OZ-457: Switch Reverse Proxy to Nginx
Showing
19 changed files
with
216 additions
and
274 deletions.
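--- a/<PATH-NOT-SHOWN>/Dockerfile
+++ b/<PATH-NOT-SHOWN>/Dockerfile
@@ -1,8 +1,6 @@
-FROM httpd:2.4-alpine
+FROM nginx:1.25-alpine
 
-RUN apk add curl iproute2 iputils less nano tree ca-certificates lsof --no-cache
+ENV FRAME_ANCESTORS ""
 
-COPY resources/httpd.conf /usr/local/apache2/conf/httpd.conf
-COPY resources/proxy-rules /usr/local/apache2/conf/proxy-rules
-COPY resources/tls/cert.pem resources/tls/privkey.pem resources/tls/chain.pem /etc/tls/
-EXPOSE 8069/tcp
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY default.conf.template /etc/nginx/templates/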
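Review bot: The new image declares no `EXPOSE` at all, although the `default.conf.template` copied on the last line opens listeners on 80, 8069, 8081 and 8088 and the old httpd image at least exposed 8069; adding `EXPOSE 80/tcp 8069/tcp 8081/tcp 8088/tcp` after the COPY lines keeps the port contract visible to compose and `docker run -P` users. The `ENV FRAME_ANCESTORS ""` default is substituted verbatim into the `frame-ancestors 'self' ${FRAME_ANCESTORS};` CSP directive of the template, so a comment such as `# space-separated list of origins allowed to frame the UI, e.g. https://portal.example` (constructed example) would tell operators what format keeps the policy parseable. The `nginx:1.25-alpine` tag floats across patch releases; if reproducible builds matter here, pinning by digest is worth considering.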
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
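--- /dev/null
+++ b/default.conf.template
@@ -0,0 +1,175 @@
+map $request_uri $csp_header {
+default "default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; img-src 'self' data:; frame-ancestors 'self' ${FRAME_ANCESTORS};";
+"~^/openmrs/(?:admin|dictionary|module|patientDashboard.form)/" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; frame-ancestors 'self';";
+"~^/openmrs/owa" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self';";
+}
+
+map $http_x_forwarded_proto $forwarded_proto {
+"~.*" $http_x_forwarded_proto;
+default $scheme;
+}
+
+map $http_x_real_ip $forwarded_ip {
+"~.*" $http_x_real_ip;
+default $remote_addr;
+}
+
+map $forwarded_proto $var_proxy_cookie_flags {
+https "JSESSIONID secure samesite=strict";
+default "off";
+}
+
+upstream frontend {
+# always assume the frontend will be available
+server frontend max_fails=0;
+}
+
+upstream backend {
+server openmrs:8080 max_fails=0;
+}
+
+upstream odoo {
+server odoo:8069 max_fails=0;
+}
+upstream odoochat {
+server odoo:8072 max_fails=0;
+}
+
+
+
+upstream senaite {
+server senaite:8080 max_fails=0;
+}
+
+upstream superset {
+server superset:8088 max_fails=0;
+}
+
+server {
+listen 80;
+
+add_header X-XSS-Protection "1; mode=block";
+add_header Content-Security-Policy $csp_header;
+add_header X-Content-Type-Options nosniff;
+
+proxy_set_header HOST $host;
+proxy_set_header X-Forwarded-Proto $forwarded_proto;
+proxy_set_header X-Real-IP $forwarded_ip;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# if serving this via HTTPS, the following is recommended
+# proxy_cookie_flags $var_proxy_cookie_flags;
+proxy_http_version 1.1;
+
+gzip on;
+gzip_vary on;
+# 1 KiB
+gzip_min_length 1024;
+gzip_proxied any;
+gzip_http_version 1.0;
+gzip_types font/eot
+font/otf
+font/ttf
+image/svg+xml
+text/css
+text/javascript
+text/plain
+text/xml
+application/atom+xml
+application/geo+json
+application/importmap+json
+application/javascript
+application/x-javascript
+application/json
+application/ld+json
+application/fhir+json
+application/fhir+xml
+application/manifest+json
+application/rdf+xml
+application/rss+xml
+application/xhtml+xml
+application/xml;
+
+# all redirects are relative to the gateway
+absolute_redirect off;
+
+location = /openmrs/spa {
+return 301 /openmrs/spa/;
+}
+
+location /openmrs/spa/ {
+proxy_pass http://frontend/;
+proxy_redirect http://$host/ /openmrs/spa/;
+}
+
+location /openmrs {
+proxy_pass http://backend;
+}
+
+location = / {
+return 301 /openmrs/spa/;
+}
+}
+
+server {
+listen 8069;
+server_name localhost;
+
+# Increase proxy buffer size
+proxy_buffers 16 64k;
+proxy_buffer_size 128k;
+# Force timeouts if the backend dies
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+# Enable data compression
+gzip on;
+gzip_min_length 1100;
+gzip_buffers 4 32k;
+gzip_types text/plain text/xml text/css text/less application/x-javascript application/xml application/json application/javascript;
+gzip_vary on;
+
+# Proxy header and settings
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+
+
+# Cache static data
+location ~* /web/static/ {
+proxy_cache_valid 200 60m;
+proxy_buffering on;
+expires 864000;
+proxy_pass http://odoo;
+}
+
+location / {
+proxy_pass http://odoo;
+# The following makes the timeout broader
+proxy_read_timeout 30000;
+proxy_redirect off;
+}
+
+location /longpolling {
+proxy_pass http://odoochat;
+}
+}
+
+server {
+listen 8088;
+location / {
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://superset;
+}
+}
+
+server {
+listen 8081;
+location / {
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
+proxy_pass http://senaite;
+}
+}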
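Review bot: The `map $http_x_forwarded_proto $forwarded_proto` and `map $http_x_real_ip $forwarded_ip` blocks at the top of the file copy whatever the connecting client sent, so on the port-80 server any direct client can present an arbitrary `X-Real-IP` to the OpenMRS backend (audit trail, any address-based checks there) and can flip the scheme the backend sees, which also selects the `https` branch of `$var_proxy_cookie_flags` once that directive is enabled. Trusted forwarding headers should only be honoured from the upstream proxy: `set_real_ip_from <TRUSTED_PROXY_CIDR>;` and `real_ip_header X-Real-IP;` in the server block, with `proxy_set_header X-Real-IP $remote_addr;` replacing the map-derived value; the proto map should be gated the same way, e.g. a `geo` lookup on `$remote_addr` that yields `$scheme` unless the peer is the trusted proxy. The 8069, 8081 and 8088 servers already use `$remote_addr` and `$scheme` directly, so only the port-80 server needs the change. `add_header X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and some guidance now recommends omitting; it does no harm here but a short comment saying it is kept for older clients would stop the next reader from "fixing" it either way.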
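--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,30 @@
+user nobody;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+
+keepalive_timeout 65;
+
+include /etc/nginx/conf.d/*.conf;
+}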
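Review bot: The `http` block never disables version disclosure, so every response and built-in error page from this gateway carries the exact nginx version in the `Server` header and error-page footer; add `server_tokens off;` next to `sendfile on;`. The `main` log format records `$http_x_forwarded_for` verbatim, which is useful but is a client-supplied value unless the realip module is configured in the `conf.d` files this block includes, so a comment such as `# x-forwarded-for is as received from the client, not validated` would keep log consumers from treating it as authoritative.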