include common/main.conf;
http {
# Without this, cosocket-based code in worker
# initialization cannot resolve leader.mesos.
# This resolver is only used for lookups done at request time (Lua cosockets,
# proxy_pass targets that contain variables). Hostnames in the static
# `upstream` blocks below are resolved by nginx once, at startup.
resolver 127.0.0.1:61053;
include common/http.conf;
# NOTE(review): this limit is http-wide, so it also applies to the
# unauthenticated locations in this file (/acs/api/v1/auth/,
# /dcos-metadata/ui-config.json). Where request buffering is left on, nginx
# will spool a body up to this size to disk before the backend sees it --
# confirm that is acceptable for the unauthenticated paths.
client_max_body_size 1024M;
# Backend definitions. All of these are reached over plaintext HTTP
# (every proxy_pass below uses http://); the loopback and unix-socket
# targets rely on the host boundary, the *.mesos names on the cluster
# network. nginx resolves these hostnames once at startup, so a change of
# leader.mesos / master.mesos is only picked up on reload -- confirm how
# leadership changes are handled operationally.
# Name: Apache Mesos
# Reference: https://mesos.apache.org/documentation/latest/endpoints/
upstream mesos {
server leader.mesos:5050;
}
# Name: Marathon
# Reference: https://dcos.io/docs/1.9/usage/managing-services/rest-api/
upstream marathon {
server master.mesos:8080;
}
# Name: DC/OS History
# Reference: https://github.com/dcos/dcos/tree/master/packages/dcos-history/extra#api
upstream dcos_history_service {
server leader.mesos:15055;
}
# Name: Mesos DNS
# Reference: https://dcos.io/docs/1.9/usage/service-discovery/mesos-dns/http-interface/
upstream mesos_dns {
server master.mesos:8123;
}
# Name: Exhibitor (Zookeeper)
# Reference: https://github.com/soabase/exhibitor/wiki/REST-Introduction
upstream exhibitor {
server 127.0.0.1:8181;
}
# Name: DC/OS Package Manager (Cosmos)
# Reference: https://dcos.io/docs/1.9/usage/managing-services/package-api/
upstream cosmos {
server 127.0.0.1:7070;
}
# Name: DC/OS Authentication (OAuth)
# Reference: https://dcos.io/docs/1.9/administration/id-and-access-mgt/iam-api/
upstream auth {
server 127.0.0.1:8101;
}
# Name: DC/OS Diagnostics (3DT)
# Reference: https://dcos.io/docs/1.9/administration/monitoring/#system-health-http-api-endpoint
upstream dddt {
server 127.0.0.1:1050;
}
# Name: DC/OS Metrics
# Reference: https://dcos.io/docs/1.9/administration/monitoring/metrics/metrics-api/
# Unix socket: access is gated by the socket's filesystem permissions and the
# nginx worker user, not by the network.
upstream metrics {
server unix:/run/dcos/dcos-metrics-master.sock;
}
# Name: Navstar
# No reference documented; only /navstar/lashup/key is routed to it below.
upstream navstar {
server 127.0.0.1:62080;
}
# On-disk cache used by /cache/master/ for Mesos master API responses.
# NOTE(review): the cache lives under /tmp and holds cluster state returned by
# the master; confirm the directory is private to the nginx user (or move it
# under a dedicated, non-world-writable path).
proxy_cache_path /tmp/nginx-mesos-cache levels=1:2 keys_zone=mesos:1m inactive=10m;
# Shared memory for the Lua code loaded via the include files (cache contents
# and the locks that serialise refreshing it).
lua_shared_dict cache 100m;
lua_shared_dict shmlocks 100k;
# Disabled: periodic background refresh of the Lua-side cache. Either
# re-enable it or remove it -- commented-out configuration tends to be
# mistaken for active behaviour.
#init_worker_by_lua '
# local cache = require "master.cache"
# cache.periodically_refresh_cache()
#';
server {
include common/server.conf;
# Listener settings (address, port, TLS or not) come from this include and are
# not visible here. The file name suggests the plaintext "open" listener
# variant -- confirm before exposing this port outside the cluster network.
include /opt/mesosphere/etc/adminrouter-listen-open.conf;
# Group: Root
# Description: DC/OS GUI
# Requests that match none of the locations below are served as static files
# from this directory (no authentication is applied to them).
root /opt/mesosphere/active/dcos-ui/usr;
# Group: Authentication
# Description: Redirect to OpenID Connect server for user login
# Unauthenticated by design: this is the entry point into the login flow.
location = /login {
# The redirect target and client id come from the process environment (they
# must be whitelisted with `env` in the main config for os.getenv to see
# them), not from the request, so the redirect destination is not
# client-controlled.
set_by_lua $oauth_client_id 'return os.getenv("OAUTH_CLIENT_ID")';
set_by_lua $oauth_auth_redirector 'return os.getenv("OAUTH_AUTH_REDIRECTOR")';
set_by_lua $cluster_id 'return util.get_stripped_first_line_from_file("/var/lib/dcos/cluster-id")';
# existing query string parameters will be appended by nginx
# (the replacement carries its own query string, so nginx appends the
# original arguments rather than dropping them). $uri is always /login here
# because of the exact-match location.
rewrite ^ $oauth_auth_redirector$uri?client=$oauth_client_id&cluster_id=$cluster_id redirect;
}
# Group: Authentication
# Description: Access Control Service (unauthenticated)
# Deliberately carries no access_by_lua check: this is the longest matching
# prefix for the auth sub-tree (presumably login/logout), so it wins over the
# authenticated /acs/api/v1 location below. Anything added under this prefix
# is reachable without a token.
location /acs/api/v1/auth/ {
include common/proxy-headers.conf;
proxy_pass http://auth;
}
# Group: Authentication
# Description: Access Control Service
# Prefix match: covers /acs/api/v1 and everything below it except the
# unauthenticated /acs/api/v1/auth/ sub-tree handled above.
location /acs/api/v1 {
# Enforce access restriction to Auth API.
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://auth;
# Instruct user agent to not cache the response.
# Ref: http://stackoverflow.com/a/2068407/145400
# NOTE(review): add_header at this level replaces, rather than extends, any
# add_header directives inherited from the server level (nginx only inherits
# them when the current level defines none). If common/server.conf sets
# security headers, they must be repeated here to stay in effect.
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma no-cache;
add_header Expires 0;
}
# Group: Mesos
# Description: Redirect to add trailing slash
# Visibility: hidden
# No auth check is needed: the redirect leaks nothing and the target location
# enforces it. The Location header is built from $http_host, i.e. the client's
# Host header is reflected verbatim -- make sure an unexpected Host is caught
# by a default server rather than echoed back here.
location = /mesos {
rewrite ^/mesos$ $scheme://$http_host/mesos/ permanent;
}
# Group: Mesos
# Description: Apache Mesos
# Full, token-protected proxy to the leading master's HTTP API.
location /mesos/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
# Trailing slash on both sides: /mesos/foo is sent to the master as /foo.
proxy_pass http://mesos/;
}
# Group: Package
# Description: Package Management
# Token-protected proxy to Cosmos' package API.
location /package/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://cosmos/package/;
# http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_request_buffering
# Request bodies (package uploads) are streamed to Cosmos instead of being
# spooled to disk first; client_max_body_size (http level) still bounds them.
proxy_request_buffering off;
# Required for unbuffered request streaming.
proxy_http_version 1.1;
}
# Group: Capabilities
# Description: List of capabilities supported by DC/OS
# Prefix match without a trailing slash, so /capabilitiesX would also land
# here (and be sent to Cosmos as /capabilitiesX); use `location = ` if only
# the exact path is meant.
location /capabilities {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://cosmos/capabilities;
proxy_http_version 1.1;
}
# Group: Cosmos
# Description: Start a DC/OS service from a DC/OS package
# Token-protected; this endpoint can launch workloads, so it must never be
# grouped with the unauthenticated locations.
location /cosmos/service/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://cosmos/service/;
proxy_http_version 1.1;
}
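# Group: Mesos
# Cache: 5 seconds
# Description: Cache of the Mesos master API
# Short-lived cache in front of the master's HTTP API so that many UI
# clients polling the same state do not each hit the leader.
location /cache/master/ {
# Enforce access restriction, consistent with /mesos/. This location
# previously had no token check although it serves the same master API
# responses (cluster topology, frameworks, tasks) as the protected
# /mesos/ route. The access phase runs before the cache lookup, so an
# unauthenticated request neither reads nor populates the cache.
access_by_lua 'auth.validate_jwt_or_exit()';
add_header X-Cache-Status $upstream_cache_status;
proxy_pass http://mesos/master/;
proxy_cache mesos;
# NOTE(review): any request carrying a non-empty Cache-Control header
# skips the cache and is forwarded to the master directly, so the cache
# does not rate-limit a client that chooses to send that header.
proxy_cache_bypass $http_cache_control;
# Only one request per key refreshes an expired entry; others wait.
proxy_cache_lock on;
proxy_cache_valid 200 5s;
}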
# Group: Exhibitor
# Description: Redirect to add trailing slash
# Visibility: hidden
# Unauthenticated redirect only; the client's Host header ($http_host) is
# reflected into the Location header.
location = /exhibitor {
rewrite ^/exhibitor$ $scheme://$http_host/exhibitor/ permanent;
}
# Group: Exhibitor
# Description: Manage Zookeeper
# Token-protected. Exhibitor can reconfigure and restart the ZooKeeper
# ensemble the cluster depends on; the JWT check is the only gate in front
# of it (the upstream itself listens on loopback).
location /exhibitor/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://exhibitor/;
# Rewrite Location headers Exhibitor emits for its root back under
# /exhibitor/ so browser redirects stay behind this proxy.
proxy_redirect http://$http_host/ $scheme://$http_host/exhibitor/;
}
# Group: Navstar
# Description: Lashup key material served by Navstar (loopback upstream).
# Token-protected; this is the only Navstar path exposed through the router.
location /navstar/lashup/key {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://navstar/lashup/key;
}
# Group: Agent
# Description: Redirect to add trailing slash
# Visibility: hidden
# Matches a bare /slave/<id> or /agent/<id>; the id is restricted to
# [0-9a-zA-Z-]. `last` performs an internal redirect (no 3xx to the client),
# so the request re-enters location matching and lands in the agent proxy
# below, which does the auth check.
location ~ ^/(slave|agent)/(?<agentid>[0-9a-zA-Z-]+)$ {
# Append slash and perform internal redirect.
rewrite ^/(slave|agent)/(.*)$ /agent/$2/ last;
}
# Group: Agent
# Description: API proxy to a specific agent node
# The agent id is an allowlisted character class; everything after it is
# captured as $url and becomes the upstream path.
location ~ ^/(slave|agent)/(?<agentid>[0-9a-zA-Z-]+)(?<url>.+)$ {
access_by_lua 'auth.validate_jwt_or_exit()';
set $agentaddr '';
set $agentport '';
rewrite ^/(slave|agent)/[0-9a-zA-Z-]+/.*$ $url break;
# Resolves $agentid into $agentaddr/$agentport (not visible here).
# NOTE(review): rewrite_by_lua runs in the rewrite phase, which precedes the
# access phase -- so this lookup executes before the token is validated
# above, for authenticated and unauthenticated requests alike. Textual order
# in the config does not change that.
rewrite_by_lua_file conf/master/agent.lua;
more_clear_input_headers Accept-Encoding;
include common/proxy-headers.conf;
# Non-streaming endpoints don't require HTTP/1.1 but will work as
# expected with it enabled. Streaming endpoints require keepalive
# functionality added in HTTP/1.1. As such, we enable HTTP/1.1 here
# while maintaining backwards compatibility.
include common/http-11.conf;
# Disable buffering to support streaming endpoints
include common/disable-request-response-buffering.conf;
# Scheme is expected to be part of $agentaddr -- confirm against agent.lua.
proxy_pass $agentaddr:$agentport;
}
# Group: Service
# Description: Redirect to add trailing slash
# Visibility: hidden
# Unlike the agent redirect this is an external 301: the relative target
# /service/<id>/ is turned into an absolute Location by nginx.
location ~ ^/service/(?<serviceid>[0-9a-zA-Z-.]+)$ {
# Append slash and 301-redirect.
rewrite ^/service/(.*)$ /service/$1/ permanent;
}
# Group: Service
# Description: Proxy to services running on DC/OS
# $serviceid is restricted to [0-9a-zA-Z-.]; the rest of the path is
# forwarded to whatever URL service.lua resolves for that id.
location ~ ^/service/(?<serviceid>[0-9a-zA-Z-.]+)/(?<url>.*) {
set $serviceurl '';
set $servicescheme '';
access_by_lua 'auth.validate_jwt_or_exit()';
more_clear_input_headers Accept-Encoding;
rewrite ^/service/[0-9a-zA-Z-.]+/?.*$ /$url break;
# Fills $serviceurl/$servicescheme for $serviceid (not visible here).
# NOTE(review): this runs in the rewrite phase, i.e. before the access
# phase JWT check above -- the service lookup is performed for
# unauthenticated requests as well.
rewrite_by_lua_file conf/master/service.lua;
include common/proxy-headers.conf;
proxy_pass $serviceurl;
# Keep backend redirects under /service/<id>/ (most specific first).
proxy_redirect $servicescheme://$host/service/$serviceid/ /service/$serviceid/;
proxy_redirect $servicescheme://$host/ /service/$serviceid/;
proxy_redirect / /service/$serviceid/;
# Disable buffering to allow real-time protocols
proxy_buffering off;
# Support web sockets and SPDY upgrades
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): "Connection: upgrade" is sent to the backend on every
# request, including plain ones with no Upgrade header. The usual pattern is
# a `map $http_upgrade $connection_upgrade` at http level so non-WebSocket
# requests get "close" instead; left as-is because the map lives outside
# this location.
proxy_set_header Connection "upgrade";
}
# Group: Metadata
# Description: Public IP and Cluster ID
# Backend: Admin Router
# Served by Lua inside nginx (no upstream); token-protected.
location /metadata {
access_by_lua 'auth.validate_jwt_or_exit()';
content_by_lua_file conf/master/metadata.lua;
}
# TODO: split this into its own file
# Group: Metadata
# Description: DC/OS GUI configuration
# NOTE(review): unauthenticated proxy to the auth service, but -- unlike the
# neighbouring dcos-version.json -- not labelled as such. Presumably the UI
# needs it before login; confirm, and document it as "(unauthenticated)".
# This exact-looking path is a prefix match: /dcos-metadata/ui-config.json.bak
# would also reach the backend unauthenticated.
location /dcos-metadata/ui-config.json {
include common/proxy-headers.conf;
proxy_pass http://auth;
}
# Group: Metadata
# Description: DC/OS version (unauthenticated)
# Static file served from disk; intentionally open so the UI can read the
# version before login. Version disclosure to unauthenticated clients is the
# accepted trade-off here.
location /dcos-metadata/dcos-version.json {
# Allow non-authed access for the UI.
alias /opt/mesosphere/active/dcos-metadata/etc/dcos-version.json;
}
# Group: Metadata
# Description: DC/OS metadata
# Token-protected static directory: every file under etc/ becomes readable
# at /dcos-metadata/<name>. Location and alias both end in a slash, so the
# classic alias off-by-slash traversal does not apply here.
location /dcos-metadata/ {
access_by_lua 'auth.validate_jwt_or_exit()';
alias /opt/mesosphere/active/dcos-metadata/etc/;
}
# Group: Marathon
# Description: Redirect to add trailing slash
# Deprecated: Use `/service/marathon/`
# Visibility: hidden
# Unauthenticated redirect; reflects the client's Host header via $http_host.
location = /marathon {
rewrite ^/marathon$ $scheme://$http_host/marathon/ permanent;
}
# Group: Marathon
# Deprecated: Use `/service/marathon/`
# Direct proxy to Marathon's REST API (can create/destroy applications),
# kept for backwards compatibility with the same token check as /service/.
location /marathon/ {
# Enforce access restriction. Auth-wise, treat /marathon*
# equivalently to /service/marathon*.
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://marathon/;
}
# Group: Pkgpanda
# Description: List the active Pkgpanda packages
# Token-protected static file; listed before the /pkgpanda/ proxy below and
# wins over it as the longer prefix.
location /pkgpanda/active.buildinfo.full.json {
access_by_lua 'auth.validate_jwt_or_exit()';
# Note: this add_header replaces any add_header inherited from the server
# level for this location (nginx add_header inheritance rule).
add_header Cache-Control "no-cache";
alias /opt/mesosphere/active.buildinfo.full.json;
}
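# Group: History
# Description: Cluster state history (leader.mesos:15055)
# Token-protected proxy to the history service.
location /dcos-history-service/ {
access_by_lua 'auth.validate_jwt_or_exit()';
# Every other proxied location in this file forwards the common proxy
# headers; this one did not, so the history service saw the request
# without the originating client information those headers carry, which
# hurts backend-side logging and incident review. Added for consistency.
include common/proxy-headers.conf;
proxy_pass http://dcos_history_service/;
}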
# Group: Mesos DNS
# Description: Redirect to add trailing slash
# Visibility: hidden
# Unauthenticated redirect; reflects the client's Host header via $http_host.
location = /mesos_dns {
rewrite ^/mesos_dns$ $scheme://$http_host/mesos_dns/ permanent;
}
# Group: Mesos DNS
# Description: Mesos DNS HTTP interface (service discovery records)
# Token-protected; exposes the cluster's service/host records.
location /mesos_dns/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://mesos_dns/;
}
# Group: Pkgpanda
# Description: DC/OS component package management
# Token-protected. The `pkgpanda` upstream is not defined in this file;
# presumably it comes from common/http.conf -- verify it exists, otherwise
# nginx will refuse to load the configuration.
location /pkgpanda/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://pkgpanda/;
# Fold backend redirects to its root back under /pkgpanda/.
proxy_redirect http://$http_host/ /pkgpanda/;
}
# Group: System
# Description: Component service status
# Token-protected proxy to the diagnostics service (dddt, loopback).
# Prefix match: /system/health/v1 and anything below it.
location /system/health/v1 {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://dddt;
}
# Group: System
# Description: Node, component service, and container (task) logs
# Token-protected. Logs can contain secrets leaked by workloads; keep this
# behind the JWT check. The `log` upstream is not defined in this file
# (presumably common/http.conf) -- verify it exists.
location /system/v1/logs/v1/ {
access_by_lua 'auth.validate_jwt_or_exit()';
# HTTP/1.1 for long-lived streaming log responses.
include common/http-11.conf;
include common/proxy-headers.conf;
proxy_pass http://log/;
}
# Group: System
# Description: Node, container, and application metrics
# Token-protected proxy to the metrics service over its unix socket.
location /system/v1/metrics/ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/proxy-headers.conf;
proxy_pass http://metrics/;
}
# Group: System
# Description: System proxy to the master node with the Mesos leader
# Forwards to the admin router on the leading master (port 80, plaintext)
# and re-roots the request under /system/v1 there.
location ~ ^/system/v1/leader/mesos(?<url>.*)$ {
access_by_lua 'auth.validate_jwt_or_exit()';
include common/http-11.conf;
include common/proxy-headers.conf;
# NOTE(review): $url is captured from the already percent-decoded $uri and,
# because proxy_pass contains variables, is placed in the upstream request
# line without re-escaping. Worth confirming that decoded whitespace or
# control characters cannot reach the upstream request line this way.
proxy_pass http://leader.mesos/system/v1$url$is_args$query_string;
}
# Group: System
# Description: System proxy to the master node with the Marathon leader
location ~ ^/system/v1/leader/marathon(?<url>.*)$ {
access_by_lua 'auth.validate_jwt_or_exit()';
set $mleader_host '';
# Resolves the current Marathon leader into $mleader_host (not visible
# here). Runs in the rewrite phase, i.e. before the access-phase token
# check above, regardless of the order written here.
rewrite_by_lua_file conf/master/marathon-leader.lua;
include common/http-11.conf;
include common/proxy-headers.conf;
# Same unescaped-$url caveat as the mesos leader proxy.
proxy_pass $mleader_host/system/v1$url$is_args$query_string;
}
# Group: System
# Description: System proxy to a specific agent node
# Only the logs and metrics sub-APIs of an agent are reachable this way;
# $type is constrained to exactly those two prefixes by the regex.
location ~ ^/system/v1/agent/(?<agentid>[0-9a-zA-Z-]+)(?<type>(/logs/v1|/metrics/v0))(?<url>.*)$ {
access_by_lua 'auth.validate_jwt_or_exit()';
set $agentaddr '';
# Maps $agentid to $agentaddr (not visible here); rewrite phase, so it runs
# before the token check above.
rewrite_by_lua_file conf/master/agent.lua;
# Inert: $uri always begins with /system/v1/agent/ in this location, so the
# ^/agent/ pattern can never match, and proxy_pass below builds the upstream
# URI explicitly anyway. Safe to delete.
rewrite ^/agent/[0-9a-zA-Z-]+(.*)$ $1 break;
more_clear_input_headers Accept-Encoding;
include common/http-11.conf;
include common/proxy-headers.conf;
# Agent-side admin router on a fixed port; the scheme is expected to be part
# of $agentaddr -- confirm against agent.lua. Same unescaped-$url caveat as
# the leader proxies.
proxy_pass $agentaddr:61001/system/v1$type$url$is_args$query_string;
}
}
}