X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/9adb8562be07369827dd884cb7919845fd4fd9b0..c59af50bc2f7a366cd12a8dd6fc7d7e3b1c32480:/sdk/python/tests/nginx.conf diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf index a7b8bacdc3..a4336049f2 100644 --- a/sdk/python/tests/nginx.conf +++ b/sdk/python/tests/nginx.conf @@ -11,17 +11,33 @@ http { '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port ' '"$http_referer" "$http_user_agent"'; access_log "{{ACCESSLOG}}" customlog; - client_body_temp_path "{{TMPDIR}}"; - proxy_temp_path "{{TMPDIR}}"; - fastcgi_temp_path "{{TMPDIR}}"; - uwsgi_temp_path "{{TMPDIR}}"; - scgi_temp_path "{{TMPDIR}}"; + client_body_temp_path "{{TMPDIR}}/nginx"; + proxy_temp_path "{{TMPDIR}}/nginx"; + fastcgi_temp_path "{{TMPDIR}}/nginx"; + uwsgi_temp_path "{{TMPDIR}}/nginx"; + scgi_temp_path "{{TMPDIR}}/nginx"; + upstream controller { + server {{LISTENHOST}}:{{CONTROLLERPORT}}; + } + server { + listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl; + server_name controller ~.*; + ssl_certificate "{{SSLCERT}}"; + ssl_certificate_key "{{SSLKEY}}"; + location / { + proxy_pass http://controller; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + } + } upstream arv-git-http { - server localhost:{{GITPORT}}; + server {{LISTENHOST}}:{{GITPORT}}; } server { - listen *:{{GITSSLPORT}} ssl default_server; - server_name arv-git-http; + listen {{LISTENHOST}}:{{GITSSLPORT}} ssl; + server_name arv-git-http git.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { @@ -33,11 +49,11 @@ http { } } upstream keepproxy { - server localhost:{{KEEPPROXYPORT}}; + server {{LISTENHOST}}:{{KEEPPROXYPORT}}; } server { - listen *:{{KEEPPROXYSSLPORT}} ssl default_server; - server_name keepproxy; + listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl; + server_name keepproxy keep.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { @@ -52,11 +68,11 @@ http { } } upstream keep-web { - server localhost:{{KEEPWEBPORT}}; + server {{LISTENHOST}}:{{KEEPWEBPORT}}; } server { - listen *:{{KEEPWEBSSLPORT}} ssl default_server; - server_name keep-web; + listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl; + server_name keep-web collections.* ~\.collections\.; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { @@ -71,45 +87,48 @@ http { proxy_request_buffering off; } } + upstream health { + server {{LISTENHOST}}:{{HEALTHPORT}}; + } + server { + listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl; + server_name health health.*; + ssl_certificate "{{SSLCERT}}"; + ssl_certificate_key "{{SSLKEY}}"; + location / { + proxy_pass http://health; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + + proxy_http_version 1.1; + proxy_request_buffering off; + } + } server { - listen *:{{KEEPWEBDLSSLPORT}} ssl default_server; - server_name keep-web-dl ~.*; + listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl; + server_name keep-web-dl download.* ~.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { proxy_pass http://keep-web; + proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; client_max_body_size 0; proxy_http_version 1.1; proxy_request_buffering off; - - # Unlike other proxy sections, here we need to override the - # requested Host header and use proxy_redirect because of the - # way the test suite orchestrates services. Keep-web's "download - # only" behavior relies on the Host header matching a configured - # value, but when run_test_servers.py writes keep-web's command - # line, the keep-web-dl TLS port (which clients will connect to - # and include in their Host header) has not yet been assigned. - # - # In production, "proxy_set_header Host $http_host; - # proxy_redirect off;" works: keep-web's redirect URLs will - # match the request URL received by Nginx. - # - # Here, keep-web will issue redirects to https://download/ and - # Nginx will rewrite them. - # - proxy_set_header Host download; - proxy_redirect https://download/ https://$host:{{KEEPWEBDLSSLPORT}}/; } } upstream ws { - server localhost:{{WSPORT}}; + server {{LISTENHOST}}:{{WSPORT}}; } server { - listen *:{{WSSPORT}} ssl default_server; - server_name websocket; + listen {{LISTENHOST}}:{{WSSSLPORT}} ssl; + server_name websocket ws.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { @@ -122,16 +141,16 @@ http { proxy_redirect off; } } - upstream controller { - server localhost:{{CONTROLLERPORT}}; + upstream workbench1 { + server {{LISTENHOST}}:{{WORKBENCH1PORT}}; } server { - listen *:{{CONTROLLERSSLPORT}} ssl default_server; - server_name controller; + listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl; + server_name workbench1 workbench.*; ssl_certificate "{{SSLCERT}}"; ssl_certificate_key "{{SSLKEY}}"; location / { - proxy_pass http://controller; + proxy_pass http://workbench1; proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https;