github.com/rochacon/deis@v1.0.2-0.20150903015341-6839b592a1ff/router/rootfs/etc/confd/templates/nginx.conf (about) 1 # required to run in a container 2 daemon off; 3 4 user nginx; 5 worker_processes {{ or (getv "/deis/router/workerProcesses") "auto" }}; 6 pid /run/nginx.pid; 7 8 events { 9 worker_connections {{ or (getv "/deis/router/maxWorkerConnections") "768" }}; 10 # multi_accept on; 11 } 12 13 14 http { 15 # basic settings 16 vhost_traffic_status_zone; 17 18 sendfile on; 19 tcp_nopush on; 20 tcp_nodelay on; 21 22 # The Timeout value must be greater than the front facing load balancers timeout value. 23 # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra. 24 {{ $defaultTimeout := or (getv "/deis/router/defaultTimeout") "1300" }} 25 keepalive_timeout {{ $defaultTimeout }}; 26 27 types_hash_max_size 2048; 28 server_names_hash_max_size {{ or (getv "/deis/router/serverNameHashMaxSize") "512" }}; 29 server_names_hash_bucket_size {{ or (getv "/deis/router/serverNameHashBucketSize") "64" }}; 30 31 include /opt/nginx/conf/mime.types; 32 default_type application/octet-stream; 33 {{ if exists "/deis/router/gzip" }} 34 gzip {{ getv "/deis/router/gzip" }}; 35 gzip_comp_level {{ or (getv "/deis/router/gzipCompLevel") "5" }}; 36 gzip_disable {{ or (getv "/deis/router/gzipDisable") "\"msie6\"" }}; 37 gzip_http_version {{ or (getv "/deis/router/gzipHttpVersion") "1.1" }}; 38 gzip_min_length {{ or (getv "/deis/router/gzipMinLength") "256" }}; 39 gzip_types {{ or (getv "/deis/router/gzipTypes") "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }}; 40 gzip_proxied {{ or (getv "/deis/router/gzipProxied") "any" }}; 41 gzip_vary {{ or (getv "/deis/router/gzipVary") "on" }}; 42 {{ end }} 43 44 {{ $useFirewall := or (getv "/deis/router/firewall/enabled") "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules 45 include /opt/nginx/firewall/naxsi_core.rules; 46 include /opt/nginx/firewall/web_apps.rules; 47 include /opt/nginx/firewall/scanner.rules; 48 include /opt/nginx/firewall/web_server.rules;{{ end }} 49 {{ $firewallErrorCode := or (getv "/deis/router/firewall/errorCode") "400" }} 50 client_max_body_size "{{ or (getv "/deis/router/bodySize") "1m" }}"; 51 52 {{ $useProxyProtocol := or (getv "/deis/router/proxyProtocol") "false" }}{{ if ne $useProxyProtocol "false" }} 53 set_real_ip_from {{ or (getv "/deis/router/proxyRealIpCidr") "10.0.0.0/8" }}; 54 real_ip_header proxy_protocol; 55 {{ end }} 56 57 log_format upstreaminfo '[$time_local] - {{ if ne $useProxyProtocol "false" }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time'; 58 59 # send logs to STDOUT so they can be seen using 'docker logs' 60 access_log /opt/nginx/logs/access.log upstreaminfo; 61 error_log /opt/nginx/logs/error.log {{ or (getv "/deis/router/errorLogLevel") "error" }}; 62 63 map $http_upgrade $connection_upgrade { 64 default upgrade; 65 '' close; 66 } 67 68 # trust http_x_forwarded_proto headers correctly indicate ssl offloading 69 map $http_x_forwarded_proto $access_scheme { 70 default $http_x_forwarded_proto; 71 '' $scheme; 72 } 73 74 ## HSTS instructs the browser to replace all HTTP links with HTTPS links for this domain until maxAge seconds from now 75 {{ $enableHSTS := or (getv "/deis/router/hsts/enabled") "false" }} 76 {{ $maxAgeHSTS := or (getv "/deis/router/hsts/maxAge") "10886400" }} 77 {{ $includeSubdomainsHSTS := or (getv "/deis/router/hsts/includeSubDomains") "false" }} 78 {{ $preloadHSTS := or (getv "/deis/router/hsts/preload") "false" }} 79 map $access_scheme $sts { 80 'https' 'max-age={{ $maxAgeHSTS }}{{ if eq $includeSubdomainsHSTS "true" }}; includeSubDomains{{ end }}{{ if eq $preloadHSTS "true" }}; preload{{ end }}'; 81 } 82 83 ## since HSTS headers are not permitted on HTTP requests, 301 redirects to HTTPS resources are also necessary 84 {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") $enableHSTS "false" }} 85 86 ## start deis-controller 87 {{ if exists "/deis/controller/host" }} 88 upstream deis-controller { 89 server {{ getv "/deis/controller/host" }}:{{ getv "/deis/controller/port" }}; 90 } 91 {{ end }} 92 93 server { 94 server_name ~^{{ or (getv "/deis/controller/subdomain") "deis" }}\.(?<domain>.+)$; 95 include deis.conf; 96 97 {{ if exists "/deis/controller/host" }} 98 location / { 99 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 100 proxy_buffering off; 101 proxy_set_header Host $host; 102 {{ if ne $useProxyProtocol "false" }} 103 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 104 {{ else }} 105 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 106 {{ end }} 107 proxy_redirect off; 108 proxy_connect_timeout {{ or (getv "/deis/router/controller/timeout/connect") "10s" }}; 109 proxy_send_timeout {{ or (getv "/deis/router/controller/timeout/send") "20m" }}; 110 proxy_read_timeout {{ or (getv "/deis/router/controller/timeout/read") "20m" }}; 111 112 proxy_pass http://deis-controller; 113 } 114 {{ else }} 115 location / { 116 return 503; 117 } 118 {{ end }} 119 120 {{ if eq $useFirewall "true" }}location /RequestDenied { 121 return {{ $firewallErrorCode }}; 122 } 123 {{ end }} 124 125 {{ if eq $enforceHTTPS "true" }} 126 if ($access_scheme != "https") { 127 return 301 https://$host$request_uri; 128 } 129 {{ end }} 130 131 {{ if eq $enableHSTS "true" }} 132 add_header Strict-Transport-Security $sts always; 133 {{ end }} 134 } 135 ## end deis-controller 136 137 ## start deis-store-gateway 138 {{ if exists "/deis/store/gateway/host" }} 139 upstream deis-store-gateway { 140 server {{ getv "/deis/store/gateway/host" }}:{{ getv "/deis/store/gateway/port" }}; 141 } 142 {{ end }} 143 144 server { 145 server_name ~^deis-store\.(?<domain>.+)$; 146 include deis.conf; 147 148 client_max_body_size 0; 149 150 {{ if exists "/deis/store/gateway/host" }} 151 location / { 152 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 153 proxy_buffering off; 154 proxy_set_header Host $host; 155 {{ if ne $useProxyProtocol "false" }} 156 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 157 {{ else }} 158 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 159 {{ end }} 160 proxy_redirect off; 161 proxy_connect_timeout 10s; 162 proxy_send_timeout {{ $defaultTimeout }}s; 163 proxy_read_timeout {{ $defaultTimeout }}s; 164 165 proxy_pass http://deis-store-gateway; 166 } 167 {{ else }} 168 location / { 169 return 503; 170 } 171 {{ end }} 172 } 173 ## end deis-store-gateway 174 {{ $useSSL := or (getv "/deis/router/sslCert") "false" }} 175 {{ $domains := ls "/deis/domains" }} 176 {{ $certs := ls "/deis/certs" }} 177 ## start service definitions for each application 178 {{ range $app := lsdir "/deis/services" }} 179 {{ $upstreams := printf "/deis/services/%s/*" $app}} 180 upstream {{ $app }} { 181 {{ if exists "/deis/router/affinityArg" }} 182 hash $arg_{{ getv "/deis/router/affinityArg" }} consistent; 183 {{ end }} 184 {{ range gets $upstreams }}server {{ .Value }}; 185 {{ end }} 186 } 187 {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }} 188 ## server entries for custom domains 189 {{ range $app_domain := $domains }}{{ if eq $app (getv (printf "/deis/domains/%s" $app_domain)) }} 