# confd template for the deis-router nginx configuration.
# Every value wrapped in {{ ... }} is rendered by confd from etcd keys under /deis/.
# All Go-template variables ($useFirewall, $defaultTimeout, ...) are set in this file,
# so the security posture of the router is decided here plus in the included
# deis.conf / ssl.conf / naxsi rule files, which are NOT visible in this template.

# required to run in a container
daemon off;

user nginx;
worker_processes {{ or (getv "/deis/router/workerProcesses") "auto" }};
pid /run/nginx.pid;

events {
  worker_connections {{ or (getv "/deis/router/maxWorkerConnections") "768" }};
  # multi_accept on;
}


http {
  # Server signature toggle (default is on)
  # server_tokens on includes the nginx version in the Server header and on nginx error pages.
  # NOTE(review): the default here is "on"; set /deis/router/serverTokens to "off" on
  # internet-facing routers unless the version disclosure is wanted.
  server_tokens {{ or (getv "/deis/router/serverTokens") "on" }};

  # basic settings
  vhost_traffic_status_zone shared:vhost_traffic_status:{{ or (getv "/deis/router/trafficStatusZoneSize") "1m" }};

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  # The Timeout value must be greater than the front facing load balancers timeout value.
  # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
  # $defaultTimeout is reused (with an explicit "s" suffix) for the proxy send/read timeouts
  # of the store gateway and of every application server block below.
  {{ $defaultTimeout := or (getv "/deis/router/defaultTimeout") "1300" }}
  keepalive_timeout {{ $defaultTimeout }};

  types_hash_max_size 2048;
  server_names_hash_max_size {{ or (getv "/deis/router/serverNameHashMaxSize") "512" }};
  server_names_hash_bucket_size {{ or (getv "/deis/router/serverNameHashBucketSize") "64" }};

  include /opt/nginx/conf/mime.types;
  default_type application/octet-stream;
  # gzip is only emitted at all when /deis/router/gzip exists; its value ("on"/"off") is used verbatim.
  # NOTE(review): response compression over TLS can expose secrets that share a response body with
  # attacker-controlled input (BREACH-style attacks). The gzip_types default below does not list
  # text/html, but nginx always compresses text/html when gzip is on, so apps that reflect user input
  # next to CSRF tokens or session data should keep gzip off or mitigate in the app.
  {{ if exists "/deis/router/gzip" }}
  gzip {{ getv "/deis/router/gzip" }};
  gzip_comp_level {{ or (getv "/deis/router/gzipCompLevel") "5" }};
  gzip_disable {{ or (getv "/deis/router/gzipDisable") "\"msie6\"" }};
  gzip_http_version {{ or (getv "/deis/router/gzipHttpVersion") "1.1" }};
  gzip_min_length {{ or (getv "/deis/router/gzipMinLength") "256" }};
  gzip_types {{ or (getv "/deis/router/gzipTypes") "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }};
  gzip_proxied {{ or (getv "/deis/router/gzipProxied") "any" }};
  gzip_vary {{ or (getv "/deis/router/gzipVary") "on" }};
  {{ end }}

  # naxsi WAF: the rule files are loaded at http level only when /deis/router/firewall/enabled is "true";
  # the per-location active-mode.rules include further down turns enforcement on, and blocked requests
  # are routed internally to /RequestDenied, which returns $firewallErrorCode (default 400).
  {{ $useFirewall := or (getv "/deis/router/firewall/enabled") "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
  include /opt/nginx/firewall/naxsi_core.rules;
  include /opt/nginx/firewall/web_apps.rules;
  include /opt/nginx/firewall/scanner.rules;
  include /opt/nginx/firewall/web_server.rules;{{ end }}
  {{ $firewallErrorCode := or (getv "/deis/router/firewall/errorCode") "400" }}
  # Upper bound on request bodies for every vhost except deis-store, which overrides it to 0 (unlimited).
  client_max_body_size "{{ or (getv "/deis/router/bodySize") "1m" }}";

