diff --git a/scripts/dockerfiles/nginx/Dockerfile b/scripts/dockerfiles/nginx/Dockerfile
index caf6b283b..dec7f3987 100644
--- a/scripts/dockerfiles/nginx/Dockerfile
+++ b/scripts/dockerfiles/nginx/Dockerfile
@@ -1,179 +1,5 @@
-# Dockerfile - alpine
-# https://github.com/openresty/docker-openresty
+FROM openresty/openresty:1.21.4.1-alpine
-ARG RESTY_IMAGE_BASE="alpine"
-ARG RESTY_IMAGE_TAG="3.16"
-
-FROM ${RESTY_IMAGE_BASE}:${RESTY_IMAGE_TAG}
-
-LABEL maintainer="Evan Wies "
-
-# Docker Build Arguments
-ARG RESTY_IMAGE_BASE="alpine"
-ARG RESTY_IMAGE_TAG="3.16"
-ARG RESTY_VERSION="1.21.4.1"
-ARG RESTY_OPENSSL_VERSION="1.1.1p"
-ARG RESTY_OPENSSL_PATCH_VERSION="1.1.1f"
-ARG RESTY_OPENSSL_URL_BASE="https://www.openssl.org/source"
-ARG RESTY_PCRE_VERSION="8.45"
-ARG RESTY_PCRE_BUILD_OPTIONS="--enable-jit"
-ARG RESTY_PCRE_SHA256="4e6ce03e0336e8b4a3d6c2b70b1c5e18590a5673a98186da90d4f33c23defc09"
-ARG RESTY_J="1"
-ARG RESTY_CONFIG_OPTIONS="\
- --with-compat \
- --with-file-aio \
- --with-http_addition_module \
- --with-http_auth_request_module \
- --with-http_dav_module \
- --with-http_flv_module \
- --with-http_geoip_module=dynamic \
- --with-http_gunzip_module \
- --with-http_gzip_static_module \
- --with-http_image_filter_module=dynamic \
- --with-http_mp4_module \
- --with-http_random_index_module \
- --with-http_realip_module \
- --with-http_secure_link_module \
- --with-http_slice_module \
- --with-http_ssl_module \
- --with-http_stub_status_module \
- --with-http_sub_module \
- --with-http_v2_module \
- --with-http_xslt_module=dynamic \
- --with-ipv6 \
- --with-mail \
- --with-mail_ssl_module \
- --with-md5-asm \
- --with-sha1-asm \
- --with-stream \
- --with-stream_ssl_module \
- --with-threads \
- "
-ARG RESTY_CONFIG_OPTIONS_MORE=""
-ARG RESTY_LUAJIT_OPTIONS="--with-luajit-xcflags='-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT'"
-ARG RESTY_PCRE_OPTIONS="--with-pcre-jit"
-
-ARG RESTY_ADD_PACKAGE_BUILDDEPS=""
-ARG RESTY_ADD_PACKAGE_RUNDEPS=""
-ARG RESTY_EVAL_PRE_CONFIGURE=""
-ARG RESTY_EVAL_POST_MAKE=""
-
-# These are not intended to be user-specified
-ARG _RESTY_CONFIG_DEPS="--with-pcre \
- --with-cc-opt='-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl/include' \
- --with-ld-opt='-L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl/lib -Wl,-rpath,/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl/lib' \
- "
-
-LABEL resty_image_base="${RESTY_IMAGE_BASE}"
-LABEL resty_image_tag="${RESTY_IMAGE_TAG}"
-LABEL resty_version="${RESTY_VERSION}"
-LABEL resty_openssl_version="${RESTY_OPENSSL_VERSION}"
-LABEL resty_openssl_patch_version="${RESTY_OPENSSL_PATCH_VERSION}"
-LABEL resty_openssl_url_base="${RESTY_OPENSSL_URL_BASE}"
-LABEL resty_pcre_version="${RESTY_PCRE_VERSION}"
-LABEL resty_pcre_build_options="${RESTY_PCRE_BUILD_OPTIONS}"
-LABEL resty_pcre_sha256="${RESTY_PCRE_SHA256}"
-LABEL resty_config_options="${RESTY_CONFIG_OPTIONS}"
-LABEL resty_config_options_more="${RESTY_CONFIG_OPTIONS_MORE}"
-LABEL resty_config_deps="${_RESTY_CONFIG_DEPS}"
-LABEL resty_add_package_builddeps="${RESTY_ADD_PACKAGE_BUILDDEPS}"
-LABEL resty_add_package_rundeps="${RESTY_ADD_PACKAGE_RUNDEPS}"
-LABEL resty_eval_pre_configure="${RESTY_EVAL_PRE_CONFIGURE}"
-LABEL resty_eval_post_make="${RESTY_EVAL_POST_MAKE}"
-LABEL resty_luajit_options="${RESTY_LUAJIT_OPTIONS}"
-LABEL resty_pcre_options="${RESTY_PCRE_OPTIONS}"
-
-RUN apk add --no-cache --virtual .build-deps \
- build-base \
- coreutils \
- curl \
- gd-dev \
- geoip-dev \
- libxslt-dev \
- linux-headers \
- make \
- perl-dev \
- readline-dev \
- zlib-dev \
- ${RESTY_ADD_PACKAGE_BUILDDEPS} \
- && apk add --no-cache \
- gd \
- geoip \
- libgcc \
- libxslt \
- zlib \
- ${RESTY_ADD_PACKAGE_RUNDEPS} \
- && cd /tmp \
- && if [ -n "${RESTY_EVAL_PRE_CONFIGURE}" ]; then eval $(echo ${RESTY_EVAL_PRE_CONFIGURE}); fi \
- && cd /tmp \
- && curl -fSL "${RESTY_OPENSSL_URL_BASE}/openssl-${RESTY_OPENSSL_VERSION}.tar.gz" -o openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
- && tar xzf openssl-${RESTY_OPENSSL_VERSION}.tar.gz \
- && cd openssl-${RESTY_OPENSSL_VERSION} \
- && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.1" ] ; then \
- echo 'patching OpenSSL 1.1.1 for OpenResty' \
- && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
- fi \
- && if [ $(echo ${RESTY_OPENSSL_VERSION} | cut -c 1-5) = "1.1.0" ] ; then \
- echo 'patching OpenSSL 1.1.0 for OpenResty' \
- && curl -s https://raw.githubusercontent.com/openresty/openresty/ed328977028c3ec3033bc25873ee360056e247cd/patches/openssl-1.1.0j-parallel_build_fix.patch | patch -p1 \
- && curl -s https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-${RESTY_OPENSSL_PATCH_VERSION}-sess_set_get_cb_yield.patch | patch -p1 ; \
- fi \
- && ./config \
- no-threads shared zlib -g \
- enable-ssl3 enable-ssl3-method \
- --prefix=/usr/local/openresty/openssl \
- --libdir=lib \
- -Wl,-rpath,/usr/local/openresty/openssl/lib \
- && make -j${RESTY_J} \
- && make -j${RESTY_J} install_sw \
- && cd /tmp \
- && curl -fSL https://downloads.sourceforge.net/project/pcre/pcre/${RESTY_PCRE_VERSION}/pcre-${RESTY_PCRE_VERSION}.tar.gz -o pcre-${RESTY_PCRE_VERSION}.tar.gz \
- && echo "${RESTY_PCRE_SHA256} pcre-${RESTY_PCRE_VERSION}.tar.gz" | shasum -a 256 --check \
- && tar xzf pcre-${RESTY_PCRE_VERSION}.tar.gz \
- && cd /tmp/pcre-${RESTY_PCRE_VERSION} \
- && ./configure \
- --prefix=/usr/local/openresty/pcre \
- --disable-cpp \
- --enable-utf \
- --enable-unicode-properties \
- ${RESTY_PCRE_BUILD_OPTIONS} \
- && make -j${RESTY_J} \
- && make -j${RESTY_J} install \
- && cd /tmp \
- && curl -fSL https://openresty.org/download/openresty-${RESTY_VERSION}.tar.gz -o openresty-${RESTY_VERSION}.tar.gz \
- && tar xzf openresty-${RESTY_VERSION}.tar.gz \
- && cd /tmp/openresty-${RESTY_VERSION} \
- && eval ./configure -j${RESTY_J} ${_RESTY_CONFIG_DEPS} ${RESTY_CONFIG_OPTIONS} ${RESTY_CONFIG_OPTIONS_MORE} ${RESTY_LUAJIT_OPTIONS} ${RESTY_PCRE_OPTIONS} \
- && make -j${RESTY_J} \
- && make -j${RESTY_J} install \
- && cd /tmp \
- && if [ -n "${RESTY_EVAL_POST_MAKE}" ]; then eval $(echo ${RESTY_EVAL_POST_MAKE}); fi \
- && rm -rf \
- openssl-${RESTY_OPENSSL_VERSION}.tar.gz openssl-${RESTY_OPENSSL_VERSION} \
- pcre-${RESTY_PCRE_VERSION}.tar.gz pcre-${RESTY_PCRE_VERSION} \
- openresty-${RESTY_VERSION}.tar.gz openresty-${RESTY_VERSION} \
- && apk del .build-deps \
- && mkdir -p /var/run/openresty \
- && ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \
- && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log
-
-# Add additional binaries into PATH for convenience
-ENV PATH=$PATH:/usr/local/openresty/luajit/bin:/usr/local/openresty/nginx/sbin:/usr/local/openresty/bin
-
-# Copy nginx configuration files
-COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
-COPY nginx.vh.default.conf /etc/nginx/conf.d/default.conf
-
-CMD ["/usr/local/openresty/bin/openresty", "-g", "daemon off;"]
-
-# Use SIGQUIT instead of default SIGTERM to cleanly drain requests
-# See https://github.com/openresty/docker-openresty/blob/master/README.md#tips--pitfalls
-STOPSIGNAL SIGQUIT
-
-
-# Openreplay Custom configs
-
-RUN apk upgrade busybox --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
 # Adding prometheus monitoring support
 ADD https://raw.githubusercontent.com/knyar/nginx-lua-prometheus/master/prometheus.lua /usr/local/openresty/lualib/
 ADD https://raw.githubusercontent.com/knyar/nginx-lua-prometheus/master/prometheus_keys.lua /usr/local/openresty/lualib/
@@ -183,4 +9,6 @@ RUN chmod 0644 /usr/local/openresty/lualib/*.lua
 # Enabling monitoring on port 9145
 # Warning: don't expose this port to public network
 COPY nginx.conf /usr/local/openresty${RESTY_DEB_FLAVOR}/nginx/conf/nginx.conf
+COPY compression.conf /etc/nginx/conf.d/compression.conf
+COPY location.list /etc/nginx/conf.d/location.list
 RUN chmod 0644 /usr/local/openresty${RESTY_DEB_FLAVOR}/nginx/conf/nginx.conf
diff --git a/scripts/dockerfiles/nginx/compression.conf b/scripts/dockerfiles/nginx/compression.conf
new file mode 100644
index 000000000..fa0c6df3c
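Review bot: The new base line `FROM openresty/openresty:1.21.4.1-alpine` is tagged but not digest-pinned, and because it replaces the from-source build it also drops the one checksum the old recipe verified (`RESTY_PCRE_SHA256` on the PCRE tarball), so the image contents now depend entirely on what the registry serves for that tag; pin it, e.g. `FROM openresty/openresty:1.21.4.1-alpine@sha256:<digest>`. The old file's `CMD`, `STOPSIGNAL SIGQUIT` and `ENV PATH` are deleted with no replacement; the upstream openresty image presumably provides equivalents, but that should be confirmed rather than assumed, since a wrong stop signal means in-flight requests are dropped on pod termination. The surviving context lines still fetch `prometheus.lua` and `prometheus_keys.lua` from an unpinned `master` ref with bare `ADD`, and the `apk upgrade busybox ... edge/main` line, if it stays, pulls from the Alpine edge repo over plain http; both pre-date this commit but are worth a follow-up with `ADD --checksum=sha256:...` against a pinned commit.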
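Review bot: `COPY compression.conf /etc/nginx/conf.d/compression.conf` places the snippet under the `include /etc/nginx/conf.d/*.conf;` glob that nginx.conf already has (visible in the nginx.conf hunk of this diff), so its `gzip on` and `gzip_types` apply at `http` scope to every server and location, not only where `location /` explicitly includes it, which means the `/api/` and `/ingest/` proxies also get compressed. If the intent is to scope compression to the frontend, give the file a name the glob does not match, e.g. `COPY compression.conf /etc/nginx/conf.d/compression.inc`, and update the `include` path in location.list to match. `location.list` is not matched by the glob and is only loaded through the explicit include, which is fine; a short comment on these two lines saying which file is auto-included and which is not would stop the next reader from making the same assumption.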
--- /dev/null
+++ b/scripts/dockerfiles/nginx/compression.conf
@@ -0,0 +1,28 @@
+# Compression
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 256; # 256Bytes
+gzip_proxied any;
+gzip_vary on;
+# Content types for compression
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/ld+json
+application/manifest+json
+application/rss+xml
+application/vnd.geo+json
+application/vnd.ms-fontobject
+application/x-font-ttf
+application/x-web-app-manifest+json
+application/xhtml+xml
+application/xml
+font/opentype
+image/bmp
+image/svg+xml
+image/x-icon
+text/cache-manifest
+text/css
+text/plain
+;
diff --git a/scripts/dockerfiles/nginx/default.conf b/scripts/dockerfiles/nginx/default.conf
new file mode 100644
index 000000000..4dd31fa01
--- /dev/null
+++ b/scripts/dockerfiles/nginx/default.conf
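Review bot: With `gzip_proxied any;` and `application/json` / `text/plain` in `gzip_types`, this snippet compresses proxied API responses as well as static assets, and on the TLS `server` that exposes any response which echoes attacker-influenced input next to a secret (session id, CSRF token) to BREACH-style compression oracles. Either trim the list to static-asset types and drop `application/json` and `text/plain` unless the API responses are known to carry no secrets, or make sure the file is only ever included from `location /` for the frontend; as this diff also copies it into the `conf.d/*.conf` glob, it is effectively global right now. A one-line header stating the intended scope, e.g. `# Included only from the frontend location; do not apply to API responses (BREACH)`, would record that decision in the file itself.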
@@ -0,0 +1,147 @@
+location ~* /general_stats {
+ deny all;
+}
+location /healthz {
+ return 200 'OK';
+}
+location ~ ^/(mobs|sessions-assets|frontend|static|sourcemaps|ios-images)/ {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+
+ proxy_connect_timeout 300;
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+
+ proxy_pass http://minio.db.svc.cluster.local:9000;
+}
+
+location /minio/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_pass http://minio.db.svc.cluster.local:9000;
+}
+location /ingest/ {
+ rewrite ^/ingest/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $real_ip;
+ proxy_set_header X-Forwarded-Host $real_ip;
+ proxy_set_header X-Real-IP $real_ip;
+ proxy_set_header Host $host;
+ proxy_pass http://http-openreplay.app.svc.cluster.local;
+ proxy_read_timeout 300;
+ proxy_connect_timeout 120;
+ proxy_send_timeout 300;
+}
+location /grafana {
+ set $target http://monitoring-grafana.monitoring.svc.cluster.local;
+ rewrite ^/grafana/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_pass $target;
+}
+location /api/ {
+ rewrite ^/api/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://chalice-openreplay.app.svc.cluster.local:8000;
+}
+location /assist/ {
+ rewrite ^/assist/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_pass http://utilities-openreplay.app.svc.cluster.local:9000;
+}
+location /assets/ {
+ rewrite ^/assets/(.*) /sessions-assets/$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_pass http://minio.db.svc.cluster.local:9000;
+}
+location / {
+ index /index.html;
+ rewrite ^((?!.(js|css|png|svg|jpg|woff|woff2)).)*$ /frontend/index.html break;
+ include /etc/nginx/conf.d/compression.conf;
+ proxy_set_header Host $http_host;
+ proxy_pass http://minio.db.svc.cluster.local:9000/frontend/;
+ proxy_intercept_errors on; # see http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors
+ error_page 404 =200 /index.html;
+}
+mpression.conf: |-
+# Compression
+gzip on;
+gzip_comp_level 5;
+gzip_min_length 256; # 256Bytes
+gzip_proxied any;
+gzip_vary on;
+# Content types for compression
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/ld+json
+application/manifest+json
+application/rss+xml
+application/vnd.geo+json
+application/vnd.ms-fontobject
+application/x-font-ttf
+application/x-web-app-manifest+json
+application/xhtml+xml
+application/xml
+font/opentype
+image/bmp
+image/svg+xml
+image/x-icon
+text/cache-manifest
+text/css
+text/plain
+;
+
+tes.conf: |-
+# Ref: https://github.com/openresty/openresty/#resolvconf-parsing
+resolver local=on;
+# Need real ip address for flags in replay.
+# Some LBs will forward real ips as x-forwarded-for
+# So making that as priority
+map $http_x_forwarded_for $real_ip {
+ ~^(\d+\.\d+\.\d+\.\d+) $1;
+ default $remote_addr;
+}
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ # server_name _;
+
+ include /etc/nginx/conf.d/location.list;
+ client_max_body_size 10M;
+}
+server {
+ listen 443 ssl;
+ ssl_certificate /etc/secrets/site.crt;
+ ssl_certificate_key /etc/secrets/site.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+ include /etc/nginx/conf.d/location.list;
+ client_max_body_size 10M;
+}
+
diff --git a/scripts/dockerfiles/nginx/location.list b/scripts/dockerfiles/nginx/location.list
new file mode 100644
index 000000000..e668b1359
--- /dev/null
+++ b/scripts/dockerfiles/nginx/location.list
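Review bot: The new file contains two lines that are not nginx syntax, `mpression.conf: |-` and `tes.conf: |-`, followed by a second copy of the compression snippet and a full pair of `server` blocks; this looks like a paste from a Helm values/ConfigMap document with the key names truncated, and nginx will refuse the file with an "unknown directive" error at the first of them. Nothing in this diff copies default.conf into the image (the Dockerfile hunk adds only compression.conf and location.list), so either the file is dead and should be dropped, or, if it is meant for the `/etc/nginx/conf.d/*.conf` include, it must be cut back to the `location` blocks that precede the stray key. Separately, the `ssl_ciphers` string enables `EECDH+aRSA+RC4` and then excludes it with `!RC4`; remove the first so the policy reads as intended, and consider adding `ssl_prefer_server_ciphers on;` next to `ssl_protocols TLSv1.2 TLSv1.3;`.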
@@ -0,0 +1,51 @@
+location ~* /general_stats {
+ deny all;
+}
+location /healthz {
+ return 200 'OK';
+}
+location /ingest/ {
+ rewrite ^/ingest/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $real_ip;
+ proxy_set_header X-Forwarded-Host $real_ip;
+ proxy_set_header X-Real-IP $real_ip;
+ proxy_set_header Host $host;
+ set $target http://http-openreplay:8080;
+ proxy_pass $target;
+ proxy_read_timeout 300;
+ proxy_connect_timeout 120;
+ proxy_send_timeout 300;
+}
+location /api/ {
+ rewrite ^/api/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ set $target http://chalice-openreplay:8000;
+ proxy_pass $target;
+}
+location /assist/ {
+ rewrite ^/assist/(.*) /$1 break;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ set $target http://utilities-openreplay:9000;
+ proxy_pass $target;
+}
+location / {
+ index /index.html;
+ rewrite ^((?!.(js|css|png|svg|jpg|woff|woff2)).)*$ /frontend/index.html break;
+ include /etc/nginx/conf.d/compression.conf;
+ proxy_set_header Host $http_host;
+ set $target http://frontend:8080/;
+ proxy_pass $target;
+ proxy_intercept_errors on; # see http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors
+ add_header hello 'rajesh';
+ error_page 404 =200 /index.html;
+}
diff --git a/scripts/dockerfiles/nginx/nginx.conf b/scripts/dockerfiles/nginx/nginx.conf
index 007b51ed2..cedb0011b 100644
--- a/scripts/dockerfiles/nginx/nginx.conf
+++ b/scripts/dockerfiles/nginx/nginx.conf
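Review bot: `add_header hello 'rajesh';` in `location /` is a leftover debug header that every frontend response will carry to the public; remove it before merge. In `/ingest/`, `proxy_set_header X-Forwarded-Host $real_ip;` puts a client address into a header whose meaning is the original `Host`, so a backend that uses it for URL generation gets an IP, and because `$real_ip` is derived from the client-supplied `X-Forwarded-For` map the value is attacker-chosen in any case; either drop the line or set it to `$host`. The `/ingest/`, `/api/` and `/assist/` blocks also hard-code `proxy_set_header Connection "Upgrade";` for every request rather than only for WebSocket upgrades; nginx.conf defines the usual `$connection_upgrade` map for this, so `proxy_set_header Connection $connection_upgrade;` is the idiomatic form and keeps plain HTTP/1.1 requests from advertising an upgrade they never requested.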
@@ -115,6 +115,29 @@ http {
 }
 }
 
+ # Ref: https://github.com/openresty/openresty/#resolvconf-parsing
+ resolver local=on;
+ # Need real ip address for flags in replay.
+ # Some LBs will forward real ips as x-forwarded-for
+ # So making that as priority
+ map $http_x_forwarded_for $real_ip {
+ ~^(\d+\.\d+\.\d+\.\d+) $1;
+ default $remote_addr;
+ }
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80 default_server;
+ # listen [::]:80 default_server;
+ # server_name _;
+
+ include /etc/nginx/conf.d/location.list;
+ client_max_body_size 10M;
+ }
+
 include /etc/nginx/conf.d/*.conf;
 
 # Don't reveal OpenResty version to clients.
diff --git a/scripts/dockerfiles/nginx/nginx.vh.default.conf b/scripts/dockerfiles/nginx/nginx.vh.default.conf
deleted file mode 100644
index 3ad957225..000000000
--- a/scripts/dockerfiles/nginx/nginx.vh.default.conf
+++ /dev/null
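Review bot: The new `map $http_x_forwarded_for $real_ip` trusts the client-supplied `X-Forwarded-For` header unconditionally and takes its leftmost entry, so any client can pick the value that `/ingest/` forwards as `X-Real-IP` and `X-Forwarded-For`, which the comment says is used for replay flags; spoofing a source address is then a one-header change. Restrict the override to traffic that really arrived through the load balancer with the realip module, `set_real_ip_from <LB CIDR>; real_ip_header X-Forwarded-For; real_ip_recursive on;`, and then use `$remote_addr` everywhere; the removed build kept `--with-http_realip_module`, and the prebuilt openresty image presumably ships it too, but confirm before relying on it. The regex `~^(\d+\.\d+\.\d+\.\d+)` also matches only IPv4, so IPv6 clients behind the LB silently fall back to the LB's own address. `listen [::]:80 default_server;` is commented out here while the equivalent `server` in default.conf has it enabled; the two should agree.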
@@ -1,58 +0,0 @@
-# nginx.vh.default.conf -- docker-openresty
-#
-# This file is installed to:
-# `/etc/nginx/conf.d/default.conf`
-#
-# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
-#
-# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
-# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
-#
-# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
-#
-
-
-server {
- listen 80;
- server_name localhost;
-
- #charset koi8-r;
- #access_log /var/log/nginx/host.access.log main;
-
- location / {
- root /usr/local/openresty/nginx/html;
- index index.html index.htm;
- }
-
- #error_page 404 /404.html;
-
- # redirect server error pages to the static page /50x.html
- #
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/local/openresty/nginx/html;
- }
-
- # proxy the PHP scripts to Apache listening on 127.0.0.1:80
- #
- #location ~ \.php$ {
- # proxy_pass http://127.0.0.1;
- #}
-
- # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
- #
- #location ~ \.php$ {
- # root /usr/local/openresty/nginx/html;
- # fastcgi_pass 127.0.0.1:9000;
- # fastcgi_index index.php;
- # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
- # include fastcgi_params;
- #}
-
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- #
- #location ~ /\.ht {
- # deny all;
- #}
-}