projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
17212: Propagate -listen-host to postgresql and passenger.
[arvados.git] / lib / boot / nginx.go
diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go
index a7c09a7227913ca66ed43d8040c6e0dd1919583f..dc4aebd528d4bf3f6c8d43c359efb8b51ed6b73a 100644 (file)
--- a/lib/boot/nginx.go
+++ b/lib/boot/nginx.go
@@ -9,8 +9,10 @@ import (
        "fmt"
        "io/ioutil"
        "net"
+       "net/url"
        "os"
        "os/exec"
+       "os/user"
        "path/filepath"
        "regexp"
 
@@ -36,7 +38,7 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
                "SSLKEY":     filepath.Join(super.tempdir, "server.key"),
                "ACCESSLOG":  filepath.Join(super.tempdir, "nginx_access.log"),
                "ERRORLOG":   filepath.Join(super.tempdir, "nginx_error.log"),
-               "TMPDIR":     super.tempdir,
+               "TMPDIR":     super.wwwtempdir,
        }
        for _, cmpt := range []struct {
                varname string
@@ -51,12 +53,12 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
                {"WORKBENCH1", super.cluster.Services.Workbench1},
                {"WS", super.cluster.Services.Websocket},
        } {
-               port, err := internalPort(cmpt.svc)
+               host, port, err := internalPort(cmpt.svc)
                if err != nil {
                        return fmt.Errorf("%s internal port: %w (%v)", cmpt.varname, err, cmpt.svc)
                }
-               if ok, err := addrIsLocal(net.JoinHostPort(super.ListenHost, port)); !ok || err != nil {
-                       return fmt.Errorf("urlIsLocal() failed for host %q port %q: %v", super.ListenHost, port, err)
+               if ok, err := addrIsLocal(net.JoinHostPort(host, port)); !ok || err != nil {
+                       return fmt.Errorf("urlIsLocal() failed for host %q port %q: %v", host, port, err)
                }
                vars[cmpt.varname+"PORT"] = port
 
@@ -99,13 +101,32 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
                        }
                }
        }
+
+       args := []string{
+               "-g", "error_log stderr info;",
+               "-g", "pid " + filepath.Join(super.wwwtempdir, "nginx.pid") + ";",
+               "-c", conffile,
+       }
+       // Nginx ignores "user www-data;" when running as a non-root
+       // user... except that it causes it to ignore our other -g
+       // options. So we still have to decide for ourselves whether
+       // it's needed.
+       if u, err := user.Current(); err != nil {
+               return fmt.Errorf("user.Current(): %w", err)
+       } else if u.Uid == "0" {
+               args = append([]string{"-g", "user www-data;"}, args...)
+       }
+
        super.waitShutdown.Add(1)
        go func() {
                defer super.waitShutdown.Done()
-               fail(super.RunProgram(ctx, ".", nil, nil, nginx,
-                       "-g", "error_log stderr info;",
-                       "-g", "pid "+filepath.Join(super.tempdir, "nginx.pid")+";",
-                       "-c", conffile))
+               fail(super.RunProgram(ctx, ".", runOptions{}, nginx, args...))
        }()
-       return waitForConnect(ctx, super.cluster.Services.Controller.ExternalURL.Host)
+       // Choose one of the ports where Nginx should listen, and wait
+       // here until we can connect. If ExternalURL is https://foo (with no port) then we connect to "foo:https"
+       testurl := url.URL(super.cluster.Services.Controller.ExternalURL)
+       if testurl.Port() == "" {
+               testurl.Host = net.JoinHostPort(testurl.Host, testurl.Scheme)
+       }
+       return waitForConnect(ctx, testurl.Host)
 }