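#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

# Service run script for nginx: writes /var/lib/arvados/nginx.conf and then
# replaces this shell with nginx running in the foreground ("daemon off").
# nginx terminates TLS for each service and proxies to it on localhost.
#
# containerip, localip, dockerip, root_cert, server_cert, server_cert_key and
# the services[] array are not defined in this file; presumably they come
# from common.sh -- confirm there.

# Merge stderr into stdout so all output lands in one stream.
exec 2>&1
# -e: stop on the first failing command; -x: trace every command into the
# combined output stream; pipefail: a pipeline fails if any stage fails.
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

# Map localip onto the container address in /etc/hosts, once.
# Expansions are quoted so an empty or odd value cannot change the shape of
# the test or the grep command line; -F makes the dots literal instead of
# regex wildcards. This is still a substring match against the whole file.
if [[ "$containerip" != "$localip" ]] ; then
    if ! grep -qF -- "$localip" /etc/hosts ; then
        printf '%s %s\n' "$containerip" "$localip" >> /etc/hosts
    fi
fi

# Under set -e a certificate that does not chain to the root CA aborts the
# script here, before any config is written. This checks the chain only; it
# does not check that server_cert_key matches server_cert.
openssl verify -CAfile "$root_cert" "$server_cert"

# The heredoc delimiter is unquoted, so shell variables are expanded now and
# nginx's own variables are written with a backslash (\$host, \$http_host).
# X-Forwarded-For is built with proxy_add_x_forwarded_for, which appends to
# whatever the client already sent; upstreams should rely on the last entry
# only.
cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
        worker_connections 64;
}

http {
  access_log off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  client_max_body_size 128M;

  # external_client is 0 for loopback, the container IP and the docker IP,
  # and 1 for every other source address.
  geo \$external_client {
      default     1;
      127.0.0.0/8 0;
      $containerip/32 0;
      $dockerip/32 0;
  }

  server {
        listen ${services[doc]} default_server;
        listen [::]:${services[doc]} default_server;
        root /usr/src/arvados/doc/.site;
        index index.html;
        server_name _;
  }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      # Taken from the geo map; proxy_set_header replaces any
      # X-External-Client value supplied by the client.
      proxy_set_header X-External-Client \$external_client;
      proxy_redirect off;
      # This turns off response caching
      proxy_buffering off;
    }
  }

  upstream arvados-ws {
    server localhost:${services[websockets]};
  }
  server {
    listen *:${services[websockets-ssl]} ssl default_server;
    server_name           websockets;

    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    # TLS is enabled by the ssl flag on the listen line; the separate,
    # deprecated "ssl on" directive is not needed.
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";

    location / {
      proxy_pass          http://arvados-ws;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    # 0 disables the request body size limit for this server.
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream keepproxy {
    server localhost:${services[keepproxy]};
  }
  server {
    listen *:${services[keepproxy-ssl]} ssl default_server;
    server_name keepproxy;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 128M;
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream arvados-git-httpd {
    server localhost:${services[arv-git-httpd]};
  }
  server {
    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
    server_name arvados-git-httpd;
    proxy_connect_timeout 90s;
    proxy_read_timeout 300s;

    # TLS is enabled by the ssl flag on the listen line; the separate,
    # deprecated "ssl on" directive is not needed.
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 50m;

    location  / {
      proxy_pass http://arvados-git-httpd;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

}

EOF

# Replace the shell with nginx so the service supervisor tracks nginx itself.
exec nginx -c /var/lib/arvados/nginx.conf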