X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/73ad2ee9af3b97c46293bdfc9e2925a67726b786..7653054635e3f4f84da3f2b6862cd2c02fbe3fd4:/sdk/python/tests/nginx.conf diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf index ce1929fdf7..a7b8bacdc3 100644 --- a/sdk/python/tests/nginx.conf +++ b/sdk/python/tests/nginx.conf @@ -7,18 +7,29 @@ error_log "{{ERRORLOG}}" info; # Yes, must be specified here _and_ cmdl events { } http { - access_log "{{ACCESSLOG}}" combined; + log_format customlog + '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port ' + '"$http_referer" "$http_user_agent"'; + access_log "{{ACCESSLOG}}" customlog; client_body_temp_path "{{TMPDIR}}"; + proxy_temp_path "{{TMPDIR}}"; + fastcgi_temp_path "{{TMPDIR}}"; + uwsgi_temp_path "{{TMPDIR}}"; + scgi_temp_path "{{TMPDIR}}"; upstream arv-git-http { server localhost:{{GITPORT}}; } server { listen *:{{GITSSLPORT}} ssl default_server; - server_name _; + server_name arv-git-http; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://arv-git-http; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; } } upstream keepproxy { @@ -26,11 +37,18 @@ http { } server { listen *:{{KEEPPROXYSSLPORT}} ssl default_server; - server_name _; + server_name keepproxy; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keepproxy; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + + proxy_http_version 1.1; + proxy_request_buffering off; } } upstream keep-web { @@ -38,25 +56,52 @@ http { } server { listen *:{{KEEPWEBSSLPORT}} ssl default_server; - server_name ~^(?.*)$; + server_name keep-web; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; - proxy_set_header Host $request_host:{{KEEPWEBPORT}}; + proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + + client_max_body_size 0; + proxy_http_version 1.1; + proxy_request_buffering off; } } server { listen *:{{KEEPWEBDLSSLPORT}} ssl default_server; - server_name ~.*; + server_name keep-web-dl ~.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; - proxy_set_header Host download:{{KEEPWEBPORT}}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_redirect //download:{{KEEPWEBPORT}}/ https://$host:{{KEEPWEBDLSSLPORT}}/; + proxy_set_header X-Forwarded-Proto https; + + client_max_body_size 0; + proxy_http_version 1.1; + proxy_request_buffering off; + + # Unlike other proxy sections, here we need to override the + # requested Host header and use proxy_redirect because of the + # way the test suite orchestrates services. Keep-web's "download + # only" behavior relies on the Host header matching a configured + # value, but when run_test_servers.py writes keep-web's command + # line, the keep-web-dl TLS port (which clients will connect to + # and include in their Host header) has not yet been assigned. + # + # In production, "proxy_set_header Host $http_host; + # proxy_redirect off;" works: keep-web's redirect URLs will + # match the request URL received by Nginx. + # + # Here, keep-web will issue redirects to https://download/ and + # Nginx will rewrite them. + # + proxy_set_header Host download; + proxy_redirect https://download/ https://$host:{{KEEPWEBDLSSLPORT}}/; } } upstream ws { @@ -64,15 +109,17 @@ http { } server { listen *:{{WSSPORT}} ssl default_server; - server_name ~^(?.*)$; + server_name websocket; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://ws; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_set_header Host $request_host:{{WSPORT}}; + proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; } } upstream controller { @@ -80,12 +127,15 @@ http { } server { listen *:{{CONTROLLERSSLPORT}} ssl default_server; - server_name _; + server_name controller; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://controller; + proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; } } }