Revert "Removed nginx from config"

This reverts commit d5df1fb87c.

docker/nginx/Dockerfile

@@ -0,0 +1,5 @@
+FROM nginx
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/* /etc/nginx/conf.d/
+COPY test.key /etc/ssl/private/test.key
+COPY test.crt /etc/ssl/certs/test.crt

docker/nginx/conf.d/default.conf

@@ -0,0 +1,133 @@
+# This nginx configuration defines two servers, one on port 80 and one on port
+# 443. All traffix on port 80 is redirect to port 443 on SSL.
+#
+# Nginx proxies all requests on port 443 to upstream the application server
+# which is expected to be running on port 5000/5001.
+
+upstream ui_server {
+  server web-ui:5000 fail_timeout=0;
+}
+upstream api_server {
+  server web-api:5000 fail_timeout=0;
+}
+
+# HTTP server
+server {
+  # Redirects all requests to https. - this is in addition to HAProxy which
+  # already redirects http to https. This redirect is needed in case you access
+  # the server directly (e.g. useful for debugging).
+  listen 80 default_server; # IPv4
+  listen [::]:80 default_server; # IPv6
+  server_name _;
+  return 301 https://$host$request_uri;
+}
+
+# HTTPS server
+server {
+  listen 443 default_server ssl http2; # IPv4
+  listen [::]:443 default_server ssl http2; # IPv6
+  server_name _;
+  charset utf-8;
+  keepalive_timeout 5;
+
+  # SSL configuration according to best practices from
+  # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+  # The provided certificate (test.crt) and private key (test.key) is only for
+  # testing and must never be used in production environment.
+  ssl_certificate /etc/ssl/certs/test.crt;
+  ssl_certificate_key /etc/ssl/private/test.key;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+
+  # Accepted protocols and ciphers
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_prefer_server_ciphers on;
+
+  add_header Strict-Transport-Security "max-age=15768000"; # 6 months
+
+  # Request ID tracing (allows end-to-end tracking of requests for better
+  # troubleshooting)
+  add_header X-Request-ID $request_id;
+
+  # The request body is sent to the proxied server immediately as it is
+  # received
+  proxy_request_buffering off;
+  # Sets the HTTP protocol v1.1 for proxying in order to not use the buffer
+  # in case of chunked transfer encoding
+  proxy_http_version 1.1;
+
+  # Proxying to the application server
+  ## UI server
+  location / {
+    uwsgi_pass ui_server;
+    include uwsgi_params;
+    uwsgi_buffering off;
+    uwsgi_request_buffering off;
+    chunked_transfer_encoding off;
+    uwsgi_param Host $host;
+    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+    uwsgi_param X-Forwarded-Proto $scheme;
+    # Pass request id to the ui server
+    uwsgi_param X-Request-ID $request_id;
+    # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+    # however we don't want to expose them to clients so we are hiding them.
+    uwsgi_hide_header X-Session-ID;
+    uwsgi_hide_header X-User-ID;
+    # Max upload size (except for files) is set to 100mb as default.
+    client_max_body_size 100m;
+  }
+  ## Most API
+  location /api {
+    uwsgi_pass api_server;
+    include uwsgi_params;
+    uwsgi_buffering off;
+    uwsgi_request_buffering off;
+    chunked_transfer_encoding off;
+    uwsgi_param Host $host;
+    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+    uwsgi_param X-Forwarded-Proto $scheme;
+    # Pass request id to the api server
+    uwsgi_param X-Request-ID $request_id;
+    # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+    # however we don't want to expose them to clients so we are hiding them.
+    uwsgi_hide_header X-Session-ID;
+    uwsgi_hide_header X-User-ID;
+    # Max upload size (except for files) is set to 100mb as default.
+    client_max_body_size 100m;
+  }
+  ## API files
+  # Another location is defined in order to allow large file uploads in the files
+  # API without exposing the other parts of the application to receive huge
+  # request bodies.
+  location ~ /api/records/.+/draft/files/.+/content {
+    gzip off;
+    uwsgi_pass api_server;
+    include uwsgi_params;
+    uwsgi_buffering off;
+    uwsgi_request_buffering off;
+    chunked_transfer_encoding off;
+    uwsgi_param Host $host;
+    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+    uwsgi_param X-Forwarded-Proto $scheme;
+    # Pass request id to api server
+    uwsgi_param X-Request-ID $request_id;
+    # X-Session-ID / X-User-ID is read by nginx and included in the logs,
+    # however we don't want to expose them to clients so we are hiding them.
+    uwsgi_hide_header X-Session-ID;
+    uwsgi_hide_header X-User-ID;
+    # Max upload size for files is set to 50GB (configure as needed).
+    client_max_body_size 50G;
+  }
+  # Static content is served directly by nginx and not the application server.
+  location /static {
+    alias /opt/invenio/var/instance/static;
+    autoindex off;
+  }
+  # Robots.txt file is served by nginx.
+  location /robots.txt {
+    alias /opt/invenio/var/instance/static/robots.txt;
+    autoindex off;
+  }
+}

