kube/services/revproxy/nginx.conf

user nginx;
worker_processes 4;
pid /var/run/nginx.pid;

#
# Module loading moved out to gen3_modules.conf to account
# for differences between nginx versions.
# See revproxy-deploy.yaml
#
include /etc/nginx/gen3_mod*.conf;

##
# Preserve environment variables
# Note: to use the variable in blocks below, you must use
#   perl to set the variable. eg:
# perl_set $my_var 'sub { return $ENV{"MY_ENVIRONMENT_VAIRABLE"}; }';
##
env POD_NAMESPACE;
env CANARY_PERCENT_JSON;
env COOKIE_DOMAIN;
env ORIGINS_ALLOW_CREDENTIALS;
env DES_NAMESPACE;
env MAINTENANCE_MODE;
env INDEXD_AUTHZ;
env MDS_AUTHZ;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
port_in_redirect off;
# server_tokens off;

# For websockets
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}


map $proxy_protocol_addr $initialip {
  "" $http_x_forwarded_for;
  default $proxy_protocol_addr;
}

map $initialip $realip {
  "" $remote_addr; #if this header missing set remote_addr as real ip
  default $initialip;
}

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Note - nginscript js_set, etc get processed
#   on demand: https://www.nginx.com/blog/introduction-nginscript/
#
js_include helpers.js;
js_set $userid userid;
js_set $black_list_check checkBlackList;

# Modsecurity and blacklist configuration
include /etc/nginx/gen3_server*.conf;

# see portal-conf
perl_set $maintenance_mode_env 'sub { return $ENV{"MAINTENANCE_MODE"} || "undefined"; }';

##
# Get canary weight environment vars into block
# This allows us to use the var in njs scripts
##
perl_set $canary_percent_json 'sub { return $ENV{"CANARY_PERCENT_JSON"}; }';

##
# Service release parsing and assignment
#
js_set $service_releases getServiceReleases;

##
# Logging Settings
##
log_format aws   '$realip - $userid [$time_local] '
            '"$request" "$upstream" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent" "$canary_percent_json"';
error_log /dev/stderr warn;

log_format json '{"gen3log": "nginx", '
  '"date_access": "$time_iso8601", '
  '"user_id": "$userid", '
  '"request_id": "$request_id", '
  '"session_id": "$session_id", '
  '"visitor_id": "$visitor_id", '
  '"network_client_ip": "$realip", '
  '"network_bytes_write": $body_bytes_sent, '
  '"response_secs": $request_time, '
  '"http_status_code": $status, '
  '"http_request": "$request_uri", '
  '"http_verb": "$request_method", '
  '"http_referer": "$http_referer", '
  '"http_useragent": "$http_user_agent", '
  '"http_upstream": "$upstream", '
  '"proxy_service": "$proxy_service", '
  '"message": "$request" }';

access_log  /dev/stdout  json;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access_not_json.log main;

##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_proxied any;
gzip_types
  text/css
  text/javascript
  text/xml
  text/plain
  application/javascript
  application/x-javascript
  application/json;

##
# Namespace
##
perl_set $namespace 'sub { return $ENV{"POD_NAMESPACE"}; }';

##
# Fence Namespace
##
# For using fence, indexd, etc from a different namespace within the same k8 cluster -
# support data ecosystem feature ...
##    
perl_set $des_domain 'sub { return $ENV{"DES_NAMESPACE"} ? qq{.$ENV{"DES_NAMESPACE"}.svc.cluster.local} : qq{.$ENV{"POD_NAMESPACE"}.svc.cluster.local}; }';

##
# CORS Credential White List
##
perl_set $origins_allow_credentials 'sub { return $ENV{"ORIGINS_ALLOW_CREDENTIALS"}; }';
js_set $credentials_allowed isCredentialsAllowed;

## For multi-domain deployments
perl_set $csrf_cookie_domain 'sub { return $ENV{"COOKIE_DOMAIN"} ? qq{;domain=$ENV{"COOKIE_DOMAIN"}} : ""; }';

