X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6c78b28f9f54664babc57a4b4372c502065ed5d1..17f3f80dda9d09c68ef5642a3ff9f7ef67de69f9:/tools/arvbox/lib/arvbox/docker/service/nginx/run diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run b/tools/arvbox/lib/arvbox/docker/service/nginx/run index 2353e949f7..c1a6775883 100755 --- a/tools/arvbox/lib/arvbox/docker/service/nginx/run +++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run @@ -8,9 +8,22 @@ set -ex -o pipefail . /usr/local/lib/arvbox/common.sh -cat </var/lib/arvados/nginx.conf +if [[ $containerip != $localip ]] ; then + if ! grep -q $localip /etc/hosts ; then + echo $containerip $localip >> /etc/hosts + fi +fi + +geo_dockerip= +if [[ -f /var/run/localip_override ]] ; then + geo_dockerip="$dockerip/32 0;" +fi + +openssl verify -CAfile $root_cert $server_cert + +cat <$ARVADOS_CONTAINER_PATH/nginx.conf worker_processes auto; -pid /var/lib/arvados/nginx.pid; +pid $ARVADOS_CONTAINER_PATH/nginx.pid; error_log stderr; daemon off; @@ -21,18 +34,25 @@ events { } http { - access_log off; - include /etc/nginx/mime.types; - default_type application/octet-stream; - client_max_body_size 128M; - - server { - listen ${services[doc]} default_server; - listen [::]:${services[doc]} default_server; - root /usr/src/arvados/doc/.site; - index index.html; - server_name _; - } + access_log off; + include /etc/nginx/mime.types; + default_type application/octet-stream; + client_max_body_size 128M; + + geo \$external_client { + default 1; + 127.0.0.0/8 0; + $containerip/32 0; + $geo_dockerip + } + + server { + listen ${services[doc]} default_server; + listen [::]:${services[doc]} default_server; + root /usr/src/arvados/doc/.site; + index index.html; + server_name _; + } server { listen 80 default_server; @@ -46,39 +66,42 @@ http { server { listen *:${services[controller-ssl]} ssl default_server; server_name controller; - ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem"; - ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key"; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; location / { proxy_pass http://controller; proxy_set_header Host \$http_host; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-External-Client \$external_client; proxy_redirect off; + # This turns off response caching + proxy_buffering off; } } -upstream arvados-ws { - server localhost:${services[websockets]}; -} -server { - listen *:${services[websockets-ssl]} ssl default_server; - server_name websockets; + upstream arvados-ws { + server localhost:${services[websockets]}; + } + server { + listen *:${services[websockets-ssl]} ssl default_server; + server_name websockets; - proxy_connect_timeout 90s; - proxy_read_timeout 300s; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; - ssl on; - ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem"; - ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key"; + ssl on; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; - location / { - proxy_pass http://arvados-ws; - proxy_set_header Upgrade \$http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host \$http_host; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + location / { + proxy_pass http://arvados-ws; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host \$http_host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + } } -} upstream workbench2 { server localhost:${services[workbench2]}; @@ -86,8 +109,65 @@ server { server { listen *:${services[workbench2-ssl]} ssl default_server; server_name workbench2; - ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem"; - ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key"; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + + # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2 + + # Paths that are not redirected because wb1 and wb2 have similar enough paths + # that a redirect is pointless and would create a redirect loop. + # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect; + # rewrite ^/repositories.* /repositories redirect; + # rewrite ^/links.* /links redirect; + # rewrite ^/projects.* /projects redirect; + # rewrite ^/trash /trash redirect; + + # Redirects that include a uuid + rewrite ^/work_units/(.*) /processes/\$1 redirect; + rewrite ^/container_requests/(.*) /processes/\$1 redirect; + rewrite ^/users/(.*) /user/\$1 redirect; + rewrite ^/groups/(.*) /group/\$1 redirect; + + # Special file download redirects + if (\$arg_disposition = attachment) { + rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=\$1/\$2? redirect; + } + if (\$arg_disposition = inline) { + rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=\$1/\$2? redirect; + } + + # Redirects that go to a roughly equivalent page + rewrite ^/virtual_machines.* /virtual-machines-admin redirect; + rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect; + rewrite ^/authorized_keys.* /ssh-keys-admin redirect; + rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect; + rewrite ^/containers.* /all_processes redirect; + rewrite ^/container_requests /all_processes redirect; + rewrite ^/job.* /all_processes redirect; + rewrite ^/users/link_account /link_account redirect; + rewrite ^/search.* /search-results redirect; + rewrite ^/keep_services.* /keep-services redirect; + rewrite ^/trash_items.* /trash redirect; + + # Redirects that don't have a good mapping and + # just go to root. + rewrite ^/themes.* / redirect; + rewrite ^/keep_disks.* / redirect; + rewrite ^/user_agreements.* / redirect; + rewrite ^/nodes.* / redirect; + rewrite ^/humans.* / redirect; + rewrite ^/traits.* / redirect; + rewrite ^/sessions.* / redirect; + rewrite ^/logout.* / redirect; + rewrite ^/logged_out.* / redirect; + rewrite ^/current_token / redirect; + rewrite ^/logs.* / redirect; + rewrite ^/factory_jobs.* / redirect; + rewrite ^/uploaded_datasets.* / redirect; + rewrite ^/specimens.* / redirect; + rewrite ^/pipeline_templates.* / redirect; + rewrite ^/pipeline_instances.* / redirect; + location / { proxy_pass http://workbench2; proxy_set_header Host \$http_host; @@ -110,8 +190,23 @@ server { server { listen *:${services[keep-web-ssl]} ssl default_server; server_name keep-web; - ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem"; - ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key"; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + client_max_body_size 0; + location / { + proxy_pass http://keep-web; + proxy_set_header Host \$http_host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + } + server { + listen *:${services[keep-web-dl-ssl]} ssl default_server; + server_name keep-web-dl; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + client_max_body_size 0; location / { proxy_pass http://keep-web; proxy_set_header Host \$http_host; @@ -121,8 +216,94 @@ server { } } + upstream keepproxy { + server localhost:${services[keepproxy]}; + } + server { + listen *:${services[keepproxy-ssl]} ssl default_server; + server_name keepproxy; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + client_max_body_size 128M; + location / { + proxy_pass http://keepproxy; + proxy_set_header Host \$http_host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + } + + upstream arvados-git-httpd { + server localhost:${services[arv-git-httpd]}; + } + server { + listen *:${services[arv-git-httpd-ssl]} ssl default_server; + server_name arvados-git-httpd; + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + ssl on; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + client_max_body_size 50m; + + location / { + proxy_pass http://arvados-git-httpd; + proxy_set_header Host \$http_host; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + } + + +upstream arvados-webshell { + server localhost:${services[webshell]}; +} +server { + listen ${services[webshell-ssl]} ssl; + server_name arvados-webshell; + + proxy_connect_timeout 90s; + proxy_read_timeout 300s; + + ssl on; + ssl_certificate "${server_cert}"; + ssl_certificate_key "${server_cert_key}"; + + location / { + if (\$request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + if (\$request_method = 'POST') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + } + if (\$request_method = 'GET') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'; + } + + proxy_ssl_session_reuse off; + proxy_read_timeout 90; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host \$http_host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_pass http://arvados-webshell; + } +} } EOF -exec nginx -c /var/lib/arvados/nginx.conf +exec nginx -c $ARVADOS_CONTAINER_PATH/nginx.conf