From: Tom Clegg
Date: Thu, 30 Jun 2022 05:08:40 +0000 (-0400)
Subject: 16552: Nginx listens on all interfaces, not just loopback.
X-Git-Tag: 2.5.0~116^2~25
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/8b3dd08ed1d43121bd92452c7cb0504098eb5887

16552: Nginx listens on all interfaces, not just loopback.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---

diff --git a/lib/boot/cmd.go b/lib/boot/cmd.go
index 15af548e96..e407ec5b56 100644
--- a/lib/boot/cmd.go
+++ b/lib/boot/cmd.go
@@ -66,7 +66,7 @@ func (bcmd bootCommand) run(ctx context.Context, prog string, args []string, std
 flags.StringVar(&super.ConfigPath, "config", "/etc/arvados/config.yml", "arvados config file `path`")
 flags.StringVar(&super.SourcePath, "source", ".", "arvados source tree `directory`")
 flags.StringVar(&super.ClusterType, "type", "production", "cluster `type`: development, test, or production")
- flags.StringVar(&super.ListenHost, "listen-host", "localhost", "host name or interface address for external services, and internal services whose InternalURLs are not configured")
+ flags.StringVar(&super.ListenHost, "listen-host", "localhost", "host name or interface address for internal services whose InternalURLs are not configured")
 flags.StringVar(&super.ControllerAddr, "controller-address", ":0", "desired controller address, `host:port` or `:port`")
 flags.StringVar(&super.Workbench2Source, "workbench2-source", "../arvados-workbench2", "path to arvados-workbench2 source tree")
 flags.BoolVar(&super.NoWorkbench1, "no-workbench1", false, "do not run workbench1")
diff --git a/lib/boot/nginx.go b/lib/boot/nginx.go
index 48d3bba474..8a29823a12 100644
--- a/lib/boot/nginx.go
+++ b/lib/boot/nginx.go
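Review bot: The rewritten `-listen-host` help text in lib/boot/cmd.go drops external services without saying what they bind to now, while the default stays `localhost`, so the flag still reads as if it kept the whole cluster on loopback. Since lib/boot/nginx.go in this commit binds the nginx front ends to `0.0.0.0`, the help string should say so, for example `"host name or interface address for internal services whose InternalURLs are not configured (external services listen on all interfaces)"`. The enclosing `run` function starts and ends outside the hunk.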
@@ -33,7 +33,8 @@ func (runNginx) Run(ctx context.Context, fail func(error), super *Supervisor) er
 return err
 }
 vars := map[string]string{
- "LISTENHOST": super.ListenHost,
+ "LISTENHOST": "0.0.0.0",
+ "UPSTREAMHOST": super.ListenHost,
 "SSLCERT": filepath.Join(super.tempdir, "server.crt"),
 "SSLKEY": filepath.Join(super.tempdir, "server.key"),
 "ACCESSLOG": filepath.Join(super.tempdir, "nginx_access.log"),
diff --git a/lib/boot/supervisor.go b/lib/boot/supervisor.go
index 9ed92cb1aa..ddc17953d2 100644
--- a/lib/boot/supervisor.go
+++ b/lib/boot/supervisor.go
@@ -247,13 +247,9 @@ func (super *Supervisor) runCluster() error {
 }
 if super.ListenHost == "" {
- if urlhost := super.cluster.Services.Controller.ExternalURL.Host; urlhost != "" {
- if h, _, _ := net.SplitHostPort(urlhost); h != "" {
- super.ListenHost = h
- } else {
- super.ListenHost = urlhost
- }
- } else {
+ u := url.URL(super.cluster.Services.Controller.ExternalURL)
+ super.ListenHost = u.Hostname()
+ if super.ListenHost == "" {
 super.ListenHost = "0.0.0.0"
 }
 }
diff --git a/sdk/python/tests/nginx.conf b/sdk/python/tests/nginx.conf
index 543390004b..1c624e324b 100644
--- a/sdk/python/tests/nginx.conf
+++ b/sdk/python/tests/nginx.conf
@@ -16,7 +16,7 @@ http {
 uwsgi_temp_path "{{TMPDIR}}";
 scgi_temp_path "{{TMPDIR}}";
 upstream controller {
- server {{LISTENHOST}}:{{CONTROLLERPORT}};
+ server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
@@ -37,7 +37,7 @@ http {
 }
 }
 upstream arv-git-http {
- server {{LISTENHOST}}:{{GITPORT}};
+ server {{UPSTREAMHOST}}:{{GITPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
@@ -53,7 +53,7 @@ http {
 }
 }
 upstream keepproxy {
- server {{LISTENHOST}}:{{KEEPPROXYPORT}};
+ server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
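Review bot: `"LISTENHOST": "0.0.0.0"` in lib/boot/nginx.go is a literal, so nothing visible in this hunk lets an operator keep the nginx TLS listeners off a given interface, and the bind address no longer depends on `-listen-host` or on the cluster type. The wildcard is also IPv4-only, so "all interfaces" does not include IPv6 addresses. If the bind address is meant to stay fixed, record the exposure next to the entry, e.g. `// nginx binds every IPv4 interface; limit access to the external ports with host firewall rules where needed`. Otherwise take the value from a Supervisor setting that defaults to the wildcard. `Run` starts and ends outside the hunk.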
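Review bot: The retained fallback `super.ListenHost = "0.0.0.0"` in lib/boot/supervisor.go now also reaches nginx as UPSTREAMHOST, so in that branch the generated config would contain `server 0.0.0.0:PORT` upstream entries. A wildcard is a bind address rather than a destination, so connecting to it is platform-dependent. By the `-listen-host` help text it also means internal services without InternalURLs listen on every interface. Consider substituting loopback when building the upstream value in nginx.go, e.g. `upstream := super.ListenHost` followed by `if upstream == "0.0.0.0" { upstream = "127.0.0.1" }`. `runCluster` starts and ends outside the hunk.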
@@ -73,7 +73,7 @@ http {
 }
 }
 upstream keep-web {
- server {{LISTENHOST}}:{{KEEPWEBPORT}};
+ server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
@@ -93,7 +93,7 @@ http {
 }
 }
 upstream health {
- server {{LISTENHOST}}:{{HEALTHPORT}};
+ server {{UPSTREAMHOST}}:{{HEALTHPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
@@ -129,7 +129,7 @@ http {
 }
 }
 upstream ws {
- server {{LISTENHOST}}:{{WSPORT}};
+ server {{UPSTREAMHOST}}:{{WSPORT}};
 }
 server {
 listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
@@ -147,7 +147,7 @@ http {
 }
 }
 upstream workbench1 {
- server {{LISTENHOST}}:{{WORKBENCH1PORT}};
+ server {{UPSTREAMHOST}}:{{WORKBENCH1PORT}};
 }
 server {
 listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
@@ -163,7 +163,7 @@ http {
 }
 }
 upstream workbench2 {
- server {{LISTENHOST}}:{{WORKBENCH2PORT}};
+ server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
 }
 server {
 listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
diff --git a/sdk/python/tests/run_test_server.py b/sdk/python/tests/run_test_server.py
index 2c01b35aea..28cb0953f3 100644
--- a/sdk/python/tests/run_test_server.py
+++ b/sdk/python/tests/run_test_server.py
@@ -635,6 +635,7 @@ def run_nginx():
 return
 stop_nginx()
 nginxconf = {}
+ nginxconf['UPSTREAMHOST'] = 'localhost'
 nginxconf['LISTENHOST'] = 'localhost'
 nginxconf['CONTROLLERPORT'] = internal_port_from_config("Controller")
 nginxconf['ARVADOS_API_HOST'] = "0.0.0.0:" + str(external_port_from_config("Controller"))