  # Trust boundary for client-address rewriting: connections arriving from this CIDR may replace
  # $remote_addr via X-Forwarded-For (or the PROXY protocol header when proxyProtocol is set).
  # Everything downstream that uses $remote_addr -- the allow/deny whitelists, the access log and
  # the X-Forwarded-For header sent to apps -- trusts this rewrite.
  # NOTE(review): the default 10.0.0.0/8 covers the whole private range. If anything other than the
  # front load balancer can reach the router from that range (e.g. other workloads on the cluster
  # network), it can spoof a whitelisted client address. Narrow /deis/router/proxyRealIpCidr to the
  # load balancer's addresses where possible. real_ip_recursive is not set, so with X-Forwarded-For
  # nginx uses the last address in the header (the one added by the trusted hop).
  set_real_ip_from {{ or (getv "/deis/router/proxyRealIpCidr") "10.0.0.0/8" }};
  {{ $useProxyProtocol := or (getv "/deis/router/proxyProtocol") "false" }}{{ if ne $useProxyProtocol "false" }}
  real_ip_header proxy_protocol;{{ else }}real_ip_header X-Forwarded-For;
  {{ end }}

  log_format upstreaminfo '[$time_local] - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time';

  # send logs to STDOUT so they can be seen using 'docker logs'
  access_log /opt/nginx/logs/access.log upstreaminfo;
  error_log /opt/nginx/logs/error.log {{ or (getv "/deis/router/errorLogLevel") "error" }};

  # WebSocket support: pass the Upgrade header through and close the connection otherwise.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  # The next two maps work together to determine the $access_scheme:
  # 1. Determine if SSL may have been offloaded by the load balancer, in such cases, an HTTP request should be
  #    treated as if it were HTTPS.
  # NOTE(review): this map reads X-Forwarded-Proto from whatever peer sent the request; unlike the
  # real_ip rewrite above it is not restricted to set_real_ip_from. Any client that can reach port 80
  # directly can send "X-Forwarded-Proto: https" to skip the enforceHTTPS redirect and have
  # X-Forwarded-Proto: https / X-Forwarded-Ssl: on forwarded to the application. The configuration
  # therefore assumes the load balancer is the only path to the router's HTTP listener -- confirm that
  # holds for the deployment before relying on enforceHTTPS or HSTS for security.
  map $http_x_forwarded_proto $tmp_access_scheme {
    default $scheme;                  # if X-Forwarded-Proto header is empty, $tmp_access_scheme will be the actual protocol used
    "~^(.*, ?)?http$" "http";         # account for the possibility of a comma-delimited X-Forwarded-Proto header value
    "~^(.*, ?)?https$" "https";       # account for the possibility of a comma-delimited X-Forwarded-Proto header value
  }
  # 2. If the request is an HTTPS request, upgrade $access_scheme to https, regardless of what the X-Forwarded-Proto
  #    header might say.
  map $scheme $access_scheme {
    default $tmp_access_scheme;
    "https" "https";
  }

  ## HSTS instructs the browser to replace all HTTP links with HTTPS links for this domain until maxAge seconds from now
  # $sts is empty for non-https requests, so add_header ... $sts emits nothing on plain HTTP.
  # NOTE(review): "preload" together with includeSubDomains commits every subdomain of the platform
  # domain (and of each custom domain) to HTTPS for browsers that ship the preload list, and the
  # preload list has its own max-age / includeSubDomains requirements -- check them before enabling.
  {{ $enableHSTS := or (getv "/deis/router/hsts/enabled") "false" }}
  {{ $maxAgeHSTS := or (getv "/deis/router/hsts/maxAge") "10886400" }}
  {{ $includeSubdomainsHSTS := or (getv "/deis/router/hsts/includeSubDomains") "false" }}
  {{ $preloadHSTS := or (getv "/deis/router/hsts/preload") "false" }}
  map $access_scheme $sts {
    'https' 'max-age={{ $maxAgeHSTS }}{{ if eq $includeSubdomainsHSTS "true" }}; includeSubDomains{{ end }}{{ if eq $preloadHSTS "true" }}; preload{{ end }}';
  }

  ## since HSTS headers are not permitted on HTTP requests, 301 redirects to HTTPS resources are also necessary
  # enforceHTTPS falls back to the HSTS setting: enabling HSTS without an explicit enforceHTTPS value
  # also turns on the HTTP -> HTTPS redirect.
  {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") $enableHSTS "false" }}

