configs: Rework nginx configs

nemunaire 2021-09-05 05:23:55 +02:00
parent a0a1a717ee
commit fb53c9a4f1
13 changed files with 54 additions and 286 deletions


@ -21,7 +21,8 @@ EXPOSE 80
COPY configs/nginx-chbase.sh /docker-entrypoint.d/40-update-baseurl.sh
COPY configs/fic-auth-docker.conf /etc/nginx/fic-auth.conf
COPY configs/nginx-docker.conf /etc/nginx/templates/default.conf.template
COPY configs/nginx/get-team/upstream.conf /etc/nginx/fic-get-team.conf
COPY configs/nginx/auth/none.conf /etc/nginx/fic-auth.conf
COPY configs/nginx/base/docker.conf /etc/nginx/templates/default.conf.template
COPY --from=nodebuild /ui/build/ /srv/htdocs-frontend
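Review bot: The three new COPY lines make `configs/nginx/auth/none.conf` the image's `/etc/nginx/fic-auth.conf` and `configs/nginx/get-team/upstream.conf` its `/etc/nginx/fic-get-team.conf`, but nothing in the Dockerfile records that these are interchangeable variants of the same two contracts that the templated `default.conf` depends on (server-scope auth, and a `$team` value consumed as a filesystem path). Neither variant's contents are in this commit view, so this is inferred from the names and from the deployment manifest, which pairs prod with `auth/oidc.conf` and `get-team/oidc.conf` instead. A comment above the COPYs would fix the contract for whoever swaps a variant: `# fic-auth.conf and fic-get-team.conf are swappable variants (see configs/nginx/auth/, configs/nginx/get-team/); every get-team variant must set $team from a value the client cannot supply, since default.conf uses it in root paths`. If `auth/none.conf` performs no authentication, as its name suggests, that comment should also say the image default relies on an upstream that already authenticated the request.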


@ -1,240 +0,0 @@
server_tokens off;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
proxy_connect_timeout 1s;
server {
listen 80 default;
listen [::]:80 default;
root /srv/htdocs-frontend/;
error_page 401 /welcome.html;
error_page 403 404 /e404.html;
error_page 413 404 /e413.html;
error_page 500 502 504 /e500.html;
location = / {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
}
location = /index.html {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
}
location = /welcome.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e404.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e413.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location = /e500.html {
internal;
if ($http_accept ~ "^application/json") {
rewrite ^/(.*).html$ /$1.json;
}
}
location /edit {
rewrite ^/.*$ /index.html;
}
location /rank {
rewrite ^/.*$ /index.html;
}
location /rules {
rewrite ^/.*$ /index.html;
}
location /tags/ {
rewrite ^/.*$ /index.html;
}
location /register {
rewrite ^/.*$ /index.html;
}
location ~ ^/[A-Z] {
rewrite ^/.*$ /index.html;
}
location /files/ {
alias /srv/FILES/;
tcp_nodelay on;
}
location /wait.json {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
}
location /stats.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location /my.json {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
root /srv/TEAMS/$team/;
expires epoch;
add_header Cache-Control no-cache;
if (!-f $document_root/../../startingblock/started) {
rewrite ^/ /wait.json;
}
}
location /settings.json {
root /srv/SETTINGS/;
expires epoch;
add_header X-FIC-time $msec;
add_header Cache-Control no-cache;
}
location /teams.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location /themes.json {
root /srv/TEAMS/;
expires epoch;
add_header Cache-Control no-cache;
}
location /dashboard/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
#if ($remote_user !~ "^nemunaire|bombal_s$") {
# return 403;
#}
proxy_pass http://fic-dashboard:8082;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /api/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
#if ($remote_user !~ "^nemunaire|bombal_s$") {
# return 403;
#}
proxy_pass http://fic-admin:8081/admin/api/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /admin/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
#if ($remote_user !~ "^nemunaire|bombal_s$") {
# return 403;
#}
proxy_pass http://fic-admin:8081;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /submit/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
rewrite ^/submit/(.*)$ /submission/$team/$1 break;
proxy_pass http://fic-frontend:8080/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /submit/name {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
rewrite ^/submit/.*$ /chname/$team break;
proxy_pass http://fic-frontend:8080/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /qa/ {
proxy_pass http://fic-qa:8083;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /registration {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
rewrite ^/registration /registration/$team break;
proxy_pass http://fic-frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /openhint/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
rewrite ^/openhint/(.*)$ /openhint/$team/$1 break;
proxy_pass http://fic-frontend:8080/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location /wantchoices/ {
#auth_basic "Secure Zone";
#auth_basic_user_file ficpasswd;
include /etc/nginx/auth.conf;
rewrite ^/wantchoices/(.*)$ /wantchoices/$team/$1 break;
proxy_pass http://fic-frontend:8080/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
}
location = /events.json {
proxy_pass http://fic-admin:8081/api/events/;
proxy_method GET;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-For $remote_addr;
proxy_redirect off;
proxy_cache STATIC;
proxy_cache_valid 3s;
}
}


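--- /dev/null
+++ b/[new file; path not shown on page]
@@ -0,0 +1,3 @@
+ssl_client_certificate /srv/PKI/shared/ca.pem;
+ssl_trusted_certificate /srv/PKI/shared/ca.pem;
+ssl_verify_client optional;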
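Review bot: `ssl_verify_client optional;` lets the TLS handshake complete when the client presents no certificate, or one not signed by the CA in `/srv/PKI/shared/ca.pem`, so nothing in this file denies an unauthenticated request; whichever include derives `$team` from the certificate must compare `$ssl_client_verify` with `SUCCESS` before trusting `$ssl_client_s_dn` or anything built from it, and that include is not on this page. These are `server`-scope directives (they were lifted out of the `server {}` block of base/prod.conf in this same commit), so the file can only be included at server level; pulling it into a `location` would be rejected at config test. A two-line header would pin both constraints: `# server-scope only: ssl_client_certificate/ssl_verify_client are not valid inside location blocks` and `# 'optional' does not reject clients without a valid cert; the consumer must check $ssl_client_verify = SUCCESS`.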



@ -6,6 +6,8 @@ server {
listen 80 default;
listen [::]:80 default;
include fic-auth.conf;
root ${PATH_STATIC};
error_page 401 /welcome.html;
@ -27,10 +29,10 @@ server {
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'";
location = / {
include fic-auth.conf;
include fic-get-team.conf;
}
location = /index.html {
include fic-auth.conf;
include fic-get-team.conf;
}
location = /welcome.html {
internal;
@ -62,38 +64,38 @@ server {
}
location ~ ^/[A-Z] {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /edit {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /issues {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rank {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /tags/ {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /register {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rules {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
@ -105,7 +107,7 @@ server {
}
location /wait.json {
include fic-auth.conf;
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
@ -117,7 +119,7 @@ server {
add_header Cache-Control no-cache;
}
location /my.json {
include fic-auth.conf;
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
@ -128,7 +130,7 @@ server {
}
}
location /issues.json {
include fic-auth.conf;
include fic-get-team.conf;
root ${PATH_TEAMS}/$team/;
expires epoch;
@ -152,7 +154,7 @@ server {
}
location /submit/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND}/submission/;
proxy_set_header X-Forwarded-For $remote_addr;
@ -160,7 +162,7 @@ server {
proxy_redirect off;
}
location /issue {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
@ -168,7 +170,7 @@ server {
proxy_redirect off;
}
location /chname {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
@ -176,7 +178,7 @@ server {
proxy_redirect off;
}
location /registration {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
@ -184,7 +186,7 @@ server {
proxy_redirect off;
}
location /openhint/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
@ -192,7 +194,7 @@ server {
proxy_redirect off;
}
location /wantchoices/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_FRONTEND};
proxy_set_header X-Forwarded-For $remote_addr;
@ -201,7 +203,7 @@ server {
}
location /api/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_ADMIN}${FIC_BASEURL}admin/api/;
proxy_set_header X-Forwarded-For $remote_addr;
@ -216,7 +218,7 @@ server {
}
location ${FIC_BASEURL}qa/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_QA};
proxy_set_header X-Forwarded-For $remote_addr;
@ -225,7 +227,7 @@ server {
}
location ${FIC_BASEURL}dashboard/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://${HOST_DASHBOARD};
proxy_set_header X-Forwarded-For $remote_addr;
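Review bot: The `root ${PATH_TEAMS}/$team/;` locations (`/wait.json`, `/my.json`, `/issues.json`) now take `$team` from `include fic-get-team.conf;` while authentication moves to the single server-scope `include fic-auth.conf;` under `listen [::]:80 default;`, and nothing in this template rejects an empty or unexpected `$team` before it becomes part of a filesystem path. Neither include is in this commit view, so whether the get-team variant guarantees a non-empty, validated value is an inference; the template would fail closed on its own with a guard in those three locations, e.g. `if ($team = "") { return 401; }` placed right after the include. The same pattern is repeated in base/prod.conf in this commit. Each `location` block here starts inside the hunk but its remaining directives run past the hunk boundary.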


@ -19,9 +19,7 @@ server {
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_client_certificate /srv/PKI/shared/ca.pem;
ssl_trusted_certificate /srv/PKI/shared/ca.pem;
ssl_verify_client optional;
include fic-auth.conf;
root /srv/htdocs-frontend/;
@ -39,10 +37,10 @@ server {
add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'";
location = / {
include fic-auth.conf;
include fic-get-team.conf;
}
location = /index.html {
include fic-auth.conf;
include fic-get-team.conf;
}
location = /welcome.html {
internal;
@ -70,38 +68,38 @@ server {
}
location ~ ^/[A-Z] {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /edit {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /issues {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rank {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /tags/ {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /register {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
location /rules {
include fic-auth.conf;
include fic-get-team.conf;
rewrite ^/.*$ /index.html;
}
@ -113,7 +111,7 @@ server {
}
location /wait.json {
include fic-auth.conf;
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
@ -125,7 +123,7 @@ server {
add_header Cache-Control no-cache;
}
location /my.json {
include fic-auth.conf;
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
@ -136,7 +134,7 @@ server {
}
}
location /issues.json {
include fic-auth.conf;
include fic-get-team.conf;
root /srv/TEAMS/$team/;
expires epoch;
@ -165,7 +163,7 @@ server {
}
location /submit/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080/submission/;
proxy_set_header X-Forwarded-For $remote_addr;
@ -173,7 +171,7 @@ server {
proxy_redirect off;
}
location /issue {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
@ -181,7 +179,7 @@ server {
proxy_redirect off;
}
location /chname {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
@ -189,7 +187,7 @@ server {
proxy_redirect off;
}
location /registration {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
@ -197,7 +195,7 @@ server {
proxy_redirect off;
}
location /openhint/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
@ -205,7 +203,7 @@ server {
proxy_redirect off;
}
location /wantchoices/ {
include fic-auth.conf;
include fic-get-team.conf;
proxy_pass http://frontend:8080;
proxy_set_header X-Forwarded-For $remote_addr;
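Review bot: The client-certificate directives (`ssl_client_certificate`, `ssl_trusted_certificate`, `ssl_verify_client optional`) leave this `server {}` block and are replaced by `include fic-auth.conf;`, while the deployment manifest in this same commit sources prod's `fic-auth.conf` from `configs/nginx/auth/oidc.conf`. The only file on the page that still carries those directives is the new three-line one, and its path is not shown; if `auth/oidc.conf` is not that file, prod stops requesting client certificates and `$ssl_client_verify` is never `SUCCESS`, which the get-team variant may or may not treat as a failure. A comment above the include would make the dependency explicit: `# fic-auth.conf (auth/oidc.conf in prod, see the deployment files list) now owns the ssl_client_certificate / ssl_verify_client settings formerly inline here`. The enclosing `server {}` block begins and ends outside the hunks.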


@ -142,6 +142,7 @@ services:
- /etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro
- /etc/nginx/ssl/:/etc/nginx/ssl/:ro
- /etc/nginx/fic-auth.conf:/etc/nginx/fic-auth.conf:ro
- /etc/nginx/fic-get-team.conf:/etc/nginx/fic-get-team.conf:ro
- /www/htdocs-frontend:/srv/htdocs-frontend:ro
- /var/lib/fic/files:/srv/FILES:ro
- /var/lib/fic/pki:/srv/PKI:ro
@ -255,10 +256,13 @@ files:
source: configs/dhcpd.conf
mode: "0400"
- path: etc/nginx/conf.d/default.conf
source: configs/nginx-prod.conf
source: configs/nginx/base/prod.conf
mode: "0400"
- path: etc/nginx/fic-auth.conf
source: configs/fic-auth.conf
source: configs/nginx/auth/oidc.conf
mode: "0400"
- path: etc/nginx/fic-get-team.conf
source: configs/nginx/get-team/oidc.conf
mode: "0400"
- path: www/htdocs-frontend