# indexd password for admin endpoint
perl_set $indexd_b64 'sub { $_ = $ENV{"INDEXD_AUTHZ"}; chomp; return "$_"; }';
# metadata service password for admin endpoint
perl_set $mds_b64 'sub { $_ = $ENV{"MDS_AUTHZ"}; chomp; return "$_"; }';


server {
    listen       6567;

    root /var/www/metrics;

    location /aggregated_metrics {
        types {}
        default_type text/plain;
        try_files $uri $uri/ /metrics.txt;
        autoindex on;
        access_log off;
    }
}

##
# Proxy Settings
##
# Serve internet facing http requests via this, and redirect to https
server {
  listen      82 default_server proxy_protocol;
  listen      83;

  server_tokens off;
  more_set_headers "X-Content-Type-Options: nosniff";

  set $proxy_service  "noproxy";
  set $access_token "none";
  set $session_id "none";
  set $visitor_id "none";
  set $upstream http://443loopback;

  return 301 https://$host$request_uri;
}

# Serve internet facing https requests and internal http requests here
server {
  listen 81 proxy_protocol;
  listen 80;

  server_tokens off;
  more_clear_headers "X-Powered-By" "Server"
  more_set_headers "X-Frame-Options: SAMEORIGIN";
  more_set_headers "X-Content-Type-Options: nosniff";
  more_set_headers "X-Xss-Protection: 1; mode=block";

  if ($http_x_forwarded_proto = "http") { return 301 https://$host$request_uri; }
  #
  # Strict-Transport-Security only applys for https traffic - set after testing protocol
  #
  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubdomains; ";

  # check request against ip black list
  include /etc/nginx/manifest-revproxy/blacklist.conf;
  
  #
  # From https://enable-cors.org/server_nginx.html
  # This overrides the individual services
  #
  set $allow_origin "*";
  if ($http_origin) {
    set $allow_origin "$http_origin";
  }

  more_set_headers "Access-Control-Allow-Origin: $allow_origin";
  more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT";
  more_set_headers "Access-Control-Allow-Credentials: $credentials_allowed";
  more_set_headers "Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,Cookie,X-CSRF-Token";
  more_set_headers "Access-Control-Expose-Headers: Content-Length,Content-Range";

  # update service release cookie
  add_header Set-Cookie "service_releases=${service_releases};Path=/;Max-Age=600;HttpOnly;Secure";
  
  if ($request_method = 'OPTIONS') {
    return 204;
  }

  #
  # DNS resolver required to resolve dynamic hostnames, btw - kubedns may not support ipv6
  # see https://www.nginx.com/blog/dns-service-discovery-nginx-plus/
  #     https://distinctplace.com/2017/04/19/nginx-resolver-explained/
  #
  resolver kube-dns.kube-system.svc.cluster.local ipv6=off;

  set $access_token "";
  set $csrf_check "ok-tokenauth";

  #
  # Note: add_header blocks are inheritted iff the current block does not call add_header:
  #     http://nginx.org/en/docs/http/ngx_http_headers_module.html
  #
  set $csrf_token "$request_id$request_length$request_time$time_iso8601";
  if ($cookie_csrftoken) {
    set $csrf_token "$cookie_csrftoken";
  }
  add_header Set-Cookie "csrftoken=$csrf_token$csrf_cookie_domain;Path=/;Secure";

  # visitor and session tracking for analytics -
  #    https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id
  #
  # Simple session tracking - expire the session if not active for 20 minutes
  set $session_id "$request_id";
  if ($cookie_session) {
    set $session_id "$cookie_session";
  }
  add_header Set-Cookie "session=$session_id;Path=/;Max-Age=1200;HttpOnly;Secure";
  # Simple visitor tracking - immortal
  set $visitor_id "$request_id";
  if ($cookie_visitor) {
    set $visitor_id "$cookie_visitor";
  }
  add_header Set-Cookie "visitor=$visitor_id;Path=/;Max-Age=36000000;HttpOnly;Secure";

  if ($cookie_access_token) {
      set $access_token "bearer $cookie_access_token";
      # cookie auth requires csrf check
      set $csrf_check "fail";
  }
  if ($http_authorization) {
      # Authorization header is present - prefer that token over cookie token
      set $access_token "$http_authorization";
  }