docker/nginx/nginx.conf

@@ -0,0 +1,76 @@
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # Standard log format
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    # Request tracing log format - includes request id, session id, user id,
+    # and request timing.
+    log_format trace '$remote_addr - [$time_local] "$request" '
+                 '$status  $body_bytes_sent "$http_referer"  '
+                 '"$http_user_agent" "$http_x_forwarded_for" $request_id '
+                 '$msec $request_time '
+                 '$upstream_http_x_session_id $upstream_http_x_user_id';
+
+    access_log  /var/log/nginx/access.log  trace;
+
+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+
+    keepalive_timeout  65;
+
+    gzip on;
+    gzip_disable "msie6";
+    gzip_http_version 1.1;
+    gzip_comp_level 5; # or anything between 4-6
+    gzip_min_length 100;
+    gzip_proxied any;
+    # We may need more mime-types here (eg. 'application/x-bibtex')
+    gzip_types
+        application/atom+xml
+        application/javascript
+        application/json
+        application/ld+json
+        application/manifest+json
+        application/octet-stream
+        application/rss+xml
+        application/vnd.geo+json
+        application/vnd.ms-fontobject
+        application/x-font-ttf
+        application/x-javascript
+        application/x-web-app-manifest+json
+        application/xhtml+xml
+        application/xml
+        application/xml+rss
+        font/opentype
+        image/bmp
+        image/svg+xml
+        image/x-icon
+        text/cache-manifest
+        text/css
+        text/javascript
+        text/plain
+        text/vcard
+        text/vnd.rim.location.xloc
+        text/vtt
+        text/x-component
+        text/x-cross-domain-policy
+        text/xml;
+    gzip_vary on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

docker/nginx/test.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpzCCA4+gAwIBAgIUUYJ6tvU7tTyQgpunblH/obBk/WAwDQYJKoZIhvcNAQEL
+BQAwYzELMAkGA1UEBhMCQ0gxCjAIBgNVBAgMAS4xCjAIBgNVBAcMAS4xCjAIBgNV
+BAoMAS4xCjAIBgNVBAsMAS4xEjAQBgNVBAMMCWxvY2FsaG9zdDEQMA4GCSqGSIb3
+DQEJARYBLjAeFw0yNTAxMjcwOTUwMjBaFw0yNjAxMjcwOTUwMjBaMGMxCzAJBgNV
+BAYTAkNIMQowCAYDVQQIDAEuMQowCAYDVQQHDAEuMQowCAYDVQQKDAEuMQowCAYD
+VQQLDAEuMRIwEAYDVQQDDAlsb2NhbGhvc3QxEDAOBgkqhkiG9w0BCQEWAS4wggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDi2I5Ew61Lfbz9ZfYTrtI4Zln/
+hwnCf0umd+z4JzZe7IPpnCmFVk+cVMNGgCOLNsBvJCqlXI4xKu+4xtSGP1uG9T/G
+NsMURD0M6BP/wTzydPBTqhIkxI9IwGS9l9qOAbQGcfX+1hKB3F1KoQ/blp5HIfim
+MlHPmwE2V6GRT5TCOZ7rB3fj48bSSCVND52D1z9DkfnTHiWBNehg1RLGaxv13lud
+20DKmKMZZRuDcx7GfVwCyuXjUQ1kYfWZG2b64eBR8aqshWjH118JrU/EB7FZ0+Td
+puc8l+beH8uzTWn0kLUXAGKCsL429ptKi/JmQm4kuV9pJMwf6hWtvfJ6Iz85WnfE
+ISJ5gQe5WkIZALhDOjOUDKI85p9lNalU12yulDwHj403WukabZFC8QoLp1HU/l0o
+YebgfW/o/uDOkCk4N+nN/rkm0F25KN+qMMV2muZgXCOyRi75SYtbXAhWxbSwJDdj
+PhQvLSEX48+O6e3KLvI1VT9m33l91sAdhu2b1uDFXLeE/t3lKWrPyXvHpmgoWAII
+NDQlDlG8h/gqKxN741LMnCs6pflmu4ipCZUqOuehHgDwxCvH29txmJ01Kx8Qevou
+HMVEEtKxzUh+/osXbnT/fpbB9/hkGkTKbFjMBYR5VGdHR36ytTkVx3rAnLJg7wcL
+s9SEAvUm+9qJKfFoZwIDAQABo1MwUTAdBgNVHQ4EFgQU+lschFrhuWcv7SirStrG
+0QoLHo4wHwYDVR0jBBgwFoAU+lschFrhuWcv7SirStrG0QoLHo4wDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEA0v6x5Sr5hEzzD1W6G7ERHmZh7eQt
+XlxR/7Df3BXHf9v/hD8hp/g9IlzMkCx0IL9eXpXGkcqQZuwclj56jht+ryRTTGaf
+swYMCd/H6BHXHXL/R70LN1Kz1XVXMcBaYmNOmbbt88TEjU0L9m9GUFYj2GX6ZHnL
+Wz8ZcRDjoV03bcdDdRK2Z6SBDw05OSZdAHJD+Utbqeby1GUkaxHy3QbQ2vPX7lmO
+3o75FcXkKReiL96aUOWHTH2moTje2eFSx7IPbEG/gtj48OQWXFjGJjz+OHs9Gl5i
+DcBIrfY3+Amg27ggJv5OGg6NbTkjHzPhugufaoT4O2vcHmryUj9Grqhmhh5FULxp
+1uhTP6eXPybWDOkFMMxGD0PNtAT1oeY42WZQHrYz3fyf48HmFa2/zfRjQsQYc2x4
+wl0G8lkHm20G6dGsi+ij1EwRTeKmmBdDINV6vnthCwDPe608VdCm2Mpr2KgOZmBS
+HaATg8ZZqx2wEflk02zqO9AWuShxYu3ynVuJsoga+qAiljIMqTmj3ed7lKuvvaJz
+bqbpG7LDf9nZMjP4m+EukoFcQMAOHuTGqVtmyCKT2gj2CsIy2zZzY3dN7IR8V2HI
+7ppjHTQ/s1myCR4Jkb0psFbrqG3vOKn9xfH+prk+oeph8gAAXqMLZS0EXQQF5iDR
+fBA+J7fD6XnBFJU=
+-----END CERTIFICATE-----

