* cherry-picked #2122 and in galaxy-importer * Update rh-certified URL to match 891656c * Add sleeps and wait_for_all_tasks_gk calls, 2112, 2101 * Need to template out the nginx port also, 2118 No-Issue
1 parent
3f249ef
commit 378f3de
Showing
10 changed files
with
203 additions
and
91 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,146 @@ | ||
# TODO: Support IPv6. | ||
# TODO: Maybe serve multiple `location`s, not just one. | ||
|
||
# The "nginx" package on fedora creates this user and group. | ||
user nginx nginx; | ||
# Gunicorn docs suggest this value. | ||
worker_processes 1; | ||
daemon off; | ||
events { | ||
worker_connections 1024; # increase if you have lots of clients | ||
accept_mutex off; # set to 'on' if nginx worker_processes > 1 | ||
} | ||
|
||
http { | ||
include mime.types; | ||
# fallback in case we can't determine a type | ||
default_type application/octet-stream; | ||
sendfile on; | ||
|
||
# If left at the default of 1024, nginx emits a warning about being unable | ||
# to build optimal hash types. | ||
types_hash_max_size 4096; | ||
|
||
upstream pulp-content { | ||
server 127.0.0.1:24816; | ||
} | ||
|
||
upstream pulp-api { | ||
server 127.0.0.1:24817; | ||
} | ||
|
||
server { | ||
# Gunicorn docs suggest the use of the "deferred" directive on Linux. | ||
{% if https | default(false) -%} | ||
listen 443 default_server deferred ssl; | ||
|
||
ssl_certificate /etc/pulp/certs/pulp_webserver.crt; | ||
ssl_certificate_key /etc/pulp/certs/pulp_webserver.key; | ||
ssl_session_cache shared:SSL:50m; | ||
ssl_session_timeout 1d; | ||
ssl_session_tickets off; | ||
|
||
# intermediate configuration | ||
ssl_protocols TLSv1.2; | ||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | ||
ssl_prefer_server_ciphers on; | ||
|
||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | ||
add_header Strict-Transport-Security max-age=15768000; | ||
{%- else -%} | ||
listen {{ NGINX_PORT }} default_server deferred; | ||
{%- endif %} | ||
server_name $hostname; | ||
|
||
# The default client_max_body_size is 1m. Clients uploading | ||
# files larger than this will need to chunk said files. | ||
client_max_body_size 10m; | ||
|
||
# Gunicorn docs suggest this value. | ||
keepalive_timeout 5; | ||
|
||
#location {{ content_path }} { | ||
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
# proxy_set_header X-Forwarded-Proto $scheme; | ||
# proxy_set_header Host $http_host; | ||
# # we don't want nginx trying to do something clever with | ||
# # redirects, we set the Host: header above already. | ||
# proxy_redirect off; | ||
# proxy_pass http://pulp-content; | ||
#} | ||
|
||
location /pulp/content/ { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Host $http_host; | ||
# we don't want nginx trying to do something clever with | ||
# redirects, we set the Host: header above already. | ||
proxy_redirect off; | ||
proxy_pass http://pulp-content; | ||
} | ||
|
||
location {{ api_root }}api/v3/ { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Host $http_host; | ||
# we don't want nginx trying to do something clever with | ||
# redirects, we set the Host: header above already. | ||
proxy_redirect off; | ||
proxy_pass http://pulp-api; | ||
client_max_body_size 0; | ||
} | ||
|
||
{%- if domain_enabled | default(false) %} | ||
location ~ {{ api_root }}.+/api/v3/ { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Host $http_host; | ||
# we don't want nginx trying to do something clever with | ||
# redirects, we set the Host: header above already. | ||
proxy_redirect off; | ||
proxy_pass http://pulp-api; | ||
client_max_body_size 0; | ||
} | ||
{%- endif %} | ||
|
||
location /auth/login/ { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Host $http_host; | ||
# we don't want nginx trying to do something clever with | ||
# redirects, we set the Host: header above already. | ||
proxy_redirect off; | ||
proxy_pass http://pulp-api; | ||
} | ||
|
||
include pulp/*.conf; | ||
|
||
location / { | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Host $http_host; | ||
# we don't want nginx trying to do something clever with | ||
# redirects, we set the Host: header above already. | ||
proxy_redirect off; | ||
proxy_pass http://pulp-api; | ||
# most pulp static files are served through whitenoise | ||
# http://whitenoise.evans.io/en/stable/ | ||
} | ||
|
||
{%- if https | default(false) %} | ||
# ACME http-01 tokens, i.e, for Let's Encrypt | ||
location /.well-known/ { | ||
try_files $uri $uri/ =404; | ||
} | ||
{%- endif %} | ||
} | ||
{%- if https | default(false) %} | ||
server { | ||
listen 55001 default_server; | ||
server_name _; | ||
return 301 https://$host$request_uri; | ||
} | ||
{%- endif %} | ||
} | ||
|
||
|
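Review bot: The https-only redirect server block near the end of the hunk still hardcodes `listen 55001 default_server;` while the plain-HTTP branch above it was templated to `listen {{ NGINX_PORT }} default_server deferred;`, so setting NGINX_PORT with PULP_HTTPS=true has no effect and the port templating the commit message describes is only half done; `listen {{ NGINX_PORT }} default_server;` keeps both branches consistent. The HSTS directive is emitted without the `always` flag, so nginx omits the header on 4xx/5xx responses; `add_header Strict-Transport-Security max-age=15768000 always;` covers them. The commented-out `location {{ content_path }}` block duplicates the live `/pulp/content/` location directly below it and is the only place the `content_path` template variable appears, so either the live block should use the variable or the dead block should be dropped. `ssl_protocols TLSv1.2;` leaves TLS 1.3 disabled although the comment labels this the intermediate profile; whether the nginx/OpenSSL in the target image accepts `TLSv1.2 TLSv1.3` is not visible here.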
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
import argparse | ||
import os | ||
import django | ||
from django.core.exceptions import AppRegistryNotReady, ImproperlyConfigured | ||
|
||
from jinja2 import Template | ||
|
||
|
||
if __name__ == "__main__": | ||
parser = argparse.ArgumentParser( | ||
description="Create Pulp's nginx conf file based on current settings.", | ||
) | ||
parser.add_argument("template_file", type=open) | ||
parser.add_argument("output_file", type=argparse.FileType("w")) | ||
args = parser.parse_args() | ||
|
||
https = os.getenv("PULP_HTTPS", "false") | ||
values = { | ||
"https": https.lower() == "true", | ||
"api_root": "/pulp/", | ||
"content_path": "/pulp/content/", | ||
"domain_enabled": False, | ||
} | ||
|
||
try: | ||
django.setup() | ||
from django.conf import settings | ||
except (AppRegistryNotReady, ImproperlyConfigured): | ||
print("Failed to find settings for nginx template, using defaults") | ||
else: | ||
values["api_root"] = settings.API_ROOT | ||
values["content_path"] = settings.CONTENT_PATH_PREFIX | ||
values["domain_enabled"] = getattr(settings, "DOMAIN_ENABLED", False) | ||
|
||
values['NGINX_PORT'] = os.environ.get('NGINX_PORT', '55001') | ||
|
||
template = Template(args.template_file.read()) | ||
output = template.render(**values) | ||
args.output_file.write(output) |
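Review bot: `values['NGINX_PORT'] = os.environ.get('NGINX_PORT', '55001')` passes the environment value straight into the template, where it is rendered unquoted into a `listen` directive, so any non-numeric content yields a broken or unexpected nginx configuration instead of a clear error at render time. `values["NGINX_PORT"] = int(os.environ.get("NGINX_PORT", "55001"))` rejects anything that is not an integer and also matches the double-quote style used everywhere else in the file. `parser.add_argument("template_file", type=open)` opens the file with the platform default encoding and neither that handle nor `output_file` is closed explicitly; wrapping the last three lines in `with args.template_file, args.output_file:` makes the flush and close deterministic. The `print` on the except path goes to stdout, where it mixes with whatever tooling consumes the script's output; `file=sys.stderr` would need `import sys` added to the import block at the top of the hunk.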