  #
  # initialize proxy_service and upstream used as key in logs to 
  # unspecified values - 
  # individual service locations should override to "peregrine", ...
  #
  set $proxy_service  "noproxy";

  #
  # Note - need to repeat this line in location blocks that call proxy_set_header,
  #   as nginx proxy module inherits proxy_set_header if and only if current level does
  #   not set headers ... http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
  #
  proxy_set_header   Authorization "$access_token";
  proxy_set_header   Host $host;
  proxy_set_header   X-Forwarded-For "$realip";
  proxy_set_header   X-UserId "$userid";
  # Can propagate this request id through downstream microservice requests for tracing
  proxy_set_header   X-ReqId "$request_id";
  proxy_set_header   X-SessionId "$session_id";
  proxy_set_header   X-VisitorId "$visitor_id";
  proxy_intercept_errors on;

  #
  # Accomodate large jwt token headers
  # * http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
  # * https://ma.ttias.be/nginx-proxy-upstream-sent-big-header-reading-response-header-upstream/
  #
  proxy_buffer_size          16k;
  proxy_buffers              8 16k;
  proxy_busy_buffers_size    32k;
  client_body_buffer_size    16k;
  
  #
  # also incoming from client:
  # * https://fullvalence.com/2016/07/05/cookie-size-in-nginx/
  # * https://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
  large_client_header_buffers 4 8k;
  client_header_buffer_size 4k;

  #
  # CSRF check
  # This block requires a csrftoken for all POST requests.
  #
  if ($cookie_csrftoken = $http_x_csrf_token) {
    # this will fail further below if cookie_csrftoken is empty
    set $csrf_check "ok-$cookie_csrftoken";
  }
  if ($request_method != "POST") {
    set $csrf_check "ok-$request_method";
  }
  if ($cookie_access_token = "") {
    # do this again here b/c empty cookie_csrftoken == empty http_x_csrf_token - ugh
    set $csrf_check "ok-tokenauth";
  }

  ##
  # Set variables for service release names
  ##
  set $fence_release_name "fence";
  # TODO: configure the rest of the canary-related config later
  set $presigned_url_fence_release_name "presigned-url-fence";
  if ($service_releases ~* "fence\.canary") {
    set $fence_release_name "${fence_release_name}-canary";
  }
  set $fenceshib_release_name "fenceshib";
  if ($service_releases ~* "fenceshib\.canary") {
    set $fenceshib_release_name "${fenceshib_release_name}-canary";
  }
  set $sheepdog_release_name "sheepdog";
  if ($service_releases ~* "sheepdog\.canary") {
    set $sheepdog_release_name "${sheepdog_release_name}-canary";
  }
  set $peregrine_release_name "peregrine";
  if ($service_releases ~* "peregrine\.canary") {
    set $peregrine_release_name "${peregrine_release_name}-canary";
  }
  set $indexd_release_name "indexd";
  if ($service_releases ~* "indexd\.canary") {
    set $indexd_release_name "${indexd_release_name}-canary";
  }
  set $manifestservice_release_name "manifestservice";
  if ($service_releases ~* "manifestservice\.canary") {
    set $manifestservice_release_name "${manifestservice_release_name}-canary";
  }
  set $arborist_release_name "arborist";

  error_page 500 501 502 503 504 @5xx;

  location @5xx {
      internal;
      return 500 "{ \"error\": \"service failure - try again later\"}";
  }

  location = /_status {    
      default_type application/json;
      set $upstream http://localhost;
      return 200 "{ \"message\": \"Fealin good!\", \"csrf\": \"$csrf_token\" }\n";
  }

  location /nginx_status {
      stub_status;
      allow 127.0.0.1;
      deny all;
      access_log off;
  }

  # https://easyengine.io/tutorials/nginx/status-page/
  # Disable for now - access restrictions not working ...?
  #location /nginx_status {
  #  stub_status on;
  #  access_log   off;
  #  allow 172.16.0.0/12;
  #  allow 10.0.0.0/8;
  #  deny all;
  #}

  include /etc/nginx/gen3.conf/*.conf;

  location @errorworkspace {
      return 302 https://$host/no-workspace-access;
  }
}
}