diff --git a/CHANGES/605.feature b/CHANGES/605.feature
new file mode 100644
index 00000000..955e82d8
--- /dev/null
+++ b/CHANGES/605.feature
@@ -0,0 +1 @@
+NGINX is now configured to use the values of API_ROOT and CONTENT_PATH_PREFIX
diff --git a/images/pulp_ci_centos/Containerfile b/images/pulp_ci_centos/Containerfile
index 918c27d8..58850a0d 100644
--- a/images/pulp_ci_centos/Containerfile
+++ b/images/pulp_ci_centos/Containerfile
@@ -33,8 +33,8 @@ RUN dnf -y install postgresql && \
 COPY images/s6_assets/openssl.cnf /etc/ssl/pulp/openssl.cnf
 COPY images/s6_assets/v3.cnf /etc/ssl/pulp/v3.cnf
 COPY images/s6_assets/wait_on_database_migrations.sh /database/assets/wait_on_database_migrations.sh
-COPY images/s6_assets/ssl_nginx.conf /nginx/ssl_nginx.conf
-COPY images/s6_assets/nginx.conf /nginx/nginx.conf
+COPY images/s6_assets/template_nginx.py /nginx/template_nginx.py
+COPY images/s6_assets/nginx.conf.j2 /nginx/nginx.conf.j2
 COPY images/s6_assets/s6-rc.d /etc/s6-overlay/s6-rc.d
 COPY images/s6_assets/init /etc/init
 COPY images/s6_assets/fix-attrs.d /etc/fix-attrs.d
diff --git a/images/s6_assets/init/nginx b/images/s6_assets/init/nginx
index 13fbcdb1..de24e9db 100755
--- a/images/s6_assets/init/nginx
+++ b/images/s6_assets/init/nginx
@@ -1,9 +1,5 @@
 #!/bin/bash
-if [ "${PULP_HTTPS,,}" = "true" ]; then
-    cp -avr /nginx/ssl_nginx.conf /etc/nginx/nginx.conf
-else
-    cp -avr /nginx/nginx.conf /etc/nginx/nginx.conf
-fi
+python3 /nginx/template_nginx.py /nginx/nginx.conf.j2 /etc/nginx/nginx.conf
 exec /usr/sbin/nginx
diff --git a/images/s6_assets/nginx.conf b/images/s6_assets/nginx.conf
deleted file mode 100644
index 7aca1e12..00000000
--- a/images/s6_assets/nginx.conf
+++ /dev/null
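Review bot: The new init script does not stop when the templating step fails: if `python3 /nginx/template_nginx.py ...` exits non-zero (jinja2 missing from the image's python3, an exception while loading settings, an unreadable template), bash still reaches `exec /usr/sbin/nginx` and starts nginx against whatever is already at /etc/nginx/nginx.conf — possibly nothing, possibly a stale file from an earlier start. The old `cp` branches had the same gap, but the new step has many more ways to fail. Add `set -e` after the shebang, or write `python3 /nginx/template_nginx.py /nginx/nginx.conf.j2 /etc/nginx/nginx.conf || exit 1`, so a failed render keeps nginx from coming up with an unintended configuration. Whether jinja2 is available to that interpreter is not visible in this diff's Containerfile hunk.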
@@ -1,89 +0,0 @@
-# TODO: Support IPv6.
-# TODO: Maybe serve multiple `location`s, not just one.
-
-# The "nginx" package on fedora creates this user and group.
-user nginx nginx;
-# Gunicorn docs suggest this value.
-worker_processes 1;
-daemon off;
-events {
-    worker_connections 1024; # increase if you have lots of clients
-    accept_mutex off; # set to 'on' if nginx worker_processes > 1
-}
-
-http {
-    include mime.types;
-    # fallback in case we can't determine a type
-    default_type application/octet-stream;
-    sendfile on;
-
-    # If left at the default of 1024, nginx emits a warning about being unable
-    # to build optimal hash types.
-    types_hash_max_size 4096;
-
-    upstream pulp-content {
-        server 127.0.0.1:24816;
-    }
-
-    upstream pulp-api {
-        server 127.0.0.1:24817;
-    }
-
-    server {
-        # Gunicorn docs suggest the use of the "deferred" directive on Linux.
-        listen 80 default_server deferred;
-        server_name $hostname;
-
-        # The default client_max_body_size is 1m. Clients uploading
-        # files larger than this will need to chunk said files.
-        client_max_body_size 10m;
-
-        # Gunicorn docs suggest this value.
-        keepalive_timeout 5;
-
-        location /pulp/content/ {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://pulp-content;
-        }
-
-        location /pulp/api/v3/ {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://pulp-api;
-            client_max_body_size 0;
-        }
-
-        location /auth/login/ {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://pulp-api;
-        }
-
-        include pulp/*.conf;
-
-        location / {
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://pulp-api;
-            # most pulp static files are served through whitenoise
-            # http://whitenoise.evans.io/en/stable/
-        }
-    }
-}
diff --git a/images/s6_assets/ssl_nginx.conf b/images/s6_assets/nginx.conf.j2
similarity index 82%
rename from images/s6_assets/ssl_nginx.conf
rename to images/s6_assets/nginx.conf.j2
index f0a85313..4d77c4ca 100644
--- a/images/s6_assets/ssl_nginx.conf
+++ b/images/s6_assets/nginx.conf.j2
@@ -31,6 +31,7 @@ http {
     server {
         # Gunicorn docs suggest the use of the "deferred" directive on Linux.
+        {% if https | default(false) -%}
         listen 443 default_server deferred ssl;
         ssl_certificate /etc/pulp/certs/pulp_webserver.crt;
@@ -46,7 +47,9 @@ http {
         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
-
+        {%- else -%}
+        listen 80 default_server deferred;
+        {%- endif %}
         server_name $hostname;
         # The default client_max_body_size is 1m. Clients uploading
@@ -56,7 +59,7 @@ http {
         # Gunicorn docs suggest this value.
         keepalive_timeout 5;
-        location /pulp/content/ {
+        location {{ content_path }} {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
@@ -66,7 +69,19 @@ http {
             proxy_pass http://pulp-content;
         }
-        location /pulp/api/v3/ {
+        location {{ api_root }}api/v3/ {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            # we don't want nginx trying to do something clever with
+            # redirects, we set the Host: header above already.
+            proxy_redirect off;
+            proxy_pass http://pulp-api;
+            client_max_body_size 0;
+        }
+
+        {%- if domain_enabled | default(false) %}
+        location ~ {{ api_root }}.+/api/v3/ {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
@@ -76,6 +91,7 @@ http {
             proxy_pass http://pulp-api;
             client_max_body_size 0;
         }
+        {%- endif %}
         location /auth/login/ {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -101,17 +117,18 @@ http {
             # http://whitenoise.evans.io/en/stable/
         }
+        {%- if https | default(false) %}
         # ACME http-01 tokens, i.e, for Let's Encrypt
         location /.well-known/ {
             try_files $uri $uri/ =404;
         }
-
+        {%- endif %}
     }
-
+    {%- if https | default(false) %}
     server {
         listen 80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
-
+    {%- endif %}
 }
diff --git a/images/s6_assets/template_nginx.py b/images/s6_assets/template_nginx.py
new file mode 100755
index 00000000..ddbc1426
--- /dev/null
+++ b/images/s6_assets/template_nginx.py
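Review bot: `location ~ {{ api_root }}.+/api/v3/` in the `domain_enabled` branch is a regular-expression location, and nginx checks regex locations before settling on the longest prefix match, so with the default values it also captures content URLs of the form `/pulp/content/<something>/api/v3/...` and proxies them to pulp-api instead of pulp-content; the same shadowing applies to anything served under `location /`. The pattern is also unanchored, so the substring may match anywhere in the URI rather than only directly under the API root. Two small changes contain this: anchor it as `location ~ ^{{ api_root }}[^/]+/api/v3/ {` (assuming a domain name is a single path segment — please confirm), and mark the content prefix introduced in the previous hunk as `location ^~ {{ content_path }} {` so regex evaluation is skipped for content paths entirely. Note that `api_root` is interpolated into that regex unescaped, so this template relies on API_ROOT containing no regex metacharacters, which holds for the `/pulp/` default but is not checked anywhere in this diff.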
@@ -0,0 +1,37 @@
+import argparse
+import os
+import django
+from django.core.exceptions import AppRegistryNotReady, ImproperlyConfigured
+
+from jinja2 import Template
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Create Pulp's nginx conf file based on current settings.",
+    )
+    parser.add_argument("template_file", type=open)
+    parser.add_argument("output_file", type=argparse.FileType("w"))
+    args = parser.parse_args()
+
+    https = os.getenv("PULP_HTTPS", "false")
+    values = {
+        "https": https.lower() == "true",
+        "api_root": "/pulp/",
+        "content_path": "/pulp/content/",
+        "domain_enabled": False,
+    }
+
+    try:
+        django.setup()
+        from django.conf import settings
+    except (AppRegistryNotReady, ImproperlyConfigured):
+        print("Failed to find settings for nginx template, using defaults")
+    else:
+        values["api_root"] = settings.API_ROOT
+        values["content_path"] = settings.CONTENT_PATH_PREFIX
+        values["domain_enabled"] = settings.DOMAIN_ENABLED
+
+    template = Template(args.template_file.read())
+    output = template.render(**values)
+    args.output_file.write(output)
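Review bot: `parser.add_argument("output_file", type=argparse.FileType("w"))` truncates /etc/nginx/nginx.conf at argument-parsing time, before `django.setup()` and `template.render(**values)` have succeeded, so any exception on the later lines leaves an empty config file behind; take the argument as a path and open it for writing only after rendering has returned. The `else:` branch reads `settings.API_ROOT`, `settings.CONTENT_PATH_PREFIX` and `settings.DOMAIN_ENABLED` directly and `AttributeError` is not in the `except` tuple, so a settings module lacking one of them (DOMAIN_ENABLED looks like the newest of the three) aborts the script instead of falling back to the defaults; `getattr(settings, NAME, default)` keeps the intended fallback. Both prefixes are pasted into the rendered config verbatim — `Template()` escapes nothing, and the template also places `api_root` inside a `location ~` regex — so it is worth refusing anything that is not a `/`-delimited path of plain characters before rendering (this needs `import re` alongside the other imports). `type=open` for `template_file` could become `argparse.FileType("r")` for symmetry with the output argument.
```python
    parser.add_argument("template_file", type=argparse.FileType("r"))
    parser.add_argument("output_file")  # a path; opened only once rendering has succeeded
    # … unchanged: parse_args, PULP_HTTPS handling, default values, try/except around django.setup() …
    else:
        values["api_root"] = getattr(settings, "API_ROOT", values["api_root"])
        values["content_path"] = getattr(settings, "CONTENT_PATH_PREFIX", values["content_path"])
        values["domain_enabled"] = getattr(settings, "DOMAIN_ENABLED", values["domain_enabled"])

    # Both prefixes are substituted into nginx directives (one of them into a regex
    # location) without escaping: accept only a /-terminated path of plain characters.
    for key in ("api_root", "content_path"):
        if not re.fullmatch(r"/(?:[A-Za-z0-9_.~-]+/)*", values[key]):
            raise SystemExit(f"refusing to render nginx config: {key}={values[key]!r}")

    template = Template(args.template_file.read())
    output = template.render(**values)
    with open(args.output_file, "w") as output_file:
        output_file.write(output)
```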