# Copyright (C) The Arvados Authors. All rights reserved. # # SPDX-License-Identifier: Apache-2.0 daemon off; events { } http { log_format customlog '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port ' '"$http_referer" "$http_user_agent"'; access_log "{{ACCESSLOG}}" customlog; client_body_temp_path "{{TMPDIR}}"; proxy_temp_path "{{TMPDIR}}"; fastcgi_temp_path "{{TMPDIR}}"; uwsgi_temp_path "{{TMPDIR}}"; scgi_temp_path "{{TMPDIR}}"; geo $external_client { default 1; 127.0.0.0/8 0; ::1 0; fd00::/8 0; {{INTERNALSUBNETS}} } upstream controller { server {{UPSTREAMHOST}}:{{CONTROLLERPORT}}; } server { listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl; server_name controller ~.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; client_max_body_size 0; location / { proxy_pass http://controller; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_set_header X-External-Client $external_client; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; proxy_max_temp_file_size 0; proxy_request_buffering off; proxy_buffering off; proxy_http_version 1.1; } } upstream keepproxy { server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}}; } server { listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl; server_name keepproxy keep.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keepproxy; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; client_max_body_size 67108864; proxy_http_version 1.1; proxy_request_buffering off; } } upstream keep-web { server {{UPSTREAMHOST}}:{{KEEPWEBPORT}}; } server { listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl; server_name keep-web collections.* ~\.collections\.; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; } } upstream health { server {{UPSTREAMHOST}}:{{HEALTHPORT}}; } server { listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl; server_name health health.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://health; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; proxy_http_version 1.1; proxy_request_buffering off; } } server { listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl; server_name keep-web-dl download.* ~.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; } } upstream ws { server {{UPSTREAMHOST}}:{{WSPORT}}; } server { listen {{LISTENHOST}}:{{WSSSLPORT}} ssl; server_name websocket ws.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://ws; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; } } # wb1->wb2 redirects copied from # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls map $request_uri $wb1_redirect { default 0; ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1; ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1; ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1; ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1; ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1; ~^/actions\?uuid=(.*) /; ^/work_units/(.*) /processes/$1; ^/container_requests/(.*) /processes/$1; ^/users/(.*) /user/$1; ^/groups/(.*) /group/$1; ^/virtual_machines.* /virtual-machines-admin; ^/users/.*/virtual_machines /virtual-machines-user; ^/authorized_keys.* /ssh-keys-admin; ^/users/.*/ssh_keys /ssh-keys-user; ^/containers.* /all_processes; ^/container_requests /all_processes; ^/job.* /all_processes; ^/users/link_account /link_account; ^/keep_services.* /keep-services; ^/trash_items.* /trash; ^/themes.* /; ^/keep_disks.* /; ^/user_agreements.* /; ^/nodes.* /; ^/humans.* /; ^/traits.* /; ^/sessions.* /; ^/logout.* /; ^/logged_out.* /; ^/current_token /; ^/logs.* /; ^/factory_jobs.* /; ^/uploaded_datasets.* /; ^/specimens.* /; ^/pipeline_templates.* /; ^/pipeline_instances.* /; } upstream workbench2 { server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}}; } server { listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl; listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl; server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; if ($wb1_redirect) { return 301 $wb1_redirect; } # file download redirects if ($arg_disposition = attachment) { rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect; } if ($arg_disposition = inline) { rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect; } location / { proxy_pass http://workbench2; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } }