-
Notifications
You must be signed in to change notification settings - Fork 249
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[notebook] Move notebook and workshop nginx to sidecar (#10204)
* [notebook] Move notebook and workshop nginx to sidecar * [tls] update tls doc * [notebook] add nginx sidecar to deployment * add proxy.conf * move ssl config from python to nginx * try to fix host header * add multiple apps to /etc/hosts on the pod * template auth url
- Loading branch information
1 parent
9380e85
commit 4ed7a2e
Showing
11 changed files
with
305 additions
and
103 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
FROM {{ hail_ubuntu_image.image }} | ||
|
||
RUN hail-apt-get-install nginx | ||
|
||
RUN rm -f /etc/nginx/sites-enabled/default && \ | ||
rm -f /etc/nginx/nginx.conf | ||
ADD nginx.conf.out /etc/nginx/nginx.conf | ||
ADD proxy.conf /etc/nginx/ | ||
|
||
RUN ln -sf /dev/stdout /var/log/nginx/access.log | ||
RUN ln -sf /dev/stderr /var/log/nginx/error.log | ||
|
||
CMD ["nginx", "-g", "daemon off;"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,190 @@ | ||
worker_processes auto; | ||
pid /run/nginx.pid; | ||
include /etc/nginx/modules-enabled/*.conf; | ||
|
||
events { | ||
worker_connections 768; | ||
} | ||
|
||
http { | ||
|
||
sendfile on; | ||
tcp_nopush on; | ||
tcp_nodelay on; | ||
keepalive_timeout 65; | ||
types_hash_max_size 2048; | ||
server_names_hash_bucket_size 128; | ||
|
||
include /etc/nginx/mime.types; | ||
default_type application/octet-stream; | ||
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE | ||
ssl_prefer_server_ciphers on; | ||
|
||
log_format json-log escape=json '{' | ||
'"message":"$scheme $request done in ${request_time}s: $status",' | ||
'"response_status":$status,' | ||
'"request_duration":$request_time,' | ||
'"remote_address":"$remote_addr",' | ||
'"x_real_ip":"$http_x_real_ip",' | ||
'"request_start_time":"$time_local",' | ||
'"body_bytes_sent":"$body_bytes_sent",' | ||
'"http_referer":"$http_referer",' | ||
'"http_user_agent":"$http_user_agent"' | ||
'}'; | ||
|
||
access_log /var/log/nginx/access.log json-log; | ||
error_log /var/log/nginx/error.log; | ||
|
||
gzip on; | ||
|
||
include /ssl-config/ssl-config-http.conf; | ||
map $http_x_forwarded_proto $updated_scheme { | ||
default $http_x_forwarded_proto; | ||
'' $scheme; | ||
} | ||
map $http_x_forwarded_host $updated_host { | ||
default $http_x_forwarded_host; | ||
'' $http_host; | ||
} | ||
map $http_upgrade $connection_upgrade { | ||
default upgrade; | ||
'' close; | ||
} | ||
|
||
server { | ||
server_name notebook.*; | ||
|
||
# needed to correctly handle error_page with internal handles | ||
recursive_error_pages on; | ||
|
||
location = /auth { | ||
internal; | ||
{% if deploy %} | ||
proxy_pass http://notebook.local:5000/auth/$notebook_token; | ||
{% else %} | ||
proxy_pass http://notebook.local:5000/{{ default_ns.name }}/notebook/auth/$notebook_token; | ||
{% endif %} | ||
} | ||
|
||
{% if deploy %} | ||
location ~ /instance/([^/]+)/(.*) { | ||
{% else %} | ||
location ~ {{ default_ns.name }}/notebook/instance/([^/]+)/(.*) { | ||
{% endif %} | ||
set $notebook_token $1; | ||
auth_request /auth; | ||
auth_request_set $auth_pod_ip $upstream_http_pod_ip; | ||
|
||
proxy_pass http://$auth_pod_ip$request_uri; | ||
|
||
include /etc/nginx/proxy.conf; | ||
proxy_http_version 1.1; | ||
proxy_redirect off; | ||
proxy_buffering off; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
proxy_read_timeout 86400; | ||
|
||
proxy_connect_timeout 5s; | ||
|
||
proxy_intercept_errors on; | ||
error_page 401 403 502 504 = @error; | ||
} | ||
|
||
location @error { | ||
{% if deploy %} | ||
return 302 $updated_scheme://$updated_host/error; | ||
{% else %} | ||
return 302 $updated_scheme://$updated_host/{{ default_ns.name }}/notebook/error; | ||
{% endif %} | ||
} | ||
|
||
location / { | ||
proxy_pass http://notebook.local:5000; | ||
|
||
# don't set Host, notebook dispatches off domain | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Host $http_host; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header X-Real-IP $http_x_real_ip; | ||
proxy_http_version 1.1; | ||
proxy_redirect off; | ||
proxy_buffering off; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
proxy_read_timeout 86400; | ||
} | ||
|
||
listen 443 ssl; | ||
listen [::]:443 ssl; | ||
} | ||
|
||
server { | ||
server_name workshop.*; | ||
|
||
# needed to correctly handle error_page with internal handles | ||
recursive_error_pages on; | ||
|
||
location = /auth { | ||
internal; | ||
{% if deploy %} | ||
proxy_pass http://workshop.local:5000/auth/$notebook_token; | ||
{% else %} | ||
proxy_pass http://workshop.local:5000/{{ default_ns.name }}/workshop/auth/$notebook_token; | ||
{% endif %} | ||
} | ||
|
||
{% if deploy %} | ||
location ~ /instance/([^/]+)/(.*) { | ||
{% else %} | ||
location ~ {{ default_ns.name }}/workshop/instance/([^/]+)/(.*) { | ||
{% endif %} | ||
set $notebook_token $1; | ||
auth_request /auth; | ||
auth_request_set $auth_pod_ip $upstream_http_pod_ip; | ||
|
||
proxy_pass http://$auth_pod_ip$request_uri; | ||
|
||
include /etc/nginx/proxy.conf; | ||
proxy_http_version 1.1; | ||
proxy_redirect off; | ||
proxy_buffering off; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
proxy_read_timeout 86400; | ||
|
||
proxy_connect_timeout 5s; | ||
|
||
proxy_intercept_errors on; | ||
error_page 401 403 502 504 = @error; | ||
} | ||
|
||
location @error { | ||
{% if deploy %} | ||
return 302 $updated_scheme://$updated_host/error; | ||
{% else %} | ||
return 302 $updated_scheme://$updated_host/{{ default_ns.name }}/workshop/error; | ||
{% endif %} | ||
} | ||
|
||
location / { | ||
proxy_pass http://workshop.local:5000; | ||
|
||
# don't set Host, notebook dispatches off domain | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Host $http_host; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header X-Real-IP $http_x_real_ip; | ||
proxy_http_version 1.1; | ||
proxy_redirect off; | ||
proxy_buffering off; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
proxy_read_timeout 86400; | ||
} | ||
|
||
listen 443 ssl; | ||
listen [::]:443 ssl; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
proxy_set_header Host $http_host; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Host $updated_host; | ||
proxy_set_header X-Forwarded-Proto $updated_scheme; | ||
proxy_set_header X-Real-IP $http_x_real_ip; | ||
include /ssl-config/ssl-config-proxy.conf; |
Oops, something went wrong.