-
Notifications
You must be signed in to change notification settings - Fork 498
Expand file tree
/
Copy pathproxy_nginx_config.yaml
More file actions
426 lines (362 loc) · 17 KB
/
proxy_nginx_config.yaml
File metadata and controls
426 lines (362 loc) · 17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
---
apiVersion: v1
kind: ConfigMap
metadata:
name: pl-proxy-nginx-config
data:
headers_common.conf: |-
# HSTS config.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
pixie_server_defaults.conf: |-
# On redirects don't rewrite the host/port. This can cause problems because the nginx service
# is behind a load balancer/proxy.
absolute_redirect off;
pixie_health_check.conf: |-
location /healthz {
access_log off;
return 200 "healthy\n";
}
pixie_filter.conf: |-
# These re-write variables used in our assets.
sub_filter_types application/javascript;
sub_filter '__CONFIG_OAUTH_PROVIDER__' "'${oauth_provider}'";
sub_filter '__CONFIG_AUTH_URI__' "'${auth_uri}'";
sub_filter '__CONFIG_AUTH_CLIENT_ID__' "'${auth_client_id}'";
sub_filter '__CONFIG_AUTH_EMAIL_PASSWORD_CONN__' "'${auth_email_password_conn}'";
sub_filter '__CONFIG_OIDC_HOST__' "'${oidc_host}'";
sub_filter '__CONFIG_OIDC_METADATA_URL__' "'${oidc_metadata_url}'";
sub_filter '__CONFIG_OIDC_CLIENT_ID__' "'${oidc_client_id}'";
sub_filter '__CONFIG_OIDC_ADDITIONAL_SCOPES__' "'${oidc_additional_scopes}'";
sub_filter '__CONFIG_OIDC_SOCIAL_CONFIG_LOGIN__' "`${oidc_social_config_login}`";
sub_filter '__CONFIG_OIDC_SOCIAL_CONFIG_SIGNUP__' "`${oidc_social_config_signup}`";
sub_filter '__CONFIG_DOMAIN_NAME__' "'${domain_name}'";
sub_filter '__CONFIG_SCRIPT_BUNDLE_URLS__' "'${script_bundle_urls}'";
sub_filter '__CONFIG_SCRIPT_BUNDLE_DEV__' "'${script_bundle_dev}'";
sub_filter '__CONFIG_SCRIPT_MODIFICATION_DISABLED__' "${script_modification_disabled}";
sub_filter '__SEGMENT_UI_WRITE_KEY__' "'${segment_ui_write_key}'";
sub_filter '__SEGMENT_ANALYTICS_JS_DOMAIN__' "'segment.${domain_name}'";
sub_filter '__CONFIG_LD_CLIENT_ID__' "'${ld_client_id}'";
sub_filter '__ANALYTICS_ENABLED__' "${analytics_enabled}";
sub_filter '__ANNOUNCEMENT_ENABLED__' "${announcement_enabled}";
sub_filter '__ANNOUNCE_WIDGET_URL__' "'${announce_widget_url}'";
sub_filter '__CONTACT_ENABLED__' "${contact_enabled}";
sub_filter '__PASSTHROUGH_PROXY_PORT__' "'${passthrough_proxy_port}'";
# Only need to filter once since these variables should not be repeated.
sub_filter_once on;
pixie_compression.conf: |-
gzip on;
# Enable compression for common types.
gzip_types
application/x-font-opentype
application/grpc-web-text
application/javascript
application/json
application/x-font-ttf
application/x-javascript
application/xml
image/svg+xml
font/woff2
text/css
text/javascript
text/plain
text/xml;
