From 9efda94f72bb5b2f53485279dd214799a8e05270 Mon Sep 17 00:00:00 2001
From: Cian Hughes
Date: Fri, 31 Jan 2025 16:56:22 +0000
Subject: [PATCH] Revert "Removed nginx from config"

This reverts commit d5df1fb87c8f14d46c2f05e5b0009f32e4a4e9de.
---
docker/nginx/Dockerfile | 5 ++
docker/nginx/conf.d/default.conf | 133 +++++++++++++++++++++++++++++++
docker/nginx/nginx.conf | 76 ++++++++++++++++++
docker/nginx/test.crt | 33 ++++++++
docker/nginx/test.key | 52 ++++++++++++
5 files changed, 299 insertions(+)
create mode 100644 docker/nginx/Dockerfile
create mode 100644 docker/nginx/conf.d/default.conf
create mode 100644 docker/nginx/nginx.conf
create mode 100644 docker/nginx/test.crt
create mode 100644 docker/nginx/test.key
diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
new file mode 100644
index 0000000..69c1bf1
--- /dev/null
+++ b/docker/nginx/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/* /etc/nginx/conf.d/
+COPY test.key /etc/ssl/private/test.key
+COPY test.crt /etc/ssl/certs/test.crt
\ No newline at end of file
diff --git a/docker/nginx/conf.d/default.conf b/docker/nginx/conf.d/default.conf
new file mode 100644
index 0000000..274038b
--- /dev/null
+++ b/docker/nginx/conf.d/default.conf
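Review bot: `COPY test.key /etc/ssl/private/test.key` bakes the private key into an image layer, and because test.key is checked in by this same commit, every clone of the repository and every image built from it shares one key. The accompanying nginx config says the pair is for testing only, but nothing in the Dockerfile stops a production build from picking it up; prefer mounting the key at run time (a bind mount or a compose/Docker secret into /etc/ssl/private) and stating that in the Dockerfile with `# test.key/test.crt are throwaway test material; mount real ones at run time`. `FROM nginx` is unpinned, so each rebuild pulls whatever `latest` currently resolves to; pinning a version tag or digest makes the image reproducible and reviewable. The file also ends without a trailing newline, as the hunk footer notes.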
@@ -0,0 +1,133 @@
+# This nginx configuration defines two servers, one on port 80 and one on port
+# 443. All traffix on port 80 is redirect to port 443 on SSL.
+#
+# Nginx proxies all requests on port 443 to upstream the application server
+# which is expected to be running on port 5000/5001.
+
+upstream ui_server {
+ server web-ui:5000 fail_timeout=0;
+}
+upstream api_server {
+ server web-api:5000 fail_timeout=0;
+}
+
+# HTTP server
+server {
+ # Redirects all requests to https. - this is in addition to HAProxy which
+ # already redirects http to https. This redirect is needed in case you access
+ # the server directly (e.g. useful for debugging).
+ listen 80 default_server; # IPv4
+ listen [::]:80 default_server; # IPv6
+ server_name _;
+ return 301 https://$host$request_uri;
+}
+
+# HTTPS server
+server {
+ listen 443 default_server ssl http2; # IPv4
+ listen [::]:443 default_server ssl http2; # IPv6
+ server_name _;
+ charset utf-8;
+ keepalive_timeout 5;
+
+ # SSL configuration according to best practices from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # The provided certificate (test.crt) and private key (test.key) is only for
+ # testing and must never be used in production environment.
+ ssl_certificate /etc/ssl/certs/test.crt;
+ ssl_certificate_key /etc/ssl/private/test.key;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ # Accepted protocols and ciphers
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ add_header Strict-Transport-Security "max-age=15768000"; # 6 months
+
+ # Request ID tracing (allows end-to-end tracking of requests for better
+ # troubleshooting)
+ add_header X-Request-ID $request_id;
+
+ # The request body is sent to the proxied server immediately as it is
+ # received
+ proxy_request_buffering off;
+ # Sets the HTTP protocol v1.1 for proxying in order to not use the buffer
+ # in case of chunked transfer encoding
+ proxy_http_version 1.1;
+
+ # Proxying to the application server
+ ## UI server
+ location / {
+ uwsgi_pass ui_server;
+ include uwsgi_params;
+ uwsgi_buffering off;
+ uwsgi_request_buffering off;
+ chunked_transfer_encoding off;
+ uwsgi_param Host $host;
+ uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+ uwsgi_param X-Forwarded-Proto $scheme;
+ # Pass request id to the ui server
+ uwsgi_param X-Request-ID $request_id;
+ # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+ # however we don't want to expose them to clients so we are hiding them.
+ uwsgi_hide_header X-Session-ID;
+ uwsgi_hide_header X-User-ID;
+ # Max upload size (except for files) is set to 100mb as default.
+ client_max_body_size 100m;
+ }
+ ## Most API
+ location /api {
+ uwsgi_pass api_server;
+ include uwsgi_params;
+ uwsgi_buffering off;
+ uwsgi_request_buffering off;
+ chunked_transfer_encoding off;
+ uwsgi_param Host $host;
+ uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+ uwsgi_param X-Forwarded-Proto $scheme;
+ # Pass request id to the api server
+ uwsgi_param X-Request-ID $request_id;
+ # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+ # however we don't want to expose them to clients so we are hiding them.
+ uwsgi_hide_header X-Session-ID;
+ uwsgi_hide_header X-User-ID;
+ # Max upload size (except for files) is set to 100mb as default.
+ client_max_body_size 100m;
+ }
+ ## API files
+ # Another location is defined in order to allow large file uploads in the files
+ # API without exposing the other parts of the application to receive huge
+ # request bodies.
+ location ~ /api/records/.+/draft/files/.+/content {
+ gzip off;
+ uwsgi_pass api_server;
+ include uwsgi_params;
+ uwsgi_buffering off;
+ uwsgi_request_buffering off;
+ chunked_transfer_encoding off;
+ uwsgi_param Host $host;
+ uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+ uwsgi_param X-Forwarded-Proto $scheme;
+ # Pass request id to api server
+ uwsgi_param X-Request-ID $request_id;
+ # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+ # however we don't want to expose them to clients so we are hiding them.
+ uwsgi_hide_header X-Session-ID;
+ uwsgi_hide_header X-User-ID;
+ # Max upload size for files is set to 50GB (configure as needed).
+ client_max_body_size 50G;
+ }
+ # Static content is served directly by nginx and not the application server.
+ location /static {
+ alias /opt/invenio/var/instance/static;
+ autoindex off;
+ }
+ # Robots.txt file is served by nginx.
+ location /robots.txt {
+ alias /opt/invenio/var/instance/static/robots.txt;
+ autoindex off;
+ }
+}
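Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, which contradicts the comment a few lines above that the block follows the Mozilla generator's recommendations (its current profiles start at TLS 1.2), and the cipher list still ends with the four CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`). Suggest `ssl_protocols TLSv1.2 TLSv1.3;` (the official nginx image's OpenSSL supports 1.3) and removing those four CBC entries, leaving only the GCM and CHACHA20 suites. Separately, `location ~ /api/records/.+/draft/files/.+/content` is an unanchored regex, and regex locations take precedence over the `/static` and `/robots.txt` prefix locations, so any URI that merely contains that substring is proxied to api_server with the 50G body limit the comment says is meant for the files endpoint alone; anchoring it as `location ~ ^/api/records/.+/draft/files/.+/content {` restricts the large limit to the intended path.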
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
index 0000000..5440b43
--- /dev/null
+++ b/docker/nginx/nginx.conf
@@ -0,0 +1,76 @@
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Standard log format
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Request tracing log format - includes request id, session id, user id,
+ # and request timing.
+ log_format trace '$remote_addr - [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" $request_id '
+ '$msec $request_time '
+ '$upstream_http_x_session_id $upstream_http_x_user_id';
+
+ access_log /var/log/nginx/access.log trace;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+ gzip_disable "msie6";
+ gzip_http_version 1.1;
+ gzip_comp_level 5; # or anything between 4-6
+ gzip_min_length 100;
+ gzip_proxied any;
+ # We may need more mime-types here (eg. 'application/x-bibtex')
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/octet-stream
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-javascript
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ application/xml+rss
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/javascript
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ text/xml;
+ gzip_vary on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
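Review bot: the `trace` log format writes `$upstream_http_x_session_id` to access.log on every request; if the X-Session-ID value the application emits is the real session token rather than an opaque correlation id (conf.d/default.conf deliberately hides it from clients, which suggests it is sensitive), the access log becomes a store of live credentials for anyone who can read it. Confirm with the application what that header carries; if it is a token, have the application emit a hash or short prefix for tracing, or drop `$upstream_http_x_session_id` from the format. The `http` block also never sets `server_tokens off;`, so the nginx version is announced in the Server header and on error pages; adding that line next to `default_type` is a one-line hardening.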
diff --git a/docker/nginx/test.crt b/docker/nginx/test.crt
new file mode 100644
index 0000000..c272856
--- /dev/null
+++ b/docker/nginx/test.crt
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpzCCA4+gAwIBAgIUUYJ6tvU7tTyQgpunblH/obBk/WAwDQYJKoZIhvcNAQEL +BQAwYzELMAkGA1UEBhMCQ0gxCjAIBgNVBAgMAS4xCjAIBgNVBAcMAS4xCjAIBgNV +BAoMAS4xCjAIBgNVBAsMAS4xEjAQBgNVBAMMCWxvY2FsaG9zdDEQMA4GCSqGSIb3 +DQEJARYBLjAeFw0yNTAxMjcwOTUwMjBaFw0yNjAxMjcwOTUwMjBaMGMxCzAJBgNV +BAYTAkNIMQowCAYDVQQIDAEuMQowCAYDVQQHDAEuMQowCAYDVQQKDAEuMQowCAYD +VQQLDAEuMRIwEAYDVQQDDAlsb2NhbGhvc3QxEDAOBgkqhkiG9w0BCQEWAS4wggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDi2I5Ew61Lfbz9ZfYTrtI4Zln/ +hwnCf0umd+z4JzZe7IPpnCmFVk+cVMNGgCOLNsBvJCqlXI4xKu+4xtSGP1uG9T/G +NsMURD0M6BP/wTzydPBTqhIkxI9IwGS9l9qOAbQGcfX+1hKB3F1KoQ/blp5HIfim +MlHPmwE2V6GRT5TCOZ7rB3fj48bSSCVND52D1z9DkfnTHiWBNehg1RLGaxv13lud +20DKmKMZZRuDcx7GfVwCyuXjUQ1kYfWZG2b64eBR8aqshWjH118JrU/EB7FZ0+Td +puc8l+beH8uzTWn0kLUXAGKCsL429ptKi/JmQm4kuV9pJMwf6hWtvfJ6Iz85WnfE +ISJ5gQe5WkIZALhDOjOUDKI85p9lNalU12yulDwHj403WukabZFC8QoLp1HU/l0o +YebgfW/o/uDOkCk4N+nN/rkm0F25KN+qMMV2muZgXCOyRi75SYtbXAhWxbSwJDdj +PhQvLSEX48+O6e3KLvI1VT9m33l91sAdhu2b1uDFXLeE/t3lKWrPyXvHpmgoWAII +NDQlDlG8h/gqKxN741LMnCs6pflmu4ipCZUqOuehHgDwxCvH29txmJ01Kx8Qevou +HMVEEtKxzUh+/osXbnT/fpbB9/hkGkTKbFjMBYR5VGdHR36ytTkVx3rAnLJg7wcL +s9SEAvUm+9qJKfFoZwIDAQABo1MwUTAdBgNVHQ4EFgQU+lschFrhuWcv7SirStrG +0QoLHo4wHwYDVR0jBBgwFoAU+lschFrhuWcv7SirStrG0QoLHo4wDwYDVR0TAQH/ +BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEA0v6x5Sr5hEzzD1W6G7ERHmZh7eQt +XlxR/7Df3BXHf9v/hD8hp/g9IlzMkCx0IL9eXpXGkcqQZuwclj56jht+ryRTTGaf +swYMCd/H6BHXHXL/R70LN1Kz1XVXMcBaYmNOmbbt88TEjU0L9m9GUFYj2GX6ZHnL +Wz8ZcRDjoV03bcdDdRK2Z6SBDw05OSZdAHJD+Utbqeby1GUkaxHy3QbQ2vPX7lmO +3o75FcXkKReiL96aUOWHTH2moTje2eFSx7IPbEG/gtj48OQWXFjGJjz+OHs9Gl5i +DcBIrfY3+Amg27ggJv5OGg6NbTkjHzPhugufaoT4O2vcHmryUj9Grqhmhh5FULxp +1uhTP6eXPybWDOkFMMxGD0PNtAT1oeY42WZQHrYz3fyf48HmFa2/zfRjQsQYc2x4 +wl0G8lkHm20G6dGsi+ij1EwRTeKmmBdDINV6vnthCwDPe608VdCm2Mpr2KgOZmBS +HaATg8ZZqx2wEflk02zqO9AWuShxYu3ynVuJsoga+qAiljIMqTmj3ed7lKuvvaJz +bqbpG7LDf9nZMjP4m+EukoFcQMAOHuTGqVtmyCKT2gj2CsIy2zZzY3dN7IR8V2HI 
+7ppjHTQ/s1myCR4Jkb0psFbrqG3vOKn9xfH+prk+oeph8gAAXqMLZS0EXQQF5iDR
+fBA+J7fD6XnBFJU=
+-----END CERTIFICATE-----
diff --git a/docker/nginx/test.key b/docker/nginx/test.key
new file mode 100644
index 0000000..4581e5c
--- /dev/null
+++ b/docker/nginx/test.key
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDi2I5Ew61Lfbz9 +ZfYTrtI4Zln/hwnCf0umd+z4JzZe7IPpnCmFVk+cVMNGgCOLNsBvJCqlXI4xKu+4 +xtSGP1uG9T/GNsMURD0M6BP/wTzydPBTqhIkxI9IwGS9l9qOAbQGcfX+1hKB3F1K +oQ/blp5HIfimMlHPmwE2V6GRT5TCOZ7rB3fj48bSSCVND52D1z9DkfnTHiWBNehg +1RLGaxv13lud20DKmKMZZRuDcx7GfVwCyuXjUQ1kYfWZG2b64eBR8aqshWjH118J +rU/EB7FZ0+Tdpuc8l+beH8uzTWn0kLUXAGKCsL429ptKi/JmQm4kuV9pJMwf6hWt +vfJ6Iz85WnfEISJ5gQe5WkIZALhDOjOUDKI85p9lNalU12yulDwHj403WukabZFC +8QoLp1HU/l0oYebgfW/o/uDOkCk4N+nN/rkm0F25KN+qMMV2muZgXCOyRi75SYtb +XAhWxbSwJDdjPhQvLSEX48+O6e3KLvI1VT9m33l91sAdhu2b1uDFXLeE/t3lKWrP +yXvHpmgoWAIINDQlDlG8h/gqKxN741LMnCs6pflmu4ipCZUqOuehHgDwxCvH29tx +mJ01Kx8QevouHMVEEtKxzUh+/osXbnT/fpbB9/hkGkTKbFjMBYR5VGdHR36ytTkV +x3rAnLJg7wcLs9SEAvUm+9qJKfFoZwIDAQABAoICACL/ZBup0M+ny4OQuoFY5Gf9 +Kn9o1xGh0AsTz4SNkC7e8I8XH7TJlyi4TxROaq1sug2rl8TBXdKqHCf2zQ0VM0rE +BZ3QDxLOYFjgaU15A60oa3eM8pWnma+Qtzok9nwYOS0RYfF6F4rfc6ky5h5rw2mY +DSOe+c48zNgUdwHTNFEu0JzUHyQSnTcOGGsmMJgJmmITYGa47PJdXceqt+XS2pJ5 +Rss462sWV3twhOkn1qSq7IolwYfrllRZZKnFd4LXXGNoFHvfbUX/rVLx4S+OPEdu +kI291Ukc6mp0n1m/ZMxtkvLEhW5CVGZob5b1tmUedJ3H17eCDNgTplqSxpkfXP5y +3SBCzQXGHMUQ7JIzAdJS0Qn59IzTPEg06Bvrd6Sgxf1+twxFyu6/LUIi1KKPfzgD +rtRypWvB3KflGJj07eoBpF9fOZJ6htMFp1FgkC7TPkdwuXy9Tc2JQ0pjsiPAbJvO +IcpSQOvdwpIUSvjpHukl3OC0qXXv2xkkr8WhWP8P2OnL9zZ2mJ9kiODXLUMcNRPw +KN+PKVnXYi2yvI2s+ZZPM5J9DBHrditiW/lNmGdmGMjgLtNVqJ2dnQHP+AXcGiug +durU/+VCjRkT6RhgVenjzbW/0rK4f2zIDklIOWDhPScpH8VuUi6+XFagG9+yIWcB +1C8QNJC6rC1e/860ChBpAoIBAQDrnwQugeOfuAYDQy5oSUBHDgX6zLp4mVQyacb4 +/16VKVmNaKqmrkmFIYsVca1K4hds+/KSEusfMlxYaAtjrtyK0Qvq16buAq/jrNic +U3XYpYPxE708kufsuYlMNxbsFf0L9CJdcJWYRFLoSk4xMiaFrK0HbAceEnkEYnok +w2Ssrq85GrQABnfxprQYkqO68o+Gv4JzzXVchiKFB8iatbUcX95dG6uRPKfQ9vTi +H+kIevdZaEd5/RExUrFasYhH3xvZBMo/xPGxa5Ww3wZ9Bk0iUODuydvzUxc8s6lD +cJlSXUEuQLh1+ARyfLvIWNKsi3fC4dc/yD/Ifu6XqQTzmhvNAoIBAQD2dz5KjYfz +hveh/+0P41GGED3b/hnxoQHd/v7G3bnrnMM1MoaoJbys4tXovdSsWUUG3ReyDmJo 
+46XfzoQxMMhoMbjlplypvBhfpfF1njM1bTpTfgHHPCNp0AgePFzTdVKV4VvdzBT4 +BpM79LofqLgf6mUlys0TIZGmt9D62QHY2LG6KKretabDi4+5+OghO2kI1vmCS8Wt +l4S4az5bcWqyi3w4KO3pkPKnpF9SOqqwOs+R6lPABKbcf3+t3CJDYplKhLaVGjDy +uXtV2zi3cNVLAwnwR5SWYME4IZDNsQAFXO+g5g5y8bpF//QaDyxMb+bjTD/cwE+x +G9sWJ+ccrGkDAoIBAQCEm1YrJocJGPSpWWIA51j5pHbRE+/Od9zfEpEdCfwdTsxL +vaBtdqGB/8LbKsMw5dXxTErU0zjosdsvFj9ytrMAnW5rmTslsPV02Y5/TKmCaIS9 +ZTKXqMZGgJU5A7gu3qEv3RKKLBbFP465lTg0j9kGWox3JOFMl3Dses/raNx8I0QS +i2jKqtlOc1fgjIcBbApC9/1fVz659/Ptktff2mw3r+zh0fTZJJ3+CT8BFJx+XVZg +R0QS786BR9zxAgGFEZgGp598DEdKZxY0GRD5xFYc/g/Z1FmptBXb3/FfNzvTExDg +CyTFn/RAytqUgwjuev/H+nq+NuFO4cE+Ma3Lu+vxAoIBAE+rsi4lXBojue7bLQWi +xNqia2yu0jIiitj5MeCVEiGQtiV/JLo8IKZ+WQl4O8ROwxp548wCDFu9owQa3O6N +x2qvEAbkZTXVAMgCe3A66HDP0zfkFq0RypzMy6MCfjs4xK6Af9LNwsV+Up/h9zx+ +rK5cdb/ms64Ifu22o85C0e8H9UOpG7sMW1EAz0AdruP3MXfTDirJVahMv3Fh8XFb +01LN9iStTmLfISGB5/JL1ptLF4giiFoc5teGO363FzhTKhxFlEPUiJgdzzmsuMPL +rJcn71GFwgluU2dSql1jZw9UwH1xgKA1dbJlD8JQv1AiKC+3mTlBzUECMSsTUQka +zoMCggEBAIxQpHv0SX4RvHVBbNxVQ5rjcXjOmIfN6SnvGKn1J0Qxxbc1zlUvbucP +4Hw60bqEZewVheLrKkx6HDbOJuWuRZkOeiqANbDhdMjJWxfs+FX19dvphVKfDR24 +uBwAgu766smqma0HxuTBTuE6gPttxXoNOxaXVz9pOiN7J3eO5hE2VrJSta5isj02 +RQkbcDRVdvt4KzaUMM22wGdhLT/Rnlh3Q94dgEf8KYFcaEnGBEKH0ZFugkI4Oq9x +guN18wKDvKGZH8PZp8NhrFLtwRL0epwjQIc/i8d55rqjMLJNXVDy5Wn47OEsV2mr +3hZ66Qvn/zNMwRkuIEbB0I7k5nNiISA= +-----END PRIVATE KEY-----