21639: Fix tests
[arvados.git] / sdk / python / tests / nginx.conf
index a4336049f2447bd18cf396cbec0b76e7cdf69356..446b95ca42c61400640a67ed632c492b64f8238a 100644 (file)
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 daemon off;
-error_log "{{ERRORLOG}}" info;          # Yes, must be specified here _and_ cmdline
 events {
 }
 http {
@@ -11,29 +10,44 @@ http {
     '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
     '"$http_referer" "$http_user_agent"';
   access_log "{{ACCESSLOG}}" customlog;
-  client_body_temp_path "{{TMPDIR}}/nginx";
-  proxy_temp_path "{{TMPDIR}}/nginx";
-  fastcgi_temp_path "{{TMPDIR}}/nginx";
-  uwsgi_temp_path "{{TMPDIR}}/nginx";
-  scgi_temp_path "{{TMPDIR}}/nginx";
+  client_body_temp_path "{{TMPDIR}}";
+  proxy_temp_path "{{TMPDIR}}";
+  fastcgi_temp_path "{{TMPDIR}}";
+  uwsgi_temp_path "{{TMPDIR}}";
+  scgi_temp_path "{{TMPDIR}}";
+  geo $external_client {
+    default 1;
+    127.0.0.0/8 0;
+    ::1 0;
+    fd00::/8 0;
+    {{INTERNALSUBNETS}}
+  }
   upstream controller {
-    server {{LISTENHOST}}:{{CONTROLLERPORT}};
+    server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
     server_name controller ~.*;
     ssl_certificate "{{SSLCERT}}";
     ssl_certificate_key "{{SSLKEY}}";
+    client_max_body_size 0;
     location  / {
       proxy_pass http://controller;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
       proxy_set_header Host $http_host;
+      proxy_set_header X-External-Client $external_client;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto https;
       proxy_redirect off;
+      proxy_max_temp_file_size 0;
+      proxy_request_buffering off;
+      proxy_buffering off;
+      proxy_http_version 1.1;
     }
   }
   upstream arv-git-http {
-    server {{LISTENHOST}}:{{GITPORT}};
+    server {{UPSTREAMHOST}}:{{GITPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
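Review bot: The new `geo $external_client` block has no comment saying what 0 and 1 mean or what the flag is keyed on, yet its value is forwarded to the controller as `X-External-Client` in `location /`. Since `geo` classifies by `$remote_addr` by default, the header is only trustworthy while nginx is the first hop and, presumably, the controller port cannot be reached without going through nginx. I would add above the block `# 0 = internal client, 1 = external; keyed on $remote_addr, so upstreams must accept X-External-Client only from this proxy`. The raw `{{INTERNALSUBNETS}}` placeholder also deserves a comment that it must expand to `CIDR 0;` lines, because an overly broad entry silently marks outside clients as internal. The enclosing `http` block starts before this hunk and continues after it.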
@@ -49,7 +63,7 @@ http {
     }
   }
   upstream keepproxy {
-    server {{LISTENHOST}}:{{KEEPPROXYPORT}};
+    server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
@@ -63,12 +77,13 @@ http {
       proxy_set_header X-Forwarded-Proto https;
       proxy_redirect off;
 
+      client_max_body_size 67108864;
       proxy_http_version 1.1;
       proxy_request_buffering off;
     }
   }
   upstream keep-web {
-    server {{LISTENHOST}}:{{KEEPWEBPORT}};
+    server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
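Review bot: The added `client_max_body_size 67108864;` in the keepproxy location is a bare byte count with no explanation. Writing it as `client_max_body_size 64m;  # upper bound for a single proxied request body` makes the limit readable and records why this server is capped, where the controller and ws servers in this commit use `0` (unlimited). The `location` block this line sits in starts outside the hunk.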
@@ -88,7 +103,7 @@ http {
     }
   }
   upstream health {
-    server {{LISTENHOST}}:{{HEALTHPORT}};
+    server {{UPSTREAMHOST}}:{{HEALTHPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
@@ -124,7 +139,7 @@ http {
     }
   }
   upstream ws {
-    server {{LISTENHOST}}:{{WSPORT}};
+    server {{UPSTREAMHOST}}:{{WSPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
@@ -139,18 +154,81 @@ http {
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto https;
       proxy_redirect off;
+
+      client_max_body_size 0;
+      proxy_http_version 1.1;
+      proxy_request_buffering off;
     }
   }
-  upstream workbench1 {
-    server {{LISTENHOST}}:{{WORKBENCH1PORT}};
+  # wb1->wb2 redirects copied from
+  # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+  map $request_uri $wb1_redirect {
+    default                        0;
+
+    ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1;
+    ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1;
+    ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1;
+    ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1;
+    ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1;
+    ~^/actions\?uuid=(.*)          /;
+
+    ^/work_units/(.*)              /processes/$1;
+    ^/container_requests/(.*)      /processes/$1;
+    ^/users/(.*)                   /user/$1;
+    ^/groups/(.*)                  /group/$1;
+
+    ^/virtual_machines.*           /virtual-machines-admin;
+    ^/users/.*/virtual_machines    /virtual-machines-user;
+    ^/authorized_keys.*            /ssh-keys-admin;
+    ^/users/.*/ssh_keys            /ssh-keys-user;
+    ^/containers.*                 /all_processes;
+    ^/container_requests           /all_processes;
+    ^/job.*                        /all_processes;
+    ^/users/link_account           /link_account;
+    ^/keep_services.*              /keep-services;
+    ^/trash_items.*                /trash;
+
+    ^/themes.*                     /;
+    ^/keep_disks.*                 /;
+    ^/user_agreements.*            /;
+    ^/nodes.*                      /;
+    ^/humans.*                     /;
+    ^/traits.*                     /;
+    ^/sessions.*                   /;
+    ^/logout.*                     /;
+    ^/logged_out.*                 /;
+    ^/current_token                /;
+    ^/logs.*                       /;
+    ^/factory_jobs.*               /;
+    ^/uploaded_datasets.*          /;
+    ^/specimens.*                  /;
+    ^/pipeline_templates.*         /;
+    ^/pipeline_instances.*         /;
+  }
+  upstream workbench2 {
+    server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
   }
   server {
+    listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
     listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
-    server_name workbench1 workbench.*;
+    server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*;
     ssl_certificate "{{SSLCERT}}";
     ssl_certificate_key "{{SSLKEY}}";
-    location  / {
-      proxy_pass http://workbench1;
+
+    if ($wb1_redirect) {
+      return 301 $wb1_redirect;
+    }
+
+    # file download redirects
+    if ($arg_disposition = attachment) {
+      rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
+    }
+    if ($arg_disposition = inline) {
+      rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
+    }
+
+    location / {
+      proxy_pass http://workbench2;
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto https;
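Review bot: In the `map $request_uri $wb1_redirect` block, every entry from `^/work_units/(.*)` down to `^/pipeline_instances.*` lacks the leading `~`. nginx `map` treats a source value as a regular expression only when it begins with `~` or `~*`, so these lines are compared as literal strings and their redirects will not fire; only the `~^/actions\?uuid=...` entries behave as intended. Each should be written like `~^/work_units/(.*) /processes/$1;`. Once they are regexes, order matters because the first matching expression wins: `~^/users/(.*)` would shadow `^/users/.*/virtual_machines`, `^/users/.*/ssh_keys` and `^/users/link_account`, so the more specific patterns need to come first. The `server` and `location /` blocks continue past the end of this hunk.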