docker/nginx/test.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDi2I5Ew61Lfbz9
+ZfYTrtI4Zln/hwnCf0umd+z4JzZe7IPpnCmFVk+cVMNGgCOLNsBvJCqlXI4xKu+4
+xtSGP1uG9T/GNsMURD0M6BP/wTzydPBTqhIkxI9IwGS9l9qOAbQGcfX+1hKB3F1K
+oQ/blp5HIfimMlHPmwE2V6GRT5TCOZ7rB3fj48bSSCVND52D1z9DkfnTHiWBNehg
+1RLGaxv13lud20DKmKMZZRuDcx7GfVwCyuXjUQ1kYfWZG2b64eBR8aqshWjH118J
+rU/EB7FZ0+Tdpuc8l+beH8uzTWn0kLUXAGKCsL429ptKi/JmQm4kuV9pJMwf6hWt
+vfJ6Iz85WnfEISJ5gQe5WkIZALhDOjOUDKI85p9lNalU12yulDwHj403WukabZFC
+8QoLp1HU/l0oYebgfW/o/uDOkCk4N+nN/rkm0F25KN+qMMV2muZgXCOyRi75SYtb
+XAhWxbSwJDdjPhQvLSEX48+O6e3KLvI1VT9m33l91sAdhu2b1uDFXLeE/t3lKWrP
+yXvHpmgoWAIINDQlDlG8h/gqKxN741LMnCs6pflmu4ipCZUqOuehHgDwxCvH29tx
+mJ01Kx8QevouHMVEEtKxzUh+/osXbnT/fpbB9/hkGkTKbFjMBYR5VGdHR36ytTkV
+x3rAnLJg7wcLs9SEAvUm+9qJKfFoZwIDAQABAoICACL/ZBup0M+ny4OQuoFY5Gf9
+Kn9o1xGh0AsTz4SNkC7e8I8XH7TJlyi4TxROaq1sug2rl8TBXdKqHCf2zQ0VM0rE
+BZ3QDxLOYFjgaU15A60oa3eM8pWnma+Qtzok9nwYOS0RYfF6F4rfc6ky5h5rw2mY
+DSOe+c48zNgUdwHTNFEu0JzUHyQSnTcOGGsmMJgJmmITYGa47PJdXceqt+XS2pJ5
+Rss462sWV3twhOkn1qSq7IolwYfrllRZZKnFd4LXXGNoFHvfbUX/rVLx4S+OPEdu
+kI291Ukc6mp0n1m/ZMxtkvLEhW5CVGZob5b1tmUedJ3H17eCDNgTplqSxpkfXP5y
+3SBCzQXGHMUQ7JIzAdJS0Qn59IzTPEg06Bvrd6Sgxf1+twxFyu6/LUIi1KKPfzgD
+rtRypWvB3KflGJj07eoBpF9fOZJ6htMFp1FgkC7TPkdwuXy9Tc2JQ0pjsiPAbJvO
+IcpSQOvdwpIUSvjpHukl3OC0qXXv2xkkr8WhWP8P2OnL9zZ2mJ9kiODXLUMcNRPw
+KN+PKVnXYi2yvI2s+ZZPM5J9DBHrditiW/lNmGdmGMjgLtNVqJ2dnQHP+AXcGiug
+durU/+VCjRkT6RhgVenjzbW/0rK4f2zIDklIOWDhPScpH8VuUi6+XFagG9+yIWcB
+1C8QNJC6rC1e/860ChBpAoIBAQDrnwQugeOfuAYDQy5oSUBHDgX6zLp4mVQyacb4
+/16VKVmNaKqmrkmFIYsVca1K4hds+/KSEusfMlxYaAtjrtyK0Qvq16buAq/jrNic
+U3XYpYPxE708kufsuYlMNxbsFf0L9CJdcJWYRFLoSk4xMiaFrK0HbAceEnkEYnok
