  23   server:
  24     config:
  25
  26       ### STREAMS
  27       http:
  28         {%- for vm, params in webshell_virtual_machines.items() %}
  29           {%- set vm_name = params.name | default(vm) %}
  30           {%- set vm_backend = params.backend | default(vm_name) %}
  31           {%- set vm_port = params.port | default(4200) %}
  32
  33         upstream {{ vm_name }}_upstream:
  34           - server: '{{ vm_backend }}:{{ vm_port }} fail_timeout=10s'
  35
  36         {%- endfor %}
  37
  38   ### SITES
  39   servers:
  40     managed:
  41       arvados_webshell_default.conf:
  42         enabled: true
  43         overwrite: true
  44         config:
  45           - server:
  46             - server_name: webshell.__CLUSTER__.__DOMAIN__
  47             - listen:
  48               - 80
  49             - location /.well-known:
  50               - root: /var/www
  51             - location /:
  52               - return: '301 https://$host$request_uri'
  53
  54       arvados_webshell_ssl.conf:
  55         enabled: true
  56         overwrite: true
  57         requires:
  58           file: extra_custom_certs_webshell_cert_file_copy
  59         config:
  60           - server:
  61             - server_name: webshell.__CLUSTER__.__DOMAIN__
  62             - listen:
  63               - __CONTROLLER_EXT_SSL_PORT__ http2 ssl
  64             - index: index.html index.htm
  65             {%- for vm, params in webshell_virtual_machines.items() %}
  66               {%- set vm_name = params.name | default(vm) %}
  67             - location /{{ vm_name }}:
  68               - proxy_pass: 'http://{{ vm_name }}_upstream'
  69               - proxy_read_timeout: 90
  70               - proxy_connect_timeout: 90
  71               - proxy_set_header: 'Host $http_host'
  72               - proxy_set_header: 'X-Real-IP $remote_addr'
  73               - proxy_set_header: X-Forwarded-Proto https
  74               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
  75               - proxy_ssl_session_reuse: 'off'
  76
  77               - "if ($request_method = 'OPTIONS')":
  78                 - add_header: "'Access-Control-Allow-Origin' '*'"
  79                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  80                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  81                 - add_header: "'Access-Control-Max-Age' 1728000"
  82                 - add_header: "'Content-Type' 'text/plain charset=UTF-8'"
  83                 - add_header: "'Content-Length' 0"
  84                 - return: 204
  85
  86               - "if ($request_method = 'POST')":
  87                 - add_header: "'Access-Control-Allow-Origin' '*'"
  88                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  89                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  90
  91               - "if ($request_method = 'GET')":
  92                 - add_header: "'Access-Control-Allow-Origin' '*'"
  93                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
  94                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
  95             {%- endfor %}
  96             - include: snippets/ssl_hardening_default.conf
  97             - ssl_certificate: /etc/nginx/ssl/arvados-webshell.pem
  98             - ssl_certificate_key: /etc/nginx/ssl/arvados-webshell.key
  99             - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
 100             - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
 101