Commit 5bff7613 authored by Steve Weber's avatar Steve Weber

rt1188031

parent eaa02f77
......@@ -62,10 +62,12 @@ http {
internal;
}
{% if vars.get('require_vpn') %}
set $is_allowed no;
if ($is_local_uw_ip = yes) {
set $is_allowed yes;
}
{% endif %}
{% if vars.favicon_source %}
location = /favicon.ico {
......@@ -92,12 +94,15 @@ http {
# default_type text/plain;
# return 200 "Undergoing some planned maintenance. The service will be restored soon.";
{% if vars.get('require_vpn') %}
if ($is_allowed = no) {
return 307 https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}$request_uri;
# NOTE: nginx does not have a good way to encode_url for the callback
# SO: A request like .. ?callback=https://x/?x=1&y=2
# will drop y=2 from the callback!
}
{% endif %}
proxy_send_timeout 20;
proxy_read_timeout 130;
keepalive_timeout 120;
......@@ -106,6 +111,11 @@ http {
proxy_buffer_size 6144;
proxy_buffering on;
# fix: 400 Request Header Or Cookie Too Large
#large_client_header_buffers 4 16k;
# max upload size
#client_max_body_size 75M;
# enable chunked responses
proxy_http_version 1.1;
......
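Review bot: The VPN gate added in the second hunk (`if ($is_allowed = no) { return 307 … }`) lives inside `location /` only, so the `$is_allowed` variable computed in the first hunk is never consulted by the other locations of this server (the `/media`, `/static` and favicon locations visible in the full-file view below), and whatever they serve stays reachable without VPN; if that is not intended, either move the `if` to server level next to the `set` lines or repeat it in each location. `geo $is_local_uw_ip` classifies `$remote_addr`, i.e. the direct TCP peer, so if this nginx sits behind a load balancer or reverse proxy the lookup sees that hop's address rather than the client's and `set_real_ip_from`/`real_ip_header` would be needed — neither appears in this diff, so confirm against the deployment. The existing comment about `$request_uri` not being URL-encoded in the callback also means a query string containing `&` is truncated at the VPN check page; `$request_uri` could be passed through `$args`-free (`$uri` plus an encoded `$args`) if the callback must survive intact. The `location /` block that contains the second hunk starts and ends outside the hunk.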
<!DOCTYPE html>
<html>
<head>
<title>Issue</title>
</head>
<body>
<h1>Oops</h1>
<p>Sorry, because of maintainance or an issue this service is temporarily offline.</p>
<p>We are likely aware of the issue and actively working on the solution.</p>
<p>Please reload this page or try again in 15 minutes.<p>
</body>
<pre>
,
,-. _,---._ __ / \
/ ) .-' `./ / \
( ( ,' `/ /|
\ `-" \'\ / |
`. , \ \ / |
/`. ,'-`----Y |
( ; | '
| ,-. ,-' | /
| | ( | | /
) | \ `.___________|/
`--' `--'
</pre>
</html>
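Review bot: The ASCII-art `<pre>` block is emitted after `</body>`, and the last paragraph closes with `<p>` instead of `</p>`, so the document is malformed and only renders as intended through browser error recovery; moving `<pre>…</pre>` above `</body>` and writing `</p>` on that line fixes both. `maintainance` should read `maintenance`. This file appears to be what the `error_page 504 502 /custom_error.html` directive in nginx.conf serves, so it is the page end users see when the backend is down and is worth getting right.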
{%- from 'uwl/nginx/init.sls' import vars as _nginx -%}
user {{_nginx.user}};
worker_processes auto;
pid {{_nginx.pid}};
include /etc/nginx/modules-enabled/*.conf;
user {{vars.user}};
worker_processes auto;
pid /run/nginx.pid;
# load_module "/usr/share/nginx/modules/ngx_http_geoip_module.so";
events {
worker_connections 1000;
worker_connections {{vars.worker_connections}};
}
http {
include mime.types;
default_type application/octet-stream;
# send logs to journal
geo $is_local_uw_ip {
{{vars.map_local_uw_ip}}
}
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
error_log stderr;
access_log syslog:server=unix:/dev/log;
gzip on;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
gzip on;
upstream backend {
server 127.0.0.1:8000;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name {{vars.server_name}};
return 307 https://$server_name$request_uri;
return 307 https://{{vars.server_name}}$request_uri;
}
# configuration of the server
server {
listen 443 ssl;
server_name {{vars.server_name}};
charset utf-8;
ssl_certificate {{vars.ssl_certificate_pem}};
ssl_certificate_key {{vars.ssl_certificate_key}};
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_ciphers 'AES128+EECDH:EECDH+AESGCM:AES256+EECDH';
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
ssl_ciphers "AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
# fix: 400 Request Header Or Cookie Too Large
large_client_header_buffers 4 16k;
# max upload size
client_max_body_size 75M;
client_body_timeout 10;
client_header_timeout 10;
{%- if vars.htpasswd_enabled %}
auth_basic "{{vars.htpasswd_msg}}";
auth_basic_user_file {{vars.htpasswd_path}};
{%- endif %}
# hide nginx version headers
server_tokens off;
location /media {
alias {{vars.dir_vol}}/media;
error_page 504 502 /custom_error.html;
location = /custom_error.html {
root {{salt.file.dirname(vars.error_page)}};
internal;
}
location /static {
alias {{vars.dir_vol}}/static;
{% if vars.get('require_vpn') %}
set $is_allowed no;
if ($is_local_uw_ip = yes) {
set $is_allowed yes;
}
{% endif %}
{% if vars.favicon %}
{% if vars.favicon_source %}
location = /favicon.ico {
alias {{vars.favicon}};
}
{%- endif %}
{%- if vars.error_page %}
error_page 404 504 502 /custom_error.html;
location = /custom_error.html {
root /usr/share/nginx/html;
internal;
}
{%- endif %}
location / {
{%- if vars.htpasswd_enabled %}
auth_basic "Admin Access";
auth_basic_user_file {{vars.htpasswd_path}};
{%- endif %}
# hide nginx version headers
server_tokens off;
gzip_proxied any;
# max upload size
client_max_body_size 75M;
add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/csv text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
#add_header Content-Security-Policy "default-src https: http: 'unsafe-inline' 'unsafe-eval'; frame-ancestors https: http:";
#add_header Content-Security-Policy-Report-Only "default-src https: http: 'unsafe-inline' 'unsafe-eval';";
location / {
## ** maintenance
# default_type text/plain;
# return 200 "Undergoing some planned maintenance. The service will be restored soon.";
{% if vars.get('require_vpn') %}
if ($is_allowed = no) {
return 307 https://checkvpn.uwaterloo.ca/?callback=https://{{vars.server_name}}$request_uri;
# NOTE: nginx does not have a good way to encode_url for the callback
# SO: A request like .. ?callback=https://x/?x=1&y=2
# will drop y=2 from the callback!
}
{% endif %}
proxy_send_timeout 20;
proxy_read_timeout 130;
keepalive_timeout 120;
# proxy_buffer_size 4096 is not enough for cache key, it should increased at least to 6144,
proxy_buffer_size 6144;
proxy_buffering on;
# fix: 400 Request Header Or Cookie Too Large
#large_client_header_buffers 4 16k;
# max upload size
#client_max_body_size 75M;
# enable chunked responses
proxy_http_version 1.1;
add_header X-Nginx-Cache $upstream_cache_status;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Cache-Status $upstream_cache_status;
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_next_upstream error timeout;
proxy_redirect off;
proxy_pass http://balancer_http_oat;
#proxy_pass https://balancer_http_oat;
#proxy_ssl_certificate {{vars.ssl_certificate_pem}};
#proxy_ssl_certificate_key {{vars.ssl_certificate_key}};
#proxy_ssl_verify off;
add_header Access-Control-Allow-Origin https://{{vars.server_name}};
add_header Access-Control-Allow-Methods 'GET, POST, DELETE, OPTIONS';
add_header Front-End-Https on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
#add_header X-Nginx-Cache $upstream_cache_status;
#add_header X-XSS-Protection "1; mode=block";
#add_header X-Content-Type-Options nosniff;
#add_header X-Frame-Options SAMEORIGIN;
}
}
}
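Review bot: `add_header` is inherited from the enclosing level only when the current level declares no `add_header` of its own, so if on the new side `Strict-Transport-Security` and `Front-End-Https` sit at server level while `location /` declares its own `add_header X-Nginx-Cache …`, `X-XSS-Protection …`, `X-Content-Type-Options …`, `X-Frame-Options …` lines, proxied responses will carry the X-* headers but not HSTS — the old/new interleaving in this view makes the final placement uncertain, so check the resulting config with `nginx -T` and `curl -I`. The simplest fix is to keep every `add_header` for this server at one level, or to repeat `add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";` inside `location /`. `server_tokens off;` appears both at server level and inside `location /`; it is only needed once, at server level, where it covers the static locations too.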
......@@ -2,23 +2,42 @@
{% from 'uwl/nginx/init.sls' import vars as _nginx %}
{% load_yaml as vars %}
default:
config_file: {{_nginx.config_file}}
_nginx: {{_nginx}}
name: {{_nginx.config_file}}
source: salt://{{tpldir}}/_data/nginx.conf
#server_name: {{grains.fqdn}}
ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key
ssl_certificate_pem: /etc/ssl/certs/ssl-cert-snakeoil.pem
uwsgi_pass: 127.0.0.1:8000
server_name: {{grains['fqdn']}}
http_root: /repo_vol/public
error_page: {{_nginx.http_root}}/custom_error.html
error_page_source: salt://{{tpldir}}/_data/error.html
user: {{_nginx.user}}
worker_connections: 1024
htpasswd_enabled: False
htpasswd_path: /etc/htpasswd
htpasswd_msg: Admin Access
htpasswd_content: 'qa:{PLAIN}qapass'
favicon: {{_nginx.http_root}}/custom_favicon.ico
error_page: /usr/share/nginx/html/custom_error.html
favicon: /usr/share/nginx/html/favicon.ico
favicon_source: salt://{{tpldir}}/_data/favicon.ico
htpasswd_enabled: True
htpasswd_path: /etc/htpasswd
htpasswd_content: |
qa:{PLAIN}qa
cache_size: {{(grains['mem_total'] * 0.05)|int}}
site_req_limit: 50
site_req_limit_burst: 1500
api_req_limit: 200
api_req_limit_burst: 1500
map_local_uw_ip: |
default no;
127.0.0.0/8 yes;
10.0.0.0/8 yes;
172.16.0.0/12 yes;
192.168.0.0/16 yes;
129.97.0.0/16 yes;
47.252.27.26/32 yes; # Alibaba VPN
app_servers:
- 127.0.0.1
{% endload %}
{% set vars = salt.uwl.solve_vars(vars, tplfile) %}
# ------------------
......@@ -27,54 +46,57 @@
include:
- {{_nginx.sls}}
{% if vars.error_page %}
{{sls}} error_page:
{{sls}}:
file.managed:
- name: {{vars.error_page}}
- source: {{vars.error_page_source}}
- name: {{vars.name}}
- source: {{vars.source}}
- template: jinja
- context:
vars: {{vars|json}}
- context: { vars: {{vars|json}} }
- mode: '0644'
{%- endif %}
- watch_in:
- service: {{_nginx.sls}}
{#
{{sls}} geoip packages:
pkg.installed:
- pkgs:
- geoip-database
- libgeoip1
- nginx-full
- require_in:
- file: {{sls}}
- watch_in:
- service: {{_nginx.sls}}
#}
{%- if vars.htpasswd_enabled %}
{{sls}} htpasswd:
{{sls}} - error_page:
file.managed:
- name: {{vars.htpasswd_path}}
- template: jinja
- contents: {{vars.htpasswd_content}}
- context:
vars: {{vars|json}}
- name: {{vars.error_page}}
- source: salt://{{tpldir}}/_data/custom_error.html
- mode: '0644'
- watch_in:
- service: {{_nginx.sls}}
{%- endif %}
{% if vars.favicon %}
{% if vars.favicon_source %}
{{sls}} - favicon:
file.managed:
- name: {{vars.favicon}}
- source: {{vars.favicon_source}}
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0644'
- watch_in:
- service: {{_nginx.sls}}
{%- endif %}
{{sls}} config:
{%- if vars.htpasswd_enabled %}
{{sls}} - htpasswd:
file.managed:
- name: {{vars.config_file}}
- source: {{vars.source}}
- name: {{vars.htpasswd_path}}
- source: salt://{{tpldir}}/_data/htpasswd
- template: jinja
- context:
vars: {{vars|json}}
- mode: '0644'
- watch_in:
- service: {{_nginx.sls}}
- service: {{vars._nginx.sls}}
{%- endif %}
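Review bot: `map_local_uw_ip` in the first hunk marks every RFC 1918 range (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) plus loopback as `yes`, so any request whose direct peer address falls in those ranges — a reverse proxy or load balancer in front of nginx, or any host on the internal network — bypasses the VPN redirect entirely; if only the campus block `129.97.0.0/16` and the listed VPN egress address are meant to pass, the private ranges should be removed from the default or a comment should state why they are deliberately trusted. The default `htpasswd_content: 'qa:{PLAIN}qapass'` commits a clear-text credential, and the `{{sls}} htpasswd` state in the second hunk writes it to `htpasswd_path` with `mode: '0644'`, which leaves that password world-readable on the host; prefer a hashed entry (apr1 or `{SSHA}`, both accepted by nginx's `auth_basic_user_file`), `mode: '0640'` owned by the nginx user, and a real value supplied per deployment rather than taken from this default. The `- mode: '0644'` line is shared context between the old and new states in this view, so confirm it is the mode applied to the htpasswd file on the new side.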