X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f023eb5138f8886820f33901b46b67ba9a0d24a2..a22d01b7133be84a38914ab98a19d4e5aba07d50:/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
index be571ca77e..822ba49814 100644
--- a/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
@@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %} + ### ARVADOS arvados: config: 
@@ -10,64 +12,113 @@ arvados: ### NGINX nginx: - ### SERVER - server: - config: - - ### STREAMS - http: - upstream workbench_upstream: - - server: 'workbench.internal:9000 fail_timeout=10s' - ### SITES servers: managed: ### DEFAULT - arvados_workbench_default: + arvados_workbench_default.conf: enabled: true overwrite: true config: - server: - - server_name: workbench.__CLUSTER__.__DOMAIN__ + - server_name: workbench.__DOMAIN__ - listen: - 80 - - location /.well-known: - - root: /var/www - location /: - return: '301 https://$host$request_uri' - arvados_workbench_ssl: + arvados_workbench_ssl.conf: enabled: true overwrite: true + requires: + __CERT_REQUIRES__ config: + # Maps WB1 '/actions?uuid=X' URLs to their equivalent on WB2 + - 'map $request_uri $actions_redirect': + - '~^/actions\?uuid=(.*-4zz18-.*)': '/collections/$1' + - '~^/actions\?uuid=(.*-j7d0g-.*)': '/projects/$1' + - '~^/actions\?uuid=(.*-tpzed-.*)': '/projects/$1' + - '~^/actions\?uuid=(.*-7fd4e-.*)': '/workflows/$1' + - '~^/actions\?uuid=(.*-xvhdp-.*)': '/processes/$1' + - '~^/actions\?uuid=(.*)': '/' + - default: 0 + - server: - - server_name: workbench.__CLUSTER__.__DOMAIN__ + - server_name: workbench.__DOMAIN__ - listen: - - __HOST_SSL_PORT__ http2 ssl + - __CONTROLLER_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm - - location /: - - proxy_pass: 'http://workbench_upstream' - - proxy_read_timeout: 300 - - proxy_connect_timeout: 90 - - proxy_redirect: 'off' - - proxy_set_header: X-Forwarded-Proto https - - proxy_set_header: 'Host $http_host' - - proxy_set_header: 'X-Real-IP $remote_addr' - - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for' - - include: 'snippets/arvados-snakeoil.conf' - - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined - - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log - arvados_workbench_upstream: - enabled: true - overwrite: true - config: - - server: - - listen: 'workbench.internal:9000' - - server_name: 
workbench - - root: /var/www/arvados-workbench/current/public - - index: index.html index.htm - - passenger_enabled: 'on' - # yamllint disable-line rule:line-length - - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.access.log combined - - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.error.log + # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2 + + # Paths that are not redirected because wb1 and wb2 have similar enough paths + # that a redirect is pointless and would create a redirect loop. + # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect; + # rewrite ^/repositories.* /repositories redirect; + # rewrite ^/links.* /links redirect; + # rewrite ^/projects.* /projects redirect; + # rewrite ^/trash /trash redirect; + + # WB1 '/actions?uuid=X' URL Redirects + - 'if ($actions_redirect)': + - return: '301 $actions_redirect' + + # Redirects that include a uuid + - rewrite: '^/work_units/(.*) /processes/$1 redirect' + - rewrite: '^/container_requests/(.*) /processes/$1 redirect' + - rewrite: '^/users/(.*) /user/$1 redirect' + - rewrite: '^/groups/(.*) /group/$1 redirect' + + # Special file download redirects + - 'if ($arg_disposition = attachment)': + - rewrite: '^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect' + + - 'if ($arg_disposition = inline)': + - rewrite: '^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? 
redirect' + + # Redirects that go to a roughly equivalent page + - rewrite: '^/virtual_machines.* /virtual-machines-admin redirect' + - rewrite: '^/users/.*/virtual_machines /virtual-machines-user redirect' + - rewrite: '^/authorized_keys.* /ssh-keys-admin redirect' + - rewrite: '^/users/.*/ssh_keys /ssh-keys-user redirect' + - rewrite: '^/containers.* /all_processes redirect' + - rewrite: '^/container_requests /all_processes redirect' + - rewrite: '^/job.* /all_processes redirect' + - rewrite: '^/users/link_account /link_account redirect' + - rewrite: '^/keep_services.* /keep-services redirect' + - rewrite: '^/trash_items.* /trash redirect' + + # Redirects that don't have a good mapping and + # just go to root. + - rewrite: '^/themes.* / redirect' + - rewrite: '^/keep_disks.* / redirect' + - rewrite: '^/user_agreements.* / redirect' + - rewrite: '^/nodes.* / redirect' + - rewrite: '^/humans.* / redirect' + - rewrite: '^/traits.* / redirect' + - rewrite: '^/sessions.* / redirect' + - rewrite: '^/logout.* / redirect' + - rewrite: '^/logged_out.* / redirect' + - rewrite: '^/current_token / redirect' + - rewrite: '^/logs.* / redirect' + - rewrite: '^/factory_jobs.* / redirect' + - rewrite: '^/uploaded_datasets.* / redirect' + - rewrite: '^/specimens.* / redirect' + - rewrite: '^/pipeline_templates.* / redirect' + - rewrite: '^/pipeline_instances.* / redirect' + + - location /: + - root: /var/www/arvados-workbench2/workbench2 + - try_files: '$uri $uri/ /index.html' + - 'if (-f $document_root/maintenance.html)': + - return: 503 + - location /config.json: + - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }} + - include: snippets/ssl_hardening_default.conf + - ssl_certificate: __CERT_PEM__ + - ssl_certificate_key: __CERT_KEY__ + {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }} + {%- endif %} + - 
access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined + - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
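Review bot: The generic rule `rewrite: '^/users/(.*) /user/$1 redirect'` is listed above the three more specific `/users/...` rules (`^/users/.*/virtual_machines`, `^/users/.*/ssh_keys` and `^/users/link_account`), so those three look unreachable. nginx runs server-level `rewrite` directives in file order and the `redirect` flag ends processing at the first match, so, assuming the formula renders this list in order, `/users/link_account` is sent to `/user/link_account` rather than `/link_account`. Moving the three specific rules above `^/users/(.*)` restores the intended targets. Separately, the `map $request_uri $actions_redirect` patterns capture with `.*`, so everything after `uuid=`, including any further query parameters, is copied into the `Location` header by `return: '301 $actions_redirect'`. Using `[^&]*` in place of each `.*`, for example `'~^/actions\?uuid=([^&]*-4zz18-[^&]*)'`, would confine the capture to the uuid value.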