OLMIS-6183, simplify proxy options #73

Open
wants to merge 1 commit into
base: master
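--- a/reporting/.env
+++ b/reporting/.env
@@ -31,14 +31,10 @@ SUPERSET_SSL_KEY=superset.local.key
 SUPERSET_SSL_CERT_CHAIN=superset.local.crt
 # Whether to enable accessing the Superset domain securely
 SUPERSET_ENABLE_SSL=false
-# Whether Superset is behind a load balancer
-SUPERSET_BEHIND_LOAD_BALANCER=false
-# Whether to redirect HTTP traffic on the load balancer to https
-SUPERSET_LOAD_BALANCER_REDIRECT_HTTP=false
+# Whether Superset certs should be used.
+SUPERSET_PROVIDE_CERTS=false
 
 ### NiFi Service ###
-NIFI_WEB_HTTP_PORT=80
-NIFI_WEB_HTTP_HOST=nifi.local
 # The JVM Memory maximum heap size
 NIFI_JVM_HEAP_MAX="1g"
 # The domain name to use for NiFi
@@ -54,10 +50,8 @@ NIFI_SSL_KEY=nifi.local.key
 NIFI_SSL_CERT_CHAIN=nifi.local.crt
 # Whether to enable accessing the NiFi domain securely
 NIFI_ENABLE_SSL=false
-# Whether Nifi is behind a load balancer
-NIFI_BEHIND_LOAD_BALANCER=false
-# Whether to redirect HTTP traffic on the load balancer to https
-NIFI_LOAD_BALANCER_REDIRECT_HTTP=false
+# Whether provided certs should be used
+NIFI_PROVIDE_CERTS=false
 # Nifi Passwords
 DB_PASSWORD=p@ssw0rd
 INVOKEHTTP_PASSWORD=changeme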
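Review bot: The comments on `SUPERSET_PROVIDE_CERTS` and `NIFI_PROVIDE_CERTS` do not say how the flag interacts with `*_ENABLE_SSL`, and that interaction decides whether anything serves content at all. In the nginx template changed by this PR the 443 server is emitted only when `enable_ssl` and `provide_certs` are both true, while `enable_ssl` on its own still makes the port-80 server answer every request with a 301 to https. With `ENABLE_SSL=true` and `PROVIDE_CERTS=false`, nginx therefore appears to serve only redirects unless something in front of it terminates TLS and routes elsewhere. I would spell that out, e.g. `# Whether nginx terminates TLS itself using the SSL_* files above; only takes effect when SUPERSET_ENABLE_SSL=true`, with the same wording for NiFi.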
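--- a/reporting/config/services/nginx/consul-template/openlmis.conf
+++ b/reporting/config/services/nginx/consul-template/openlmis.conf
@@ -26,26 +26,17 @@ log_format upstream_time '$remote_addr - $remote_user [$time_local] '
 server {
 server_name {{ $location }};
 listen 80;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_set_header X-ProxyScheme http;
+proxy_set_header Host $http_host;
+proxy_set_header X-ProxyContextPath /;
 
 {{ if $locationData.enable_ssl }}
 return 301 https://$server_name$request_uri;
 {{ else }}
-{{ if (and ($locationData.behind_load_balancer) ($locationData.redirect_http_traffic)) }}
-if ($http_X_Forwarded_Proto = "http") {
-return 301 https://$server_name$request_uri;
-}
-{{ end }}
 location / {
 proxy_pass http://{{ $locationData.upstream }};
-{{ if not $locationData.behind_load_balancer }}
-proxy_set_header X-ProxyScheme http;
-proxy_set_header X-Forwarded-Proto http;
-proxy_set_header X-ProxyPort 80;
-{{ end }}
-proxy_set_header X-ProxyHost {{ $location }};
-proxy_set_header Host {{ $location }};
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-ProxyContextPath /;
 {{ if $locationData.enable_basic_auth }}
 auth_basic "Authentication Required";
 auth_basic_user_file /etc/nginx/.htpasswd;
@@ -54,26 +45,16 @@ server {
 {{ end }}
 }
 
-{{ if $locationData.enable_ssl }}
+{{ if (and ($locationData.enable_ssl) ($locationData.provide_certs)) }}
 server {
 server_name {{ $location }};
-
-location / {
-proxy_pass http://{{ $locationData.upstream }};
-proxy_set_header X-ProxyScheme https;
-proxy_set_header X-ProxyHost {{ $location }};
-proxy_set_header Host {{ $location }};
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-Forwarded-Proto https;
-proxy_set_header X-ProxyPort 443;
-proxy_set_header X-ProxyContextPath /;
-{{ if $locationData.enable_basic_auth }}
-auth_basic "Authentication Required";
-auth_basic_user_file /etc/nginx/.htpasswd;
-{{ end }}
-}
-
 listen 443;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+proxy_set_header X-ProxyScheme http;
+proxy_set_header Host $http_host;
+proxy_set_header X-ProxyContextPath /;
+
 ssl on;
 ssl_certificate {{ $locationData.ssl_cert }};
 ssl_certificate_key {{ $locationData.ssl_key }};
@@ -88,6 +69,14 @@ server {
 add_header Strict-Transport-Security 'max-age=15768000';
 ssl_stapling on;
 ssl_session_cache builtin:1000 shared:SSL:10m;
+
+location / {
+proxy_pass http://{{ $locationData.upstream }};
+{{ if $locationData.enable_basic_auth }}
+auth_basic "Authentication Required";
+auth_basic_user_file /etc/nginx/.htpasswd;
+{{ end }}
+}
 }
 {{ end }}
 {{ end }}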
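Review bot: The new 443 server block sends `proxy_set_header X-ProxyScheme http;` to the upstream although this is the listener that terminates TLS; the location block it replaces sent `X-ProxyScheme https`, `X-ProxyPort 443` and `X-Forwarded-Proto https`. If the upstream builds its links and redirects from these headers, as the old values suggest, users on the HTTPS listener would be handed http URLs. Both server blocks now also forward `Host $http_host`, which is whatever the client sent, where the old code pinned it to `{{ $location }}`. `X-Forwarded-For` is dropped entirely, so upstream access and audit logs would only see the proxy address. I would restore the values in the 443 block as below and make the matching `Host` and `X-Forwarded-For` change in the port-80 block.

```nginx
listen 443;
# … unchanged: proxy_http_version, Connection …
proxy_set_header X-ProxyScheme https;
proxy_set_header X-ProxyPort 443;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host {{ $location }};
# … unchanged: X-ProxyContextPath, ssl_* directives, location / …
```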
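--- a/reporting/docker-compose.yml
+++ b/reporting/docker-compose.yml
@@ -5,9 +5,9 @@ services:
 command: >
 sh -c "while ! curl -f \"http://consul:8500/v1/agent/self\"; do sleep 10;done
 && curl -X PUT -H \"Content-Type: application/json\" --data '{\"name\": \"superset-service\", \"address\": \"superset\", \"id\": \"superset1\", \"port\": 8088, \"tags\": [\"openlmis-service\"], \"check\": { \"http\": \"http://superset:8088/login\", \"method\": \"GET\", \"interval\": \"30s\", \"timeout\": \"10s\"}}' http://consul:8500/v1/agent/service/register
-&& curl -X PUT --data '{ \"upstream\": \"superset-service\", \"enable_basic_auth\": false, \"behind_load_balancer\": ${SUPERSET_BEHIND_LOAD_BALANCER}, \"redirect_http_traffic\": ${SUPERSET_LOAD_BALANCER_REDIRECT_HTTP}, \"enable_ssl\": ${SUPERSET_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${SUPERSET_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${SUPERSET_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${SUPERSET_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${SUPERSET_DOMAIN_NAME}
+&& curl -X PUT --data '{ \"upstream\": \"superset-service\", \"enable_basic_auth\": false, \"provide_certs\": ${SUPERSET_PROVIDE_CERTS}, \"enable_ssl\": ${SUPERSET_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${SUPERSET_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${SUPERSET_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${SUPERSET_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${SUPERSET_DOMAIN_NAME}
 && curl -X PUT -H \"Content-Type: application/json\" --data '{\"name\": \"nifi-service\", \"address\": \"nifi\", \"id\": \"nifi1\", \"port\": 8080, \"tags\": [\"openlmis-service\"], \"check\": { \"http\": \"http://nifi:8080\", \"method\": \"GET\", \"interval\": \"30s\", \"timeout\": \"10s\"}}' http://consul:8500/v1/agent/service/register
-&& curl -X PUT --data '{ \"upstream\": \"nifi-service\", \"enable_basic_auth\": true, \"behind_load_balancer\": ${NIFI_BEHIND_LOAD_BALANCER}, \"redirect_http_traffic\": ${NIFI_LOAD_BALANCER_REDIRECT_HTTP}, \"enable_ssl\": ${NIFI_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${NIFI_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${NIFI_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${NIFI_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${NIFI_DOMAIN_NAME}"
+&& curl -X PUT --data '{ \"upstream\": \"nifi-service\", \"enable_basic_auth\": true, \"provide_certs\": ${NIFI_PROVIDE_CERTS}, \"enable_ssl\": ${NIFI_ENABLE_SSL}, \"ssl_cert\": \"/config/nginx/tls/${NIFI_SSL_CERT}\", \"ssl_key\": \"/config/nginx/tls/${NIFI_SSL_KEY}\", \"ssl_cert_chain\": \"/config/nginx/tls/${NIFI_SSL_CERT_CHAIN}\"}' http://consul:8500/v1/kv/resources/${NIFI_DOMAIN_NAME}"
 build:
 context: ./config
 volumes: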
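Review bot: `${SUPERSET_PROVIDE_CERTS}` and `${NIFI_PROVIDE_CERTS}` are substituted unquoted into the JSON written to Consul, so an environment that still carries a `.env` from before this change has no value for them. Compose would then substitute an empty string and the stored document would contain `"provide_certs": ,`, which is not valid JSON; the nginx template that reads `$locationData.provide_certs` would presumably fail or silently skip the TLS server. A default in the substitution avoids this: `${SUPERSET_PROVIDE_CERTS:-false}` and `${NIFI_PROVIDE_CERTS:-false}`. The `command` block starts and ends outside what is shown for this service, so any validation done elsewhere is not visible here.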