From 6da2686038bac2f71cee886915aa21fc622ba4b9 Mon Sep 17 00:00:00 2001
From: Josh Zamor
Date: Thu, 25 Apr 2019 00:30:21 -0700
Subject: [PATCH] OLMIS-6183, simplify proxy options

Focus is on the nginx config and changing the proxy pass options. Primarly forwarding the Host header that will include the port as well as the requested address (e.g. nifi.local) and the port. This allows Nginx to be bound to ports other than 80 and 443. Further reduced the expected use-cases be assuming that Nginx as a reverse proxy will fully encapsulate Nifi and Superset, and that if a user wants to use SSL, either the termination will be done at Nginx and the configuration will include certs, or the termination may happen a level above Nginx (e.g. an AWS ELB) in which case running a server on port 443 is unneeded.
---
 reporting/.env | 14 ++---
 .../nginx/consul-template/openlmis.conf | 51 ++++++++-----------
 reporting/docker-compose.yml | 4 +-
 3 files changed, 26 insertions(+), 43 deletions(-)
diff --git a/reporting/.env b/reporting/.env
index 0810a9f0..cd1e155b 100644
--- a/reporting/.env
+++ b/reporting/.env
@@ -31,14 +31,10 @@ SUPERSET_SSL_KEY=superset.local.key
 SUPERSET_SSL_CERT_CHAIN=superset.local.crt
 # Whether to enable accessing the Superset domain securely
 SUPERSET_ENABLE_SSL=false
-# Whether Superset is behind a load balancer
-SUPERSET_BEHIND_LOAD_BALANCER=false
-# Whether to redirect HTTP traffic on the load balancer to https
-SUPERSET_LOAD_BALANCER_REDIRECT_HTTP=false
+# Whether Superset certs should be used.
+SUPERSET_PROVIDE_CERTS=false
 
 ### NiFi Service ###
-NIFI_WEB_HTTP_PORT=80
-NIFI_WEB_HTTP_HOST=nifi.local
 # The JVM Memory maximum heap size
 NIFI_JVM_HEAP_MAX="1g"
 # The domain name to use for NiFi
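Review bot: The comment added above `SUPERSET_PROVIDE_CERTS=false` ("Whether Superset certs should be used.") does not tell an operator how this flag interacts with `SUPERSET_ENABLE_SSL`, which is the combination they actually have to get right. From the nginx template in this same patch, the port-443 server with `ssl_certificate` is only rendered when both flags are true, while `ENABLE_SSL` alone turns the port-80 server into a bare redirect to https. Suggest replacing the comment with something like `# Whether Nginx itself terminates TLS for Superset on port 443 using SUPERSET_SSL_CERT/KEY. Only meaningful when SUPERSET_ENABLE_SSL=true; leave false when TLS is terminated in front of Nginx (e.g. a load balancer).`, and mirroring the wording for the NiFi flag in the next hunk. The removal of `NIFI_WEB_HTTP_PORT` and `NIFI_WEB_HTTP_HOST` is not mentioned in the commit message; if NiFi still reads them from its environment, a one-line note on where the bind address now comes from would help.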
@@ -54,10 +50,8 @@ NIFI_SSL_KEY=nifi.local.key
 NIFI_SSL_CERT_CHAIN=nifi.local.crt
 # Whether to enable accessing the NiFi domain securely
 NIFI_ENABLE_SSL=false
-# Whether Nifi is behind a load balancer
-NIFI_BEHIND_LOAD_BALANCER=false
-# Whether to redirect HTTP traffic on the load balancer to https
-NIFI_LOAD_BALANCER_REDIRECT_HTTP=false
+# Whether provided certs should be used
+NIFI_PROVIDE_CERTS=false
 # Nifi Passwords
 DB_PASSWORD=p@ssw0rd
 INVOKEHTTP_PASSWORD=changeme
diff --git a/reporting/config/services/nginx/consul-template/openlmis.conf b/reporting/config/services/nginx/consul-template/openlmis.conf
index 0026ee7c..2c5d0170 100644
--- a/reporting/config/services/nginx/consul-template/openlmis.conf
+++ b/reporting/config/services/nginx/consul-template/openlmis.conf
@@ -26,26 +26,17 @@ log_format upstream_time '$remote_addr - $remote_user [$time_local] '
 server {
 server_name {{ $location }};
 listen 80;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header X-ProxyScheme http;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-ProxyContextPath /;
 
 {{ if $locationData.enable_ssl }}
 return 301 https://$server_name$request_uri;
 {{ else }}
-{{ if (and ($locationData.behind_load_balancer) ($locationData.redirect_http_traffic)) }}
- if ($http_X_Forwarded_Proto = "http") {
- return 301 https://$server_name$request_uri;
- }
-{{ end }}
 location / {
 proxy_pass http://{{ $locationData.upstream }};
- {{ if not $locationData.behind_load_balancer }}
- proxy_set_header X-ProxyScheme http;
- proxy_set_header X-Forwarded-Proto http;
- proxy_set_header X-ProxyPort 80;
- {{ end }}
- proxy_set_header X-ProxyHost {{ $location }};
- proxy_set_header Host {{ $location }};
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-ProxyContextPath /;
 {{ if $locationData.enable_basic_auth }}
 auth_basic "Authentication Required";
 auth_basic_user_file /etc/nginx/.htpasswd;
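Review bot: With the `behind_load_balancer` branch deleted, a deployment that sets `enable_ssl` without `provide_certs` is left with only this port-80 server, and it answers every request with `return 301 https://$server_name$request_uri;`; if a load balancer terminates TLS in front of nginx and forwards plain HTTP to port 80, as the commit message describes, that redirect comes straight back to the same server and loops, which is precisely what the removed `if ($http_X_Forwarded_Proto = "http")` guard prevented. Separately, the new header set no longer forwards `X-Forwarded-For`, so NiFi and Superset no longer receive the client address at all; the commit message does not say this was intended. Suggest restoring `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the new `Host $http_host` line, and either keeping a forwarded-proto condition on the redirect or documenting in the template that `enable_ssl` without `provide_certs` is unsupported. The `server` block continues past the end of this hunk.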
@@ -54,26 +45,16 @@ server {
 {{ end }}
 }
 
-{{ if $locationData.enable_ssl }}
+{{ if (and ($locationData.enable_ssl) ($locationData.provide_certs)) }}
 server {
 server_name {{ $location }};
-
- location / {
- proxy_pass http://{{ $locationData.upstream }};
- proxy_set_header X-ProxyScheme https;
- proxy_set_header X-ProxyHost {{ $location }};
- proxy_set_header Host {{ $location }};
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header X-ProxyPort 443;
- proxy_set_header X-ProxyContextPath /;
-{{ if $locationData.enable_basic_auth }}
- auth_basic "Authentication Required";
- auth_basic_user_file /etc/nginx/.htpasswd;
-{{ end }}
- }
-
 listen 443;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header X-ProxyScheme http;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-ProxyContextPath /;
+
 ssl on;
 ssl_certificate {{ $locationData.ssl_cert }};
 ssl_certificate_key {{ $locationData.ssl_key }};
@@ -88,6 +69,14 @@ server {
 add_header Strict-Transport-Security 'max-age=15768000';
 ssl_stapling on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ location / {
+ proxy_pass http://{{ $locationData.upstream }};
+{{ if $locationData.enable_basic_auth }}
+ auth_basic "Authentication Required";
+ auth_basic_user_file /etc/nginx/.htpasswd;
+{{ end }}
+ }
 }
 {{ end }}
 {{ end }}
diff --git a/reporting/docker-compose.yml b/reporting/docker-compose.yml
index 59106e38..ce82d19e 100644
--- a/reporting/docker-compose.yml
+++ b/reporting/docker-compose.yml
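Review bot: The TLS server (`listen 443;` ... `ssl on;`) now sends `proxy_set_header X-ProxyScheme http;` to the upstream, whereas the lines it replaces sent `X-ProxyScheme https` together with `X-Forwarded-Proto https` and `X-ProxyPort 443`. As far as the removed lines indicate, the upstream uses these headers to reconstruct its external URL, so a browser that connected over HTTPS would be handed http:// links and redirects, which works against the `Strict-Transport-Security` header added a few lines further down. The fix is one word in this block, `proxy_set_header X-ProxyScheme https;`, plus `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` so the upstream keeps the client address it previously received. Dropping `X-ProxyHost {{ $location }}` in favour of `Host $http_host` also means the upstream now sees whatever Host the client sent; that is acceptable only if this server is not also nginx's default server on the port, which cannot be confirmed from the hunk. The `server` block opened here closes in the following hunk.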
@@ -5,9 +5,9 @@ services:
 command: >
 sh -c "while ! curl -f \"http://consul:8500/v1/agent/self\"; do sleep 10;done
 && curl -X PUT -H \"Content-Type: application/json\" --data '{\"name\": \"superset-service\", \"address\": \"superset\", \"id\": \"superset1\", \"port\": 8088, \"tags\": [\"openlmis-service\"], \"check\": { \"http\": \"http://superset:8088/login\", \"method\": \"GET\", \"interval\": \"30s\", \"timeout\": \"10s\"}}' http://consul:8500/v1/agent/service/register
- && curl -X PUT --data '{ \"upstream\": \"superset-service\", \"enable_basic_auth\": false, \"behind_load_balancer\": ${SUPERSET_BEHIND_LOAD_BALANCER}, \"redirect_http_traffic\": ${SUPERSET_LOAD_BALANCER_REDIRECT_HTTP}, \"enable_ssl\": ${SUPERSET_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${SUPERSET_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${SUPERSET_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${SUPERSET_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${SUPERSET_DOMAIN_NAME}
+ && curl -X PUT --data '{ \"upstream\": \"superset-service\", \"enable_basic_auth\": false, \"provide_certs\": ${SUPERSET_PROVIDE_CERTS}, \"enable_ssl\": ${SUPERSET_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${SUPERSET_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${SUPERSET_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${SUPERSET_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${SUPERSET_DOMAIN_NAME}
 && curl -X PUT -H \"Content-Type: application/json\" --data '{\"name\": \"nifi-service\", \"address\": \"nifi\", \"id\": \"nifi1\", \"port\": 8080, \"tags\": [\"openlmis-service\"], \"check\": { \"http\": \"http://nifi:8080\", \"method\": \"GET\", \"interval\": \"30s\", \"timeout\": \"10s\"}}' http://consul:8500/v1/agent/service/register
- && curl -X PUT --data '{ \"upstream\": \"nifi-service\", \"enable_basic_auth\": true, \"behind_load_balancer\": ${NIFI_BEHIND_LOAD_BALANCER}, \"redirect_http_traffic\": ${NIFI_LOAD_BALANCER_REDIRECT_HTTP}, \"enable_ssl\": ${NIFI_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${NIFI_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${NIFI_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${NIFI_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${NIFI_DOMAIN_NAME}"
+ && curl -X PUT --data '{ \"upstream\": \"nifi-service\", \"enable_basic_auth\": true, \"provide_certs\": ${NIFI_PROVIDE_CERTS}, \"enable_ssl\": ${NIFI_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${NIFI_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${NIFI_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${NIFI_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${NIFI_DOMAIN_NAME}"
 build:
 context: ./config
 volumes: