# Copyright (C) The Arvados Authors. All rights reserved. # # SPDX-License-Identifier: Apache-2.0 daemon off; error_log "{{ERRORLOG}}" info; # Yes, must be specified here _and_ cmdline events { } http { log_format customlog '[$time_local] $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port ' '"$http_referer" "$http_user_agent"'; access_log "{{ACCESSLOG}}" customlog; client_body_temp_path "{{TMPDIR}}"; proxy_temp_path "{{TMPDIR}}"; fastcgi_temp_path "{{TMPDIR}}"; uwsgi_temp_path "{{TMPDIR}}"; scgi_temp_path "{{TMPDIR}}"; upstream arv-git-http { server localhost:{{GITPORT}}; } server { listen *:{{GITSSLPORT}} ssl default_server; server_name arv-git-http; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://arv-git-http; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } upstream keepproxy { server localhost:{{KEEPPROXYPORT}}; } server { listen *:{{KEEPPROXYSSLPORT}} ssl default_server; server_name keepproxy; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keepproxy; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; proxy_http_version 1.1; proxy_request_buffering off; } } upstream keep-web { server localhost:{{KEEPWEBPORT}}; } server { listen *:{{KEEPWEBSSLPORT}} ssl default_server; server_name keep-web; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; } } server { listen *:{{KEEPWEBDLSSLPORT}} ssl default_server; server_name keep-web-dl ~.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; # Unlike other proxy sections, here we need to override the # requested Host header and use proxy_redirect because of the # way the test suite orchestrates services. Keep-web's "download # only" behavior relies on the Host header matching a configured # value, but when run_test_servers.py writes keep-web's command # line, the keep-web-dl TLS port (which clients will connect to # and include in their Host header) has not yet been assigned. # # In production, "proxy_set_header Host $http_host; # proxy_redirect off;" works: keep-web's redirect URLs will # match the request URL received by Nginx. # # Here, keep-web will issue redirects to https://download/ and # Nginx will rewrite them. # proxy_set_header Host download; proxy_redirect https://download/ https://$host:{{KEEPWEBDLSSLPORT}}/; } } upstream ws { server localhost:{{WSPORT}}; } server { listen *:{{WSSPORT}} ssl default_server; server_name websocket; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://ws; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } upstream controller { server localhost:{{CONTROLLERPORT}}; } server { listen *:{{CONTROLLERSSLPORT}} ssl default_server; server_name controller; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://controller; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } }