declare -A services
services=(
- [workbench]=443
+ [workbench]=3001
[workbench2]=3000
- [workbench2-ssl]=3001
+ [workbench2-ssl]=443
[api]=8004
[controller]=8003
[controller-ssl]=8000
server_name workbench2;
ssl_certificate "${server_cert}";
ssl_certificate_key "${server_cert_key}";
+
+ # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
+
+ # Paths that are not redirected because wb1 and wb2 have similar enough paths
+ # that a redirect is pointless and would create a redirect loop.
+ # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
+ # rewrite ^/repositories.* /repositories redirect;
+ # rewrite ^/links.* /links redirect;
+ # rewrite ^/projects.* /projects redirect;
+ # rewrite ^/trash /trash redirect;
+
+ # Redirects that include a uuid
+ rewrite ^/work_units/(.*) /processes/$1 redirect;
+ rewrite ^/container_requests/(.*) /processes/$1 redirect;
+ rewrite ^/users/(.*) /user/$1 redirect;
+ rewrite ^/groups/(.*) /group/$1 redirect;
+
+ # Special file download redirects
+ if (\$arg_disposition = attachment) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
+ }
+ if (\$arg_disposition = inline) {
+ rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
+ }
+
+ # Redirects that go to a roughly equivalent page
+ rewrite ^/virtual_machines.* /virtual-machines-admin redirect;
+ rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect;
+ rewrite ^/authorized_keys.* /ssh-keys-admin redirect;
+ rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect;
+ rewrite ^/containers.* /all_processes redirect;
+ rewrite ^/container_requests /all_processes redirect;
+ rewrite ^/job.* /all_processes redirect;
+ rewrite ^/users/link_account /link_account redirect;
+ rewrite ^/search.* /search-results redirect;
+ rewrite ^/keep_services.* /keep-services redirect;
+ rewrite ^/trash_items.* /trash redirect;
+
+ # Redirects that don't have a good mapping and
+ # just go to root.
+ rewrite ^/themes.* / redirect;
+ rewrite ^/keep_disks.* / redirect;
+ rewrite ^/user_agreements.* / redirect;
+ rewrite ^/nodes.* / redirect;
+ rewrite ^/humans.* / redirect;
+ rewrite ^/traits.* / redirect;
+ rewrite ^/sessions.* / redirect;
+ rewrite ^/logout.* / redirect;
+ rewrite ^/logged_out.* / redirect;
+ rewrite ^/current_token / redirect;
+ rewrite ^/logs.* / redirect;
+ rewrite ^/factory_jobs.* / redirect;
+ rewrite ^/uploaded_datasets.* / redirect;
+ rewrite ^/specimens.* / redirect;
+ rewrite ^/pipeline_templates.* / redirect;
+ rewrite ^/pipeline_instances.* / redirect;
+
location / {
proxy_pass http://workbench2;
proxy_set_header Host \$http_host;
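Review bot: The capture references `$1` and `$2` in the added rewrite lines (`/processes/$1`, `/user/$1`, `/group/$1` and both `/collections/` rules) are not backslash-escaped, while `\$arg_disposition` and `\$http_host` in the same block are. `${server_cert}` is expanded here, so this looks like an unquoted heredoc, in which the shell would replace `$1` and `$2` with the script's positional parameters (normally empty) before nginx reads the file, and the redirects would lose the uuid or file path. Write them as `\$1` and `\$2`, for example `rewrite ^/work_units/(.*) /processes/\$1 redirect;`. The start of the heredoc is outside the visible lines, so confirm its quoting.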
echo
echo "Your Arvados-in-a-box is ready!"
-echo "Workbench is hosted at https://$localip"
+echo "Workbench is hosted at https://$localip:${services[workbench]}"
echo "Workbench2 is hosted at https://$localip:${services[workbench2-ssl]}"
echo "Documentation is hosted at http://$localip:${services[doc]}"
- server_name: workbench2.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- - index: index.html index.htm
+
- location /:
- - root: /var/www/arvados-workbench2/workbench2
- - try_files: '$uri $uri/ /index.html'
- - 'if (-f $document_root/maintenance.html)':
- - return: 503
- - location /config.json:
- - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
+ - return: '301 https://workbench.__DOMAIN__$request_uri'
+
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
### NGINX
nginx:
- ### SERVER
- server:
- config:
-
- ### STREAMS
- http:
- upstream workbench_upstream:
- - server: 'localhost:9000 fail_timeout=10s'
-
### SITES
servers:
managed:
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
+
+ # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
+
+ # Paths that are not redirected because wb1 and wb2 have similar enough paths
+ # that a redirect is pointless and would create a redirect loop.
+ # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
+ # rewrite ^/repositories.* /repositories redirect;
+ # rewrite ^/links.* /links redirect;
+ # rewrite ^/projects.* /projects redirect;
+ # rewrite ^/trash /trash redirect;
+
+ # Redirects that include a uuid
+ - rewrite: '^/work_units/(.*) /processes/$1 redirect'
+ - rewrite: '^/container_requests/(.*) /processes/$1 redirect'
+ - rewrite: '^/users/(.*) /user/$1 redirect'
+ - rewrite: '^/groups/(.*) /group/$1 redirect'
+
+ # Special file download redirects
+ - 'if ($arg_disposition = attachment)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect'
+
+ - 'if ($arg_disposition = inline)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect'
+
+ # Redirects that go to a roughly equivalent page
+ - rewrite: '^/virtual_machines.* /virtual-machines-admin redirect'
+ - rewrite: '^/users/.*/virtual_machines /virtual-machines-user redirect'
+ - rewrite: '^/authorized_keys.* /ssh-keys-admin redirect'
+ - rewrite: '^/users/.*/ssh_keys /ssh-keys-user redirect'
+ - rewrite: '^/containers.* /all_processes redirect'
+ - rewrite: '^/container_requests /all_processes redirect'
+ - rewrite: '^/job.* /all_processes redirect'
+ - rewrite: '^/users/link_account /link_account redirect'
+ - rewrite: '^/search.* /search-results redirect'
+ - rewrite: '^/keep_services.* /keep-services redirect'
+ - rewrite: '^/trash_items.* /trash redirect'
+
+ # Redirects that don't have a good mapping and
+ # just go to root.
+ - rewrite: '^/themes.* / redirect'
+ - rewrite: '^/keep_disks.* / redirect'
+ - rewrite: '^/user_agreements.* / redirect'
+ - rewrite: '^/nodes.* / redirect'
+ - rewrite: '^/humans.* / redirect'
+ - rewrite: '^/traits.* / redirect'
+ - rewrite: '^/sessions.* / redirect'
+ - rewrite: '^/logout.* / redirect'
+ - rewrite: '^/logged_out.* / redirect'
+ - rewrite: '^/current_token / redirect'
+ - rewrite: '^/logs.* / redirect'
+ - rewrite: '^/factory_jobs.* / redirect'
+ - rewrite: '^/uploaded_datasets.* / redirect'
+ - rewrite: '^/specimens.* / redirect'
+ - rewrite: '^/pipeline_templates.* / redirect'
+ - rewrite: '^/pipeline_instances.* / redirect'
+
- location /:
- - proxy_pass: 'http://workbench_upstream'
- - proxy_read_timeout: 300
- - proxy_connect_timeout: 90
- - proxy_redirect: 'off'
- - proxy_set_header: X-Forwarded-Proto https
- - proxy_set_header: 'Host $http_host'
- - proxy_set_header: 'X-Real-IP $remote_addr'
- - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
+ - root: /var/www/arvados-workbench2/workbench2
+ - try_files: '$uri $uri/ /index.html'
+ - 'if (-f $document_root/maintenance.html)':
+ - return: 503
+ - location /config.json:
+ - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/workbench.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench.__DOMAIN__.error.log
-
- arvados_workbench_upstream:
- enabled: true
- overwrite: true
- config:
- - server:
- - listen: 'localhost:9000'
- - server_name: workbench
- - root: /var/www/arvados-workbench/current/public
- - index: index.html index.htm
- - passenger_enabled: 'on'
- # yamllint disable-line rule:line-length
- - access_log: /var/log/nginx/workbench.__DOMAIN__-upstream.access.log combined
- - error_log: /var/log/nginx/workbench.__DOMAIN__-upstream.error.log
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
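Review bot: The rule `- rewrite: '^/search.* /search-results redirect'` redirects to a path that its own pattern matches, so a reload of, or a direct link to, `/search-results` on this server is answered with a redirect to itself; this is the loop the commented-out block above it says it avoids. Anchoring the pattern, for example `- rewrite: '^/search(/.*)?$ /search-results redirect'`, keeps the old Workbench 1 path redirected without catching the new one. The same line appears in the arvbox nginx block and in the third copy of this list further down. Separately, `^/users/(.*)` is listed before `^/users/.*/virtual_machines`, `^/users/.*/ssh_keys` and `^/users/link_account`, and since a `redirect` rewrite returns at the first match those three rules cannot fire; moving them above the generic `/users/` rule would fix that.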
---
# Copyright (C) The Arvados Authors. All rights reserved.
#
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: AGPL-3.0
-{%- if grains.os_family in ('RedHat',) %}
- {%- set group = 'nginx' %}
-{%- else %}
- {%- set group = 'www-data' %}
-{%- endif %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
### ARVADOS
arvados:
config:
- group: {{ group }}
+ group: www-data
### NGINX
nginx:
overwrite: true
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- 80
- - location /.well-known:
- - root: /var/www
- location /:
- return: '301 https://$host$request_uri'
enabled: true
overwrite: true
requires:
- file: extra_custom_certs_file_copy_arvados-workbench2.pem
+ __CERT_REQUIRES__
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- - index: index.html index.htm
+
- location /:
- - root: /var/www/arvados-workbench2/workbench2
- - try_files: '$uri $uri/ /index.html'
- - 'if (-f $document_root/maintenance.html)':
- - return: 503
- - location /config.json:
- - return: {{ "200 '" ~ '{"API_HOST":"__CLUSTER__.__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
+ - return: '301 https://workbench.__DOMAIN__$request_uri'
+
- include: snippets/ssl_hardening_default.conf
- - ssl_certificate: /etc/nginx/ssl/arvados-workbench2.pem
- - ssl_certificate_key: /etc/nginx/ssl/arvados-workbench2.key
- - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
+ - ssl_certificate: __CERT_PEM__
+ - ssl_certificate_key: __CERT_KEY__
+ {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
+ {%- endif %}
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
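Review bot: `group: www-data` is now fixed, where the removed lines selected `nginx` on the RedHat family through `grains.os_family`. If this pillar is still applied to RedHat-family hosts, the configured group may not exist there. Keeping the conditional, or adding a comment such as `# Debian/Ubuntu only: nginx runs as www-data`, would make the supported platforms explicit. The workbench pillar further down makes the same change.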
#
# SPDX-License-Identifier: AGPL-3.0
-{%- if grains.os_family in ('RedHat',) %}
- {%- set group = 'nginx' %}
-{%- else %}
- {%- set group = 'www-data' %}
-{%- endif %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
### ARVADOS
arvados:
config:
- group: {{ group }}
+ group: www-data
### NGINX
nginx:
- ### SERVER
- server:
- config:
-
- ### STREAMS
- http:
- upstream workbench_upstream:
- - server: 'workbench.internal:9000 fail_timeout=10s'
-
### SITES
servers:
managed:
overwrite: true
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- 80
- - location /.well-known:
- - root: /var/www
- location /:
- return: '301 https://$host$request_uri'
enabled: true
overwrite: true
requires:
- file: extra_custom_certs_file_copy_arvados-workbench.pem
+ __CERT_REQUIRES__
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
+
+ # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2
+
+ # Paths that are not redirected because wb1 and wb2 have similar enough paths
+ # that a redirect is pointless and would create a redirect loop.
+ # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
+ # rewrite ^/repositories.* /repositories redirect;
+ # rewrite ^/links.* /links redirect;
+ # rewrite ^/projects.* /projects redirect;
+ # rewrite ^/trash /trash redirect;
+
+ # Redirects that include a uuid
+ - rewrite: '^/work_units/(.*) /processes/$1 redirect'
+ - rewrite: '^/container_requests/(.*) /processes/$1 redirect'
+ - rewrite: '^/users/(.*) /user/$1 redirect'
+ - rewrite: '^/groups/(.*) /group/$1 redirect'
+
+ # Special file download redirects
+ - 'if ($arg_disposition = attachment)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect'
+
+ - 'if ($arg_disposition = inline)':
+ - rewrite: '^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect'
+
+ # Redirects that go to a roughly equivalent page
+ - rewrite: '^/virtual_machines.* /virtual-machines-admin redirect'
+ - rewrite: '^/users/.*/virtual_machines /virtual-machines-user redirect'
+ - rewrite: '^/authorized_keys.* /ssh-keys-admin redirect'
+ - rewrite: '^/users/.*/ssh_keys /ssh-keys-user redirect'
+ - rewrite: '^/containers.* /all_processes redirect'
+ - rewrite: '^/container_requests /all_processes redirect'
+ - rewrite: '^/job.* /all_processes redirect'
+ - rewrite: '^/users/link_account /link_account redirect'
+ - rewrite: '^/search.* /search-results redirect'
+ - rewrite: '^/keep_services.* /keep-services redirect'
+ - rewrite: '^/trash_items.* /trash redirect'
+
+ # Redirects that don't have a good mapping and
+ # just go to root.
+ - rewrite: '^/themes.* / redirect'
+ - rewrite: '^/keep_disks.* / redirect'
+ - rewrite: '^/user_agreements.* / redirect'
+ - rewrite: '^/nodes.* / redirect'
+ - rewrite: '^/humans.* / redirect'
+ - rewrite: '^/traits.* / redirect'
+ - rewrite: '^/sessions.* / redirect'
+ - rewrite: '^/logout.* / redirect'
+ - rewrite: '^/logged_out.* / redirect'
+ - rewrite: '^/current_token / redirect'
+ - rewrite: '^/logs.* / redirect'
+ - rewrite: '^/factory_jobs.* / redirect'
+ - rewrite: '^/uploaded_datasets.* / redirect'
+ - rewrite: '^/specimens.* / redirect'
+ - rewrite: '^/pipeline_templates.* / redirect'
+ - rewrite: '^/pipeline_instances.* / redirect'
+
- location /:
- - proxy_pass: 'http://workbench_upstream'
- - proxy_read_timeout: 300
- - proxy_connect_timeout: 90
- - proxy_redirect: 'off'
- - proxy_set_header: X-Forwarded-Proto https
- - proxy_set_header: 'Host $http_host'
- - proxy_set_header: 'X-Real-IP $remote_addr'
- - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
+ - root: /var/www/arvados-workbench2/workbench2
+ - try_files: '$uri $uri/ /index.html'
+ - 'if (-f $document_root/maintenance.html)':
+ - return: 503
+ - location /config.json:
+ - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
- include: snippets/ssl_hardening_default.conf
- - ssl_certificate: /etc/nginx/ssl/arvados-workbench.pem
- - ssl_certificate_key: /etc/nginx/ssl/arvados-workbench.key
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
-
- arvados_workbench_upstream.conf:
- enabled: true
- overwrite: true
- config:
- - server:
- - listen: 'workbench.internal:9000'
- - server_name: workbench
- - root: /var/www/arvados-workbench/current/public
- - index: index.html index.htm
- - passenger_enabled: 'on'
- # yamllint disable-line rule:line-length
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.error.log
+ - ssl_certificate: __CERT_PEM__
+ - ssl_certificate_key: __CERT_KEY__
+ {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
+ {%- endif %}
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
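Review bot: The `workbench.__DOMAIN__` server now writes to `/var/log/nginx/workbench2.__DOMAIN__.access.log` and the matching `.error.log`, the same paths the `workbench2.__DOMAIN__` server uses. The `combined` format does not record the virtual host, so when both servers run on one host, requests that arrived on the old Workbench 1 name cannot be told apart from Workbench 2 traffic, which makes it harder to see who still follows old links or probes the legacy paths. Consider keeping `- access_log: /var/log/nginx/workbench.__DOMAIN__.access.log combined` and `- error_log: /var/log/nginx/workbench.__DOMAIN__.error.log` for this server. The earlier workbench pillar in this commit has the same two lines.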