--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+. /usr/local/lib/arvbox/common.sh
+
+if [[ $containerip != $localip ]] ; then
+ if ! grep -q $localip /etc/hosts ; then
+ echo $containerip $localip >> /etc/hosts
+ fi
+fi
+
+geo_dockerip=
+if [[ -f /var/run/localip_override ]] ; then
+ geo_dockerip="$dockerip/32 0;"
+fi
+
+openssl verify -CAfile $root_cert $server_cert
+
+cat <<EOF >$ARVADOS_CONTAINER_PATH/nginx.conf
+worker_processes auto;
+pid $ARVADOS_CONTAINER_PATH/nginx.pid;
+
+error_log stderr;
+daemon off;
+user arvbox;
+
+events {
+ worker_connections 64;
+}
+
+http {
+ access_log off;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+ client_max_body_size 128M;
+
+ geo \$external_client {
+ default 1;
+ 127.0.0.0/8 0;
+ $containerip/32 0;
+ $geo_dockerip
+ }
+
+ server {
+ listen ${services[doc]} default_server;
+ listen [::]:${services[doc]} default_server;
+ root /usr/src/arvados/doc/.site;
+ index index.html;
+ server_name _;
+ }
+
+ server {
+ listen 80 default_server;
+ server_name _;
+ return 301 https://\$host\$request_uri;
+ }
+
+ upstream controller {
+ server localhost:${services[controller]};
+ }
+ server {
+ listen *:${services[controller-ssl]} ssl default_server;
+ server_name controller;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+ location / {
+ proxy_pass http://controller;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-External-Client \$external_client;
+ proxy_redirect off;
+ # This turns off response caching
+ proxy_buffering off;
+ }
+ }
+
+ upstream arvados-ws {
+ server localhost:${services[websockets]};
+ }
+ server {
+ listen *:${services[websockets-ssl]} ssl default_server;
+ server_name websockets;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+
+ location / {
+ proxy_pass http://arvados-ws;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+ }
+
+ upstream workbench2 {
+ server localhost:${services[workbench2]};
+ }
+ server {
+ listen *:${services[workbench2-ssl]} ssl default_server;
+ server_name workbench2;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+
+ # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
+
+ # Paths that are not redirected because wb1 and wb2 have similar enough paths
+ # that a redirect is pointless and would create a redirect loop.
+ # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
+ # rewrite ^/repositories.* /repositories redirect;
+ # rewrite ^/links.* /links redirect;
+ # rewrite ^/projects.* /projects redirect;
+ # rewrite ^/trash /trash redirect;
+
+ # Redirects that include a uuid
+ rewrite ^/work_units/(.*) /processes/\$1 redirect;
+ rewrite ^/container_requests/(.*) /processes/\$1 redirect;
+ rewrite ^/users/(.*) /user/\$1 redirect;
+ rewrite ^/groups/(.*) /group/\$1 redirect;
+
+ # Special file download redirects
+ if (\$arg_disposition = attachment) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=\$1/\$2? redirect;
+ }
+ if (\$arg_disposition = inline) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=\$1/\$2? redirect;
+ }
+
+ # Redirects that go to a roughly equivalent page
+ rewrite ^/virtual_machines.* /virtual-machines-admin redirect;
+ rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect;
+ rewrite ^/authorized_keys.* /ssh-keys-admin redirect;
+ rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect;
+ rewrite ^/containers.* /all_processes redirect;
+ rewrite ^/container_requests /all_processes redirect;
+ rewrite ^/job.* /all_processes redirect;
+ rewrite ^/users/link_account /link_account redirect;
+ rewrite ^/search.* /search-results redirect;
+ rewrite ^/keep_services.* /keep-services redirect;
+ rewrite ^/trash_items.* /trash redirect;
+
+ # Redirects that don't have a good mapping and
+ # just go to root.
+ rewrite ^/themes.* / redirect;
+ rewrite ^/keep_disks.* / redirect;
+ rewrite ^/user_agreements.* / redirect;
+ rewrite ^/nodes.* / redirect;
+ rewrite ^/humans.* / redirect;
+ rewrite ^/traits.* / redirect;
+ rewrite ^/sessions.* / redirect;
+ rewrite ^/logout.* / redirect;
+ rewrite ^/logged_out.* / redirect;
+ rewrite ^/current_token / redirect;
+ rewrite ^/logs.* / redirect;
+ rewrite ^/factory_jobs.* / redirect;
+ rewrite ^/uploaded_datasets.* / redirect;
+ rewrite ^/specimens.* / redirect;
+ rewrite ^/pipeline_templates.* / redirect;
+ rewrite ^/pipeline_instances.* / redirect;
+
+ location / {
+ proxy_pass http://workbench2;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ location /sockjs-node {
+ proxy_pass http://workbench2;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+ }
+
+ upstream keep-web {
+ server localhost:${services[keep-web]};
+ }
+ server {
+ listen *:${services[keep-web-ssl]} ssl default_server;
+ server_name keep-web;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+ client_max_body_size 0;
+ location / {
+ proxy_pass http://keep-web;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+ server {
+ listen *:${services[keep-web-dl-ssl]} ssl default_server;
+ server_name keep-web-dl;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+ client_max_body_size 0;
+ location / {
+ proxy_pass http://keep-web;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+
+ upstream keepproxy {
+ server localhost:${services[keepproxy]};
+ }
+ server {
+ listen *:${services[keepproxy-ssl]} ssl default_server;
+ server_name keepproxy;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+ client_max_body_size 128M;
+ location / {
+ proxy_pass http://keepproxy;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+
+ upstream arvados-git-httpd {
+ server localhost:${services[arv-git-httpd]};
+ }
+ server {
+ listen *:${services[arv-git-httpd-ssl]} ssl default_server;
+ server_name arvados-git-httpd;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+ client_max_body_size 50m;
+
+ location / {
+ proxy_pass http://arvados-git-httpd;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+
+
+upstream arvados-webshell {
+ server localhost:${services[webshell]};
+}
+server {
+ listen ${services[webshell-ssl]} ssl;
+ server_name arvados-webshell;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "${server_cert}";
+ ssl_certificate_key "${server_cert_key}";
+
+ location / {
+ if (\$request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if (\$request_method = 'POST') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+ if (\$request_method = 'GET') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+ }
+
+ proxy_ssl_session_reuse off;
+ proxy_read_timeout 90;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_pass http://arvados-webshell;
+ }
+}
+}
+
+EOF
+
+exec nginx -c $ARVADOS_CONTAINER_PATH/nginx.conf