Commit 732f5c1c authored by sebastien letort's avatar sebastien letort

django-nginx conf file has been reordered, and API location has been slightly...

django-nginx conf file has been reordered, and API location has been slightly rewritten with inner locations.

Here we keep the CORS handling and apply it to the whole API, datastore included.
Note that trying to fetch a file through the API path (api/v1/datastore/...) returns a 404,
but the end user has no reason to know this path.
parent a9ca1e41
......@@ -15,89 +15,82 @@ server
client_body_in_file_only clean;
client_body_buffer_size 32K;
# Disabled until #227 is implemented
#
# # registry endpoints
# # - forwarded to the registry
# # - except manifest push/pull -> forwarded through the django server (to
# # guarantee that the db is transactionally updated)
# location /v2/
# {
# proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
# proxy_redirect off;
# proxy_buffering off;
#
# location ~ ^/v2/.*/manifests/[^/]*$ {
# proxy_pass http://aio;
# }
# }
# ----
# location are presented in their application/priority order
# allgo async endpoints
location /aio/
{
proxy_pass http://aio/aio/;
proxy_redirect off;
proxy_buffering off;
}
location /api/
{ # API should be accessible only with token
# it has to be CORS compliant.
if ($request_method = 'OPTIONS')
{
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
location ~ /datastore/([0-9]+)/(.*)$ {
autoindex on;
auth_request /auth;
auth_request_set $auth_status $upstream_status;
root /vol/rw/;
# This is a security measure (DO NOT REMOVE)
#
# By default nginx follows symbolic links, which would be a major
# vulnerability because jobs could create symbolic links to any file
# inside django container (like the secret key for signing tokens)
#
disable_symlinks on;
}
# Custom headers and headers various browsers *should* be OK with but aren't
add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
location = /auth {
internal;
proxy_pass http://django/auth;
proxy_redirect off;
proxy_set_header X-Original-URI $request_uri;
return 204;
}
location /api/v1/
{ # it's not illegal access, go through django
add_header Access-Control-Allow-Origin "*";
# allgo endpoints
# - static files served directly by nginx
# - other requests forwarded to the django server
location /
{
sendfile on;
send_timeout 300s;
proxy_pass http://django;
proxy_redirect off; # work without it, maybe it's bad to remove it
keepalive_timeout 5;
root /var/www/html;
try_files $uri/index.html $uri.html $uri @django;
}
# header set to distinguish between requests going directly from nginx and
# requests going through aio
#
# This is a security feature. Django trusts this value (like the
# X-Forwarded-* headers), do not remove it !
proxy_set_header X-Origin "nginx";
}
location /api/v1
{
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
location /api/v1/datastore/
{ # it's not illegal access, access to static file
autoindex on;
auth_request /auth;
auth_request_set $auth_status $upstream_status;
root /vol/rw/;
# This is a security measure (DO NOT REMOVE)
#
# By default nginx follows symbolic links, which would be a major
# vulnerability because jobs could create symbolic links to any file
# inside django container (like the secret key for signing tokens)
#
disable_symlinks on;
}
} #location /api/
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
# Custom headers and headers various browsers *should* be OK with but aren't
#
add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';
location = /auth
{ # call the auth view in django
# = grant that only known user can go through
internal;
proxy_pass http://django/auth;
proxy_redirect off;
proxy_set_header X-Original-URI $request_uri;
}
return 204;
}
add_header Access-Control-Allow-Origin "*";
location /aio/
{ # allgo async endpoints
proxy_pass http://aio/aio/;
proxy_redirect off;
proxy_buffering off;
}
# proxy_redirect off; # work without it, maybe it's bad to remove it
location @django
{ # simple access to the web site
proxy_redirect off;
proxy_pass http://django;
# header set to distinguish between requests going directly from nginx and
......@@ -108,18 +101,50 @@ server
proxy_set_header X-Origin "nginx";
}
location @django
{
proxy_redirect off;
proxy_pass http://django;
# header set to distinguish between requests going directly from nginx and
# requests going through aio
# Disabled until #227 is implemented
#
# # registry endpoints
# # - forwarded to the registry
# # - except manifest push/pull -> forwarded through the django server (to
# # guarantee that the db is transactionally updated)
# location /v2/
# {
# proxy_pass {ALLGO_REGISTRY_PRIVATE_URL}/v2/;
# proxy_redirect off;
# proxy_buffering off;
#
# location ~ ^/v2/.*/manifests/[^/]*$ {
# proxy_pass http://aio;
# }
# }
location /datastore/
{ # access to static files
autoindex on;
auth_request /auth;
auth_request_set $auth_status $upstream_status;
root /vol/rw/;
# This is a security measure (DO NOT REMOVE)
#
# This is a security feature. Django trusts this value (like the
# X-Forwarded-* headers), do not remove it !
proxy_set_header X-Origin "nginx";
# By default nginx follows symbolic links, which would be a major
# vulnerability because jobs could create symbolic links to any file
# inside django container (like the secret key for signing tokens)
#
disable_symlinks on;
}
location /
{ # allgo endpoints
# - static files served directly by nginx
# - other requests forwarded to the django server
sendfile on;
send_timeout 300s;
}
keepalive_timeout 5;
root /var/www/html;
try_files $uri/index.html $uri.html $uri @django;
}
} #server
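Review bot: The server-level `location /datastore/` in the second hunk relies on `auth_request /auth`, but the only `location = /auth { internal; ... }` visible in the diff appears to sit inside the `location /api/v1` block (old and new lines are interleaved here, so this layout is inferred). nginx refuses an exact-match location nested outside its parent's prefix (`location "/auth" is outside location "/api/v1"`), and if the block were absent at server level the auth subrequest would instead fall through `location /` and `try_files` to `@django` without the `internal` guard and without `X-Original-URI`, which is the value the Django auth view is expected to check. Move `location = /auth { internal; proxy_pass http://django/auth; proxy_set_header X-Original-URI $request_uri; }` to server scope and run `nginx -t` in the pipeline so a config that fails to load is caught before deploy. Separately, the inner `location /api/v1/datastore/` with `root /vol/rw/` can only ever map to `/vol/rw/api/v1/datastore/...` and 404, as the commit message admits; an explicit `return 404;` (or dropping the block) would make that intent clear instead of leaving an `autoindex on` block that looks like it serves files.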