  {{/* Enabling the enforceWhitelist option deny all connections except those from IPs explicitly allowed */}}
  # When enforceWhitelist is "true" every controller/app vhost gets "deny all", so a vhost with no
  # whitelist entries is unreachable. The deis-store vhost, the default/health-check servers and the
  # builder stream below carry no allow/deny at all and are NOT covered by this option.
  {{ $enforceWhitelist := or (getv "/deis/router/enforceWhitelist") "false" }}

  ## start deis-controller
  {{ if exists "/deis/controller/host" }}
  upstream deis-controller {
    server {{ getv "/deis/controller/host" }}:{{ getv "/deis/controller/port" }};
  }
  {{ end }}

  server {
    server_name ~^{{ or (getv "/deis/controller/subdomain") "deis" }}\.(?<domain>.+)$;
    include deis.conf;

    {{/* IP Whitelisting */}}
    # Whitelist format: comma-separated "CIDR[:label]" entries; the label is only rendered as a comment.
    # Entries are emitted verbatim into allow directives, so the etcd value is trusted as nginx syntax.
    # allow/deny match against $remote_addr, i.e. the real_ip-rewritten address -- see set_real_ip_from above.
    {{ $controllerHasWhitelist := exists "/deis/router/controller/whitelist" }}
    {{ if $controllerHasWhitelist }}
    ## Only connections from the following addresses are allowed
    {{ $whitelist := getv "/deis/router/controller/whitelist" }}
    {{ range $whitelist_entry := split $whitelist "," }}
    {{ $whitelist_detail := split $whitelist_entry ":" }}
    allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
    {{ end }}
    {{ end }}
    {{ if or (eq $enforceWhitelist "true") $controllerHasWhitelist }}
    deny all;
    {{ end }}

    {{ if exists "/deis/controller/host" }}
    location / {
      {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
      proxy_buffering off;
      proxy_set_header Host $host;
      # X-Forwarded-For is overwritten with the (real_ip-resolved) $remote_addr rather than appended
      # with $proxy_add_x_forwarded_for, so the controller never sees a client-supplied chain.
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_redirect off;
      proxy_connect_timeout {{ or (getv "/deis/router/controller/timeout/connect") "10s" }};
      proxy_send_timeout {{ or (getv "/deis/router/controller/timeout/send") "20m" }};
      proxy_read_timeout {{ or (getv "/deis/router/controller/timeout/read") "20m" }};

      proxy_pass http://deis-controller;
    }
    {{ else }}
    location / {
      return 503;
    }
    {{ end }}

    {{ if eq $useFirewall "true" }}location /RequestDenied {
      return {{ $firewallErrorCode }};
    }
    {{ end }}

    # Redirect target reuses the client's Host, which the server_name regex has already matched.
    {{ if eq $enforceHTTPS "true" }}
    if ($access_scheme != "https") {
      return 301 https://$host$request_uri;
    }
    {{ end }}

    {{ if eq $enableHSTS "true" }}
    add_header Strict-Transport-Security $sts always;
    {{ end }}
  }
  ## end deis-controller

  ## start deis-store-gateway
  {{ if exists "/deis/store/gateway/host" }}
  upstream deis-store-gateway {
    server {{ getv "/deis/store/gateway/host" }}:{{ getv "/deis/store/gateway/port" }};
  }
  {{ end }}

  server {
    server_name ~^deis-store\.(?<domain>.+)$;
    include deis.conf;

    # Unlimited request bodies for object storage uploads.
    # NOTE(review): no whitelist, enforceHTTPS or HSTS is applied to this vhost in this template
    # (unless deis.conf adds them); access control is left to the gateway itself.
    client_max_body_size 0;

    {{ if exists "/deis/store/gateway/host" }}
    location / {
      {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
      proxy_buffering off;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_redirect off;
      proxy_connect_timeout 10s;
      proxy_send_timeout {{ $defaultTimeout }}s;
      proxy_read_timeout {{ $defaultTimeout }}s;

