16552: Nginx listens on all interfaces, not just loopback.
authorTom Clegg <tom@curii.com>
Thu, 30 Jun 2022 05:08:40 +0000 (01:08 -0400)
committerTom Clegg <tom@curii.com>
Thu, 30 Jun 2022 05:08:40 +0000 (01:08 -0400)
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

lib/boot/cmd.go
lib/boot/nginx.go
lib/boot/supervisor.go
sdk/python/tests/nginx.conf
sdk/python/tests/run_test_server.py

index 15af548e96f91f9e11c20beea6be97da750afc1c..e407ec5b561c4bcbe87b9c9a38c9e81976e6c6e1 100644 (file)
@@ -66,7 +66,7 @@ func (bcmd bootCommand) run(ctx context.Context, prog string, args []string, std
        flags.StringVar(&super.ConfigPath, "config", "/etc/arvados/config.yml", "arvados config file `path`")
        flags.StringVar(&super.SourcePath, "source", ".", "arvados source tree `directory`")
        flags.StringVar(&super.ClusterType, "type", "production", "cluster `type`: development, test, or production")
-       flags.StringVar(&super.ListenHost, "listen-host", "localhost", "host name or interface address for external services, and internal services whose InternalURLs are not configured")
+       flags.StringVar(&super.ListenHost, "listen-host", "localhost", "host name or interface address for internal services whose InternalURLs are not configured")
        flags.StringVar(&super.ControllerAddr, "controller-address", ":0", "desired controller address, `host:port` or `:port`")
        flags.StringVar(&super.Workbench2Source, "workbench2-source", "../arvados-workbench2", "path to arvados-workbench2 source tree")
        flags.BoolVar(&super.NoWorkbench1, "no-workbench1", false, "do not run workbench1")
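Review bot: The new help text for `-listen-host` drops the mention of external services without saying where they now listen, even though this same commit makes the nginx front ends bind every interface regardless of the flag; an operator reading `-help` cannot learn that from this string. Consider `"host name or interface address for internal services whose InternalURLs are not configured (the nginx front ends always listen on all interfaces)"`. The enclosing run method starts and ends outside the hunk.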
index 48d3bba474d2abc8566d5632cc1e79ceda807a6f..8a29823a12a411298aadc15009c7ae75b2ac08fe 100644 (file)
@@ -33,7 +33,8 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
                return err
        }
        vars := map[string]string{
-               "LISTENHOST":       super.ListenHost,
+               "LISTENHOST":       "0.0.0.0",
+               "UPSTREAMHOST":     super.ListenHost,
                "SSLCERT":          filepath.Join(super.tempdir, "server.crt"),
                "SSLKEY":           filepath.Join(super.tempdir, "server.key"),
                "ACCESSLOG":        filepath.Join(super.tempdir, "nginx_access.log"),
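Review bot: `"LISTENHOST": "0.0.0.0"` is unconditional, so the TLS front ends are bound on every interface even for the `development` and `test` cluster types that `-type` accepts, where the previous `super.ListenHost` default of `localhost` kept them off the network; nothing in the hunk records that this widening is intended. A comment on the line, `// nginx fronts the ExternalURLs, so it must accept connections from other hosts; ListenHost only decides where the upstream (internal) services bind.`, would make the exposure deliberate, and if developer setups are meant to stay loopback-only a ClusterType-dependent value here would be the place for it. Note also that `0.0.0.0` is the IPv4 wildcard only, so an ExternalURL hostname that resolves to an IPv6 address would not be served. Run's body continues outside the hunk.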
index 9ed92cb1aa4b6b7200220167330ca8d4727d6b69..ddc17953d2363d020d6aa37332c97c36c5b48646 100644 (file)
@@ -247,13 +247,9 @@ func (super *Supervisor) runCluster() error {
        }
 
        if super.ListenHost == "" {
-               if urlhost := super.cluster.Services.Controller.ExternalURL.Host; urlhost != "" {
-                       if h, _, _ := net.SplitHostPort(urlhost); h != "" {
-                               super.ListenHost = h
-                       } else {
-                               super.ListenHost = urlhost
-                       }
-               } else {
+               u := url.URL(super.cluster.Services.Controller.ExternalURL)
+               super.ListenHost = u.Hostname()
+               if super.ListenHost == "" {
                        super.ListenHost = "0.0.0.0"
                }
        }
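Review bot: `u.Hostname()` returns an IPv6 literal without its brackets (`[::1]` becomes `::1`), and that value is now rendered into nginx as `server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};` (assuming lib/boot uses the same nginx.conf template as the test harness, which the variable names suggest), a form nginx will not parse as host:port; the removed code also produced the bare form when the ExternalURL carried a port, but kept `[::1]` when it did not, so this is a small behaviour change for that case. Either re-bracket before assigning, `if strings.Contains(super.ListenHost, ":") { super.ListenHost = "[" + super.ListenHost + "]" }`, or render the upstream address with `net.JoinHostPort` where the template variables are built. A one-line comment saying why the ExternalURL host is the default bind address would also help the next reader. runCluster continues outside the hunk.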
index 543390004b7479be19d0a4422b4f41366a0f2014..1c624e324b7a37171fd0de1440cb042a8b2baee9 100644 (file)
@@ -16,7 +16,7 @@ http {
   uwsgi_temp_path "{{TMPDIR}}";
   scgi_temp_path "{{TMPDIR}}";
   upstream controller {
-    server {{LISTENHOST}}:{{CONTROLLERPORT}};
+    server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
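Review bot: `listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;` now receives `0.0.0.0` from lib/boot, which makes nginx bind the IPv4 wildcard only; if an ExternalURL hostname resolves to an IPv6 address those clients are refused. Covering both families needs a second directive, `listen [::]:{{CONTROLLERSSLPORT}} ssl;`, or a template variable that can carry `[::]`. The same applies to every `listen` line in the later hunks of this file (arv-git-http, keepproxy, keep-web, health, ws, workbench1, workbench2), and the new `server {{UPSTREAMHOST}}:…` lines would likewise be misparsed if UPSTREAMHOST ever holds an unbracketed IPv6 literal.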
@@ -37,7 +37,7 @@ http {
     }
   }
   upstream arv-git-http {
-    server {{LISTENHOST}}:{{GITPORT}};
+    server {{UPSTREAMHOST}}:{{GITPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
@@ -53,7 +53,7 @@ http {
     }
   }
   upstream keepproxy {
-    server {{LISTENHOST}}:{{KEEPPROXYPORT}};
+    server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
@@ -73,7 +73,7 @@ http {
     }
   }
   upstream keep-web {
-    server {{LISTENHOST}}:{{KEEPWEBPORT}};
+    server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
@@ -93,7 +93,7 @@ http {
     }
   }
   upstream health {
-    server {{LISTENHOST}}:{{HEALTHPORT}};
+    server {{UPSTREAMHOST}}:{{HEALTHPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
@@ -129,7 +129,7 @@ http {
     }
   }
   upstream ws {
-    server {{LISTENHOST}}:{{WSPORT}};
+    server {{UPSTREAMHOST}}:{{WSPORT}};
   }
   server {
     listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
@@ -147,7 +147,7 @@ http {
     }
   }
   upstream workbench1 {
-    server {{LISTENHOST}}:{{WORKBENCH1PORT}};
+    server {{UPSTREAMHOST}}:{{WORKBENCH1PORT}};
   }
   server {
     listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
@@ -163,7 +163,7 @@ http {
     }
   }
   upstream workbench2 {
-    server {{LISTENHOST}}:{{WORKBENCH2PORT}};
+    server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
   }
   server {
     listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
index 2c01b35aeac79b1642b18c7af7d166ef2cffdc3c..28cb0953f3c42a348a623a4f3f54aadc27d7958c 100644 (file)
@@ -635,6 +635,7 @@ def run_nginx():
         return
     stop_nginx()
     nginxconf = {}
+    nginxconf['UPSTREAMHOST'] = 'localhost'
     nginxconf['LISTENHOST'] = 'localhost'
     nginxconf['CONTROLLERPORT'] = internal_port_from_config("Controller")
     nginxconf['ARVADOS_API_HOST'] = "0.0.0.0:" + str(external_port_from_config("Controller"))
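Review bot: `nginxconf['UPSTREAMHOST'] = 'localhost'` and the `LISTENHOST` line below it set the same literal on consecutive lines with nothing tying them together; in this harness the upstreams must stay reachable at the address the services bind, so deriving one from the other, `nginxconf['UPSTREAMHOST'] = nginxconf['LISTENHOST']`, keeps a future change to the listen address from silently leaving the upstream blocks pointing elsewhere. run_nginx continues outside the hunk.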