Refactor RSK nginx sites for proxy/lb usage
This commit is contained in:
parent
635ca3870a
commit
90f66c74d2
|
@ -36,6 +36,8 @@
|
|||
"kosmos_garage::firewall_rpc",
|
||||
"kosmos_garage::nginx_web",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos-akkounts::nginx",
|
||||
|
|
|
@ -22,6 +22,8 @@ default_run_list = %w(
|
|||
kosmos_garage::firewall_rpc
|
||||
kosmos_garage::nginx_web
|
||||
kosmos_gitea::nginx
|
||||
kosmos_rsk::nginx_testnet
|
||||
kosmos_rsk::nginx_mainnet
|
||||
kosmos_website::default
|
||||
kosmos-akkounts::nginx
|
||||
kosmos-akkounts::nginx_api
|
||||
|
|
|
@ -9,7 +9,6 @@ default_attributes 'rskj' => {
|
|||
|
||||
default_run_list = %w(
|
||||
kosmos_rsk::rskj
|
||||
kosmos_rsk::nginx
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
|
|
@ -1,2 +1,4 @@
|
|||
node.default['rskj']['version'] = '4.4.0~focal'
|
||||
node.default['rskj']['network'] = 'testnet'
|
||||
|
||||
node.default['rskj']['nginx']['domain'] = nil
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos_rsk
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
app_name = "rskj"
|
||||
domain = node[app_name]["nginx"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_#{app_name}.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables app_name: app_name,
|
||||
domain: domain,
|
||||
port: "4444",
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
|
@ -0,0 +1,8 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos_rsk
|
||||
# Recipe:: nginx_mainnet
|
||||
#
|
||||
|
||||
rskj_nginx_site "mainnet" do
|
||||
domain "rsk.kosmos.org"
|
||||
end
|
|
@ -0,0 +1,8 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos_rsk
|
||||
# Recipe:: nginx_testnet
|
||||
#
|
||||
|
||||
rskj_nginx_site "testnet" do
|
||||
domain "rsk-testnet.kosmos.org"
|
||||
end
|
|
@ -0,0 +1,37 @@
|
|||
resource_name :rskj_nginx_site
|
||||
provides :rskj_nginx_site
|
||||
|
||||
property :network, String, required: true, name_property: true
|
||||
property :domain, String, required: true
|
||||
|
||||
action :create do
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
network = new_resource.network
|
||||
domain = new_resource.domain
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:rskj_#{network}").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_rskj.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
upstream_name: "rskj_#{network}",
|
||||
upstream_hosts: upstream_hosts,
|
||||
upstream_port: "4444",
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
end
|
|
@ -1,23 +1,39 @@
|
|||
# Generated by Chef
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
upstream _<%= @upstream_name %> {
|
||||
<% @upstream_hosts.each do |host| %>
|
||||
server <%= host %>:<%= @upstream_port %>;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
server_name <%= @domain %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
location / {
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1209600;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
proxy_pass http://localhost:<%= @port %>;
|
||||
proxy_pass http://_<%= @upstream_name %>;
|
||||
}
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
}
|
||||
<% end -%>
|
||||
|
|
Loading…
Reference in New Issue