# github.com/spg/deis@v1.7.3/router/image/templates/nginx.conf
#
# confd template that renders the deis router's nginx.conf. Every tunable is
# read from etcd at render time (getv/exists/ls/lsdir under /deis/...); the
# "or" form falls back to the quoted literal when the key is unset. The
# "## start ... / ## end ..." comments mark the generated sections.

# required to run in a container
daemon off;

user nginx;
worker_processes {{ or (getv "/deis/router/workerProcesses") "auto" }};
pid /run/nginx.pid;

events {
    worker_connections {{ or (getv "/deis/router/maxWorkerConnections") "768" }};
    # multi_accept on;
}


http {
    # basic settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # The Timeout value must be greater than the front facing load balancers timeout value.
    # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
    # $defaultTimeout is reused further down (with an explicit "s" suffix) for the
    # store-gateway and per-app proxy_send/proxy_read timeouts.
    {{ $defaultTimeout := or (getv "/deis/router/defaultTimeout") "1300" }}
    keepalive_timeout {{ $defaultTimeout }};

    types_hash_max_size 2048;
    server_names_hash_max_size {{ or (getv "/deis/router/serverNameHashMaxSize") "512" }};
    server_names_hash_bucket_size {{ or (getv "/deis/router/serverNameHashBucketSize") "64" }};

    include /opt/nginx/conf/mime.types;
    default_type application/octet-stream;
    # The gzip block is only emitted when /deis/router/gzip exists; its value is
    # written verbatim as the gzip on/off setting.
    # NOTE(review): the default gzip_types list contains dynamic types
    # (application/json, text/plain) and gzip_proxied is "any", so compressed
    # responses served over TLS are exposed to compression side channels
    # (BREACH-class); narrow gzip_types to static content if that matters here.
    {{ if exists "/deis/router/gzip" }}
    gzip {{ getv "/deis/router/gzip" }};
    gzip_comp_level {{ or (getv "/deis/router/gzipCompLevel") "5" }};
    gzip_disable {{ or (getv "/deis/router/gzipDisable") "\"msie6\"" }};
    gzip_http_version {{ or (getv "/deis/router/gzipHttpVersion") "1.1" }};
    gzip_min_length {{ or (getv "/deis/router/gzipMinLength") "256" }};
    gzip_types {{ or (getv "/deis/router/gzipTypes") "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" }};
    gzip_proxied {{ or (getv "/deis/router/gzipProxied") "any" }};
    gzip_vary {{ or (getv "/deis/router/gzipVary") "on" }};
    {{ end }}

    # naxsi WAF. When /deis/router/firewall/enabled is "true" the core and
    # bundled rule sets are loaded here at http level; every proxied location
    # below then includes active-mode.rules, and a /RequestDenied location
    # answers blocked requests with $firewallErrorCode (default 400).
    {{ $useFirewall := or (getv "/deis/router/firewall/enabled") "false" }}{{ if eq $useFirewall "true" }}# include naxsi rules
    include /opt/nginx/firewall/naxsi_core.rules;
    include /opt/nginx/firewall/web_apps.rules;
    include /opt/nginx/firewall/scanner.rules;
    include /opt/nginx/firewall/web_server.rules;{{ end }}
    {{ $firewallErrorCode := or (getv "/deis/router/firewall/errorCode") "400" }}
    # Platform-wide request body limit; the deis-store-gateway server below
    # overrides it with 0.
    client_max_body_size "{{ or (getv "/deis/router/bodySize") "1m" }}";

    # PROXY protocol: any value other than "false" turns it on. The client
    # address is then taken from the PROXY header only for peers inside
    # proxyRealIpCidr (default 10.0.0.0/8); other peers keep their TCP address.
    {{ $useProxyProtocol := or (getv "/deis/router/proxyProtocol") "false" }}{{ if ne $useProxyProtocol "false" }}
    set_real_ip_from {{ or (getv "/deis/router/proxyRealIpCidr") "10.0.0.0/8" }};
    real_ip_header proxy_protocol;
    {{ end }}

    # Client-address column is $proxy_protocol_addr under PROXY protocol and
    # $remote_addr otherwise; the remaining columns are identical in both cases.
    log_format upstreaminfo '[$time_local] - {{ if ne $useProxyProtocol "false" }}$proxy_protocol_addr{{ else }}$remote_addr{{ end }} - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time';

    # send logs to STDOUT so they can be seen using 'docker logs'
    # (presumably the image links these two paths to the container's
    # stdout/stderr -- that wiring is not visible in this file)
    access_log /opt/nginx/logs/access.log upstreaminfo;
    error_log /opt/nginx/logs/error.log {{ or (getv "/deis/router/errorLogLevel") "error" }};