      proxy_pass http://deis-store-gateway;
    }
    {{ else }}
    location / {
      return 503;
    }
    {{ end }}
  }
  ## end deis-store-gateway
  {{ $domains := ls "/deis/domains" }}
  ## start service definitions for each application
  # One upstream per app (members read from /deis/services/<app>/*), then one server block per
  # custom domain mapped to the app and one for the <app>.<platform-domain> name.
  {{ range $app := lsdir "/deis/services" }}
  {{ $upstreams := printf "/deis/services/%s/*" $app}}
  upstream {{ $app }} {
    # Optional session affinity on a query argument; the set_if_empty workaround for empty-key
    # hashing is applied only in the custom-domain location below -- see the note there.
    {{ if exists "/deis/router/affinityArg" }}
    hash $arg_{{ getv "/deis/router/affinityArg" }} consistent;
    {{ end }}
    {{ range gets $upstreams }}server {{ .Value }};
    {{ end }}
  }
  {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}
  ## server entries for custom domains
  {{ range $app_domain := $domains }}{{ if eq $app (getv (printf "/deis/domains/%s" $app_domain)) }}
  server {
    server_name {{ $app_domain }};
    {{/* if a SSL certificate is installed for this domain, use SSL */}}
    {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}}
    {{/* so we can't rely on deis.conf as each domain is an island */}}
    # The domain name is interpolated into the certificate/key paths and into server_name.
    # NOTE(review): this assumes domain names are validated by the controller before they land in
    # /deis/domains; a name containing path separators or nginx syntax would break or redirect these paths.
    {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }}
    server_name_in_redirect off;
    port_in_redirect off;
    listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
    listen 443 ssl http2{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
    ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert;
    ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key;
    include ssl.conf;
    {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
    {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
    {{/* so we can apply this config to just subdomains of the platform domain. */}}
    {{/* ref: https://github.com/deis/deis/pull/3519 */}}
    {{ else }}
    include deis.conf;
    {{ end }}

    {{/* IP Whitelisting */}}
    # Same "CIDR[:label]" format as the controller whitelist, read from the app's deis_whitelist config.
    {{ $appHasWhitelist := exists (printf "/deis/config/%s/deis_whitelist" $app) }}
    {{ if $appHasWhitelist }}
    ## Only connections from the following addresses are allowed
    {{ $whitelist := getv (printf "/deis/config/%s/deis_whitelist" $app) }}
    {{ range $whitelist_entry := split $whitelist "," }}
    {{ $whitelist_detail := split $whitelist_entry ":" }}
    allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
    {{ end }}
    {{ end }}
    {{ if or (eq $enforceWhitelist "true") $appHasWhitelist}}
    deny all;
    {{ end }}

    {{ if ne $appContainerLen 0 }}
    location / {
      {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
      proxy_buffering off;
      proxy_set_header Host $host;
      # Derive the forwarded port/ssl flags from $access_scheme (which may come from the
      # client-supplied X-Forwarded-Proto header -- see the map at the top of the http block).
      set $access_ssl 'off';
      set $access_port '80';
      if ($access_scheme ~ https) {
        set $access_ssl 'on';
        set $access_port '443';
      }
      proxy_set_header X-Forwarded-Port $access_port;
      proxy_set_header X-Forwarded-Proto $access_scheme;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Ssl $access_ssl;
      proxy_redirect off;
      proxy_connect_timeout 30s;
      proxy_send_timeout {{ $defaultTimeout }}s;
      proxy_read_timeout {{ $defaultTimeout }}s;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_next_upstream error timeout http_502 http_503 http_504;

      {{ if eq $enforceHTTPS "true" }}
      if ($access_scheme != "https") {
        return 301 https://$host$request_uri;
      }
      {{ end }}

      {{ if eq $enableHSTS "true" }}
      add_header Strict-Transport-Security $sts always;
      {{ end }}

      ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
      # NOTE(review): this workaround is present only in the custom-domain server; the
      # <app>.<platform-domain> server below hashes the same argument without it -- confirm
      # whether that asymmetry is intended.
      {{ if exists "/deis/router/affinityArg" }}
      set_random $prng 0 99;
      set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng;
      {{ end }}

      proxy_pass http://{{ $app }};
    }
    {{ else }}
    location / {
      return 503;
    }
    {{ end }}
    {{ if eq $useFirewall "true" }}location /RequestDenied {
      return {{ $firewallErrorCode }};
    }
    {{ end }}
  }{{ end }}{{ end }}
  ## end entries for custom domains

  # Platform-domain vhost for the app: <app>.<domain>, sharing listen/TLS settings via deis.conf.
  server {
    server_name ~^{{ $app }}\.(?<domain>.+)$;
    include deis.conf;

