-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.template.conf
177 lines (141 loc) · 6.95 KB
/
nginx.template.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
user www-data;
worker_processes 1;
events {
worker_connections 1024;
}
http {
index index.html index.htm;
# Note: We could use `stroomProxy` in `proxy_pass`. Useful if we want to refer to the
# address several times (which we don't yet).
#upstream stroomProxy {
# server ${SWARM_IP}:8085;
#}
server {
root /usr/share/nginx/html;
listen 80;
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/certs/server.pem.crt;
ssl_certificate_key /etc/nginx/certs/server.unencrypted.key;
ssl_client_certificate /etc/nginx/certs/ca.pem.crt;
# This needs to be on otherwise we won't be able to extract the DN or the cert
ssl_verify_client on;
ssl_verify_depth 1;
# These set the timeouts - the unit is seconds
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
# Was the CA cert configured with an OCSP responder?
# - If so you can enable the following lines and NGINX will call out to the OCSP
# server to check for revoked certificates.
# Are there intermediate CA certs?
# - If so you will need to cat them together to make sure the OCSP server is picked up.
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /etc/nginx/certs/ca.pem.crt;
# We're going to send / to /stroom
# location / {
# return 301 $scheme://${NGINX_ADVERTISED_HOST}/stroom;
# # proxy_pass http://<SWARM_IP>:8080/;
# # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# }
location /stats/ {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8086/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Note: the path for admin must match the `adminContextPath` in the configuration
# for the Dropwizard app. This is configured by environment variable in `swarm.yml`.
location /statsAdmin/ {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8087/statsAdmin/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /proxy/ {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8085/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /stroom/ {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8080/stroom;
proxy_pass_header Set-Cookie;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_request_body on;
proxy_pass_request_headers on;
}
location /stroomAdmin {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8081/stroomAdmin;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# This is the root for all services hosted by auth.
# It's needed for the Swagger client's baseUrl.
# TODO the auth services will be redundent when everything uses the
# Swagger clients.
location /authService {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8099;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# We only need to pass in the DN.
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
}
location /authorisationService {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8080/api/authorisation;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# We only need to pass in the DN.
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
}
location /authenticationServiceAdmin {
# Note: the path below must match the `adminContextPath` in the configuration
# for the Dropwizard app. This is configured by environment variable in `swarm.yml`.
proxy_pass http://${NGINX_ADVERTISED_HOST}:8100/authenticationServiceAdmin;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /auth {
rewrite ^/auth(.*) /$1 break;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
proxy_pass http://${NGINX_ADVERTISED_HOST}:5000/;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# We only need to pass in the DN.
# We're not proxying the auth UI. Instead we're rewriting the request
# to send the user's browser to the right place. This makes mounting the
# app in the right place much simpler.
# return 301 $scheme://${NGINX_ADVERTISED_HOST}:5000;
}
location /annotationsService {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8199/annotations;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# We only need to pass in the DN.
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
}
location /annotationsServiceAdmin/ {
# Note: the path below must match the `adminContextPath` in the configuration
# for the Dropwizard app. This is configured by environment variable in `swarm.yml`.
proxy_pass http://${NGINX_ADVERTISED_HOST}:8200/annotationsServiceAdmin;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /annotations {
# We're not proxying the auth UI. Instead we're rewriting the request
# to send the user's browser to the right place. This makes mounting the
# app in the right place much simpler.
return 301 $scheme://${NGINX_ADVERTISED_HOST}:5001;
}
location /queryElasticService/ {
proxy_pass http://${NGINX_ADVERTISED_HOST}:8299/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# We only need to pass in the DN.
proxy_set_header X-SSL-ClIENT-S-DN $ssl_client_s_dn;
}
location /queryElasticServiceAdmin/ {
# Note: the path below must match the `adminContextPath` in the configuration
# for the Dropwizard app. This is configured by environment variable in `swarm.yml`.
proxy_pass http://${NGINX_ADVERTISED_HOST}:8300;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /queryElastic {
# We're not proxying the auth UI. Instead we're rewriting the request
# to send the user's browser to the right place. This makes mounting the
# app in the right place much simpler.
return 301 $scheme://${NGINX_ADVERTISED_HOST}:5002;
}
}
}