    # WebSocket pass-through: forward a client Upgrade header as-is, otherwise
    # send "Connection: close" to the upstream.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # trust http_x_forwarded_proto headers correctly indicate ssl offloading
    # NOTE(review): X-Forwarded-Proto is accepted from whichever peer sent the
    # request and is not tied to set_real_ip_from. $access_scheme decides the
    # enforceHTTPS redirect and the X-Forwarded-Proto/-Port/-Ssl values handed
    # to apps below, so this is only sound when every path to the router goes
    # through a load balancer that overwrites the header.
    map $http_x_forwarded_proto $access_scheme {
        default $http_x_forwarded_proto;
        '' $scheme;
    }

    # When "true", each proxied location 301s any request whose $access_scheme
    # is not "https"; the 503 fallback locations do not redirect.
    {{ $enforceHTTPS := or (getv "/deis/router/enforceHTTPS") "false" }}

    ## start deis-controller
    {{ if exists "/deis/controller/host" }}
    upstream deis-controller {
        server {{ getv "/deis/controller/host" }}:{{ getv "/deis/controller/port" }};
    }
    {{ end }}

    # Controller vhost on <subdomain>.<platform domain>, default "deis.".
    # listen/TLS settings for the platform domain come from deis.conf (not shown).
    server {
        server_name ~^{{ or (getv "/deis/controller/subdomain") "deis" }}\.(?<domain>.+)$;
        include deis.conf;

        {{ if exists "/deis/controller/host" }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            # NOTE(review): unlike the app locations below, the controller is not
            # sent X-Forwarded-Proto/-Port/-Ssl; presumably intentional -- confirm.
            proxy_redirect off;
            # controller timeouts are independent of $defaultTimeout
            proxy_connect_timeout {{ or (getv "/deis/router/controller/timeout/connect") "10s" }};
            proxy_send_timeout {{ or (getv "/deis/router/controller/timeout/send") "20m" }};
            proxy_read_timeout {{ or (getv "/deis/router/controller/timeout/read") "20m" }};

            proxy_pass http://deis-controller;
        }
        {{ else }}
        # no controller registered in etcd yet
        location / {
            return 503;
        }
        {{ end }}

        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}

        {{ if eq $enforceHTTPS "true" }}
        if ($access_scheme != "https") {
            return 301 https://$host$request_uri;
        }
        {{ end }}
    }
    ## end deis-controller

    ## start deis-store-gateway
    {{ if exists "/deis/store/gateway/host" }}
    upstream deis-store-gateway {
        server {{ getv "/deis/store/gateway/host" }}:{{ getv "/deis/store/gateway/port" }};
    }
    {{ end }}

    server {
        server_name ~^deis-store\.(?<domain>.+)$;
        include deis.conf;

        # object-storage uploads: disable the http-level body size limit here
        client_max_body_size 0;

        {{ if exists "/deis/store/gateway/host" }}
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_redirect off;
            proxy_connect_timeout 10s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;

            proxy_pass http://deis-store-gateway;
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        # NOTE(review): this server includes active-mode.rules but, unlike the
        # controller and app servers, defines no /RequestDenied location; confirm
        # where naxsi's denied-request redirect lands for this vhost.
    }
    ## end deis-store-gateway
    # NOTE(review): $useSSL and $certs are assigned here but not referenced
    # anywhere else in this file; presumably consumed by deis.conf or left over
    # -- confirm before removing.
    {{ $useSSL := or (getv "/deis/router/sslCert") "false" }}
    {{ $domains := ls "/deis/domains" }}
    {{ $certs := ls "/deis/certs" }}
    ## workaround for nginx hashing empty string bug http://trac.nginx.org/nginx/ticket/765
    # Session affinity: when affinityArg names a query argument, requests
    # missing it get a random 0-99 value so the consistent hash below never sees
    # an empty key. The hash key itself is whatever the client sends in that
    # argument.
    {{ if exists "/deis/router/affinityArg" }}
    set_random $prng 0 99;
    set_if_empty $arg_{{ getv "/deis/router/affinityArg" }} $prng;
    {{ end }}
    ## start service definitions for each application
    # One upstream per app directory under /deis/services; each key under it
    # holds one container address.
    {{ range $app := lsdir "/deis/services" }}
    {{ $upstreams := printf "/deis/services/%s/*" $app}}
    upstream {{ $app }} {
        {{ if exists "/deis/router/affinityArg" }}
        hash $arg_{{ getv "/deis/router/affinityArg" }} consistent;
        {{ end }}
        {{ range gets $upstreams }}server {{ .Value }};
        {{ end }}
    }
    {{ $appContainers := gets $upstreams }}{{ $appContainerLen := len $appContainers }}
    ## server entries for custom domains
    # A custom domain maps to this app when /deis/domains/<domain> holds the app name.
    {{ range $app_domain := $domains }}{{ if eq $app (getv (printf "/deis/domains/%s" $app_domain)) }}
    server {
        server_name {{ $app_domain }};
        {{/* if a SSL certificate is installed for this domain, use SSL */}}
        {{/* NOTE (bacongobbler): domains are separate from the default platform domain, */}}
        {{/* so we can't rely on deis.conf as each domain is an island */}}
        {{ if exists (printf "/deis/certs/%s/cert" $app_domain) }}
        server_name_in_redirect off;
        port_in_redirect off;
        listen 80{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        listen 443 ssl spdy{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        ssl_certificate /etc/ssl/deis/certs/{{ $app_domain }}.cert;
        ssl_certificate_key /etc/ssl/deis/keys/{{ $app_domain }}.key;
        # NOTE(review): this branch bypasses deis.conf, and no ssl_ciphers,
        # ssl_prefer_server_ciphers, ssl_session_* or HSTS directives appear
        # anywhere in this file, so nginx defaults apply to custom-domain TLS.
        # TLSv1/TLSv1.1 are deprecated (RFC 8996) and "spdy" is only accepted by
        # older nginx builds -- check against the nginx shipped in the router image.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        {{/* if there's no app SSL cert but we have a router SSL cert, enable that instead */}}
        {{/* TODO (bacongobbler): wait for https://github.com/kelseyhightower/confd/issues/270 */}}
        {{/* so we can apply this config to just subdomains of the platform domain. */}}
        {{/* ref: https://github.com/deis/deis/pull/3519 */}}
        {{ else }}
        include deis.conf;
        {{ end }}
        {{ if ne $appContainerLen 0 }}
        # This location body is duplicated verbatim in the platform-subdomain
        # server below; keep the two in sync.
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            # derive the forwarded port/ssl flags from $access_scheme (see the map above)
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # NOTE(review): retries on 502/503/504 re-send the request to the next
            # container; depending on the nginx version this also covers
            # non-idempotent methods -- confirm before relying on it for writes.
            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            proxy_pass http://{{ $app }};
        }
        {{ else }}
        # app has no running containers
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{ end }}{{ end }}
    ## end entries for custom domains

