pulp · mdellweg · Apr 4, 2024 · Apr 3, 2024
diff --git a/CHANGES/605.feature b/CHANGES/605.feature
@@ -0,0 +1 @@
+NGINX is now configured to use the values of API_ROOT and CONTENT_PATH_PREFIX
diff --git a/images/pulp_ci_centos/Containerfile b/images/pulp_ci_centos/Containerfile
@@ -33,8 +33,8 @@ RUN dnf -y install postgresql && \
 COPY images/s6_assets/openssl.cnf /etc/ssl/pulp/openssl.cnf
 COPY images/s6_assets/v3.cnf /etc/ssl/pulp/v3.cnf
 COPY images/s6_assets/wait_on_database_migrations.sh /database/assets/wait_on_database_migrations.sh
-COPY images/s6_assets/ssl_nginx.conf /nginx/ssl_nginx.conf
-COPY images/s6_assets/nginx.conf /nginx/nginx.conf
+COPY images/s6_assets/template_nginx.py /nginx/template_nginx.py
+COPY images/s6_assets/nginx.conf.j2 /nginx/nginx.conf.j2
 COPY images/s6_assets/s6-rc.d /etc/s6-overlay/s6-rc.d
 COPY images/s6_assets/init /etc/init
 COPY images/s6_assets/fix-attrs.d /etc/fix-attrs.d

diff --git a/images/s6_assets/init/nginx b/images/s6_assets/init/nginx
@@ -1,9 +1,5 @@
 #!/bin/bash
 
-if [ "${PULP_HTTPS,,}" = "true" ]; then
-  cp -avr /nginx/ssl_nginx.conf /etc/nginx/nginx.conf
-else
-  cp -avr /nginx/nginx.conf /etc/nginx/nginx.conf
-fi
+python3 /nginx/template_nginx.py /nginx/nginx.conf.j2 /etc/nginx/nginx.conf
 
 exec /usr/sbin/nginx
diff --git a/images/s6_assets/nginx.conf b/images/s6_assets/nginx.conf
diff --git a/images/s6_assets/ssl_nginx.conf → images/s6_assets/nginx.conf.j2 b/images/s6_assets/ssl_nginx.conf → images/s6_assets/nginx.conf.j2
@@ -31,6 +31,7 @@ http {
 
     server {
         # Gunicorn docs suggest the use of the "deferred" directive on Linux.
+        {% if https | default(false) -%}
         listen 443 default_server deferred ssl;
 
         ssl_certificate /etc/pulp/certs/pulp_webserver.crt;
@@ -46,7 +47,9 @@ http {
 
         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
-
+        {%- else -%}
+        listen 80 default_server deferred;
+        {%- endif %}
         server_name $hostname;
 
         # The default client_max_body_size is 1m. Clients uploading
@@ -56,7 +59,7 @@ http {
         # Gunicorn docs suggest this value.
         keepalive_timeout 5;
 
-        location /pulp/content/ {
+        location {{ content_path }} {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
@@ -66,7 +69,19 @@ http {
             proxy_pass http://pulp-content;
         }
 
-        location /pulp/api/v3/ {
+        location {{ api_root }}api/v3/ {
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            # we don't want nginx trying to do something clever with
+            # redirects, we set the Host: header above already.
+            proxy_redirect off;
+            proxy_pass http://pulp-api;
+            client_max_body_size 0;
+        }
+
+        {%- if domain_enabled | default(false) %}
+        location ~ {{ api_root }}.+/api/v3/ {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header Host $http_host;
@@ -76,6 +91,7 @@ http {
             proxy_pass http://pulp-api;
             client_max_body_size 0;
         }
+        {%- endif %}
 
         location /auth/login/ {
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -101,17 +117,18 @@ http {
             # http://whitenoise.evans.io/en/stable/
         }
 
+        {%- if https | default(false) %}
         # ACME http-01 tokens, i.e, for Let's Encrypt
         location /.well-known/ {
             try_files $uri $uri/ =404;
         }
-
+        {%- endif %}
     }
-
+    {%- if https | default(false) %}
     server {
         listen 80 default_server;
         server_name _;
         return 301 https://$host$request_uri;
     }
-
+    {%- endif %}
 }
diff --git a/images/s6_assets/template_nginx.py b/images/s6_assets/template_nginx.py
@@ -0,0 +1,37 @@
+import argparse
+import os
+import django
+from django.core.exceptions import AppRegistryNotReady, ImproperlyConfigured
+
+from jinja2 import Template
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Create Pulp's nginx conf file based on current settings.",
+    )
+    parser.add_argument("template_file", type=open)
+    parser.add_argument("output_file", type=argparse.FileType("w"))
+    args = parser.parse_args()
+
+    https = os.getenv("PULP_HTTPS", "false")
+    values = {
+        "https": https.lower() == "true",
+        "api_root": "/pulp/",
+        "content_path": "/pulp/content/",
+        "domain_enabled": False,
+    }
+
+    try:
+        django.setup()
+        from django.conf import settings
+    except (AppRegistryNotReady, ImproperlyConfigured):
+        print("Failed to find settings for nginx template, using defaults")
+    else:
+        values["api_root"] = settings.API_ROOT
+        values["content_path"] = settings.CONTENT_PATH_PREFIX
+        values["domain_enabled"] = settings.DOMAIN_ENABLED
+
+    template = Template(args.template_file.read())
+    output = template.render(**values)
+    args.output_file.write(output)