X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e8d1a643cdbc3a5f4c0e5c745da58d9f7e1248d8..HEAD:/sdk/python/tests/nginx.conf
diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf
index cdca68dd67..a382d643ef 100644
--- a/sdk/python/tests/nginx.conf
+++ b/sdk/python/tests/nginx.conf
@@ -3,7 +3,6 @@
 # SPDX-License-Identifier: Apache-2.0
 daemon off;
-error_log "{{ERRORLOG}}" info; # Yes, must be specified here _and_ cmdline
 events {
 }
 http {
@@ -16,40 +15,39 @@ http {
 fastcgi_temp_path "{{TMPDIR}}";
 uwsgi_temp_path "{{TMPDIR}}";
 scgi_temp_path "{{TMPDIR}}";
+ geo $external_client {
+ default 1;
+ 127.0.0.0/8 0;
+ ::1 0;
+ fd00::/8 0;
+ {{INTERNALSUBNETS}}
+ }
 upstream controller {
- server {{LISTENHOST}}:{{CONTROLLERPORT}};
+ server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
 server_name controller ~.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
+ client_max_body_size 0;
 location / {
 proxy_pass http://controller;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
 proxy_set_header Host $http_host;
+ proxy_set_header X-External-Client $external_client;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
- }
- }
- upstream arv-git-http {
- server {{LISTENHOST}}:{{GITPORT}};
- }
- server {
- listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
- server_name arv-git-http git.*;
- ssl_certificate "{{SSLCERT}}";
- ssl_certificate_key "{{SSLKEY}}";
- location / {
- proxy_pass http://arv-git-http;
- proxy_set_header Host $http_host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_redirect off;
+ proxy_max_temp_file_size 0;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ proxy_http_version 1.1;
 }
 }
 upstream keepproxy {
- server {{LISTENHOST}}:{{KEEPPROXYPORT}};
+ server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
@@ -63,12 +61,13 @@ http {
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
+ client_max_body_size 67108864;
 proxy_http_version 1.1;
 proxy_request_buffering off;
 }
 }
 upstream keep-web {
- server {{LISTENHOST}}:{{KEEPWEBPORT}};
+ server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
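Review bot: The new `geo $external_client` block and the `X-External-Client` header it feeds have no comment saying what the value means or why the controller may trust it. The value is computed by nginx from the peer address (geo keys on `$remote_addr` by default) and `proxy_set_header` replaces anything the client sent, so it is authoritative only for requests that pass through this server block; now that the upstream is `{{UPSTREAMHOST}}` rather than `{{LISTENHOST}}`, that assumption deserves to be written down. I would add above the block `# 1 = external client, 0 = loopback / fd00::/8 / {{INTERNALSUBNETS}}; derived from the peer address here, so the controller port must only be reachable through this proxy.` A second short comment next to `{{INTERNALSUBNETS}}` should state the expected shape of the substituted text (presumably complete `CIDR 0;` entries; the template code is not part of this diff).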
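Review bot: `client_max_body_size 67108864;` in the second hunk on this line is an unexplained byte count. It equals 64 MiB and nginx accepts size suffixes, so `client_max_body_size 64m;` plus a short comment naming what the limit corresponds to would be easier to audit against the server blocks that this commit sets to `0` (unlimited). The enclosing location block starts above the hunk, so the other limits that apply there are not visible from here.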
@@ -88,7 +87,7 @@ http {
 }
 }
 upstream health {
- server {{LISTENHOST}}:{{HEALTHPORT}};
+ server {{UPSTREAMHOST}}:{{HEALTHPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
@@ -124,7 +123,7 @@ http {
 }
 }
 upstream ws {
- server {{LISTENHOST}}:{{WSPORT}};
+ server {{UPSTREAMHOST}}:{{WSPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
@@ -139,18 +138,81 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_redirect off;
+
+ client_max_body_size 0;
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
 }
 }
- upstream workbench1 {
- server {{LISTENHOST}}:{{WORKBENCH1PORT}};
+ # wb1->wb2 redirects copied from
+ # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+ map $request_uri $wb1_redirect {
+ default 0;
+
+ ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1;
+ ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1;
+ ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1;
+ ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1;
+ ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1;
+ ~^/actions\?uuid=(.*) /;
+
+ ^/work_units/(.*) /processes/$1;
+ ^/container_requests/(.*) /processes/$1;
+ ^/users/(.*) /user/$1;
+ ^/groups/(.*) /group/$1;
+
+ ^/virtual_machines.* /virtual-machines-admin;
+ ^/users/.*/virtual_machines /virtual-machines-user;
+ ^/authorized_keys.* /ssh-keys-admin;
+ ^/users/.*/ssh_keys /ssh-keys-user;
+ ^/containers.* /all_processes;
+ ^/container_requests /all_processes;
+ ^/job.* /all_processes;
+ ^/users/link_account /link_account;
+ ^/keep_services.* /keep-services;
+ ^/trash_items.* /trash;
+
+ ^/themes.* /;
+ ^/keep_disks.* /;
+ ^/user_agreements.* /;
+ ^/nodes.* /;
+ ^/humans.* /;
+ ^/traits.* /;
+ ^/sessions.* /;
+ ^/logout.* /;
+ ^/logged_out.* /;
+ ^/current_token /;
+ ^/logs.* /;
+ ^/factory_jobs.* /;
+ ^/uploaded_datasets.* /;
+ ^/specimens.* /;
+ ^/pipeline_templates.* /;
+ ^/pipeline_instances.* /;
+ }
+ upstream workbench2 {
+ server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
 }
 server {
+ listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
 listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
- server_name workbench1 workbench.*;
+ server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*;
 ssl_certificate "{{SSLCERT}}";
 ssl_certificate_key "{{SSLKEY}}";
- location / {
- proxy_pass http://workbench1;
+
+ if ($wb1_redirect) {
+ return 301 $wb1_redirect;
+ }
+
+ # file download redirects
+ if ($arg_disposition = attachment) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
+ }
+ if ($arg_disposition = inline) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
+ }
+
+ location / {
+ proxy_pass http://workbench2;
 proxy_set_header Host $http_host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
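Review bot: In the `$wb1_redirect` map only the six `/actions` entries start with `~`; every entry from `^/work_units/(.*)` down is written without it, at least as shown on this page. nginx treats a map source value as a regular expression only when it begins with `~` or `~*`, so these lines are literal strings that can never equal a `$request_uri` (which always starts with `/`), and the redirects they describe would not fire. If they are meant as patterns they need the prefix, e.g. `~^/work_units/(.*) /processes/$1;`. Once they are regexes the order matters, because the first matching expression wins: `^/users/(.*)` sits above `^/users/.*/virtual_machines`, `^/users/.*/ssh_keys` and `^/users/link_account`, and `^/container_requests/(.*)` and `^/containers.*` overlap the later `^/container_requests`, so the more specific entries should come first. The comment says the list was copied from the salt-install example, so the same check presumably applies to that file.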