    # Default vhost for the app on <app>.<platform domain>.
    server {
        server_name ~^{{ $app }}\.(?<domain>.+)$;
        include deis.conf;
        {{ if ne $appContainerLen 0 }}
        # Same body as the custom-domain location above; keep the two in sync.
        location / {
            {{ if eq $useFirewall "true" }}include /opt/nginx/firewall/active-mode.rules;{{ end }}
            proxy_buffering off;
            proxy_set_header Host $host;
            set $access_ssl 'off';
            set $access_port '80';
            if ($access_scheme ~ https) {
                set $access_ssl 'on';
                set $access_port '443';
            }
            proxy_set_header X-Forwarded-Port $access_port;
            proxy_set_header X-Forwarded-Proto $access_scheme;
            {{ if ne $useProxyProtocol "false" }}
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            {{ else }}
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            {{ end }}
            proxy_set_header X-Forwarded-Ssl $access_ssl;
            proxy_redirect off;
            proxy_connect_timeout 30s;
            proxy_send_timeout {{ $defaultTimeout }}s;
            proxy_read_timeout {{ $defaultTimeout }}s;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_next_upstream error timeout http_502 http_503 http_504;

            {{ if eq $enforceHTTPS "true" }}
            if ($access_scheme != "https") {
                return 301 https://$host$request_uri;
            }
            {{ end }}

            proxy_pass http://{{ $app }};
        }
        {{ else }}
        location / {
            return 503;
        }
        {{ end }}
        {{ if eq $useFirewall "true" }}location /RequestDenied {
            return {{ $firewallErrorCode }};
        }
        {{ end }}
    }{{ end }}
    ## end service definitions for each application

    # healthcheck
    # Also the default_server on :80, so requests whose Host matches no vhost
    # above land here and get a 404.
    server {
        listen 80 default_server{{ if ne $useProxyProtocol "false" }} proxy_protocol{{ end }};
        location /health-check {
            default_type 'text/plain';
            access_log off;
            return 200;
        }
        # NOTE(review): "return 200" is handled in the rewrite phase, before the
        # stub_status content handler, so this presumably answers with an empty
        # body rather than connection metrics -- confirm intent. If the metrics
        # are meant to be served, they are reachable by any client on :80 here;
        # an allow/deny pair would scope them to the monitoring source.
        location /router-nginx-status {
            stub_status on;
            return 200;
        }
        location / {
            return 404;
        }
    }
}

## start builder
# Raw TCP pass-through for git-over-SSH to the builder; only rendered when a
# builder host is registered.
{{ if exists "/deis/builder/host" }}
stream {

    upstream builder {
        server {{ getv "/deis/builder/host" }}:{{ getv "/deis/builder/port" }};
    }

    server {
        listen 2222;
        # unitless values here are presumably milliseconds (10 s connect,
        # 20 min idle, matching the 1200 s ELB figure above) -- confirm
        proxy_connect_timeout {{ or (getv "/deis/router/builder/timeout/connect") "10000" }};
        proxy_timeout {{ or (getv "/deis/router/builder/timeout/tcp") "1200000" }};
        proxy_pass builder;
    }
}{{ end }}
## end builder