+w2Ssrq85GrQABnfxprQYkqO68o+Gv4JzzXVchiKFB8iatbUcX95dG6uRPKfQ9vTi
+H+kIevdZaEd5/RExUrFasYhH3xvZBMo/xPGxa5Ww3wZ9Bk0iUODuydvzUxc8s6lD
+cJlSXUEuQLh1+ARyfLvIWNKsi3fC4dc/yD/Ifu6XqQTzmhvNAoIBAQD2dz5KjYfz
+hveh/+0P41GGED3b/hnxoQHd/v7G3bnrnMM1MoaoJbys4tXovdSsWUUG3ReyDmJo
+46XfzoQxMMhoMbjlplypvBhfpfF1njM1bTpTfgHHPCNp0AgePFzTdVKV4VvdzBT4
+BpM79LofqLgf6mUlys0TIZGmt9D62QHY2LG6KKretabDi4+5+OghO2kI1vmCS8Wt
+l4S4az5bcWqyi3w4KO3pkPKnpF9SOqqwOs+R6lPABKbcf3+t3CJDYplKhLaVGjDy
+uXtV2zi3cNVLAwnwR5SWYME4IZDNsQAFXO+g5g5y8bpF//QaDyxMb+bjTD/cwE+x
+G9sWJ+ccrGkDAoIBAQCEm1YrJocJGPSpWWIA51j5pHbRE+/Od9zfEpEdCfwdTsxL
+vaBtdqGB/8LbKsMw5dXxTErU0zjosdsvFj9ytrMAnW5rmTslsPV02Y5/TKmCaIS9
+ZTKXqMZGgJU5A7gu3qEv3RKKLBbFP465lTg0j9kGWox3JOFMl3Dses/raNx8I0QS
+i2jKqtlOc1fgjIcBbApC9/1fVz659/Ptktff2mw3r+zh0fTZJJ3+CT8BFJx+XVZg
+R0QS786BR9zxAgGFEZgGp598DEdKZxY0GRD5xFYc/g/Z1FmptBXb3/FfNzvTExDg
+CyTFn/RAytqUgwjuev/H+nq+NuFO4cE+Ma3Lu+vxAoIBAE+rsi4lXBojue7bLQWi
+xNqia2yu0jIiitj5MeCVEiGQtiV/JLo8IKZ+WQl4O8ROwxp548wCDFu9owQa3O6N
+x2qvEAbkZTXVAMgCe3A66HDP0zfkFq0RypzMy6MCfjs4xK6Af9LNwsV+Up/h9zx+
+rK5cdb/ms64Ifu22o85C0e8H9UOpG7sMW1EAz0AdruP3MXfTDirJVahMv3Fh8XFb
+01LN9iStTmLfISGB5/JL1ptLF4giiFoc5teGO363FzhTKhxFlEPUiJgdzzmsuMPL
+rJcn71GFwgluU2dSql1jZw9UwH1xgKA1dbJlD8JQv1AiKC+3mTlBzUECMSsTUQka
+zoMCggEBAIxQpHv0SX4RvHVBbNxVQ5rjcXjOmIfN6SnvGKn1J0Qxxbc1zlUvbucP
+4Hw60bqEZewVheLrKkx6HDbOJuWuRZkOeiqANbDhdMjJWxfs+FX19dvphVKfDR24
+uBwAgu766smqma0HxuTBTuE6gPttxXoNOxaXVz9pOiN7J3eO5hE2VrJSta5isj02
+RQkbcDRVdvt4KzaUMM22wGdhLT/Rnlh3Q94dgEf8KYFcaEnGBEKH0ZFugkI4Oq9x
+guN18wKDvKGZH8PZp8NhrFLtwRL0epwjQIc/i8d55rqjMLJNXVDy5Wn47OEsV2mr
+3hZ66Qvn/zNMwRkuIEbB0I7k5nNiISA=
+-----END PRIVATE KEY-----