    {{/* IP Whitelisting */}}
    {{ $appHasWhitelist := exists (printf "/deis/config/%s/deis_whitelist" $app) }}
    {{ if $appHasWhitelist }}
    ## Only connections from the following addresses are allowed
    {{ $whitelist := getv (printf "/deis/config/%s/deis_whitelist" $app) }}
    {{ range $whitelist_entry := split $whitelist "," }}
    {{ $whitelist_detail := split $whitelist_entry ":" }}
    allow {{index $whitelist_detail 0}};{{if eq (len $whitelist_detail) 2}} # {{index $whitelist_detail 1}}{{ end }}
    {{ end }}
    {{ end }}
    {{ if or (eq $enforceWhitelist "true") $appHasWhitelist}}
    deny all;
    {{ end }}

    {{ if ne $appContainerLen 0 }}
    location / {
      {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
      proxy_buffering off;
      proxy_set_header Host $host;
      set $access_ssl 'off';
      set $access_port '80';
      if ($access_scheme ~ https) {
        set $access_ssl 'on';
        set $access_port '443';
      }
      proxy_set_header X-Forwarded-Port $access_port;
      proxy_set_header X-Forwarded-Proto $access_scheme;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Ssl $access_ssl;
      proxy_redirect off;
      proxy_connect_timeout 30s;
      proxy_send_timeout {{ $defaultTimeout }}s;
      proxy_read_timeout {{ $defaultTimeout }}s;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      proxy_next_upstream error timeout http_502 http_503 http_504;

      {{ if eq $enforceHTTPS "true" }}
      if ($access_scheme != "https") {
        return 301 https://$host$request_uri;
      }
      {{ end }}

      {{ if eq $enableHSTS "true" }}
      add_header Strict-Transport-Security $sts always;
      {{ end }}

      proxy_pass http://{{ $app }};
    }
    {{ else }}
    location / {
      return 503;
    }
    {{ end }}
    {{ if eq $useFirewall "true" }}location /RequestDenied {
      return {{ $firewallErrorCode }};
    }
    {{ end }}
  }{{ end }}
  ## end service definitions for each application

  # default server, including "classic" healthcheck
  # Catch-all for Host values that match no vhost above; everything except the endpoints below is 404.
  server {
    listen 80 default_server reuseport{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
    location /health-check {
      access_log off;
      default_type 'text/plain';
      return 200;
    }
    # NOTE(review): when enabled, the vhost_traffic_status page (per-host request counts, upstream
    # addresses, response codes) is served on the public port 80 catch-all with no allow/deny; restrict
    # it to an operator CIDR or move it to the 9090 listener before enabling in production.
    # NOTE(review): unlike every other key in this file, enableNginxStatus is read with getv and no
    # default; confirm the key is always present, since confd fails the render on a missing key.
    {{ if eq (getv "/deis/router/enableNginxStatus") "true" }}location /router-nginx-status {
      vhost_traffic_status_display;
      vhost_traffic_status_display_format html;
    }{{ end }}
    location / {
      return 404;
    }
  }

  # healthcheck on 9090 -- never uses proxy_protocol
  server {
    listen 9090 default_server;
    location /health-check {
      access_log off;
      default_type 'text/plain';
      return 200;
    }
    location / {
      return 404;
    }
  }
}

## start builder
# Plain TCP passthrough to the builder (git push over SSH). No allow/deny is applied here, so the
# HTTP whitelists and enforceWhitelist do not protect this port; access control is left to SSH auth
# on the builder and to network policy in front of the router.
# NOTE(review): nginx parses unsuffixed time values as seconds, so these defaults are 10000s and
# 1200000s; given the 1300s http default, confirm whether milliseconds were intended.
{{ if exists "/deis/builder/host" }}
stream {

  upstream builder {
    server {{ getv "/deis/builder/host" }}:{{ getv "/deis/builder/port" }};
  }

  server {
    listen 2222;
    proxy_connect_timeout {{ or (getv "/deis/router/builder/timeout/connect") "10000" }};
    proxy_timeout {{ or (getv "/deis/router/builder/timeout/tcp") "1200000" }};
    proxy_pass builder;
  }
}{{ end }}
## end builder