# Try to serve .gz files directly if they exist.
# TODO(zasgar): Re-enable once we fix env subs.
gzip_static off;
# Increase the compression level, at the expense of additional CPU
# cpu cycles are cheap virtually everywhere now, bandwidth not nearly as much.
gzip_comp_level 9;
gzip_proxied any;
# How many buffers to hold.
gzip_buffers 16 64k;
# Min size before we compress.
gzip_min_length 50;
pixie_cache.conf: |-
etag on;
expires 60m;
add_header Cache-Control "public";
include /usr/local/openresty/nginx/conf.d/headers_common.conf;
pixie_api.conf: |-
location /api/ {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://httpapisvc;
}
location ~ ^/pl.* {
rewrite ^/pl\.(.*)$ /px.$1 last;
}
location ~ ^/px.cloudapi.* {
# The nginx parser does not seem to understand that the $api_service
# variable contains the port. Just referring to it as api-service since this
# works in a service agnosistic way.
grpc_pass grpcs://grpcapisvc;
}
location ~ ^/px.api.* {
# The nginx parser does not seem to understand that the $api_service
# variable contains the port. Just referring to it as api-service since this
# works in a service agnosistic way.
grpc_pass grpcs://grpcapisvc;
}
pixie_vars.conf: |-
# Get the environment information so that we can inject the correct config
# into the javascript assets.
# The environment variable also need an ENV directive above.
set_by_lua_block $oauth_provider { return os.getenv("PL_OAUTH_PROVIDER") }
set_by_lua_block $auth_uri { return os.getenv("PL_AUTH_URI") }
set_by_lua_block $auth_client_id { return os.getenv("PL_AUTH_CLIENT_ID") }
set_by_lua_block $auth_email_password_conn { return os.getenv("PL_AUTH_EMAIL_PASSWORD_CONN") }
set_by_lua_block $oidc_host { return os.getenv("PL_OIDC_HOST") }
set_by_lua_block $oidc_metadata_url { return os.getenv("PL_OIDC_METADATA_URL") }
set_by_lua_block $oidc_client_id { return os.getenv("PL_OIDC_CLIENT_ID") }
set_by_lua_block $oidc_additional_scopes { return os.getenv("PL_OIDC_ADDITIONAL_SCOPES") }
set_by_lua_block $oidc_social_config_login { return os.getenv("PL_OIDC_SOCIAL_CONFIG_LOGIN") }
set_by_lua_block $oidc_social_config_signup { return os.getenv("PL_OIDC_SOCIAL_CONFIG_SIGNUP") }
set_by_lua_block $domain_name { return os.getenv("PL_DOMAIN_NAME") }
set_by_lua_block $api_service { return os.getenv("PL_API_SERVICE_HTTP") }
set_by_lua_block $segment_ui_write_key { return os.getenv("PL_SEGMENT_UI_WRITE_KEY") }
set_by_lua_block $segment_cli_write_key { return os.getenv("PL_SEGMENT_CLI_WRITE_KEY") }
set_by_lua_block $script_bundle_urls { return os.getenv("SCRIPT_BUNDLE_URLS") }
set_by_lua_block $script_bundle_dev { return os.getenv("SCRIPT_BUNDLE_DEV") }
set_by_lua_block $script_modification_disabled { return os.getenv("PL_SCRIPT_MODIFICATION_DISABLED") }
set_by_lua_block $analytics_enabled { return os.getenv("ANALYTICS_ENABLED") }
set_by_lua_block $announcement_enabled { return os.getenv("ANNOUNCEMENT_ENABLED") }
set_by_lua_block $announce_widget_url { return os.getenv("ANNOUNCE_WIDGET_URL") }
set_by_lua_block $ld_client_id { return os.getenv("PL_LD_CLIENT_ID") }
set_by_lua_block $contact_enabled { return os.getenv("CONTACT_ENABLED") }
set_by_lua_block $passthrough_proxy_port { return os.getenv("PASSTHROUGH_PROXY_PORT") }
