Merge branch '15529-federated-user-accounts' refs #15529
[arvados.git] / tools / arvbox / lib / arvbox / docker / service / nginx / run
index 2353e949f7090093a02501afa57779f0dce6f649..0d60e74128365605a49194b27cb2cf9c09af9618 100755 (executable)
@@ -8,6 +8,8 @@ set -ex -o pipefail
 
 . /usr/local/lib/arvbox/common.sh
 
+openssl verify -CAfile $root_cert $server_cert
+
 cat <<EOF >/var/lib/arvados/nginx.conf
 worker_processes auto;
 pid /var/lib/arvados/nginx.pid;
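Review bot: `$root_cert` and `$server_cert` on the new `openssl verify` line are unquoted, so a value containing whitespace or glob characters would be split into extra arguments; write `openssl verify -CAfile "$root_cert" "$server_cert"`. Both variables are presumably exported by the sourced common.sh; under the script's `set -e` a missing or non-chaining certificate makes this line abort the service start, which is the intended fail-closed behaviour but deserves a comment such as `# fail fast if the server cert does not chain to the arvbox root CA`. Note that `openssl verify` checks the chain only and does not confirm that `${server_cert_key}` (used further down) belongs to the certificate; nginx will still refuse to start on a mismatch, so the check is complete in effect but not on this line.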
@@ -46,8 +48,8 @@ http {
   server {
     listen *:${services[controller-ssl]} ssl default_server;
     server_name controller;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
     location  / {
       proxy_pass http://controller;
       proxy_set_header Host \$http_host;
@@ -68,8 +70,8 @@ server {
   proxy_read_timeout    300s;
 
   ssl                   on;
-  ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-  ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+  ssl_certificate "${server_cert}";
+  ssl_certificate_key "${server_cert_key}";
 
   location / {
     proxy_pass          http://arvados-ws;
@@ -86,8 +88,8 @@ server {
   server {
     listen *:${services[workbench2-ssl]} ssl default_server;
     server_name workbench2;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
     location  / {
       proxy_pass http://workbench2;
       proxy_set_header Host \$http_host;
@@ -110,8 +112,9 @@ server {
   server {
     listen *:${services[keep-web-ssl]} ssl default_server;
     server_name keep-web;
-    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
-    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
+    client_max_body_size 0;
     location  / {
       proxy_pass http://keep-web;
       proxy_set_header Host \$http_host;
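Review bot: `client_max_body_size 0;` on the keep-web server disables nginx's request-body cap entirely, whereas the other new blocks in this commit set explicit limits (`128M` for keepproxy, `50m` for arvados-git-httpd), so any bound on upload size here now rests solely on the upstream service. A one-line comment giving the reason would keep a later reader from "fixing" it back to a finite value, e.g. `# 0 = no nginx cap on request bodies; uploads through keep-web are intentionally unbounded here — TODO confirm`. The controller block earlier in this diff gets no such directive and therefore keeps nginx's default 1m, which may or may not be what the federated-account flows need.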
@@ -121,6 +124,48 @@ server {
     }
   }
 
+
+  upstream keepproxy {
+    server localhost:${services[keepproxy]};
+  }
+  server {
+    listen *:${services[keepproxy-ssl]} ssl default_server;
+    server_name keepproxy;
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
+    client_max_body_size 128M;
+    location  / {
+      proxy_pass http://keepproxy;
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
+    }
+  }
+
+  upstream arvados-git-httpd {
+    server localhost:${services[arv-git-httpd]};
+  }
+  server {
+    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
+    server_name arvados-git-httpd;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout 300s;
+
+    ssl on;
+    ssl_certificate "${server_cert}";
+    ssl_certificate_key "${server_cert_key}";
+    client_max_body_size 50m;
+
+    location  / {
+      proxy_pass http://arvados-git-httpd;
+      proxy_set_header Host \$http_host;
+      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_redirect off;
+    }
+  }
+
 }
 
 EOF
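Review bot: `ssl on;` in the new arvados-git-httpd server block is redundant with `listen ... ssl` on the same block and is a deprecated directive in newer nginx releases; the keepproxy block added in this same hunk correctly omits it, so drop the `ssl on;` line for consistency (the older websocket block in an earlier hunk still carries it, but that is pre-existing). The two new blocks also spell the body-size unit differently (`128M` versus `50m`); both are accepted, but one form would read better. The `proxy_connect_timeout`/`proxy_read_timeout` pair appears only on the git block; if those values matter for keepproxy as well that is worth a comment rather than relying on the defaults silently.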