From fb53c9a4f1c0c64d38f057e65735fa7837761821 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Sun, 5 Sep 2021 05:23:55 +0200
Subject: [PATCH] configs: Rework nginx configs

---
 Dockerfile-nginx | 5 +-
 configs/nginx-frontend-htpasswd.conf | 240 ------------------
 configs/nginx/auth/client-cert.conf | 3 +
 configs/nginx/auth/none.conf | 0
 .../{nginx-demo.conf => nginx/base/demo.conf} | 0
 .../base/docker.conf} | 44 ++--
 .../{nginx-prod.conf => nginx/base/prod.conf} | 40 ++-
 .../base/static.conf} | 0
 .../get-team/client-cert.conf} | 0
 .../get-team/request.conf} | 0
 .../get-team/team-1.conf} | 0
 .../get-team/upstream.conf} | 0
 fickit-frontend.yml | 8 +-
 13 files changed, 54 insertions(+), 286 deletions(-)
 delete mode 100644 configs/nginx-frontend-htpasswd.conf
 create mode 100644 configs/nginx/auth/client-cert.conf
 create mode 100644 configs/nginx/auth/none.conf
 rename configs/{nginx-demo.conf => nginx/base/demo.conf} (100%)
 rename configs/{nginx-docker.conf => nginx/base/docker.conf} (89%)
 rename configs/{nginx-prod.conf => nginx/base/prod.conf} (88%)
 rename configs/{nginx-fic-static.conf => nginx/base/static.conf} (100%)
 rename configs/{fic-auth.conf => nginx/get-team/client-cert.conf} (100%)
 rename configs/{fic-auth-fwd.conf => nginx/get-team/request.conf} (100%)
 rename configs/{nginx-fic.conf => nginx/get-team/team-1.conf} (100%)
 rename configs/{fic-auth-docker.conf => nginx/get-team/upstream.conf} (100%)

diff --git a/Dockerfile-nginx b/Dockerfile-nginx
index c1e3d77e..d3d83b55 100644
--- a/Dockerfile-nginx
+++ b/Dockerfile-nginx
@@ -21,7 +21,8 @@ EXPOSE 80
 COPY configs/nginx-chbase.sh /docker-entrypoint.d/40-update-baseurl.sh
-COPY configs/fic-auth-docker.conf /etc/nginx/fic-auth.conf
-COPY configs/nginx-docker.conf /etc/nginx/templates/default.conf.template
+COPY configs/nginx/get-team/upstream.conf /etc/nginx/fic-get-team.conf
+COPY configs/nginx/auth/none.conf /etc/nginx/fic-auth.conf
+COPY configs/nginx/base/docker.conf /etc/nginx/templates/default.conf.template
 COPY --from=nodebuild /ui/build/ /srv/htdocs-frontend
diff --git a/configs/nginx-frontend-htpasswd.conf b/configs/nginx-frontend-htpasswd.conf
deleted file mode 100644
index c745f3fb..00000000
--- a/configs/nginx-frontend-htpasswd.conf
+++ /dev/null
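Review bot: The image now ships the empty `configs/nginx/auth/none.conf` (the diffstat lists it at 0 lines) as `/etc/nginx/fic-auth.conf`, so this container performs no edge authentication and every `include fic-get-team.conf` location relies solely on `get-team/upstream.conf` to establish `$team`. That snippet is a pure rename whose contents are not shown here; if it derives the team from a request header, nothing in this image checks where that header came from, which is only acceptable behind a proxy that sets it. That assumption deserves a line in the Dockerfile rather than living in a file name: `# docker image: no edge auth (auth/none.conf is empty); $team is resolved by get-team/upstream.conf, so run only behind a proxy that controls its input`.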
@@ -1,240 +0,0 @@ -server_tokens off; -proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g; -proxy_connect_timeout 1s; - -server { - listen 80 default; - listen [::]:80 default; - - root /srv/htdocs-frontend/; - - error_page 401 /welcome.html; - error_page 403 404 /e404.html; - error_page 413 404 /e413.html; - error_page 500 502 504 /e500.html; - - location = / { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - } - location = /index.html { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - } - - location = /welcome.html { - internal; - if ($http_accept ~ "^application/json") { - rewrite ^/(.*).html$ /$1.json; - } - } - location = /e404.html { - internal; - if ($http_accept ~ "^application/json") { - rewrite ^/(.*).html$ /$1.json; - } - } - location = /e413.html { - internal; - if ($http_accept ~ "^application/json") { - rewrite ^/(.*).html$ /$1.json; - } - } - location = /e500.html { - internal; - if ($http_accept ~ "^application/json") { - rewrite ^/(.*).html$ /$1.json; - } - } - - location /edit { - rewrite ^/.*$ /index.html; - } - location /rank { - rewrite ^/.*$ /index.html; - } - location /rules { - rewrite ^/.*$ /index.html; - } - location /tags/ { - rewrite ^/.*$ /index.html; - } - location /register { - rewrite ^/.*$ /index.html; - } - location ~ ^/[A-Z] { - rewrite ^/.*$ /index.html; - } - - location /files/ { - alias /srv/FILES/; - tcp_nodelay on; - } - - location /wait.json { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - root /srv/TEAMS/$team/; - expires epoch; - add_header Cache-Control no-cache; - } - location /stats.json { - root /srv/TEAMS/; - expires epoch; - add_header Cache-Control no-cache; - } - location /my.json { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - root /srv/TEAMS/$team/; - expires epoch; - add_header Cache-Control no-cache; - - if (!-f 
$document_root/../../startingblock/started) { - rewrite ^/ /wait.json; - } - } - location /settings.json { - root /srv/SETTINGS/; - expires epoch; - add_header X-FIC-time $msec; - add_header Cache-Control no-cache; - } - location /teams.json { - root /srv/TEAMS/; - expires epoch; - add_header Cache-Control no-cache; - } - location /themes.json { - root /srv/TEAMS/; - expires epoch; - add_header Cache-Control no-cache; - } - - location /dashboard/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - #if ($remote_user !~ "^nemunaire|bombal_s$") { - # return 403; - #} - - proxy_pass http://fic-dashboard:8082; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /api/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - #if ($remote_user !~ "^nemunaire|bombal_s$") { - # return 403; - #} - - proxy_pass http://fic-admin:8081/admin/api/; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /admin/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - #if ($remote_user !~ "^nemunaire|bombal_s$") { - # return 403; - #} - - proxy_pass http://fic-admin:8081; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /submit/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - rewrite ^/submit/(.*)$ /submission/$team/$1 break; - - proxy_pass http://fic-frontend:8080/; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /submit/name { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - rewrite ^/submit/.*$ /chname/$team break; - - proxy_pass http://fic-frontend:8080/; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /qa/ { - proxy_pass http://fic-qa:8083; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /registration { 
- #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - rewrite ^/registration /registration/$team break; - - proxy_pass http://fic-frontend:8080; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /openhint/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - rewrite ^/openhint/(.*)$ /openhint/$team/$1 break; - - proxy_pass http://fic-frontend:8080/; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location /wantchoices/ { - #auth_basic "Secure Zone"; - #auth_basic_user_file ficpasswd; - - include /etc/nginx/auth.conf; - - rewrite ^/wantchoices/(.*)$ /wantchoices/$team/$1 break; - - proxy_pass http://fic-frontend:8080/; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - } - - location = /events.json { - proxy_pass http://fic-admin:8081/api/events/; - proxy_method GET; - proxy_pass_request_body off; - proxy_set_header Content-Length ""; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_redirect off; - proxy_cache STATIC; - proxy_cache_valid 3s; - } -} diff --git a/configs/nginx/auth/client-cert.conf b/configs/nginx/auth/client-cert.conf new file mode 100644 index 00000000..7fcbb0c7 --- /dev/null +++ b/configs/nginx/auth/client-cert.conf @@ -0,0 +1,3 @@ +ssl_client_certificate /srv/PKI/shared/ca.pem; +ssl_trusted_certificate /srv/PKI/shared/ca.pem; +ssl_verify_client optional; diff --git a/configs/nginx/auth/none.conf b/configs/nginx/auth/none.conf new file mode 100644 index 00000000..e69de29b diff --git a/configs/nginx-demo.conf b/configs/nginx/base/demo.conf similarity index 100% rename from configs/nginx-demo.conf rename to configs/nginx/base/demo.conf diff --git a/configs/nginx-docker.conf b/configs/nginx/base/docker.conf similarity index 89% rename from configs/nginx-docker.conf rename to configs/nginx/base/docker.conf index aee1c2cb..105f820d 100644 
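Review bot: `ssl_verify_client optional;` on the last line of the new `auth/client-cert.conf` means connections that present no certificate, or one that fails verification against `/srv/PKI/shared/ca.pem`, are still served, so this snippet configures verification but does not enforce it; the accept/reject decision has to happen in the per-location get-team snippet by checking `$ssl_client_verify`, and nothing in the file says so. Presumably `get-team/client-cert.conf` (a 100% rename, not visible here) does that today, but now that this is a standalone file it can be paired with any of the four `get-team/*.conf` snippets, and a header comment would prevent a mismatched pairing: `# Server-scope TLS client-cert setup. Verification is deliberately optional; the paired get-team snippet must reject requests whose $ssl_client_verify is not SUCCESS.` `ssl_trusted_certificate` pointing at the same CA as `ssl_client_certificate` only matters if the CA name should not be advertised to clients; a short comment on why both are set would help too.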
--- a/configs/nginx-docker.conf +++ b/configs/nginx/base/docker.conf @@ -6,6 +6,8 @@ server { listen 80 default; listen [::]:80 default; + include fic-auth.conf; + root ${PATH_STATIC}; error_page 401 /welcome.html; @@ -27,10 +29,10 @@ server { add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'"; location = / { - include fic-auth.conf; + include fic-get-team.conf; } location = /index.html { - include fic-auth.conf; + include fic-get-team.conf; } location = /welcome.html { internal; @@ -62,38 +64,38 @@ server { } location ~ ^/[A-Z] { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /edit { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /issues { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /rank { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /tags/ { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /register { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /rules { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } @@ -105,7 +107,7 @@ server { } location /wait.json { - include fic-auth.conf; + include fic-get-team.conf; root ${PATH_TEAMS}/$team/; expires epoch; @@ -117,7 +119,7 @@ server { add_header Cache-Control no-cache; } location /my.json { - include fic-auth.conf; + include fic-get-team.conf; root ${PATH_TEAMS}/$team/; expires epoch; 
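Review bot: The new server-scope `include fic-auth.conf;` in the first hunk sits in a server that only has `listen 80 default;` / `listen [::]:80 default;`, and the only auth snippet with content in this patch (`auth/client-cert.conf`) consists of `ssl_*` directives that, as far as I know, nginx parses without complaint but never applies on a plain-HTTP listener. The docker image pairs this file with the empty `auth/none.conf`, so it works today, but an operator who mounts the client-cert snippet over `/etc/nginx/fic-auth.conf` would get no verification and no error. A comment next to the include would flag that: `# fic-auth.conf is server-scope; on this port-80 listener only snippets that do not depend on TLS (e.g. auth/none.conf) take effect`. The remaining hunks in this file are the mechanical `fic-auth.conf` → `fic-get-team.conf` rename and need nothing; the enclosing `server {` block continues outside the hunk.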
@@ -128,7 +130,7 @@ server { } } location /issues.json { - include fic-auth.conf; + include fic-get-team.conf; root ${PATH_TEAMS}/$team/; expires epoch; @@ -152,7 +154,7 @@ server { } location /submit/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}/submission/; proxy_set_header X-Forwarded-For $remote_addr; @@ -160,7 +162,7 @@ server { proxy_redirect off; } location /issue { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}; proxy_set_header X-Forwarded-For $remote_addr; @@ -168,7 +170,7 @@ server { proxy_redirect off; } location /chname { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}; proxy_set_header X-Forwarded-For $remote_addr; @@ -176,7 +178,7 @@ server { proxy_redirect off; } location /registration { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}; proxy_set_header X-Forwarded-For $remote_addr; @@ -184,7 +186,7 @@ server { proxy_redirect off; } location /openhint/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}; proxy_set_header X-Forwarded-For $remote_addr; @@ -192,7 +194,7 @@ server { proxy_redirect off; } location /wantchoices/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_FRONTEND}; proxy_set_header X-Forwarded-For $remote_addr; @@ -201,7 +203,7 @@ server { } location /api/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_ADMIN}${FIC_BASEURL}admin/api/; proxy_set_header X-Forwarded-For $remote_addr; @@ -216,7 +218,7 @@ server { } location ${FIC_BASEURL}qa/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_QA}; proxy_set_header X-Forwarded-For $remote_addr; 
@@ -225,7 +227,7 @@ server { } location ${FIC_BASEURL}dashboard/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://${HOST_DASHBOARD}; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/configs/nginx-prod.conf b/configs/nginx/base/prod.conf similarity index 88% rename from configs/nginx-prod.conf rename to configs/nginx/base/prod.conf index d5819b2a..e13add70 100644 --- a/configs/nginx-prod.conf +++ b/configs/nginx/base/prod.conf @@ -19,9 +19,7 @@ server { ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; - ssl_client_certificate /srv/PKI/shared/ca.pem; - ssl_trusted_certificate /srv/PKI/shared/ca.pem; - ssl_verify_client optional; + include fic-auth.conf; root /srv/htdocs-frontend/; @@ -39,10 +37,10 @@ server { add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'"; location = / { - include fic-auth.conf; + include fic-get-team.conf; } location = /index.html { - include fic-auth.conf; + include fic-get-team.conf; } location = /welcome.html { internal; 
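Review bot: The three client-certificate directives removed from `base/prod.conf` here (`ssl_client_certificate`, `ssl_trusted_certificate`, `ssl_verify_client optional`) now exist only in `configs/nginx/auth/client-cert.conf`, and nothing in this patch installs that file as `/etc/nginx/fic-auth.conf`: `fickit-frontend.yml` sources it from `configs/nginx/auth/oidc.conf` and the companion `etc/nginx/fic-get-team.conf` from `configs/nginx/get-team/oidc.conf`, neither of which the diffstat creates or renames. Unless those two files already exist in the repository, the production build either fails or deploys a server that no longer requests client certificates while every `include fic-get-team.conf` location still assumes `$team` was established. Either add the two oidc snippets in this commit or point the manifest at what the patch does provide, `source: configs/nginx/auth/client-cert.conf` and `source: configs/nginx/get-team/client-cert.conf`, until they land. The `server {` block this include belongs to starts and ends outside the hunk.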
@@ -70,38 +68,38 @@ server { } location ~ ^/[A-Z] { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /edit { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /issues { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /rank { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /tags/ { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /register { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } location /rules { - include fic-auth.conf; + include fic-get-team.conf; rewrite ^/.*$ /index.html; } @@ -113,7 +111,7 @@ server { } location /wait.json { - include fic-auth.conf; + include fic-get-team.conf; root /srv/TEAMS/$team/; expires epoch; @@ -125,7 +123,7 @@ server { add_header Cache-Control no-cache; } location /my.json { - include fic-auth.conf; + include fic-get-team.conf; root /srv/TEAMS/$team/; expires epoch; @@ -136,7 +134,7 @@ server { } } location /issues.json { - include fic-auth.conf; + include fic-get-team.conf; root /srv/TEAMS/$team/; expires epoch; @@ -165,7 +163,7 @@ server { } location /submit/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080/submission/; proxy_set_header X-Forwarded-For $remote_addr; @@ -173,7 +171,7 @@ server { proxy_redirect off; } location /issue { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; @@ -181,7 +179,7 @@ server { proxy_redirect off; } location /chname { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; 
@@ -189,7 +187,7 @@ server { proxy_redirect off; } location /registration { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; @@ -197,7 +195,7 @@ server { proxy_redirect off; } location /openhint/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; @@ -205,7 +203,7 @@ server { proxy_redirect off; } location /wantchoices/ { - include fic-auth.conf; + include fic-get-team.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; diff --git a/configs/nginx-fic-static.conf b/configs/nginx/base/static.conf similarity index 100% rename from configs/nginx-fic-static.conf rename to configs/nginx/base/static.conf diff --git a/configs/fic-auth.conf b/configs/nginx/get-team/client-cert.conf similarity index 100% rename from configs/fic-auth.conf rename to configs/nginx/get-team/client-cert.conf diff --git a/configs/fic-auth-fwd.conf b/configs/nginx/get-team/request.conf similarity index 100% rename from configs/fic-auth-fwd.conf rename to configs/nginx/get-team/request.conf diff --git a/configs/nginx-fic.conf b/configs/nginx/get-team/team-1.conf similarity index 100% rename from configs/nginx-fic.conf rename to configs/nginx/get-team/team-1.conf diff --git a/configs/fic-auth-docker.conf b/configs/nginx/get-team/upstream.conf similarity index 100% rename from configs/fic-auth-docker.conf rename to configs/nginx/get-team/upstream.conf diff --git a/fickit-frontend.yml b/fickit-frontend.yml index 2fa43611..b803dfd5 100644 --- a/fickit-frontend.yml +++ b/fickit-frontend.yml 
@@ -142,6 +142,7 @@ services: - /etc/nginx/conf.d/default.conf:/etc/nginx/conf.d/default.conf:ro - /etc/nginx/ssl/:/etc/nginx/ssl/:ro - /etc/nginx/fic-auth.conf:/etc/nginx/fic-auth.conf:ro + - /etc/nginx/fic-get-team.conf:/etc/nginx/fic-get-team.conf:ro - /www/htdocs-frontend:/srv/htdocs-frontend:ro - /var/lib/fic/files:/srv/FILES:ro - /var/lib/fic/pki:/srv/PKI:ro @@ -255,10 +256,13 @@ files: source: configs/dhcpd.conf mode: "0400" - path: etc/nginx/conf.d/default.conf - source: configs/nginx-prod.conf + source: configs/nginx/base/prod.conf mode: "0400" - path: etc/nginx/fic-auth.conf - source: configs/fic-auth.conf + source: configs/nginx/auth/oidc.conf + mode: "0400" + - path: etc/nginx/fic-get-team.conf + source: configs/nginx/get-team/oidc.conf mode: "0400" - path: www/htdocs-frontend