projects / arvados.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch '20943-trashed-role-groups' refs #20943
[arvados.git] / tools / salt-install / config_examples / multi_host / aws / pillars / nginx_webshell_configuration.sls
1 ---
2 # Copyright (C) The Arvados Authors. All rights reserved.
3 #
4 # SPDX-License-Identifier: AGPL-3.0
5
6 {%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
7
8 ### NGINX
9 nginx:
10   ### SERVER
11   server:
12     config:
13
14       ### STREAMS
15       http:
16         upstream webshell_upstream:
17           - server: 'shell.__DOMAIN__:4200 fail_timeout=10s'
18
19   ### SITES
20   servers:
21     managed:
22       arvados_webshell_default.conf:
23         enabled: true
24         overwrite: true
25         config:
26           - server:
27             - server_name: webshell.__DOMAIN__
28             - listen:
29               - 80
30             - location /:
31               - return: '301 https://$host$request_uri'
32
33       arvados_webshell_ssl.conf:
34         enabled: true
35         overwrite: true
36         requires:
37           __CERT_REQUIRES__
38         config:
39           - server:
40             - server_name: webshell.__DOMAIN__
41             - listen:
42               - __WEBSHELL_EXT_SSL_PORT__ http2 ssl
43             - index: index.html index.htm
44             - location /shell.__DOMAIN__:
45               - proxy_pass: 'http://webshell_upstream'
46               - proxy_read_timeout: 90
47               - proxy_connect_timeout: 90
48               - proxy_set_header: 'Host $http_host'
49               - proxy_set_header: 'X-Real-IP $remote_addr'
50               - proxy_set_header: X-Forwarded-Proto https
51               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
52               - proxy_ssl_session_reuse: 'off'
53
54               - "if ($request_method = 'OPTIONS')":
55                 - add_header: "'Access-Control-Allow-Origin' '*'"
56                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
57                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
58                 - add_header: "'Access-Control-Max-Age' 1728000"
59                 - add_header: "'Content-Type' 'text/plain charset=UTF-8'"
60                 - add_header: "'Content-Length' 0"
61                 - return: 204
62
63               - "if ($request_method = 'POST')":
64                 - add_header: "'Access-Control-Allow-Origin' '*'"
65                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
66                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
67
68               - "if ($request_method = 'GET')":
69                 - add_header: "'Access-Control-Allow-Origin' '*'"
70                 - add_header: "'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'"
71                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
72
73             - include: snippets/ssl_hardening_default.conf
74             - ssl_certificate: __CERT_PEM__
75             - ssl_certificate_key: __CERT_KEY__
76             {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
77             - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
78             {%- endif %}
79             - access_log: /var/log/nginx/webshell.__DOMAIN__.access.log combined
80             - error_log: /var/log/nginx/webshell.__DOMAIN__.error.log
81