set_by_lua_block $hydra_service { return os.getenv("PL_HYDRA_SERVICE") }
set_by_lua_block $kratos_service { return os.getenv("PL_KRATOS_SERVICE") }
# This file will have @PL_DOMAIN_NAME@ replaced with the domain name specified in the
# pl-domain-config Configmap. See the entrypoint.sh script for how this is done.
# yamllint disable rule:line-length
nginx.conf.tmpl: |-
# File borrowed from openresty config.
# Environment variable need to be specified here (and below).
env PL_OAUTH_PROVIDER;
env PL_AUTH_URI;
env PL_AUTH_CLIENT_ID;
env PL_AUTH_EMAIL_PASSWORD_CONN;
env PL_OIDC_HOST;
env PL_OIDC_METADATA_URL;
env PL_OIDC_CLIENT_ID;
env PL_OIDC_ADDITIONAL_SCOPES;
env PL_OIDC_SOCIAL_CONFIG_LOGIN;
env PL_OIDC_SOCIAL_CONFIG_SIGNUP;
env PL_LD_CLIENT_ID;
env PL_DOMAIN_NAME;
env PL_API_SERVICE_HTTP;
env PL_SEGMENT_UI_WRITE_KEY;
env PL_SEGMENT_CLI_WRITE_KEY;
env PL_HYDRA_SERVICE;
env PL_KRATOS_SERVICE;
env SCRIPT_BUNDLE_URLS;
env SCRIPT_BUNDLE_DEV;
env PL_SCRIPT_MODIFICATION_DISABLED;
env ANALYTICS_ENABLED;
env ANNOUNCEMENT_ENABLED;
env ANNOUNCE_WIDGET_URL;
env CONTACT_ENABLED;
env PASSTHROUGH_PROXY_PORT;
worker_processes auto;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server_tokens off;
log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name to: $upstream_addr: $request upstream_response_time $upstream_response_time msec $msec request_time $request_time';
resolver kube-dns.kube-system.svc.cluster.local valid=5s;
# Tune nginx keepalives to work with the GCP HTTP(S) Load Balancer:
keepalive_timeout 650;
keepalive_requests 10000;
# Increase default server names length to 128:
server_names_hash_bucket_size 128;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m max_size=100m inactive=1d;
proxy_temp_path /var/cache/nginx/tmp;
ssl_buffer_size 4k;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_protocols TLSv1.2 TLSv1.3;
upstream httpapisvc {
# The nginx parser does not seem to understand that the $api_service
# variable contains the port. Just referring to it as api-service since this
# works in a service agnosistic way.
server api-service:51200;
keepalive 128;
}
upstream grpcapisvc {
# The nginx parser does not seem to understand that the $api_service
# variable contains the port. Just referring to it as api-service since this
# works in a service agnosistic way.
server api-service:51200;
keepalive 128;
}
# This is the default fallback server if none of the subdomains match.
server {
listen [::]:56000 default_server;
listen 56000;
server_name _;
ssl_certificate /certs/tls.crt;
ssl_certificate_key /certs/tls.key;
include /usr/local/openresty/nginx/conf.d/pixie_health_check.conf;
if ($http_x_forwarded_proto = "http") {
return 404;
}
location / {
return 404;
}
}
# This is the server that we use for all the locations that don't have a subdomain.
# This just serves the minimal pages necessary to authenticate and get into a subdomain specific site.
server {
listen [::]:56000 ssl http2;
listen 56000 ssl http2;
server_name @PL_DOMAIN_NAME@ *.cluster.local;
include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
include /usr/local/openresty/nginx/conf.d/pixie_server_defaults.conf;
include /usr/local/openresty/nginx/conf.d/pixie_api.conf;
if ($http_x_forwarded_proto = "http") {
return 307 https://$host$request_uri;
}
location /install.sh {
root /installer;
try_files "/install.sh" =404;
}
location / {
return 307 https://work.$domain_name$request_uri;
}
}
# This is the server for the work subdomain.
server {
listen [::]:56000 ssl http2;
listen 56000 ssl http2;
server_name work.@PL_DOMAIN_NAME@;
error_page 404 = @error404;
include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
include /usr/local/openresty/nginx/conf.d/pixie_server_defaults.conf;
include /usr/local/openresty/nginx/conf.d/pixie_health_check.conf;
include /usr/local/openresty/nginx/conf.d/pixie_api.conf;
include /usr/local/openresty/nginx/conf.d/headers_common.conf;
include /usr/local/openresty/nginx/conf.d/private/*.conf;