190 server { 191 server_name {{ $app_domain }}; 192 {{/* if a SSL certificate is installed for this domain, use SSL */}} 193 {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}} 194 {{/* so we can't rely on deis.conf as each domain is an island */}} 195 {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }} 196 server_name_in_redirect off; 197 port_in_redirect off; 198 listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }}; 199 listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }}; 200 ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert; 201 ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key; 202 include ssl.conf; 203 {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}} 204 {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}} 205 {{/* so we can apply this config to just subdomains of the platform domain. */}} 206 {{/* ref: https://github.com/deis/deis/pull/3519 */}} 207 {{ else }} 208 include deis.conf; 209 {{ end }} 210 {{ if ne $appContainerLen 0 }} 211 location / { 212 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 213 proxy_buffering off; 214 proxy_set_header Host $host; 215 set $access_ssl 'off'; 216 set $access_port '80'; 217 if ($access_scheme ~ https) { 218 set $access_ssl 'on'; 219 set $access_port '443'; 220 } 221 proxy_set_header X-Forwarded-Port $access_port; 222 proxy_set_header X-Forwarded-Proto $access_scheme; 223 {{ if ne $useProxyProtocol "false" }} 224 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 225 {{ else }} 226 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 227 {{ end }} 228 proxy_set_header X-Forwarded-Ssl $access_ssl; 229 proxy_redirect off; 230 proxy_connect_timeout 30s; 231 proxy_send_timeout {{ $defaultTimeout }}s; 232 proxy_read_timeout {{ $defaultTimeout }}s; 233 proxy_http_version 1.1; 234 proxy_set_header Upgrade $http_upgrade; 235 proxy_set_header Connection $connection_upgrade; 236 237 proxy_next_upstream error timeout http_502 http_503 http_504; 238 239 {{ if eq $enforceHTTPS "true" }} 240 if ($access_scheme != "https") { 241 return 301 https://$host$request_uri; 242 } 243 {{ end }} 244 245 {{ if eq $enableHSTS "true" }} 246 add_header Strict-Transport-Security $sts always; 247 {{ end }} 248 249 ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765 250 {{ if exists "/deis/router/affinityArg" }} 251 set_random $prng 0 99; 252 set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng; 253 {{ end }} 254 255 proxy_pass http://{{ $app }}; 256 } 257 {{ else }} 258 location / { 259 return 503; 260 } 261 {{ end }} 262 {{ if eq $useFirewall "true" }}location /RequestDenied { 263 return {{ $firewallErrorCode }}; 264 } 265 {{ end }} 266 }{{ end }}{{ end }} 267 ## end entries for custom domains 268 269 server { 270 server_name ~^{{ $app }}\.(?<domain>.+)$; 271 include deis.conf; 272 {{ if ne $appContainerLen 0 }} 273 location / { 274 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 275 proxy_buffering off; 276 proxy_set_header Host $host; 277 set $access_ssl 'off'; 278 set $access_port '80'; 279 if ($access_scheme ~ https) { 280 set $access_ssl 'on'; 281 set $access_port '443'; 282 } 283 proxy_set_header X-Forwarded-Port $access_port; 284 proxy_set_header X-Forwarded-Proto $access_scheme; 285 {{ if ne $useProxyProtocol "false" }} 286 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 287 {{ else }} 288 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 289 {{ end }} 290 proxy_set_header X-Forwarded-Ssl $access_ssl; 291 proxy_redirect off; 292 proxy_connect_timeout 30s; 293 proxy_send_timeout {{ $defaultTimeout }}s; 294 proxy_read_timeout {{ $defaultTimeout }}s; 295 proxy_http_version 1.1; 296 proxy_set_header Upgrade $http_upgrade; 297 proxy_set_header Connection $connection_upgrade; 298 299 proxy_next_upstream error timeout http_502 http_503 http_504; 300 301 {{ if eq $enforceHTTPS "true" }} 302 if ($access_scheme != "https") { 303 return 301 https://$host$request_uri; 304 } 305 {{ end }} 306 307 {{ if eq $enableHSTS "true" }} 308 add_header Strict-Transport-Security $sts always; 309 {{ end }} 310 311 proxy_pass http://{{ $app }}; 312 } 313 {{ else }} 314 location / { 315 return 503; 316 } 317 {{ end }} 318 {{ if eq $useFirewall "true" }}location /RequestDenied { 319 return {{ $firewallErrorCode }}; 320 } 321 {{ end }} 322 }{{ end }} 323 ## end service definitions for each application 324 325 # healthcheck 326 server { 327 listen 80 default_server reuseport{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }}; 328 location /health-check { 329 default_type 'text/plain'; 330 access_log off; 331 return 200; 332 } 333 location /router-nginx-status { 334 vhost_traffic_status_display; 335 vhost_traffic_status_display_format html; 336 } 337 location / { 338 return 404; 339 } 340 } 341 #start k8s apps 342 {{ range $k8namespace := lsdir "/registry/services/specs/" }} 343 {{ $k8appdir := printf "/registry/services/specs/%s" $k8namespace}}{{ range $kapp := ls $k8appdir }} 344 {{ $k8appPath := printf "/registry/services/specs/%s/%s" $k8namespace $kapp}}{{ $k8Svc := json (getv $k8appPath) }} 345 {{ $upstreams := printf "/registry/services/specs/%s/%s" $k8namespace $kapp}} 346 upstream {{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }} { 347 {{ if exists "/deis/router/affinityArg" }} 348 hash $arg_{{ getv "/deis/router/affinityArg" }} consistent; 349 {{ end }} 350 server {{ $k8Svc.spec.clusterIP }}:80; 351 } 352 {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }} 353 {{ $k8sappname := or $k8Svc.metadata.labels.name $k8Svc.metadata.name }} 354 ## server entries for custom domains 355 {{ range $app_domain := $domains }}{{ if eq $k8sappname (getv (printf "/deis/domains/%s" $app_domain)) }} 356 server { 357 server_name {{ $app_domain }}; 358 {{/* if a SSL certificate is installed for this domain, use SSL */}} 359 {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}} 360 {{/* so we can't rely on deis.conf as each domain is an island */}} 361 {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }} 362 server_name_in_redirect off; 363 port_in_redirect off; 364 listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }}; 365 listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }}; 366 ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert; 367 ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key; 368 include ssl.conf; 369 {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}} 370 {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}} 371 {{/* so we can apply this config to just subdomains of the platform domain. */}} 372 {{/* ref: https://github.com/deis/deis/pull/3519 */}} 373 {{ else }} 374 include deis.conf; 375 {{ end }} 376 {{ if ne $appContainerLen 0 }} 377 location / { 378 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 379 proxy_buffering off; 380 proxy_set_header Host $host; 381 set $access_ssl 'off'; 382 set $access_port '80'; 383 if ($access_scheme ~ https) { 384 set $access_ssl 'on'; 385 set $access_port '443'; 386 } 387 proxy_set_header X-Forwarded-Port $access_port; 388 proxy_set_header X-Forwarded-Proto $access_scheme; 389 {{ if ne $useProxyProtocol "false" }} 390 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 391 {{ else }} 392 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 393 {{ end }} 394 proxy_set_header X-Forwarded-Ssl $access_ssl; 395 proxy_redirect off; 396 proxy_connect_timeout 30s; 397 proxy_send_timeout {{ $defaultTimeout }}s; 398 proxy_read_timeout {{ $defaultTimeout }}s; 399 proxy_http_version 1.1; 400 proxy_set_header Upgrade $http_upgrade; 401 proxy_set_header Connection $connection_upgrade; 402 403 proxy_next_upstream error timeout http_502 http_503 http_504; 404 405 {{ if eq $enforceHTTPS "true" }} 406 if ($access_scheme != "https") { 407 return 301 https://$host$request_uri; 408 } 409 {{ end }} 410 411 {{ if eq $enableHSTS "true" }} 412 add_header Strict-Transport-Security $sts always; 413 {{ end }} 414 415 ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765 416 {{ if exists "/deis/router/affinityArg" }} 417 set_random $prng 0 99; 418 set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng; 419 {{ end }} 420 421 proxy_pass http://{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }}; 422 } 423 {{ else }} 424 location / { 425 return 503; 426 } 427 {{ end }} 428 {{ if eq $useFirewall "true" }}location /RequestDenied { 429 return {{ $firewallErrorCode }}; 430 } 431 {{ end }} 432 }{{ end }}{{ end }} 433 ## end entries for custom domains 434 435 server { 436 server_name ~^{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }}\.(?<domain>.+)$; 437 include deis.conf; 438 {{ if ne $appContainerLen 0 }} 439 location / { 440 {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }} 441 proxy_buffering off; 442 proxy_set_header Host $host; 443 set $access_ssl 'off'; 444 set $access_port '80'; 445 if ($access_scheme ~ https) { 446 set $access_ssl 'on'; 447 set $access_port '443'; 448 } 449 proxy_set_header X-Forwarded-Port $access_port; 450 proxy_set_header X-Forwarded-Proto $access_scheme; 451 {{ if ne $useProxyProtocol "false" }} 452 proxy_set_header X-Forwarded-For $proxy_protocol_addr; 453 {{ else }} 454 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 455 {{ end }} 456 proxy_set_header X-Forwarded-Ssl $access_ssl; 457 proxy_redirect off; 458 proxy_connect_timeout 30s; 459 proxy_send_timeout {{ $defaultTimeout }}s; 460 proxy_read_timeout {{ $defaultTimeout }}s; 461 proxy_http_version 1.1; 462 proxy_set_header Upgrade $http_upgrade; 463 proxy_set_header Connection $connection_upgrade; 464 465 proxy_next_upstream error timeout http_502 http_503 http_504; 466 467 {{ if eq $enforceHTTPS "true" }} 468 if ($access_scheme != "https") { 469 return 301 https://$host$request_uri; 470 } 471 {{ end }} 472 473 {{ if eq $enableHSTS "true" }} 474 add_header Strict-Transport-Security $sts always; 475 {{ end }} 476 477 proxy_pass http://{{ if $k8Svc.metadata.labels.name }}{{ $k8Svc.metadata.labels.name }}{{ else }}{{ $k8Svc.metadata.name }}{{ end }}; 478 } 479 {{ else }} 480 location / { 481 return 503; 482 } 483 {{ end }} 484 {{ if eq $useFirewall "true" }}location /RequestDenied { 485 return {{ $firewallErrorCode }}; 486 } 487 {{ end }} 488 }{{end}}{{end}} 489 } 490 491 ## start builder 492 {{ if exists "/deis/builder/host" }} 493 stream { 494 495 upstream builder { 496 server {{ getv "/deis/builder/host" }}:{{ getv "/deis/builder/port" }}; 497 } 498 499 server { 500 listen 2222; 501 proxy_connect_timeout {{ or (getv "/deis/router/builder/timeout/connect") "10000" }}; 502 proxy_timeout {{ or (getv "/deis/router/builder/timeout/tcp") "1200000" }}; 503 proxy_pass builder; 504 } 505 }{{ end }} 506 ## end builder