Merge branch '21717-keepstore-cors'
[arvados.git] / sdk / python / tests / nginx.conf
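# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

# TLS-terminating reverse proxy for the services used by the test suite.
# Each server block accepts HTTPS on its own port and forwards to the
# matching upstream over plain HTTP.
#
# {{NAME}} tokens are template placeholders; presumably they are
# substituted before nginx reads this file -- confirm against whatever
# renders it.

# Stay in the foreground so the launching process can supervise nginx.
daemon off;
events {
}
http {
  # The request URL, referer and user agent are logged as sent by the
  # client; $request_uri includes the query string.
  log_format customlog
    '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
    '"$http_referer" "$http_user_agent"';
  access_log "{{ACCESSLOG}}" customlog;
  client_body_temp_path "{{TMPDIR}}";
  proxy_temp_path "{{TMPDIR}}";
  fastcgi_temp_path "{{TMPDIR}}";
  uwsgi_temp_path "{{TMPDIR}}";
  scgi_temp_path "{{TMPDIR}}";

  # $external_client is 1 unless the peer address falls in one of the
  # ranges below. geo keys on $remote_addr by default and this file
  # configures no realip directives, so the value follows the TCP peer,
  # not a request header. Every range supplied through
  # {{INTERNALSUBNETS}} is classified as internal, so that list should
  # stay as narrow as the deployment allows.
  geo $external_client {
    default 1;
    127.0.0.0/8 0;
    ::1 0;
    fd00::/8 0;
    {{INTERNALSUBNETS}}
  }

  upstream controller {
    server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
    # "~.*" is a catch-all: any Host header reaching this port is served.
    server_name controller ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    # 0 disables nginx's request-body size check for this server.
    client_max_body_size 0;
    location  / {
      proxy_pass http://controller;
      proxy_set_header Upgrade $http_upgrade;
      # Sent on every proxied request, not only on upgrade requests.
      proxy_set_header Connection "upgrade";
      # The client's Host header is forwarded unchanged. Combined with
      # the catch-all server_name, any host validation has to happen in
      # the upstream.
      proxy_set_header Host $http_host;
      # proxy_set_header replaces whatever X-External-Client the client
      # sent, so the upstream only sees nginx's own classification.
      proxy_set_header X-External-Client $external_client;
      # $proxy_add_x_forwarded_for appends the peer address to any
      # X-Forwarded-For supplied by the client; only the last entry is
      # written by this proxy.
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
      # Stream in both directions: no temp files for responses and no
      # buffering of request or response bodies. With the size check
      # disabled above, any body limit must be enforced by the upstream.
      proxy_max_temp_file_size 0;
      proxy_request_buffering off;
      proxy_buffering off;
      proxy_http_version 1.1;
    }
  }

  upstream arv-git-http {
    server {{UPSTREAMHOST}}:{{GITPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
    server_name arv-git-http git.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://arv-git-http;
      # Host and X-Forwarded-For carry client-supplied data; see the
      # notes in the controller block.
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream keepproxy {
    server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
    server_name keepproxy keep.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # 67108864 bytes = 64 MiB. This is the only proxied service in
      # this file with a finite request-body cap.
      client_max_body_size 67108864;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }

  upstream keep-web {
    server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
    server_name keep-web collections.* ~\.collections\.;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      # No nginx-side body limit; the body is streamed to the upstream.
      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }

  upstream health {
    server {{UPSTREAMHOST}}:{{HEALTHPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
    server_name health health.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://health;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }

  # Second front end for the keep-web upstream, on its own port and with
  # a catch-all server_name.
  server {
    listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl;
    server_name keep-web-dl download.* ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }

  upstream ws {
    server {{UPSTREAMHOST}}:{{WSPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
    server_name websocket ws.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://ws;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }

  # wb1->wb2 redirects copied from
  # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
  #
  # $request_uri is the raw request line URI, query string included,
  # which is why the /actions patterns can match on "?uuid=".
  #
  # A map source value is treated as a regular expression only when it
  # starts with "~" (or "~*"); otherwise it is compared as a literal
  # string. The entries after the /actions group previously lacked the
  # "~", so they were literal strings beginning with "^" and could never
  # equal a request URI. They now carry the prefix.
  #
  # Regex entries are tried in order of appearance and the first match
  # wins, so the specific /users/... patterns are listed before the
  # generic /users/(.*) one.
  #
  # Every target starts with a fixed path, so the resulting Location
  # stays on the requesting host.
  map $request_uri $wb1_redirect {
    default                        0;

    ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1;
    ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1;
    ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1;
    ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1;
    ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1;
    ~^/actions\?uuid=(.*)          /;

    ~^/users/.*/virtual_machines   /virtual-machines-user;
    ~^/users/.*/ssh_keys           /ssh-keys-user;
    ~^/users/link_account          /link_account;

    ~^/work_units/(.*)             /processes/$1;
    ~^/container_requests/(.*)     /processes/$1;
    ~^/users/(.*)                  /user/$1;
    ~^/groups/(.*)                 /group/$1;

    ~^/virtual_machines.*          /virtual-machines-admin;
    ~^/authorized_keys.*           /ssh-keys-admin;
    ~^/containers.*                /all_processes;
    ~^/container_requests          /all_processes;
    ~^/job.*                       /all_processes;
    ~^/keep_services.*             /keep-services;
    ~^/trash_items.*               /trash;

    ~^/themes.*                    /;
    ~^/keep_disks.*                /;
    ~^/user_agreements.*           /;
    ~^/nodes.*                     /;
    ~^/humans.*                    /;
    ~^/traits.*                    /;
    ~^/sessions.*                  /;
    ~^/logout.*                    /;
    ~^/logged_out.*                /;
    ~^/current_token               /;
    ~^/logs.*                      /;
    ~^/factory_jobs.*              /;
    ~^/uploaded_datasets.*         /;
    ~^/specimens.*                 /;
    ~^/pipeline_templates.*        /;
    ~^/pipeline_instances.*        /;
  }

  upstream workbench2 {
    server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
  }
  server {
    listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
    listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
    server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";

    # Rewrite-module directives at server level run in order before a
    # location is chosen. $wb1_redirect is "0" (false) unless the map
    # above matched, in which case it holds the redirect target.
    if ($wb1_redirect) {
      return 301 $wb1_redirect;
    }

    # file download redirects
    # Keyed on the "disposition" query argument. The trailing "?" in the
    # replacement stops nginx from appending the original query string,
    # and "redirect" answers with a temporary (302) redirect to a
    # site-relative URL.
    if ($arg_disposition = attachment) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
    }
    if ($arg_disposition = inline) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
    }

    location / {
      proxy_pass http://workbench2;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }
}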