# Disable caching by default.
add_header Cache-Control "no-store";
if ($http_x_forwarded_proto = "http") {
return 307 https://$host$request_uri;
}
location /oauth/hydra {
if ($hydra_service = "") {
return 404;
}
# Using a variable in the proxy_pass argument and a trailing slash on the location
# doesn't forward the subpath to the proxy destination. Instead we need to manually
# manage this change by rewriting the path.
rewrite ^/oauth/hydra/(.*) /$1 break;
# Note - storing the protocol in the env variable causes nginx to reject the proxy_pass dest.
proxy_pass https://$hydra_service$uri$is_args$args;
}
# Disable self-service registration in Kratos is the only way to prevent registration to orgs
# that a user does not have permission to join. Org Admins should instead invite their users.
# In the future Kratos will support disabling registration within kratos_config.yaml.
# We want to replace this rule when that becomes available.
# Issue tracking the feature: https://github.com/ory/kratos/issues/882
location /oauth/kratos/self-service/registration {
error_page 404 = @error404;
return 404;
}
location /oauth/kratos {
error_page 404 = @error404;
if ($kratos_service = "") {
return 404;
}
# Using a variable in the proxy_pass argument and a trailing slash on the location
# doesn't forward the subpath to the proxy destination. Instead we need to manually
# manage this change by rewriting the path.
rewrite ^/oauth/kratos/(.*) /$1 break;
# Note - storing the protocol in the env variable causes nginx to reject the proxy_pass dest.
proxy_pass https://$kratos_service$uri$is_args$args;
}
location /install.sh {
root /installer;
try_files "/install.sh" =404;
}
location / {
gzip_static off;
root /assets;
try_files $uri "/index.html";
}
# Cache all contents hosted under /static. This is actually the same as the contents hosted under '/'
# but nginx knows to cache these and webpack puts all the hashed assets in here.
location ~ ^/static(/.*)$ {
gzip_static off;
root /assets;
include /usr/local/openresty/nginx/conf.d/pixie_cache.conf;
include /usr/local/openresty/nginx/conf.d/pixie_filter.conf;
try_files $1 "/index.html";
}
location /auth-complete {
root /assets;
include /usr/local/openresty/nginx/conf.d/pixie_filter.conf;
try_files $uri "/index.html";
}
location ~ ^/docs(?:/(.*))?$ {
return 307 https://docs.pixielabs.ai/$1;
}
location @error404 {
return 307 https://$domain_name?not_found=$uri;
}
}
# This is the proxy server for segment.
server {
listen [::]:56000 ssl http2;
listen 56000 ssl http2;
server_name segment.@PL_DOMAIN_NAME@;
include /usr/local/openresty/nginx/conf.d/pixie_compression.conf;
include /usr/local/openresty/nginx/conf.d/pixie_vars.conf;
set $segment_cdn "cdn.segment.com";
location /v1/projects {
proxy_pass https://$segment_cdn$uri$is_args$args;
proxy_cache my_cache;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
}
location /analytics.js/v1 {
proxy_pass https://$segment_cdn$uri$is_args$args;
proxy_cache my_cache;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
}
location /analytics-next {
proxy_pass https://$segment_cdn$uri$is_args$args;
proxy_cache my_cache;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
}
location /next-integrations {
proxy_pass https://$segment_cdn$uri$is_args$args;
proxy_cache my_cache;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
}
location /cli-write-key {
return 200 $segment_cli_write_key;
default_type text/plain;
}
location / {
set $segment_api "api.segment.io";
proxy_pass https://$segment_api$uri$is_args$args;
proxy_cache my_cache;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
}
}
# This is the redirect to the netlify hosted site for docs.
server {
listen [::]:56000 ssl http2;
listen 56000 ssl http2;
server_name docs.@PL_DOMAIN_NAME@;
location / {
return 307 https://docs.pixielabs.ai$request_uri;
}
}
}