Refactor RSK nginx sites for proxy/lb usage

2023-06-18 16:55:38 +02:00 · 2023-06-18 16:55:38 +02:00 · 90f66c74d2
parent 635ca3870a
commit 90f66c74d2
9 changed files with 83 additions and 36 deletions
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -36,6 +36,8 @@
      "kosmos_garage::firewall_rpc",
      "kosmos_garage::nginx_web",
      "kosmos_gitea::nginx",
+      "kosmos_rsk::nginx_testnet",
+      "kosmos_rsk::nginx_mainnet",
      "kosmos_website",
      "kosmos_website::default",
      "kosmos-akkounts::nginx",
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@ -22,6 +22,8 @@ default_run_list = %w(
  kosmos_garage::firewall_rpc
  kosmos_garage::nginx_web
  kosmos_gitea::nginx
+  kosmos_rsk::nginx_testnet
+  kosmos_rsk::nginx_mainnet
  kosmos_website::default
  kosmos-akkounts::nginx
  kosmos-akkounts::nginx_api
--- a/roles/rskj_testnet.rb
+++ b/roles/rskj_testnet.rb
@ -9,7 +9,6 @@ default_attributes 'rskj' => {

 default_run_list = %w(
  kosmos_rsk::rskj
-  kosmos_rsk::nginx
 )

 env_run_lists(
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@ -1,2 +1,4 @@
 node.default['rskj']['version'] = '4.4.0~focal'
 node.default['rskj']['network'] = 'testnet'
+
+node.default['rskj']['nginx']['domain'] = nil
--- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx.rb
@ -1,27 +0,0 @@
-#
-# Cookbook Name:: kosmos_rsk
-# Recipe:: nginx
-#
-
-include_recipe "kosmos-nginx"
-
-app_name = "rskj"
-domain   = node[app_name]["nginx"]["domain"]
-
-nginx_certbot_site domain
-
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf_#{app_name}.erb"
-  owner 'www-data'
-  mode 0640
-  variables app_name: app_name,
-            domain: domain,
-            port: "4444",
-            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
-  notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
-  action :enable
-end
--- a/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_mainnet
+#
+
+rskj_nginx_site "mainnet" do
+  domain "rsk.kosmos.org"
+end
--- a/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_testnet
+#
+
+rskj_nginx_site "testnet" do
+  domain "rsk-testnet.kosmos.org"
+end
--- a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
+++ b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
@ -0,0 +1,37 @@
+resource_name :rskj_nginx_site
+provides :rskj_nginx_site
+
+property :network, String, required: true, name_property: true
+property :domain, String, required: true
+
+action :create do
+  include_recipe "kosmos-nginx"
+
+  network = new_resource.network
+  domain  = new_resource.domain
+
+  nginx_certbot_site domain
+
+  upstream_hosts = []
+  search(:node, "role:rskj_#{network}").each do |node|
+    upstream_hosts << node["knife_zero"]["host"]
+  end
+  upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+  template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+    source "nginx_conf_rskj.erb"
+    owner 'www-data'
+    mode 0640
+    variables domain: domain,
+              upstream_name: "rskj_#{network}",
+              upstream_hosts: upstream_hosts,
+              upstream_port: "4444",
+              ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+              ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site domain do
+    action :enable
+  end
+end
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@ -1,23 +1,39 @@
-# Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _<%= @upstream_name %> {
+<% @upstream_hosts.each do |host| %>
+  server   <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
 server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
-  add_header Strict-Transport-Security "max-age=15768000";
-
-  ssl_certificate <%= @ssl_cert %>;
-  ssl_certificate_key <%= @ssl_key %>;

  server_name <%= @domain %>;

+  add_header Strict-Transport-Security "max-age=15768000";
+
  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;

  location / {
+    if ($request_method = 'OPTIONS') {
+      add_header 'Access-Control-Allow-Origin' '*';
+      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+      add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+      add_header 'Access-Control-Max-Age' 1209600;
+      add_header 'Content-Type' 'text/plain; charset=utf-8';
+      add_header 'Content-Length' 0;
+      return 204;
+    }
+
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
-    proxy_pass http://localhost:<%= @port %>;
+    proxy_pass http://_<%= @upstream_name %>;
   }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>