120 lines
3.9 KiB
Nginx Configuration File
120 lines
3.9 KiB
Nginx Configuration File
worker_processes auto;
|
|
error_log /var/log/nginx/error.log;
|
|
pid /run/nginx.pid;
|
|
|
|
include /usr/share/nginx/modules/*.conf;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
server {
|
|
listen 8080 default_server;
|
|
listen [::]:8080 default_server;
|
|
server_name _;
|
|
root /opt/app-root/src;
|
|
|
|
# Load configuration files for the default server block.
|
|
include /opt/app-root/etc/nginx.default.d/*.conf;
|
|
|
|
large_client_header_buffers 4 16k;
|
|
|
|
error_page 404 /404.html;
|
|
location = /40x.html {
|
|
}
|
|
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
}
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_read_timeout 86400;
|
|
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
location /auth {
|
|
proxy_pass_request_body off;
|
|
|
|
proxy_set_header Host $http_host;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header If-None-Match "";
|
|
proxy_pass http://auth-service:8080;
|
|
}
|
|
|
|
location @error401 {
|
|
# Store the request_uri (complete with args) to be redirected to
|
|
# when we hit /auth/complete.
|
|
add_header Set-Cookie "POST_AUTH_REDIRECT=$request_uri;";
|
|
return 302 /auth/login;
|
|
}
|
|
|
|
location @proxy_404_error_handler {
|
|
# Pass the request on to the webservice. Most likely the URI won't
|
|
# exist so we get a 404 from that service instead (good as the 404
|
|
# pages are consistent).
|
|
proxy_pass http://cara-webservice:8080/$request_uri;
|
|
}
|
|
|
|
location /voila-server/ {
|
|
proxy_intercept_errors on;
|
|
|
|
# Anything under voila-server or expert-app is authenticated.
|
|
auth_request /auth/probe;
|
|
error_page 401 = @error401;
|
|
error_page 404 = @proxy_404_error_handler;
|
|
|
|
# cara-app is the name of the voila server in each of docker-compose,
|
|
# caimira-test.web.cern.ch and cara.web.cern.ch.
|
|
proxy_pass http://cara-app:8080/voila-server/;
|
|
}
|
|
rewrite ^/expert-app$ /voila-server/voila/render/cara.ipynb last;
|
|
rewrite ^/(files/static)/(.*)$ /voila-server/voila/$1/$2 last;
|
|
|
|
# Before implementing the nginx router we could access /voila/render/cara.ipynb.
|
|
# Redirect this (and all other) URLs to the new scheme.
|
|
absolute_redirect off;
|
|
rewrite ^/voila/(.*)$ /voila-server/voila/$1 redirect;
|
|
|
|
location / {
|
|
# By default we have no authentication.
|
|
proxy_pass http://cara-webservice:8080;
|
|
}
|
|
|
|
location /calculator {
|
|
return 302 /calculator-cern$is_args$args;
|
|
}
|
|
|
|
location /calculator-cern {
|
|
# CERN calculator is authenticated.
|
|
auth_request /auth/probe;
|
|
error_page 401 = @error401;
|
|
|
|
# cara-webservice is the name of the tornado server (for the calculator)
|
|
# in each of docker-compose, caimira-test.web.cern.ch and cara.web.cern.ch.
|
|
proxy_pass http://cara-webservice:8080/calculator-cern;
|
|
}
|
|
|
|
location /calculator-open {
|
|
# Public open calculator
|
|
proxy_pass http://cara-calculator-open:8080/calculator-open;
|
|
}
|
|
}
|
|
}
|