From ac582c7cbf919350315d0f266123a802b4070ab1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 15:23:58 +0000 Subject: [PATCH 01/19] Upgrade Docker base image to nginx 1.31.0 Agent-Logs-Url: https://github.com/kbase/nginx/sessions/15ed0885-1c16-4a82-8a8d-1fa8dfbe5da3 Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index fd42788..2d468bd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM openresty/openresty:buster +FROM nginx:1.31.0 # These ARGs values are passed in via the docker build command ARG BUILD_DATE @@ -11,13 +11,10 @@ COPY deployment/ /kb/deployment/ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ - software-properties-common ca-certificates apt-transport-https curl net-tools wget + ca-certificates curl net-tools wget -RUN rm -rf /etc/nginx && \ - ln -s /usr/local/openresty/nginx/conf /etc/nginx && \ - cd /etc/nginx && \ - mkdir ssl /var/log/nginx && \ - mkdir /usr/local/openresty/nginx/conf/conf.d && \ +RUN cd /etc/nginx && \ + mkdir -p ssl /var/log/nginx sites-enabled conf.d && \ openssl req -x509 -newkey rsa:4096 -keyout ssl/key.pem -out ssl/cert.pem -days 365 -nodes \ -subj '/C=US/ST=California/L=Berkeley/O=Lawrence Berkeley National Lab/OU=KBase/CN=localhost' && \ cd /tmp && \ @@ -26,7 +23,7 @@ RUN rm -rf /etc/nginx && \ rm dockerize-linux-amd64-v0.6.1.tar.gz && \ mv dockerize /kb/deployment/bin -COPY nginx-sites.d/ /usr/local/openresty/nginx/conf/sites-enabled +COPY nginx-sites.d/ /etc/nginx/sites-enabled # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to From d8f8ee6a5a3410a508da4fe64f690712cc74af1f Mon Sep 17 00:00:00 2001 
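Review bot: The `openssl req -x509 ... -keyout ssl/key.pem -out ssl/cert.pem` step in the new `RUN cd /etc/nginx && mkdir -p ...` line writes a private key into an image layer, so every registry push of this image ships that key alongside the certificate. Generating the placeholder pair at container start, or mounting real certificates (the site configs already reference /etc/letsencrypt paths), keeps key material out of the image; the same step is carried forward unchanged by the Dockerfile hunks of patches 03 and 05. The `apt-get install -y` line above it also has no `--no-install-recommends`, no `rm -rf /var/lib/apt/lists/*` in the same layer and no version pins, and `RUN cd /etc/nginx && ...` would be clearer as `WORKDIR /etc/nginx`. The RUN instruction continues past the end of the hunk.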
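Review bot: The context lines `rm dockerize-linux-amd64-v0.6.1.tar.gz && mv dockerize /kb/deployment/bin` show a dockerize 0.6.1 tarball being unpacked into the image, but the fetch itself sits between the two hunks and is not shown; if it is a plain wget/curl with no digest comparison, the build trusts whatever that URL serves at build time. A `sha256sum -c` against a pinned digest before extraction (or `ADD --checksum=sha256:<expected-digest>` under BuildKit), together with a current dockerize release, would make the step reproducible. The RUN instruction that contains this line starts before the hunk.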
From: bio-boris
Date: Thu, 14 May 2026 10:36:41 -0500
Subject: [PATCH 02/19] Add managed build workflow for CI/CD
---
 .github/workflows/managed_build.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/workflows/managed_build.yaml
diff --git a/.github/workflows/managed_build.yaml b/.github/workflows/managed_build.yaml
new file mode 100644
index 0000000..36c2ade
--- /dev/null
+++ b/.github/workflows/managed_build.yaml
@@ -0,0 +1,15 @@
+name: Build, Publish and Scan (Managed)
+on:
+ workflow_dispatch:
+ push:
+ branches: ["main", "master", "develop"]
+ pull_request:
+ branches: ["main", "master", "develop"]
+ release:
+ types: [published]
+jobs:
+ build-publish-scan:
+ uses: BERDataLakehouse/.github/.github/workflows/build_publish_scan.yaml@main
+ permissions:
+ contents: read
+ packages: write
From 3f420b4cbf42745bd6ee35b2ee7edf1b96e90fa7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 15:49:37 +0000
Subject: [PATCH 03/19] Update plan: remove unused minikb template rendering
Agent-Logs-Url: https://github.com/kbase/nginx/sessions/5fe01df0-25e8-4876-b562-a53c8d76cf36
Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com>
---
 Dockerfile | 8 +++++---
 deployment/conf/.templates/minikb-narrative.templ | 4 +---
 nginx-sites.d/appdev-narrative | 5 ++---
 nginx-sites.d/ci-narrative | 5 +----
 nginx-sites.d/next-narrative | 6 ++----
 nginx-sites.d/prod-narrative | 3 +--
 6 files changed, 12 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2d468bd..3cf49c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM nginx:1.31.0
+FROM openresty/openresty:1.29.2.3-bookworm-fat
 # These ARGs values are passed in via the docker build command
 ARG BUILD_DATE
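Review bot: `uses: BERDataLakehouse/.github/.github/workflows/build_publish_scan.yaml@main` pins the reusable workflow to a mutable branch, so anyone who can push to that repository's main can change what runs here with `packages: write` on every push, pull request and release of this repo. Pin to a full commit SHA and record the version in a trailing comment, e.g. `uses: BERDataLakehouse/.github/.github/workflows/build_publish_scan.yaml@<full-commit-sha> # <tag>`, and bump it deliberately (Dependabot can track `uses:` refs). With the `pull_request` trigger included, it is also worth confirming that the called workflow does not publish for PR builds, since its handling of untrusted PRs is not visible in this patch.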
@@ -13,7 +13,9 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y \ ca-certificates curl net-tools wget -RUN cd /etc/nginx && \ +RUN rm -rf /etc/nginx && \ + ln -s /usr/local/openresty/nginx/conf /etc/nginx && \ + cd /etc/nginx && \ mkdir -p ssl /var/log/nginx sites-enabled conf.d && \ openssl req -x509 -newkey rsa:4096 -keyout ssl/key.pem -out ssl/cert.pem -days 365 -nodes \ -subj '/C=US/ST=California/L=Berkeley/O=Lawrence Berkeley National Lab/OU=KBase/CN=localhost' && \ @@ -23,7 +25,7 @@ RUN cd /etc/nginx && \ rm dockerize-linux-amd64-v0.6.1.tar.gz && \ mv dockerize /kb/deployment/bin -COPY nginx-sites.d/ /etc/nginx/sites-enabled +COPY nginx-sites.d/ /usr/local/openresty/nginx/conf/sites-enabled # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to diff --git a/deployment/conf/.templates/minikb-narrative.templ b/deployment/conf/.templates/minikb-narrative.templ index 9a7c08d..526cc3f 100644 --- a/deployment/conf/.templates/minikb-narrative.templ +++ b/deployment/conf/.templates/minikb-narrative.templ @@ -162,7 +162,7 @@ server { # limit_req_zone $1 zone=shockapi:10m rate=1r/m; server { - listen 443; + listen 443 ssl; server_name {{ default .Env.server_name "localhost" }} # this resolver is the internal rancher resolver @@ -178,7 +178,6 @@ server { # added kkeller 30sep2015 for kbase-2777 proxy_request_buffering off; - ssl on; # Letsencrypt generated certs ssl_certificate {{ default .Env.ssl_certificate "/kb/deployment/conf/localhost.crt" }}; ssl_certificate_key {{ default .Env.ssl_certificate_key "/kb/deployment/conf/localhost.key" }}; @@ -295,4 +294,3 @@ server { } # End of https server block - diff --git a/nginx-sites.d/appdev-narrative b/nginx-sites.d/appdev-narrative index 0a03a16..674d88a 100644 --- a/nginx-sites.d/appdev-narrative +++ b/nginx-sites.d/appdev-narrative 
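Review bot: `server_name {{ default .Env.server_name "localhost" }}` on the context line right after the new `listen 443 ssl;` in minikb-narrative.templ has no terminating `;`, so nginx would read the following `resolver ...` tokens up to the next semicolon as additional server names instead of as a resolver directive. Changing the line to `server_name {{ default .Env.server_name "localhost" }};` fixes it; the file is deleted later in this series (patch 06), so this only matters if that commit is dropped. The server block continues past the hunk.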
@@ -120,7 +120,7 @@ server { resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; server { - listen 443; + listen 443 ssl; server_name appdev.kbase.us localhost; @@ -133,7 +133,6 @@ server { # added kkeller 30sep2015 for kbase-2777 proxy_request_buffering off; - ssl on; # Letsencrypt generated certs ssl_certificate /etc/letsencrypt/live/appdev.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/appdev.kbase.us/privkey.pem; @@ -441,4 +440,4 @@ server { } -# End of https appdev server block \ No newline at end of file +# End of https appdev server block diff --git a/nginx-sites.d/ci-narrative b/nginx-sites.d/ci-narrative index 271b051..253bc3c 100644 --- a/nginx-sites.d/ci-narrative +++ b/nginx-sites.d/ci-narrative @@ -124,7 +124,7 @@ server { resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; server { - listen 443; + listen 443 ssl; server_name ci.kbase.us localhost; # taken from next-www @@ -136,7 +136,6 @@ server { # added kkeller 30sep2015 for kbase-2777 proxy_request_buffering off; - ssl on; # Letsencrypt generated certs ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; @@ -503,7 +502,6 @@ server { listen 443 ssl; server_name dockerhub-ci.kbase.us; - ssl on; # letsencrypt certs ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; @@ -535,7 +533,6 @@ server { listen 443 ssl; server_name dockerhub-ciauth2.kbase.us; - ssl on; #ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; ssl_certificate /etc/nginx/ssl/server.chained.crt; diff --git a/nginx-sites.d/next-narrative b/nginx-sites.d/next-narrative index 55f8707..2be5bea 100644 --- a/nginx-sites.d/next-narrative +++ b/nginx-sites.d/next-narrative 
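Review bot: In the `dockerhub-ciauth2.kbase.us` server block (the `@@ -535,7 +533,6 @@` hunk of ci-narrative) the context line `ssl_certificate /etc/nginx/ssl/server.chained.crt;` points into the `ssl/` directory that this patch's Dockerfile populates only with the self-signed `cert.pem`/`key.pem`, so unless `server.chained.crt` and its key are mounted at runtime the config fails to load, as it presumably did before this change as well. Either point this block at the same letsencrypt paths its sibling blocks use, or document the required mount next to the directive, e.g. `# server.chained.crt and its key come from a runtime mount, not from the image`. The server block continues past the hunk.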
@@ -140,7 +140,7 @@ server { resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; server { - listen 443; + listen 443 ssl; server_name next.kbase.us localhost; # taken from next-www @@ -152,7 +152,6 @@ server { # added kkeller 30sep2015 for kbase-2777 proxy_request_buffering off; - ssl on; # Letsencrypt generated certs ssl_certificate /etc/letsencrypt/live/next.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/next.kbase.us/privkey.pem; @@ -473,7 +472,6 @@ server { listen 443 ssl; server_name dockerhub-next.kbase.us; - ssl on; ssl_certificate /etc/letsencrypt/live/next.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/next.kbase.us/privkey.pem; ssl_session_timeout 5m; @@ -501,4 +499,4 @@ server { proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto $scheme; } -} \ No newline at end of file +} diff --git a/nginx-sites.d/prod-narrative b/nginx-sites.d/prod-narrative index 4d690da..f827e30 100644 --- a/nginx-sites.d/prod-narrative +++ b/nginx-sites.d/prod-narrative @@ -54,7 +54,7 @@ server { # HTTPS server # server { - listen 443; + listen 443 ssl; server_name localhost narrative narrative.kbase.us; # Setup a DNS resolver # kkeller 13jul2017: should not need the rancher resolver here @@ -62,7 +62,6 @@ server { # try putting the docker resolver here # resolver 172.0.0.11; - ssl on; # Letsencrypt generated certs ssl_certificate /etc/letsencrypt/live/narrative.kbase.us/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/narrative.kbase.us/privkey.pem; From 10ffcba10f39686e769ca2bdd7c610bb0b7dc300 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 15:53:00 +0000 Subject: [PATCH 04/19] Remove unused minikb template path and static-template remnants Agent-Logs-Url: https://github.com/kbase/nginx/sessions/5fe01df0-25e8-4876-b562-a53c8d76cf36 Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 1 - deployment/conf/localhost.ini | 2 +- nginx-sites.d/appdev-narrative | 3 +-- nginx-sites.d/ci-narrative | 3 +-- nginx-sites.d/next-narrative | 3 +-- nginx-sites.d/prod-narrative | 1 - 6 files changed, 4 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3cf49c2..9a0a97b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -43,7 +43,6 @@ ENTRYPOINT [ "/kb/deployment/bin/dockerize" ] # Here are some default params passed to dockerize. They would typically # be overidden by docker-compose at startup CMD [ "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf", \ - "-template", "/kb/deployment/conf/.templates/minikb-narrative.templ:/etc/nginx/sites-enabled/minikb-narrative", \ "-env", "/kb/deployment/conf/localhost.ini", \ "-stdout", "/var/log/nginx/access.log", \ "-stdout", "/var/log/nginx/error.log", \ diff --git a/deployment/conf/localhost.ini b/deployment/conf/localhost.ini index 1a38fad..fd6ec03 100644 --- a/deployment/conf/localhost.ini +++ b/deployment/conf/localhost.ini @@ -1 +1 @@ -nginx_site_cfg=minikb-narrative +nginx_site_cfg=ci-narrative diff --git a/nginx-sites.d/appdev-narrative b/nginx-sites.d/appdev-narrative index 674d88a..86e5d17 100644 --- a/nginx-sites.d/appdev-narrative +++ b/nginx-sites.d/appdev-narrative @@ -75,7 +75,6 @@ server { # Proxy for the nginx remote api server { listen 127.0.0.1:65000; - ssl off; auth_basic_user_file /etc/nginx/htpasswd; location / { 
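Review bot: The server block at `listen 127.0.0.1:65000;` that the appdev-narrative hunk edits carries `auth_basic_user_file /etc/nginx/htpasswd;` but no `auth_basic` directive, and `auth_basic` defaults to off, so the user file alone enforces nothing unless `auth_basic` is set in an enclosing scope not shown here. Since this block fronts the Docker remote API (the minikb template deleted in patch 06 shows the same block proxying `http://unix:/var/run/docker.sock:/`), adding `auth_basic "nginx remote api";` beside the user-file line closes that gap, or the block can go if the socket is no longer mounted. The same block appears in the ci-narrative, next-narrative and prod-narrative hunks of this patch. The server block continues past the hunk.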
@@ -117,7 +116,7 @@ server { # # this resolver is the internal rancher resolver - define it in the http scope. -resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; +resolver 169.254.169.250 valid=5s ipv6=off; server { listen 443 ssl; diff --git a/nginx-sites.d/ci-narrative b/nginx-sites.d/ci-narrative index 253bc3c..885a343 100644 --- a/nginx-sites.d/ci-narrative +++ b/nginx-sites.d/ci-narrative @@ -73,7 +73,6 @@ server { # Proxy for the nginx remote api server { listen 127.0.0.1:65000; - ssl off; auth_basic_user_file /etc/nginx/htpasswd; location / { @@ -121,7 +120,7 @@ server { # this resolver is the internal rancher resolver # see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 -resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; +resolver 169.254.169.250 valid=5s ipv6=off; server { listen 443 ssl; diff --git a/nginx-sites.d/next-narrative b/nginx-sites.d/next-narrative index 2be5bea..f980344 100644 --- a/nginx-sites.d/next-narrative +++ b/nginx-sites.d/next-narrative @@ -91,7 +91,6 @@ server { # Proxy for the nginx remote api server { listen 127.0.0.1:65000; - ssl off; auth_basic_user_file /etc/nginx/htpasswd; location / { @@ -137,7 +136,7 @@ server { # this resolver is the internal rancher resolver, define it in the http scope to ensure # that it is inherited in location blocks nested in the server block # see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 -resolver {{ default .Env.resolver "169.254.169.250" }} valid=5s ipv6=off; +resolver 169.254.169.250 valid=5s ipv6=off; server { listen 443 ssl; diff --git a/nginx-sites.d/prod-narrative b/nginx-sites.d/prod-narrative index f827e30..6998cf0 100644 --- a/nginx-sites.d/prod-narrative +++ b/nginx-sites.d/prod-narrative @@ -265,7 +265,6 @@ server { # Proxy for the nginx remote api server { listen 127.0.0.1:65000; - ssl off; auth_basic_user_file /etc/nginx/htpasswd; location / { 
From 5a9fbb7f5f453f36caaced39812603313c751ab6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 14 May 2026 15:54:33 +0000
Subject: [PATCH 05/19] Clarify log directory creation in Dockerfile
Agent-Logs-Url: https://github.com/kbase/nginx/sessions/5fe01df0-25e8-4876-b562-a53c8d76cf36
Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com>
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9a0a97b..ddc41fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,8 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
 RUN rm -rf /etc/nginx && \
 ln -s /usr/local/openresty/nginx/conf /etc/nginx && \
 cd /etc/nginx && \
- mkdir -p ssl /var/log/nginx sites-enabled conf.d && \
+ mkdir -p ssl sites-enabled conf.d && \
+ mkdir -p /var/log/nginx && \
 openssl req -x509 -newkey rsa:4096 -keyout ssl/key.pem -out ssl/cert.pem -days 365 -nodes \
 -subj '/C=US/ST=California/L=Berkeley/O=Lawrence Berkeley National Lab/OU=KBase/CN=localhost' && \
 cd /tmp && \
From 2dbc05522044bec3176e45b4dff056130f2c4aa6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:01:28 +0000 Subject: [PATCH 06/19] Rebase nginx runtime on OpenResty and remove template/hook config pipeline Agent-Logs-Url: https://github.com/kbase/nginx/sessions/cc9cc014-1f13-496d-bd5a-0c36cdd37c84 Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 7 +- Makefile | 2 +- hooks/build => build-image.sh | 0 .../conf/.templates/minikb-narrative.templ | 296 ------------------ .../conf/.templates/openresty.conf.templ | 91 ------ deployment/conf/openresty.conf | 87 +++++ .../conf/sites-enabled}/appdev-narrative | 0 .../conf/sites-enabled}/ci-narrative | 0 .../conf/sites-enabled}/next-narrative | 0 .../conf/sites-enabled}/prod-narrative | 0 10 files changed, 91 insertions(+), 392 deletions(-) rename hooks/build => build-image.sh (100%) delete mode 100644 deployment/conf/.templates/minikb-narrative.templ delete mode 100644 deployment/conf/.templates/openresty.conf.templ create mode 100644 deployment/conf/openresty.conf rename {nginx-sites.d => deployment/conf/sites-enabled}/appdev-narrative (100%) rename {nginx-sites.d => deployment/conf/sites-enabled}/ci-narrative (100%) rename {nginx-sites.d => deployment/conf/sites-enabled}/next-narrative (100%) rename {nginx-sites.d => deployment/conf/sites-enabled}/prod-narrative (100%) diff --git a/Dockerfile b/Dockerfile index ddc41fc..9a1d809 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,8 @@ RUN rm -rf /etc/nginx && \ rm dockerize-linux-amd64-v0.6.1.tar.gz && \ mv dockerize /kb/deployment/bin -COPY nginx-sites.d/ /usr/local/openresty/nginx/conf/sites-enabled +COPY deployment/conf/sites-enabled/ /usr/local/openresty/nginx/conf/sites-enabled +COPY deployment/conf/openresty.conf /usr/local/openresty/nginx/conf/nginx.conf # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to 
@@ -43,8 +44,6 @@ ENTRYPOINT [ "/kb/deployment/bin/dockerize" ] # Here are some default params passed to dockerize. They would typically # be overidden by docker-compose at startup -CMD [ "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf", \ - "-env", "/kb/deployment/conf/localhost.ini", \ - "-stdout", "/var/log/nginx/access.log", \ +CMD [ "-stdout", "/var/log/nginx/access.log", \ "-stdout", "/var/log/nginx/error.log", \ "nginx" ] diff --git a/Makefile b/Makefile index 4985033..ad5030f 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ NAME := "kbase/nginx:$(BRANCH)" all: docker_image docker_image: - IMAGE_NAME=$(NAME) hooks/build + IMAGE_NAME=$(NAME) ./build-image.sh push_image: IMAGE_NAME=$(NAME) ./push2dockerhub.sh diff --git a/hooks/build b/build-image.sh similarity index 100% rename from hooks/build rename to build-image.sh diff --git a/deployment/conf/.templates/minikb-narrative.templ b/deployment/conf/.templates/minikb-narrative.templ deleted file mode 100644 index 526cc3f..0000000 --- a/deployment/conf/.templates/minikb-narrative.templ +++ /dev/null 
@@ -1,296 +0,0 @@ -# Setup a DNS resolver in the http scope, not the server scope -resolver {{ default .Env.resolver "127.0.0.11" }} valid=5s ipv6=off; - -server { - root /kb/deployment; - index home.html home.shtml; - - # Name of this site - server_name {{ default .Env.server_name "localhost" }}; - - location / { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - - #auth_basic "KBase Dev Website"; - #auth_basic_user_file htpasswd; - return 301 https://ci.kbase.us$request_uri; - } - - # This is for letsencrypt - location ^~ /.well-known { - root /certs/; - allow all; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - location ^~ /narrative_shutdown { - allow 127.0.0.1; - allow 172.17.0.0/16; - default_type 'application/json'; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - location ^~ /data_source_config.json { - set $proxyhost narrative_version; - proxy_pass http://$proxyhost:80/data_source_config.json; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto 
$scheme; - } - location ^~ /(narrative_version) { - proxy_pass http://$1:80/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic service rule. This usees rancher DNS names to redirect - location ~ /dynserv/([^/\.\:]+)/(.*) { - proxy_pass http://$1:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Anything under services gets proxied to the servicename port 80 - location ~ /services/([^/\.\:]+)/?(.*) { - proxy_pass http://$1:8080/$2; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Grandfathered entry for kbase-ui as root - location ~ /?(.*) { - proxy_pass http://kbase-ui:8080/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } -} - -# Proxy for the nginx remote api -server { - listen 127.0.0.1:65000; - ssl off; - - auth_basic_user_file /etc/nginx/htpasswd; - location / { - proxy_pass http://unix:/var/run/docker.sock:/; - } -} - -# Proxy for globus online - non-blocking lua code doesn't handle https, so -# we build an internal proxy to the Globus Nexus API endpoint -server { - listen 127.0.0.1:65001; - - location / { - proxy_pass https://nexus.api.globusonline.org/; - proxy_set_header Host nexus.api.globusonline.org; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} - -# Proxy added to support narrative -server { - listen 127.0.0.1:65002; - location ~ /(.*) { - resolver 8.8.8.8 valid=5s; - set $auth "127.0.0.1/services/auth"; - proxy_pass 
https://$auth/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_intercept_errors on; - error_page 301 302 307 = @handle_redirect; - } - location @handle_redirect { - resolver 8.8.8.8 valid=5s; - set $saved_redirect_loc '$upstream_http_location'; - proxy_pass $saved_redirect_loc; - } -} - - -# Main HTTPS server. This handles services and the narrative plus other stuff -# -# XXX the rate below is 1r/m because that's the slowest that this version of nginx will allow -# there is a patch to support tth which would allow one request every 16 minutes -# may no longer need this -# limit_req_zone $1 zone=shockapi:10m rate=1r/m; - -server { - listen 443 ssl; - server_name {{ default .Env.server_name "localhost" }} - - # this resolver is the internal rancher resolver - # see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 - resolver {{ default .Env.resolver "127.0.0.11" }} valid=5s ipv6=off; - - # taken from next-www - client_max_body_size 100000m; - client_body_temp_path /tmp 1 2; - proxy_max_temp_file_size 0; - proxy_headers_hash_max_size 4096; - proxy_headers_hash_bucket_size 4096; - # added kkeller 30sep2015 for kbase-2777 - proxy_request_buffering off; - - # Letsencrypt generated certs - ssl_certificate {{ default .Env.ssl_certificate "/kb/deployment/conf/localhost.crt" }}; - ssl_certificate_key {{ default .Env.ssl_certificate_key "/kb/deployment/conf/localhost.key" }}; - - ssl_session_timeout 5m; - #ssl_protocols TLSv1; - #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - ssl_prefer_server_ciphers on; - - root /kb/deployment; - index home.html home.shtml; - - access_by_lua_block { - ngx.header["X-kbaseuser"] = proxymgr:get_session() - return - } - - location ^~ /bad_request { - internal; - content_by_lua ' - ngx.log(ngx.ERR, "badrequest") - '; - - return 404; - } - - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base 
'/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - - } - # Shutdown utility - location ^~ /narrative_shutdown { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - - set $uri_base '/narrative_shutdown'; - content_by_lua 'proxymgr:narrative_shutdown()'; - - } - - # Narrative redirect rule - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - location ^~ /data_source_config.json { - set $proxyhost narrative_version; - proxy_pass http://$proxyhost:80/data_source_config.json; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /(narrative_version) { - proxy_pass http://$1:80/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic service rule. 
This usees rancher DNS names to redirect - location ~ /dynserv/([^/\.\:]+)/(.*) { - proxy_pass http://$1:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Anything under services gets proxied to the servicename port 80 - location ~ /services/([^/\.\:]+)/?(.*) { - proxy_pass http://$1:8080/$2; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Grandfathered entry for kbase-ui as root - location ~ /?(.*) { - set $kbaseui kbase-ui; - proxy_pass http://$kbaseui/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - -} -# End of https server block diff --git a/deployment/conf/.templates/openresty.conf.templ b/deployment/conf/.templates/openresty.conf.templ deleted file mode 100644 index 555fe2e..0000000 --- a/deployment/conf/.templates/openresty.conf.templ +++ /dev/null 
@@ -1,91 +0,0 @@ -user {{ default .Env.runuser "root"}}; -daemon off; -error_log /dev/stdout {{ default .Env.loglevel "info" }}; - -worker_processes auto; -pid /run/nginx.pid; - -events { - worker_connections 768; - # multi_accept on; -} - -http { - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - proxy_read_timeout 6000; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - ## - # SSL Settings - ## - - # Dropping SSLv3, ref: POODLE. We may need to drop TLSv1 and 1.1 in the future as well. - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA256'; - - ssl_prefer_server_ciphers on; - ssl_certificate {{ default .Env.sslcertpath "/kb/deployment/conf/localhost.crt"}}; - ssl_certificate_key {{ default .Env.sslcertkeypath "/kb/deployment/conf/localhost.key"}}; - - - ## - # Logging Settings - ## - log_format kbase_combined '$remote_addr - $sent_http_X_kbaseuser [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - - access_log /var/log/nginx/access.log kbase_combined; - error_log /var/log/nginx/error.log {{ default .Env.loglevel "info" }}; -{{ if .Env.syslog_server }} - access_log syslog:server={{ .Env.syslog_server }},facility=local2,tag=ci,severity=info combined; - error_log syslog:server={{ .Env.syslog_server }},facility=local2,tag=ci,severity=info {{ default .Env.loglevel "info" }}; -{{ end }} - ## - # Gzip Settings - ## - - gzip on; - 
gzip_disable "msie6"; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - - ## - # Virtual Host Configs - ## - client_max_body_size 100000m; - client_body_temp_path /tmp 1 2; - proxy_max_temp_file_size 0; - proxy_headers_hash_max_size 4096; - proxy_headers_hash_bucket_size 4096; - # added kkeller 30sep2015 for kbase-2777 - proxy_request_buffering off; - - # added kkeller 03feb2017 for "kernel starting" issue - # see: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#running-behind-a-nginx-proxy - # http://nginx.org/en/docs/http/websocket.html - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - include /etc/nginx/sites-enabled/{{ default .Env.nginx_site_cfg "ci-narrative"}}; - -} diff --git a/deployment/conf/openresty.conf b/deployment/conf/openresty.conf new file mode 100644 index 0000000..806df32 --- /dev/null +++ b/deployment/conf/openresty.conf 
@@ -0,0 +1,87 @@ +user root; +daemon off; +error_log /dev/stdout info; + +worker_processes auto; +pid /run/nginx.pid; + +events { +worker_connections 768; +# multi_accept on; +} + +http { +## +# Basic Settings +## + +sendfile on; +tcp_nopush on; +tcp_nodelay on; +keepalive_timeout 65; +types_hash_max_size 2048; +# server_tokens off; +proxy_read_timeout 6000; + +include /etc/nginx/mime.types; +default_type application/octet-stream; + +## +# SSL Settings +## + +# Dropping SSLv3, ref: POODLE. We may need to drop TLSv1 and 1.1 in the future as well. +ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA256'; + +ssl_prefer_server_ciphers on; +ssl_certificate /kb/deployment/conf/localhost.crt; +ssl_certificate_key /kb/deployment/conf/localhost.key; + +## +# Logging Settings +## +log_format kbase_combined '$remote_addr - $sent_http_X_kbaseuser [$time_local] ' +'"$request" $status $body_bytes_sent ' +'"$http_referer" "$http_user_agent"'; + +access_log /var/log/nginx/access.log kbase_combined; +error_log /var/log/nginx/error.log info; + +## +# Gzip Settings +## + +gzip on; +gzip_disable "msie6"; + +gzip_vary on; +gzip_proxied any; +gzip_comp_level 6; +gzip_buffers 16 8k; +gzip_http_version 1.1; +gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + +## +# Virtual Host Configs +## +client_max_body_size 100000m; +client_body_temp_path /tmp 1 2; +proxy_max_temp_file_size 0; +proxy_headers_hash_max_size 4096; +proxy_headers_hash_bucket_size 4096; 
+# added kkeller 30sep2015 for kbase-2777 +proxy_request_buffering off; + +# added kkeller 03feb2017 for "kernel starting" issue +# see: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#running-behind-a-nginx-proxy +# http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { +default upgrade; +'' close; +} + + include /etc/nginx/sites-enabled/ci-narrative; + +} diff --git a/nginx-sites.d/appdev-narrative b/deployment/conf/sites-enabled/appdev-narrative similarity index 100% rename from nginx-sites.d/appdev-narrative rename to deployment/conf/sites-enabled/appdev-narrative diff --git a/nginx-sites.d/ci-narrative b/deployment/conf/sites-enabled/ci-narrative similarity index 100% rename from nginx-sites.d/ci-narrative rename to deployment/conf/sites-enabled/ci-narrative diff --git a/nginx-sites.d/next-narrative b/deployment/conf/sites-enabled/next-narrative similarity index 100% rename from nginx-sites.d/next-narrative rename to deployment/conf/sites-enabled/next-narrative diff --git a/nginx-sites.d/prod-narrative b/deployment/conf/sites-enabled/prod-narrative similarity index 100% rename from nginx-sites.d/prod-narrative rename to deployment/conf/sites-enabled/prod-narrative From 6e3487ac3fd194972ec251b4422817a3b857e2f1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:04:23 +0000 Subject: [PATCH 07/19] Bump OpenResty base image to 1.31.0.1 Agent-Logs-Url: https://github.com/kbase/nginx/sessions/76c35ff3-6146-40b6-9034-936c512326fd Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9a1d809..cf6f590 100644 --- a/Dockerfile +++ b/Dockerfile 
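Review bot: `user root;` at the top of the new deployment/conf/openresty.conf makes the nginx worker processes, the ones executing the Lua handlers and the loopback proxies, run as root rather than as an unprivileged account, where the template it replaces at least let `runuser` override that default. Prefer `user nobody;` (or a dedicated account created in the Dockerfile) so only the master process keeps root. Further down, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1 and `# server_tokens off;` is left commented out; `ssl_protocols TLSv1.2 TLSv1.3;` and `server_tokens off;` are the usual baseline. The file has also lost the indentation the template had, which makes the nested `events`/`http`/`map` blocks hard to read. This file is removed again in patch 10, but the template restored there (blob 555fe2e, the one deleted in patch 06) carries the same protocol list and the same root default.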
@@ -1,4 +1,4 @@ -FROM openresty/openresty:1.29.2.3-bookworm-fat +FROM openresty/openresty:1.31.0.1-bookworm-fat # These ARGs values are passed in via the docker build command ARG BUILD_DATE From a0274b827d0f2cccc071e79f239ba4feff93e522 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:06:37 +0000 Subject: [PATCH 08/19] Revert unavailable OpenResty 1.31 image tag bump Agent-Logs-Url: https://github.com/kbase/nginx/sessions/76c35ff3-6146-40b6-9034-936c512326fd Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cf6f590..9a1d809 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.31.0.1-bookworm-fat +FROM openresty/openresty:1.29.2.3-bookworm-fat # These ARGs values are passed in via the docker build command ARG BUILD_DATE From 0ab279affa28a031a07d35a7eb99158a41aa3039 Mon Sep 17 00:00:00 2001 From: bio-boris Date: Thu, 14 May 2026 11:19:25 -0500 Subject: [PATCH 09/19] Delete Makefile --- Makefile | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 Makefile diff --git a/Makefile b/Makefile deleted file mode 100644 index ad5030f..0000000 --- a/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# Makefile for KBase specific nginx alpine -# -# Author: Steve Chan sychan@lbl.gov -# - -BRANCH := $(shell git symbolic-ref --short HEAD ) -NAME := "kbase/nginx:$(BRANCH)" - -all: docker_image - -docker_image: - IMAGE_NAME=$(NAME) ./build-image.sh - -push_image: - IMAGE_NAME=$(NAME) ./push2dockerhub.sh From 519f176999810dd77b7ca171e35c60f326030b51 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:24:20 +0000 Subject: [PATCH 10/19] Restore templated openresty config and remove static conf Agent-Logs-Url: https://github.com/kbase/nginx/sessions/40b3f6b6-fcad-4bd0-8096-06eb852f302b Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 2 +- .../conf/.templates/openresty.conf.templ | 91 +++++++++++++++++++ deployment/conf/openresty.conf | 87 ------------------ 3 files changed, 92 insertions(+), 88 deletions(-) create mode 100644 deployment/conf/.templates/openresty.conf.templ delete mode 100644 deployment/conf/openresty.conf diff --git a/Dockerfile b/Dockerfile index 9a1d809..cd05d44 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,7 +27,6 @@ RUN rm -rf /etc/nginx && \ mv dockerize /kb/deployment/bin COPY deployment/conf/sites-enabled/ /usr/local/openresty/nginx/conf/sites-enabled -COPY deployment/conf/openresty.conf /usr/local/openresty/nginx/conf/nginx.conf # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to @@ -46,4 +45,5 @@ ENTRYPOINT [ "/kb/deployment/bin/dockerize" ] # be overidden by docker-compose at startup CMD [ "-stdout", "/var/log/nginx/access.log", \ "-stdout", "/var/log/nginx/error.log", \ + "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf", \ "nginx" ] diff --git a/deployment/conf/.templates/openresty.conf.templ b/deployment/conf/.templates/openresty.conf.templ new file mode 100644 index 0000000..555fe2e --- /dev/null +++ b/deployment/conf/.templates/openresty.conf.templ 
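Review bot: Placing the `-template` rendering in `CMD` makes it overridable, and the comment above the second hunk says `CMD` is meant to be overridden by docker-compose at startup; now that the static `COPY ... nginx.conf` is removed in the first hunk, any override that omits `-template` starts `nginx` with whatever `nginx.conf` the base image ships instead of this project's config. Since rendering the template is not optional, it belongs in the entrypoint: `ENTRYPOINT [ "/kb/deployment/bin/dockerize", "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf" ]`, leaving only the `-stdout` log options and `nginx` in `CMD`. This still relies on `/etc/nginx` resolving to the OpenResty conf directory through the symlink created in the `RUN` step named in the first hunk's header, which is outside this hunk.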
@@ -0,0 +1,91 @@ +user {{ default .Env.runuser "root"}}; +daemon off; +error_log /dev/stdout {{ default .Env.loglevel "info" }}; + +worker_processes auto; +pid /run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + proxy_read_timeout 6000; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + # Dropping SSLv3, ref: POODLE. We may need to drop TLSv1 and 1.1 in the future as well. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA256'; + + ssl_prefer_server_ciphers on; + ssl_certificate {{ default .Env.sslcertpath "/kb/deployment/conf/localhost.crt"}}; + ssl_certificate_key {{ default .Env.sslcertkeypath "/kb/deployment/conf/localhost.key"}}; + + + ## + # Logging Settings + ## + log_format kbase_combined '$remote_addr - $sent_http_X_kbaseuser [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + access_log /var/log/nginx/access.log kbase_combined; + error_log /var/log/nginx/error.log {{ default .Env.loglevel "info" }}; +{{ if .Env.syslog_server }} + access_log syslog:server={{ .Env.syslog_server }},facility=local2,tag=ci,severity=info combined; + error_log syslog:server={{ .Env.syslog_server }},facility=local2,tag=ci,severity=info {{ default .Env.loglevel "info" }}; +{{ end }} + ## + # Gzip Settings + ## + + gzip on; + 
gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + + ## + # Virtual Host Configs + ## + client_max_body_size 100000m; + client_body_temp_path /tmp 1 2; + proxy_max_temp_file_size 0; + proxy_headers_hash_max_size 4096; + proxy_headers_hash_bucket_size 4096; + # added kkeller 30sep2015 for kbase-2777 + proxy_request_buffering off; + + # added kkeller 03feb2017 for "kernel starting" issue + # see: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#running-behind-a-nginx-proxy + # http://nginx.org/en/docs/http/websocket.html + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/sites-enabled/{{ default .Env.nginx_site_cfg "ci-narrative"}}; + +} diff --git a/deployment/conf/openresty.conf b/deployment/conf/openresty.conf deleted file mode 100644 index 806df32..0000000 --- a/deployment/conf/openresty.conf +++ /dev/null 
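Review bot: The `{{ if .Env.syslog_server }}` block writes accesses with the stock `combined` format while the file log on the line above it uses `kbase_combined`, so the `$sent_http_X_kbaseuser` field never reaches syslog; if that field is wanted centrally, the syslog line should also end in `kbase_combined`. The syslog `tag=ci` is hard-coded even though the site is chosen by `{{ default .Env.nginx_site_cfg "ci-narrative"}}`, so non-CI deployments rendered from this template will be tagged `ci`. The `.Env` values are substituted verbatim into directives, so a value containing whitespace or `;` would alter the config rather than fail validation; where those variables come from is outside this patch, so a comment at the top such as `# .Env values are inserted verbatim into directives; keep them to single plain tokens` is the minimum worth adding.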
@@ -1,87 +0,0 @@ -user root; -daemon off; -error_log /dev/stdout info; - -worker_processes auto; -pid /run/nginx.pid; - -events { -worker_connections 768; -# multi_accept on; -} - -http { -## -# Basic Settings -## - -sendfile on; -tcp_nopush on; -tcp_nodelay on; -keepalive_timeout 65; -types_hash_max_size 2048; -# server_tokens off; -proxy_read_timeout 6000; - -include /etc/nginx/mime.types; -default_type application/octet-stream; - -## -# SSL Settings -## - -# Dropping SSLv3, ref: POODLE. We may need to drop TLSv1 and 1.1 in the future as well. -ssl_protocols TLSv1 TLSv1.1 TLSv1.2; -ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA256'; - -ssl_prefer_server_ciphers on; -ssl_certificate /kb/deployment/conf/localhost.crt; -ssl_certificate_key /kb/deployment/conf/localhost.key; - -## -# Logging Settings -## -log_format kbase_combined '$remote_addr - $sent_http_X_kbaseuser [$time_local] ' -'"$request" $status $body_bytes_sent ' -'"$http_referer" "$http_user_agent"'; - -access_log /var/log/nginx/access.log kbase_combined; -error_log /var/log/nginx/error.log info; - -## -# Gzip Settings -## - -gzip on; -gzip_disable "msie6"; - -gzip_vary on; -gzip_proxied any; -gzip_comp_level 6; -gzip_buffers 16 8k; -gzip_http_version 1.1; -gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - - -## -# Virtual Host Configs -## -client_max_body_size 100000m; -client_body_temp_path /tmp 1 2; -proxy_max_temp_file_size 0; -proxy_headers_hash_max_size 4096; -proxy_headers_hash_bucket_size 4096; 
-# added kkeller 30sep2015 for kbase-2777 -proxy_request_buffering off; - -# added kkeller 03feb2017 for "kernel starting" issue -# see: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#running-behind-a-nginx-proxy -# http://nginx.org/en/docs/http/websocket.html -map $http_upgrade $connection_upgrade { -default upgrade; -'' close; -} - - include /etc/nginx/sites-enabled/ci-narrative; - -} From b1cac5b0da52cf0219d6e4428d9064dfcdd3b71d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:26:15 +0000 Subject: [PATCH 11/19] Add dockerize env file loading with restored template config Agent-Logs-Url: https://github.com/kbase/nginx/sessions/40b3f6b6-fcad-4bd0-8096-06eb852f302b Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index cd05d44..92426a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,4 +46,5 @@ ENTRYPOINT [ "/kb/deployment/bin/dockerize" ] CMD [ "-stdout", "/var/log/nginx/access.log", \ "-stdout", "/var/log/nginx/error.log", \ "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf", \ + "-env", "/kb/deployment/conf/localhost.ini", \ "nginx" ] From 1ffbae6b46848679b393d359adb47543e25f82a5 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:27:51 +0000 Subject: [PATCH 12/19] Revert Dockerfile changes per new requirement Agent-Logs-Url: https://github.com/kbase/nginx/sessions/40b3f6b6-fcad-4bd0-8096-06eb852f302b Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 92426a0..9a1d809 100644 --- a/Dockerfile +++ b/Dockerfile 
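Review bot: The added `-env` option points dockerize at `/kb/deployment/conf/localhost.ini`, but this commit changes only the Dockerfile and nothing visible in the series adds that file under `deployment/conf/`, so if it is not already in the repository dockerize will presumably refuse to start instead of falling back to the container environment. The `CMD` also assumes the dockerize v0.6.1 binary fetched in the earlier `RUN` step (outside this hunk) accepts `-env`, which is worth confirming against that release. A one-line comment above the `CMD` naming which template variables the ini file is expected to supply would make the dependency between this file and `openresty.conf.templ` explicit.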
@@ -27,6 +27,7 @@ RUN rm -rf /etc/nginx && \ mv dockerize /kb/deployment/bin COPY deployment/conf/sites-enabled/ /usr/local/openresty/nginx/conf/sites-enabled +COPY deployment/conf/openresty.conf /usr/local/openresty/nginx/conf/nginx.conf # The BUILD_DATE value seem to bust the docker cache when the timestamp changes, move to @@ -45,6 +46,4 @@ ENTRYPOINT [ "/kb/deployment/bin/dockerize" ] # be overidden by docker-compose at startup CMD [ "-stdout", "/var/log/nginx/access.log", \ "-stdout", "/var/log/nginx/error.log", \ - "-template", "/kb/deployment/conf/.templates/openresty.conf.templ:/etc/nginx/nginx.conf", \ - "-env", "/kb/deployment/conf/localhost.ini", \ "nginx" ] From 630536e6f0a0a4cc56758f706488aba3c97506cd Mon Sep 17 00:00:00 2001 From: bio-boris Date: Thu, 14 May 2026 11:29:22 -0500 Subject: [PATCH 13/19] Delete deployment/conf/sites-enabled directory --- .../conf/sites-enabled/appdev-narrative | 442 -------------- deployment/conf/sites-enabled/ci-narrative | 540 ------------------ deployment/conf/sites-enabled/next-narrative | 501 ---------------- deployment/conf/sites-enabled/prod-narrative | 302 ---------- 4 files changed, 1785 deletions(-) delete mode 100644 deployment/conf/sites-enabled/appdev-narrative delete mode 100644 deployment/conf/sites-enabled/ci-narrative delete mode 100644 deployment/conf/sites-enabled/next-narrative delete mode 100644 deployment/conf/sites-enabled/prod-narrative diff --git a/deployment/conf/sites-enabled/appdev-narrative b/deployment/conf/sites-enabled/appdev-narrative deleted file mode 100644 index 86e5d17..0000000 --- a/deployment/conf/sites-enabled/appdev-narrative +++ /dev/null 
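Review bot: The re-added `COPY deployment/conf/openresty.conf /usr/local/openresty/nginx/conf/nginx.conf` in the first hunk refers to a file that PATCH 10 of this series deleted (`delete mode 100644 deployment/conf/openresty.conf`), and this commit's diffstat shows only the Dockerfile changing, so the build fails at this `COPY` unless a later patch restores that file. If the revert is intended, `deployment/conf/openresty.conf` needs to come back in the same commit; otherwise only the two `CMD` lines in the second hunk should be reverted and the `COPY` left out.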
@@ -1,442 +0,0 @@ - -server { - root /kb/deployment; - index home.html home.shtml; - - # Make site accessible from http://localhost/ - server_name appdev.kbase.us; - - # Setup a DNS resolver - resolver 8.8.8.8; - - location / { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - - #auth_basic "KBase Dev Website"; - #auth_basic_user_file htpasswd; - return 301 https://appdev.kbase.us$request_uri; - } - - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } - - # Dynamic proxy manager - location /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - location /narrative_shutdown { - allow 127.0.0.1; - default_type 'application/json'; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:narrative_shutdown()'; - - } - - location /narrative/ { - - default_type 'text/plain'; - error_page 401 /index.html; - - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } -} - -# Proxy for the nginx remote api -server { - listen 127.0.0.1:65000; - - auth_basic_user_file /etc/nginx/htpasswd; - location / { - proxy_pass http://unix:/var/run/docker.sock:/; - } -} - -# Proxy for globus online - non-blocking lua code doesn't handle https, so -# we build an internal proxy to the Globus Nexus API endpoint -server { - listen 127.0.0.1:65001; - - location / { - proxy_pass https://nexus.api.globusonline.org/; 
- proxy_set_header Host nexus.api.globusonline.org; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} - -# Proxy for auth2, see note above -server { - listen 127.0.0.1:65002; - location ~ /(.*) { - resolver 8.8.8.8 valid=5s; - set $auth "kbase.us/services/auth"; - proxy_pass https://$auth/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_intercept_errors on; - error_page 301 302 307 = @handle_redirect; - } - location @handle_redirect { - resolver 8.8.8.8 valid=5s; - set $saved_redirect_loc '$upstream_http_location'; - proxy_pass $saved_redirect_loc; - } -} - -# Main HTTPS server. This handles services and the narrative plus other stuff -# - -# this resolver is the internal rancher resolver - define it in the http scope. -resolver 169.254.169.250 valid=5s ipv6=off; - -server { - listen 443 ssl; - server_name appdev.kbase.us localhost; - - - # taken from next-www - client_max_body_size 100000m; - client_body_temp_path /tmp 1 2; - proxy_max_temp_file_size 0; - proxy_headers_hash_max_size 4096; - proxy_headers_hash_bucket_size 4096; - # added kkeller 30sep2015 for kbase-2777 - proxy_request_buffering off; - - # Letsencrypt generated certs - ssl_certificate /etc/letsencrypt/live/appdev.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/appdev.kbase.us/privkey.pem; - - ssl_session_timeout 5m; - #ssl_protocols TLSv1; - #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - ssl_prefer_server_ciphers on; - - root /kb/deployment; - index home.html home.shtml; - - access_by_lua_block { - ngx.header["X-kbaseuser"] = proxymgr:get_session() - return - } - - - location ~ /dynserv/([^/]+)/(.*) { - set $dynservhost $1; - set $dynservurl $2; - proxy_pass http://$dynservhost:5000/$dynservurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # match urls with 
no slash (to make it behave just like /) - location ~ /dynserv/([^/]+)$ { - proxy_pass http://$1:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - # Shutdown utility - location ^~ /narrative_shutdown { - default_type 'application/json'; - allow 127.0.0.1; - - set $uri_base '/narrative_shutdown'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - # Narrative redirect rule - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - location ^~ /narrativelegacy/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr2:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - 
location ^~ /narrative_version { - set $servhost narrative-version.appdev-core; - set $servport 80; - proxy_pass http://$servhost:$servport/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Start of core service proxies - # - location ^~ /services/auth { - # Use production auth2 - proxy_pass https://kbase.us/services/auth; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ^~ /services/auth/login/start { - root /config/config/auth2hack ; - # total hack - error_page 405 = $uri.html; - } - - location ^~ /services/auth/link/ { - root /config/config/auth2hack ; - # total hack - error_page 405 = $uri.link.html; - } - - location ^~ /services/narrative_method_store { - # Use production NMS - proxy_pass https://kbase.us/services/narrative_method_store; - #proxy_pass http://narrativemethodstore:7125/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ^~ /services/catalog { - # Use production catalog - proxy_pass https://kbase.us/services/catalog; - #proxy_pass http://catalog:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ^~ /services/user_profile { -# proxy_pass http://userprofile:7126/; - # Use production user profile - proxy_pass https://kbase.us/services/user_profile; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header 
X-Forwarded-Proto $scheme; - } - - location ^~ /services/searchapi { - set $servicehost searchapi2.appdev-core; - proxy_pass http://$servicehost:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/searchapi2 { - set $servicehost searchapi2.appdev-core; - proxy_pass http://$servicehost:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/shock-api { - proxy_pass http://shock:7044/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/awe-api { - proxy_pass http://awe:7107/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/userandjobstate { - proxy_pass http://ujs:7083/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/ws { - proxy_pass http://ws:7058/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handlemngr { - proxy_pass http://handlemngr:9001/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handle_service { - 
proxy_pass http://handleservice:7109/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handleservice { - proxy_pass http://handleservice:7109/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/service_wizard { - proxy_pass http://servicewizard:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/njs_wrapper { - proxy_pass http://appdev.kbase.us:8200/; - # maybe rancher dns works? not yet - # proxy_pass http://njswrapper2.appdev-core:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/njsw2 { - proxy_pass http://appdev.kbase.us:8200/; - # maybe rancher dns works? 
not yet - # proxy_pass http://njswrapper2.appdev-core:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/data_import_export { - proxy_pass http://dataimportexport:8200/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/staging_service/ { - proxy_pass http://ftp.kbase.us:3015/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/ { - proxy_pass http://ftp.kbase.us:3002/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/v0/ { - proxy_pass http://ftp.kbase.us:3002/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - # for live kbase-ui container - location ~ /(.*) { - # rancher-managed kbaseui instance, use next time container is recreated - set $servhost kbase-ui.appdev-core; - # temporary measure to work around name resolution issue - # set $servhost 172.17.0.6; - set $servurl $1; - proxy_pass http://$servhost:80/$servurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ~ / { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - } - - 
-} -# End of https appdev server block diff --git a/deployment/conf/sites-enabled/ci-narrative b/deployment/conf/sites-enabled/ci-narrative deleted file mode 100644 index 885a343..0000000 --- a/deployment/conf/sites-enabled/ci-narrative +++ /dev/null 
@@ -1,540 +0,0 @@ -server { - root /kb/deployment; - index home.html home.shtml; - - # Name of this site - server_name ci.kbase.us; - - # Setup a DNS resolver - resolver 8.8.8.8; - - location / { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - - #auth_basic "KBase Dev Website"; - #auth_basic_user_file htpasswd; - return 301 https://ci.kbase.us$request_uri; - } - - # This is for letsencrypt - location ^~ /.well-known { - root /certs/; - allow all; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - location ^~ /narrative_shutdown { - allow 127.0.0.1; - allow 172.17.0.0/16; - default_type 'application/json'; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } -} - -# Proxy for the nginx remote api -server { - listen 127.0.0.1:65000; - - auth_basic_user_file /etc/nginx/htpasswd; - location / { - proxy_pass http://unix:/var/run/docker.sock:/; - } -} - -# Proxy for globus online - non-blocking lua code doesn't handle https, so -# we build an internal proxy to the Globus Nexus API endpoint -server { - listen 127.0.0.1:65001; - - location / { - proxy_pass https://nexus.api.globusonline.org/; - 
proxy_set_header Host nexus.api.globusonline.org; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} - -# Proxy added to support narrative -server { - listen 127.0.0.1:65002; - location ~ /(.*) { - resolver 8.8.8.8 valid=5s; - set $auth "ci.kbase.us/services/auth"; - proxy_pass https://$auth/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_intercept_errors on; - error_page 301 302 307 = @handle_redirect; - } - location @handle_redirect { - resolver 8.8.8.8 valid=5s; - set $saved_redirect_loc '$upstream_http_location'; - proxy_pass $saved_redirect_loc; - } -} - - -# Main HTTPS server. This handles services and the narrative plus other stuff -# -# XXX the rate below is 1r/m because that's the slowest that this version of nginx will allow -# there is a patch to support tth which would allow one request every 16 minutes -# may no longer need this -# limit_req_zone $1 zone=shockapi:10m rate=1r/m; - -# this resolver is the internal rancher resolver -# see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 -resolver 169.254.169.250 valid=5s ipv6=off; - -server { - listen 443 ssl; - server_name ci.kbase.us localhost; - - # taken from next-www - client_max_body_size 100000m; - client_body_temp_path /tmp 1 2; - proxy_max_temp_file_size 0; - proxy_headers_hash_max_size 4096; - proxy_headers_hash_bucket_size 4096; - # added kkeller 30sep2015 for kbase-2777 - proxy_request_buffering off; - - # Letsencrypt generated certs - ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; - # godaddy certs - #ssl_certificate /etc/nginx/ssl/server.chained.crt; - #ssl_certificate_key /etc/nginx/ssl/server.key; - - ssl_session_timeout 5m; - #ssl_protocols TLSv1; - #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - ssl_prefer_server_ciphers on; - - root /kb/deployment; - index home.html home.shtml; - - access_by_lua_block { - 
ngx.header["X-kbaseuser"] = proxymgr:get_session() - return - } - - location ^~ /bad_request { - internal; - content_by_lua ' - ngx.log(ngx.ERR, "badrequest") - '; - - return 404; - } - - ### auth2 - location ^~ /services/auth/ { - proxy_pass http://auth2:8080/; - proxy_cookie_path /login /services/auth/login; - proxy_cookie_path /link /services/auth/link; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Authorization, Content-Type, Accept'; - } - - # Dynamic service rule. This uses rancher DNS names to redirect - # match urls with a / in it - location ~ /dynserv/([^/]+)/(.*) { - # try to address TASK-920 (spaces in URLs, for serving filenames generated - # by tools which use spaces) - # setting explicit vars seems to tell nginx not to mess with the uri - set $dynservhost $1; - set $dynservurl $2; - proxy_pass http://$dynservhost:5000/$dynservurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - # match urls with no slash (to make it behave just like /) - location ~ /dynserv/([^/]+)$ { - proxy_pass http://$1:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - - } - # Shutdown utility - location ^~ /narrative_shutdown { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - - set $uri_base '/narrative_shutdown'; - content_by_lua 'proxymgr:narrative_shutdown()'; - - } - 
- # Narrative redirect rule - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - location ^~ /data_source_config.json { - proxy_pass http://narrative-version:80/data_source_config.json; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /narrative_version { - proxy_pass http://narrative-version:80/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - - location ^~ /services/shock-direct { - if ($kb_trusted) { - return 302 http://ci.kbase.us:7044/; - } - return 404; - } - - # Start of core service proxies - # - location ^~ /services/shock-api { - proxy_pass http://shock:7044/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/userandjobstate { - proxy_pass http://ujs:7083/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(ws)$ { - set $servicehost $1; - proxy_pass 
http://$servicehost:7058/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(ws)/(.*) { - set $servicehost $1; - set $serviceurl $2; - proxy_pass http://$servicehost:7058/$serviceurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handlemngr { - proxy_pass http://handlemngr:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handle_service { - proxy_pass http://handleservice:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handleservice { - proxy_pass http://handleservice:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/narrative_method_store { - proxy_pass http://narrativemethodstore:7125/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/catalog { - proxy_pass http://catalog:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/service_wizard { - proxy_pass http://servicewizard:5000/; - 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(njs_wrapper)$ { - # the hostname is different from the url name - set $servicehost njswrapper; - # condor-based njsw at njswrapper on 8080 - proxy_pass http://$servicehost:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(njs_wrapper)/(.*) { - set $servicehost njswrapper; - set $serviceurl $2; - proxy_pass http://$servicehost:8080/$serviceurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/user_profile { - proxy_pass http://userprofile:7126/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/data_import_export/ { - proxy_pass http://dataimportexport:8200/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(searchapi)$ { - set $servicehost $1; - proxy_pass http://$servicehost:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(searchapi)/(.*) { - set $servicehost $1; - set $serviceurl $2; - proxy_pass http://$servicehost:8080/$serviceurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP 
$remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(search)$ { - set $servicehost $1; - proxy_pass http://$servicehost:7078/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(idmapper)/(.*) { - set $servicehost $1; - set $serviceurl $2; - proxy_pass http://$servicehost:8080/$serviceurl$is_args$args; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ~ /services/(cache)/(.*) { - set $servicehost $1; - set $serviceurl $2; - proxy_pass http://$servicehost:5000/$serviceurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/staging_service/ { - proxy_pass http://ftp.kbase.us:3014/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/v0/ { - proxy_pass http://ftp.kbase.us:3004/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/ { - proxy_pass http://ftp.kbase.us:3004/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/relationengine/ { - proxy_pass http://dev01.kbase.lbl.gov:29999/; - proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } -# IMPORTANT!!!! -# Keep this one at the end so that it only matches if all previous -# regex matches fail -# - location ~ /(.*) { - proxy_pass http://kbase-ui:80/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - -} -# End of https ci server block - -# -# dockerhub-ci entries -# -server { - listen 80; ## listen for ipv4; this line is default and implied - - root /usr/share/nginx/www; - index index.html index.htm; - - server_name dockerhub-ci.kbase.us; - - location / { - limit_except GET HEAD OPTIONS { - # public berkeley ips - allow 128.3.56.0/24; - # private berkeley ips - allow 10.58.0.0/20; - allow 192.168.1.0/24; - # docker internal ips - allow 172.17.0.0/16; - # rancher internal ips - allow 10.42.0.0/16; - deny all; - } - proxy_pass http://ci-dockerregistry:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } -} - -server { - listen 443 ssl; - server_name dockerhub-ci.kbase.us; - - # letsencrypt certs - ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; - ssl_session_timeout 5m; - - location / { - limit_except GET HEAD OPTIONS { - # public berkeley ips - allow 128.3.56.0/24; - # private berkeley ips - allow 10.58.0.0/20; - allow 192.168.1.0/24; - # docker internal ips - allow 172.17.0.0/16; - # rancher internal ips - allow 10.42.0.0/16; - deny all; - } - proxy_pass http://ci-dockerregistry:5000/; - proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } -} - -# dockerhub-ciauth2 (for testing with auth2catalog) -server { - listen 443 ssl; - server_name dockerhub-ciauth2.kbase.us; - - #ssl_certificate /etc/letsencrypt/live/ci.kbase.us/fullchain.pem; - #ssl_certificate_key /etc/letsencrypt/live/ci.kbase.us/privkey.pem; - ssl_certificate /etc/nginx/ssl/server.chained.crt; - ssl_certificate_key /etc/nginx/ssl/server.key; - ssl_session_timeout 5m; -} diff --git a/deployment/conf/sites-enabled/next-narrative b/deployment/conf/sites-enabled/next-narrative deleted file mode 100644 index f980344..0000000 --- a/deployment/conf/sites-enabled/next-narrative +++ /dev/null 
@@ -1,501 +0,0 @@ -server { - root /kb/deployment; - index home.html home.shtml; - - # Make site accessible from http://localhost/ - server_name next.kbase.us; - - # Setup a DNS resolver - resolver 8.8.8.8; - - location / { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - return 301 https://next.kbase.us$request_uri; - } - - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } - - location /basic_stats { - stub_status on; - access_log off; - } - - location ^~ /data_source_config.json { - proxy_pass http://narrative-version:80/data_source_config.json; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ^~ /narrative_version { - proxy_pass http://narrative-version:80/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic proxy manager - location /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.1; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - location /narrative_shutdown { - allow 127.0.0.1; - default_type 'application/json'; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - location /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - 
proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - -} - -# Proxy for the nginx remote api -server { - listen 127.0.0.1:65000; - - auth_basic_user_file /etc/nginx/htpasswd; - location / { - proxy_pass http://unix:/var/run/docker.sock:/; - } -} - -# Proxy for globus online - non-blocking lua code doesn't handle https, so -# we build an internal proxy to the Globus Nexus API endpoint -server { - listen 127.0.0.1:65001; - - location / { - proxy_pass https://nexus.api.globusonline.org/; - proxy_set_header Host nexus.api.globusonline.org; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} - -server { - listen 127.0.0.1:65002; - location ~ /(.*) { - resolver 8.8.8.8 valid=5s; - set $auth "next.kbase.us/services/auth"; - proxy_pass https://$auth/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_intercept_errors on; - error_page 301 302 307 = @handle_redirect; - } - location @handle_redirect { - resolver 8.8.8.8 valid=5s; - set $saved_redirect_loc '$upstream_http_location'; - proxy_pass $saved_redirect_loc; - } -} - -# Main HTTPS server. 
This handles services and the narrative plus other stuff -# -#XXX the rate below is 1r/m because that's the slowest that this version of nginx will allow -#there is a patch to support tth which would allow one request every 16 minutes -#limit_req_zone $1 zone=shockapi:10m rate=1r/s; - -# this resolver is the internal rancher resolver, define it in the http scope to ensure -# that it is inherited in location blocks nested in the server block -# see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 -resolver 169.254.169.250 valid=5s ipv6=off; - -server { - listen 443 ssl; - server_name next.kbase.us localhost; - - # taken from next-www - client_max_body_size 100000m; - client_body_temp_path /tmp 1 2; - proxy_max_temp_file_size 0; - proxy_headers_hash_max_size 4096; - proxy_headers_hash_bucket_size 4096; - # added kkeller 30sep2015 for kbase-2777 - proxy_request_buffering off; - - # Letsencrypt generated certs - ssl_certificate /etc/letsencrypt/live/next.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/next.kbase.us/privkey.pem; - - ssl_session_timeout 5m; - #ssl_protocols TLSv1; - #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - ssl_prefer_server_ciphers on; - - root /kb/deployment; - index home.html home.shtml; - - access_by_lua_block { - ngx.header["X-kbaseuser"] = proxymgr:get_session() - return - } - - location ^~ /bad_request { - internal; - content_by_lua ' - ngx.log(ngx.ERR, "badrequest") - '; - - return 404; - } - - location ^~ /data_source_config.json { - proxy_pass http://narrative-version:80/data_source_config.json; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /narrative_version { - proxy_pass http://narrative-version:80/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP 
$remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - location ^~ /services/auth/ { - proxy_pass http://auth2:8080/; - proxy_cookie_path /login /services/auth/login; - proxy_cookie_path /link /services/auth/link; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - # proxy_set_header Host $http_host; - # proxy_set_header X-Forwarded-Proto $scheme; - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Authorization, Content-Type, Accept'; - } - - # Dynamic service rules. This uses rancher DNS names to redirect - # match urls with a / in it - location ~ /dynserv/([^/]+)/(.*) { - set $dynservhost $1; - set $dynservurl $2; - proxy_pass http://$dynservhost:5000/$dynservurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - # match urls with no slash (to make it behave just like /) - location ~ /dynserv/([^/]+)$ { - proxy_pass http://$1:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.1; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - - } - # Shutdown utility - location ^~ /narrative_shutdown { - default_type 'application/json'; - allow 127.0.0.1; - - set $uri_base '/narrative_shutdown'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - location ^~ /narrative/ws1 { - return 301 https://next.kbase.us/narrativelegacy/ws1; - } - location ^~ /narrative/ws.379.obj.1 { - return 301 https://next.kbase.us/narrativelegacy/ws.379.obj.1; - } - - # Narrative 
redirect rule - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - location ^~ /narrativelegacy/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr2:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - # Start of core service proxies - # - # Use ci search for now - location ^~ /services/search { - proxy_pass https://ci.kbase.us/services/search; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/searchapi { - set $servicehost searchapi; - proxy_pass http://$servicehost:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/shock-api { - proxy_pass http://shock:7044/; - proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/userandjobstate { - proxy_pass http://ujs:7083/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/ws { - set $servicehost ws; - proxy_pass http://$servicehost:7058/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handlemngr { - proxy_pass http://handlemngr:9001/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handle_service { - proxy_pass http://handleservice:7109/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/handleservice { - proxy_pass http://handleservice:7109/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/narrative_method_store { - proxy_pass http://narrativemethodstore:7125/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/catalog { - proxy_pass http://catalog:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - 
proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/service_wizard { - proxy_pass http://servicewizard:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/njs_wrapper { - proxy_pass http://njswrapper:8080/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/user_profile { - proxy_pass http://userprofile:7126/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/data_import_export { - proxy_pass http://dataimportexport:8200/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/v0/ { - proxy_pass http://ftp.kbase.us:3001/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/kb-ftp-api/ { - proxy_pass http://ftp.kbase.us:3001/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - location ^~ /services/staging_service/ { - proxy_pass http://ftp.kbase.us:3012/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - 
location ~ /(.*) { - proxy_pass http://kbase-ui:80/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -# End of https next server block - -# -# dockerhub-next entries -# -server { - listen 80; ## listen for ipv4; this line is default and implied - - root /usr/share/nginx/www; - index index.html index.htm; - - server_name dockerhub-next.kbase.us; - - location / { - limit_except GET HEAD OPTIONS { - # public berkeley ips - allow 128.3.56.0/24; - # private berkeley ips - allow 10.58.0.0/20; - allow 192.168.1.0/24; - # docker internal ips - allow 172.17.0.0/16; - # rancher internal ips - allow 10.42.0.0/16; - deny all; - } - proxy_pass http://next-dockerregistry:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } -} - -server { - listen 443 ssl; - server_name dockerhub-next.kbase.us; - - ssl_certificate /etc/letsencrypt/live/next.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/next.kbase.us/privkey.pem; - ssl_session_timeout 5m; - - #ssl_protocols SSLv3 TLSv1; - #ssl_ciphers ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - #ssl_prefer_server_ciphers on; - - location / { - limit_except GET HEAD OPTIONS { - # public berkeley ips - allow 128.3.56.0/24; - # private berkeley ips - allow 10.58.0.0/20; - allow 192.168.1.0/24; - # docker internal ips - allow 172.17.0.0/16; - # rancher internal ips - allow 10.42.0.0/16; - deny all; - } - proxy_pass http://next-dockerregistry:5000/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } 
-} diff --git a/deployment/conf/sites-enabled/prod-narrative b/deployment/conf/sites-enabled/prod-narrative deleted file mode 100644 index 6998cf0..0000000 --- a/deployment/conf/sites-enabled/prod-narrative +++ /dev/null 
@@ -1,302 +0,0 @@ -server { - - root /usr/share/nginx/html/www; - index index.html index.htm; - - # Make site accessible from http://localhost/ - server_name localhost narrative narrative.kbase.us; - #client_max_body_size 10m; - return 301 https://narrative.kbase.us$request_uri; - - # Dynamic proxy manager - location /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - } - - location /narrative_shutdown { - allow 127.0.0.1; - allow 172.17.0.0/16; - default_type 'application/json'; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:narrative_shutdown()'; - } - - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } - -#End manual modification - - location /services { - root /kb/docs; - autoindex on; - } - - location /doc { - root /usr/share; - autoindex on; - allow 127.0.0.1; - deny all; - } - -} - - -# HTTPS server -# -server { - listen 443 ssl; - server_name localhost narrative narrative.kbase.us; - # Setup a DNS resolver - # kkeller 13jul2017: should not need the rancher resolver here -# resolver 169.254.169.250; -# try putting the docker resolver here -# resolver 172.0.0.11; - - # Letsencrypt generated certs - ssl_certificate /etc/letsencrypt/live/narrative.kbase.us/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/narrative.kbase.us/privkey.pem; - - - ssl_session_timeout 5m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_prefer_server_ciphers on; - - #root /usr/share/nginx/html; - root /usr/share/nginx/kbase-maintenance-site/htdocs; - index index.html index.htm; - - access_by_lua_block { - ngx.header["X-kbaseuser"] = proxymgr:get_session() - return - } - - # This is for letsencrypt - location /.well-known { - root /certs/; - allow all; - } - - location /services { - root /kb/docs; - autoindex on; - } - location ^~ /services/data_import_export { - proxy_pass http://kbase.us:8201/; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - #Begin manual modification - - # Added to support JGI import (NAR-856) - rewrite ^/functional-site/(.*)$ /$1 last; - - location /ui { - root /kb/deployment/services/kbase-ui; - index index.html; - #ssi on; - ssi_silent_errors off; - allow all; - } - - #End manual modification - location /doc { - root /usr/share; - autoindex on; - allow 127.0.0.1; - deny all; - } - - ### auth2 - location ^~ /auth/ { - proxy_pass https://kbase.us/services/auth/; - proxy_cookie_path /login /auth/login; - proxy_cookie_path /link /auth/link; - proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Authorization, Content-Type, Accept'; - } - - # Dynamic proxy manager - location ^~ /proxy_map { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - deny all; - - set $uri_base '/proxy_map'; - content_by_lua 'proxymgr:set_proxy()'; - - } - # Shutdown utility - location ^~ /narrative_shutdown { - default_type 'application/json'; - allow 127.0.0.1; - allow 172.17.0.0/16; - - set $uri_base '/narrative_shutdown'; - content_by_lua 'proxymgr:narrative_shutdown()'; - - } - # Begin legacy - location ^~ /narrative/ws.10779.obj.1 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.10779.obj.1; - } - location ^~ /narrative/ws.10786.obj.1 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.10786.obj.1; - } - location ^~ /narrative/ws.15122.obj.2 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.15122.obj.2; - } - location ^~ /narrative/ws.10824.obj.1 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.10824.obj.1; - } - location ^~ /narrative/ws.10778.obj.1 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.10778.obj.1; - } - location ^~ /narrative/ws.14533.obj.1 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.14533.obj.1; - } - # End legacy - - location ^~ /narrative/notebooks/ws.15122.obj.2 { - return 301 https://narrative.kbase.us/narrativelegacy/ws.15122.obj.2; - } - - # Narrative redirect rule - location ^~ /narrative/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header 
X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - location ^~ /narrativelegacy/ { - default_type 'text/plain'; - error_page 401 /index.html; - set $target ''; - - access_by_lua ' - proxymgr2:use_proxy() - '; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Server $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - proxy_pass http://$target; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - } - - # for narrative version container - location ^~ /narrative_version { - set $servhost 172.17.0.16; - set $servport 80; - proxy_pass http://$servhost:$servport/narrative_version; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # for testing kbase-ui container - location ~ /services/kbase-ui/(.*) { - # docker-compose-managed kbaseui instance - # update IP if it changes - set $servhost 172.17.0.17; - set $servport 80; - - set $servurl $1; - proxy_pass http://$servhost:$servport/$servurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } - - # for live kbase-ui container - location ~ /(.*) { - # docker-compose-managed kbaseui instance - # update IP if it changes - set $servhost 172.17.0.17; - set $servport 80; - set $servurl $1; - proxy_pass http://$servhost:$servport/$servurl; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header 
X-Real-IP $remote_addr; - proxy_set_header Host $http_host; - proxy_set_header X-Forwarded-Proto $scheme; - } -} -# Proxy for the nginx remote api -server { - listen 127.0.0.1:65000; - - auth_basic_user_file /etc/nginx/htpasswd; - location / { - proxy_pass http://unix:/var/run/docker.sock:/; - } -} - -# Proxy for globus online - non-blocking lua code doesn't handle https, so -# we build an internal proxy to the Globus Nexus API endpoint -server { - listen 127.0.0.1:65001; - - location / { - proxy_pass https://nexus.api.globusonline.org/; - proxy_set_header Host nexus.api.globusonline.org; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} - -server { - listen 127.0.0.1:65002; - location ~ /(.*) { - resolver 140.221.43.7 valid=5s; - set $auth "kbase.us/services/auth"; - proxy_pass https://$auth/$1; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_intercept_errors on; - error_page 301 302 307 = @handle_redirect; - } - location @handle_redirect { - resolver 140.221.43.7 valid=5s; - set $saved_redirect_loc '$upstream_http_location'; - proxy_pass $saved_redirect_loc; - } -} From 64749d16044ce50d737e693184bc69aa864d9363 Mon Sep 17 00:00:00 2001 From: bio-boris Date: Thu, 14 May 2026 11:29:37 -0500 Subject: [PATCH 14/19] Delete deployment/conf/localhost.crt --- deployment/conf/localhost.crt | 18 ------------------ 1 file changed, 18 deletions(-) delete mode 100644 deployment/conf/localhost.crt diff --git a/deployment/conf/localhost.crt b/deployment/conf/localhost.crt deleted file mode 100644 index 72ece66..0000000 --- a/deployment/conf/localhost.crt +++ /dev/null 
@@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIC5TCCAc2gAwIBAgIJAIfh8ptSUJ2LMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV -BAMMCWxvY2FsaG9zdDAeFw0xODA1MDgyMjU1NDZaFw0xODA2MDcyMjU1NDZaMBQx -EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALi48UBljsO8zG9TJSHGhu24L4MEMX90RcRluBLeE9WpKDcxJj0VGcmCHkH9 -NFMDd3Xo5qtL6/qbQCt44Va4NNO9/u4kJAu/RXKjA27xr7BAtpIGmOVZeFHU2WAT -L4FgM3na+lt2xJ2yMvQjh1f6gtUxp4+XBqvC1DMCM2fgZSXJ+J/rwcTe0LeXkuxi -1CLL0FCBohCqeG6uko7amduskdBJtilJl/Ev5OzZ85GXSRWlOAm+8iRaGXqQL8y/ -m34VJ4pzJTrEqyJJsaTHFS94khdHbtBilIQZFq8++oPdW8TVSYAxHSMRYWZbN/kj -koO3s2InIJaJt2ROqGkFCUYLBSUCAwEAAaM6MDgwFAYDVR0RBA0wC4IJbG9jYWxo -b3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0B -AQsFAAOCAQEAEC8iZiPgsCiZ72HxxFsR11+TRvAwZf2UyFy3uR8/L3EZkNwFCgrD -/8Nv/otj25Fhea80M7+3nbn5kGt5NcCUFU0oR/xRD8vRJUM6rso1D9/+Pz+VyDEa -RhntGSrNATOmAJWxlIe4AxMPo1LuskkQRKBZiLbsBUVl2YrAN5sBLlN+YpsWR0jP -ifcMt3nxBBLjf/Ser0GIN9icT0BlDvnIL4ItnGog3Bt+pXW3xbXD5gtHAaGjIubV -+M6mp8aBtYFa0q8305sFc5pymKimCzhkQgh9DCelHtaGkXrDb0waiIFLtpQ5Wg0H -Sdb1EYTtjQ8lueVBoRZJTgMnKyr/nXU8BQ== ------END CERTIFICATE----- From e3095797facdff3ccddc9e86741a6422b6b22340 Mon Sep 17 00:00:00 2001 From: bio-boris Date: Thu, 14 May 2026 11:29:45 -0500 Subject: [PATCH 15/19] Delete deployment/conf/localhost.ini --- deployment/conf/localhost.ini | 1 - 1 file changed, 1 deletion(-) delete mode 100644 deployment/conf/localhost.ini diff --git a/deployment/conf/localhost.ini b/deployment/conf/localhost.ini deleted file mode 100644 index fd6ec03..0000000 --- a/deployment/conf/localhost.ini +++ /dev/null @@ -1 +0,0 @@ -nginx_site_cfg=ci-narrative From 7b7952160ae78b55cde776b8a37e9943ecf976df Mon Sep 17 00:00:00 2001 From: bio-boris Date: Thu, 14 May 2026 11:29:51 -0500 Subject: [PATCH 16/19] Delete deployment/conf/localhost.key --- deployment/conf/localhost.key | 27 --------------------------- 1 file changed, 27 deletions(-) delete mode 100644 deployment/conf/localhost.key 
diff --git a/deployment/conf/localhost.key b/deployment/conf/localhost.key deleted file mode 100644 index 8f8a632..0000000 --- a/deployment/conf/localhost.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAuLjxQGWOw7zMb1MlIcaG7bgvgwQxf3RFxGW4Et4T1akoNzEm -PRUZyYIeQf00UwN3dejmq0vr+ptAK3jhVrg0073+7iQkC79FcqMDbvGvsEC2kgaY -5Vl4UdTZYBMvgWAzedr6W3bEnbIy9COHV/qC1TGnj5cGq8LUMwIzZ+BlJcn4n+vB -xN7Qt5eS7GLUIsvQUIGiEKp4bq6SjtqZ26yR0Em2KUmX8S/k7NnzkZdJFaU4Cb7y -JFoZepAvzL+bfhUninMlOsSrIkmxpMcVL3iSF0du0GKUhBkWrz76g91bxNVJgDEd -IxFhZls3+SOSg7ezYicglom3ZE6oaQUJRgsFJQIDAQABAoIBAQCRXzq9ay9Ha7WX -ht+aDRryyhjaCtrJaz/cqBCNCKijZVR42v005P4+T2BwnkwnaHsDGB8wf7deqf9+ -Nstf6+fnG4cc8uRLOmP1K8Tv8tRI6STFFtwM4rSF8fSAX5jrQEJCi8qrYHSrhioD -aFKDMmr0TPeJUVm2osVMv1alUTtI2KvBkaqAjJuoaOOTlLZNvUfk73KsNftyk0tY -0uBx9dKgRRV7BflQ/Ua9SPUE24oKKAKn7qwgFvKNbm7jmfe8c13fSSBzke4+KLV2 -BTKVUuP2mWiYAc42wBuJ8J5VVttfn7Oey+ncXt7+L7TvAnMe2DucLb13TjCZSuqi -zEdE7F+hAoGBANp/eJ3XPtCyJqs3KWuBLPI1UAvRA0OIebUc5wJYxFeC8LUMBy8r -AWQaJF/rdPlI6WzYM540K1/jJDZkdjI860UL5Str8xaSH7MYO6G2cUFOSKPP+DHC -cTsyuOJHYoFDb3uRAHEU9118z6CDkcjGQln32qFkQ26zORlVmz9piQXbAoGBANht -atxc2kVoGASX6wPW2gt7XuVotVgyfhj8vb2v02//UnawuB+EbnmLMiuViHykVweX -HJnKmmaonFFPyE13bfkdbs5X9aqPpy1KxkGWJbnOcskCWXBp1D1v1hDmfEeNX9UC -h8n+acXSrgDaCOcUAYwkAh1oxqliXV8y6EoIuZD/AoGAI2xhIK3h2DHZxQ5XX798 -ivQLuy6yqcM5gBxkc2PyyQFIhwGhNItzWUhHt2lT+IpSlbvjenWYxp3rpAnbg7+O -oQ4RpF2G9pTQINf/6vLKH71SV4SDB4Yvl1pc0QqjtLM7IrxaZvrwM67ldm9+Nh+2 -aCGfx2Sa7hqOWkYfukMg3NsCgYEArBERzHDl+BhyP/SoHD1MzaQgJjPBOYWrSyJl -l9GaQIi1fzewqx4W1vsbwBr6kF3380jorDyv1L5oyRytGynAfTYxSkwUPK5JM3En -fi1pgPfpunXrtbvtyYqInpcgZ6K2dhu06ZsjbOu6+2JdgZoeQNS/+bG7gB98LJvE -oledcPECgYBab3WRxCdkxLpiEeTna9ezZ5qERxCqacstSN6O4OLr/16FjqxFm6lg -ODYwybNVM/M0uZ197XjobC2inUktcGo+WNrUu7eRQ0SOP1gXEdBbTDolQFj+K+RF -E92rAiUXy6Rtg/jQhxpKq/9KTvNgyvYleZZDZUoc0yvMURZKQSTJkA== ------END RSA PRIVATE KEY----- From 53c5110bb12a078b712da860f92ec38702773e79 Mon Sep 17 00:00:00 2001 
From: bio-boris Date: Thu, 14 May 2026 11:29:59 -0500 Subject: [PATCH 17/19] Delete deployment/conf/sources.list --- deployment/conf/sources.list | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 deployment/conf/sources.list diff --git a/deployment/conf/sources.list b/deployment/conf/sources.list deleted file mode 100644 index b7d102b..0000000 --- a/deployment/conf/sources.list +++ /dev/null @@ -1,2 +0,0 @@ -deb http://httpredir.debian.org/debian jessie main -deb http://security.debian.org/ jessie/updates main From 1858001c26f1e75229a81bed3e45aa5cedfa9669 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:35:10 +0000 Subject: [PATCH 18/19] Restore missing nginx config files to fix image build Agent-Logs-Url: https://github.com/kbase/nginx/sessions/a7e9dbf4-9da0-423c-83f1-b85de9de58b3 Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- deployment/conf/localhost.crt | 18 ++ deployment/conf/localhost.ini | 1 + deployment/conf/localhost.key | 27 ++ deployment/conf/openresty.conf | 87 ++++++ .../conf/sites-enabled/minikb-narrative | 294 ++++++++++++++++++ 5 files changed, 427 insertions(+) create mode 100644 deployment/conf/localhost.crt create mode 100644 deployment/conf/localhost.ini create mode 100644 deployment/conf/localhost.key create mode 100644 deployment/conf/openresty.conf create mode 100644 deployment/conf/sites-enabled/minikb-narrative diff --git a/deployment/conf/localhost.crt b/deployment/conf/localhost.crt new file mode 100644 index 0000000..72ece66 --- /dev/null +++ b/deployment/conf/localhost.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5TCCAc2gAwIBAgIJAIfh8ptSUJ2LMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV +BAMMCWxvY2FsaG9zdDAeFw0xODA1MDgyMjU1NDZaFw0xODA2MDcyMjU1NDZaMBQx +EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBALi48UBljsO8zG9TJSHGhu24L4MEMX90RcRluBLeE9WpKDcxJj0VGcmCHkH9 +NFMDd3Xo5qtL6/qbQCt44Va4NNO9/u4kJAu/RXKjA27xr7BAtpIGmOVZeFHU2WAT +L4FgM3na+lt2xJ2yMvQjh1f6gtUxp4+XBqvC1DMCM2fgZSXJ+J/rwcTe0LeXkuxi +1CLL0FCBohCqeG6uko7amduskdBJtilJl/Ev5OzZ85GXSRWlOAm+8iRaGXqQL8y/ +m34VJ4pzJTrEqyJJsaTHFS94khdHbtBilIQZFq8++oPdW8TVSYAxHSMRYWZbN/kj +koO3s2InIJaJt2ROqGkFCUYLBSUCAwEAAaM6MDgwFAYDVR0RBA0wC4IJbG9jYWxo +b3N0MAsGA1UdDwQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0B +AQsFAAOCAQEAEC8iZiPgsCiZ72HxxFsR11+TRvAwZf2UyFy3uR8/L3EZkNwFCgrD +/8Nv/otj25Fhea80M7+3nbn5kGt5NcCUFU0oR/xRD8vRJUM6rso1D9/+Pz+VyDEa +RhntGSrNATOmAJWxlIe4AxMPo1LuskkQRKBZiLbsBUVl2YrAN5sBLlN+YpsWR0jP +ifcMt3nxBBLjf/Ser0GIN9icT0BlDvnIL4ItnGog3Bt+pXW3xbXD5gtHAaGjIubV ++M6mp8aBtYFa0q8305sFc5pymKimCzhkQgh9DCelHtaGkXrDb0waiIFLtpQ5Wg0H +Sdb1EYTtjQ8lueVBoRZJTgMnKyr/nXU8BQ== +-----END CERTIFICATE----- diff --git a/deployment/conf/localhost.ini b/deployment/conf/localhost.ini new file mode 100644 index 0000000..1a38fad --- /dev/null +++ b/deployment/conf/localhost.ini @@ -0,0 +1 @@ +nginx_site_cfg=minikb-narrative diff --git a/deployment/conf/localhost.key b/deployment/conf/localhost.key new file mode 100644 index 0000000..8f8a632 --- /dev/null +++ b/deployment/conf/localhost.key 
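Review bot: The RSA private key re-added as `deployment/conf/localhost.key` in the hunk that follows this one is committed to the repository, and the certificate restored here is its expired partner — the validity field in the DER decodes to 2018-05-08 through 2018-06-07 — so the pair that `openresty.conf` and the `minikb-narrative` site load via `ssl_certificate_key /kb/deployment/conf/localhost.key;` is both public and out of date. Commits 14–16 in this series deleted exactly these files; restoring them undoes that clean-up, and a key that has appeared in version control should be treated as compromised rather than reused. Prefer generating a fresh throwaway pair at image build or container start (an `openssl req -x509 -newkey rsa:4096 -nodes ...` step writing outside the repo) or mounting real certificates at runtime, and point `ssl_certificate`/`ssl_certificate_key` at that location instead of `/kb/deployment/conf/`.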
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAuLjxQGWOw7zMb1MlIcaG7bgvgwQxf3RFxGW4Et4T1akoNzEm +PRUZyYIeQf00UwN3dejmq0vr+ptAK3jhVrg0073+7iQkC79FcqMDbvGvsEC2kgaY +5Vl4UdTZYBMvgWAzedr6W3bEnbIy9COHV/qC1TGnj5cGq8LUMwIzZ+BlJcn4n+vB +xN7Qt5eS7GLUIsvQUIGiEKp4bq6SjtqZ26yR0Em2KUmX8S/k7NnzkZdJFaU4Cb7y +JFoZepAvzL+bfhUninMlOsSrIkmxpMcVL3iSF0du0GKUhBkWrz76g91bxNVJgDEd +IxFhZls3+SOSg7ezYicglom3ZE6oaQUJRgsFJQIDAQABAoIBAQCRXzq9ay9Ha7WX +ht+aDRryyhjaCtrJaz/cqBCNCKijZVR42v005P4+T2BwnkwnaHsDGB8wf7deqf9+ +Nstf6+fnG4cc8uRLOmP1K8Tv8tRI6STFFtwM4rSF8fSAX5jrQEJCi8qrYHSrhioD +aFKDMmr0TPeJUVm2osVMv1alUTtI2KvBkaqAjJuoaOOTlLZNvUfk73KsNftyk0tY +0uBx9dKgRRV7BflQ/Ua9SPUE24oKKAKn7qwgFvKNbm7jmfe8c13fSSBzke4+KLV2 +BTKVUuP2mWiYAc42wBuJ8J5VVttfn7Oey+ncXt7+L7TvAnMe2DucLb13TjCZSuqi +zEdE7F+hAoGBANp/eJ3XPtCyJqs3KWuBLPI1UAvRA0OIebUc5wJYxFeC8LUMBy8r +AWQaJF/rdPlI6WzYM540K1/jJDZkdjI860UL5Str8xaSH7MYO6G2cUFOSKPP+DHC +cTsyuOJHYoFDb3uRAHEU9118z6CDkcjGQln32qFkQ26zORlVmz9piQXbAoGBANht +atxc2kVoGASX6wPW2gt7XuVotVgyfhj8vb2v02//UnawuB+EbnmLMiuViHykVweX +HJnKmmaonFFPyE13bfkdbs5X9aqPpy1KxkGWJbnOcskCWXBp1D1v1hDmfEeNX9UC +h8n+acXSrgDaCOcUAYwkAh1oxqliXV8y6EoIuZD/AoGAI2xhIK3h2DHZxQ5XX798 +ivQLuy6yqcM5gBxkc2PyyQFIhwGhNItzWUhHt2lT+IpSlbvjenWYxp3rpAnbg7+O +oQ4RpF2G9pTQINf/6vLKH71SV4SDB4Yvl1pc0QqjtLM7IrxaZvrwM67ldm9+Nh+2 +aCGfx2Sa7hqOWkYfukMg3NsCgYEArBERzHDl+BhyP/SoHD1MzaQgJjPBOYWrSyJl +l9GaQIi1fzewqx4W1vsbwBr6kF3380jorDyv1L5oyRytGynAfTYxSkwUPK5JM3En +fi1pgPfpunXrtbvtyYqInpcgZ6K2dhu06ZsjbOu6+2JdgZoeQNS/+bG7gB98LJvE +oledcPECgYBab3WRxCdkxLpiEeTna9ezZ5qERxCqacstSN6O4OLr/16FjqxFm6lg +ODYwybNVM/M0uZ197XjobC2inUktcGo+WNrUu7eRQ0SOP1gXEdBbTDolQFj+K+RF +E92rAiUXy6Rtg/jQhxpKq/9KTvNgyvYleZZDZUoc0yvMURZKQSTJkA== +-----END RSA PRIVATE KEY----- diff --git a/deployment/conf/openresty.conf b/deployment/conf/openresty.conf new file mode 100644 index 0000000..bc65b9b --- /dev/null +++ b/deployment/conf/openresty.conf 
@@ -0,0 +1,87 @@ +user root; +daemon off; +error_log /dev/stdout info; + +worker_processes auto; +pid /run/nginx.pid; + +events { + worker_connections 768; + # multi_accept on; +} + +http { + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + proxy_read_timeout 6000; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + # Dropping SSLv3, ref: POODLE. We may need to drop TLSv1 and 1.1 in the future as well. + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA128-SHA256'; + + ssl_prefer_server_ciphers on; + ssl_certificate /kb/deployment/conf/localhost.crt; + ssl_certificate_key /kb/deployment/conf/localhost.key; + + + ## + # Logging Settings + ## + log_format kbase_combined '$remote_addr - $sent_http_X_kbaseuser [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + access_log /var/log/nginx/access.log kbase_combined; + error_log /var/log/nginx/error.log info; + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + + ## + # Virtual Host Configs + ## + client_max_body_size 100000m; + client_body_temp_path /tmp 1 2; + proxy_max_temp_file_size 0; + 
proxy_headers_hash_max_size 4096; + proxy_headers_hash_bucket_size 4096; + # added kkeller 30sep2015 for kbase-2777 + proxy_request_buffering off; + + # added kkeller 03feb2017 for "kernel starting" issue + # see: https://github.com/jupyter/docker-stacks/wiki/Docker-Recipes#running-behind-a-nginx-proxy + # http://nginx.org/en/docs/http/websocket.html + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include /etc/nginx/sites-enabled/minikb-narrative; + +} diff --git a/deployment/conf/sites-enabled/minikb-narrative b/deployment/conf/sites-enabled/minikb-narrative new file mode 100644 index 0000000..e7a9843 --- /dev/null +++ b/deployment/conf/sites-enabled/minikb-narrative 
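Review bot: `user root;` at the top of `openresty.conf` makes the worker processes run as root, so any request-handling bug or error in the `proxymgr` Lua code executes with full privileges in the container; only the master process needs root to bind 443, and the workers should drop to an unprivileged account, e.g. `user nobody;` (or whichever account the base image ships). In the SSL settings, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which the comment directly above it already anticipates dropping and which RFC 8996 deprecates; `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline. `server_tokens off;` is left commented out, so the nginx version is advertised in the `Server` header and error pages; it is worth enabling here since this is the global http block.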
@@ -0,0 +1,294 @@ +# Setup a DNS resolver in the http scope, not the server scope +resolver 127.0.0.11 valid=5s ipv6=off; + +server { + root /kb/deployment; + index home.html home.shtml; + + # Name of this site + server_name localhost; + + location / { + root /kb/deployment/services/kbase-ui; + index index.html; + #ssi on; + ssi_silent_errors off; + allow all; + + #auth_basic "KBase Dev Website"; + #auth_basic_user_file htpasswd; + return 301 https://ci.kbase.us$request_uri; + } + + # This is for letsencrypt + location ^~ /.well-known { + root /certs/; + allow all; + } + + # Dynamic proxy manager + location ^~ /proxy_map { + default_type 'application/json'; + allow 127.0.0.1; + allow 172.17.0.0/16; + deny all; + + set $uri_base '/proxy_map'; + content_by_lua 'proxymgr:set_proxy()'; + } + + location ^~ /narrative_shutdown { + allow 127.0.0.1; + allow 172.17.0.0/16; + default_type 'application/json'; + + set $uri_base '/proxy_map'; + content_by_lua 'proxymgr:narrative_shutdown()'; + } + + location ^~ /narrative/ { + default_type 'text/plain'; + error_page 401 /index.html; + + set $target ''; + + access_by_lua ' + proxymgr:use_proxy() + '; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass http://$target; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + location ^~ /data_source_config.json { + set $proxyhost narrative_version; + proxy_pass http://$proxyhost:80/data_source_config.json; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + location ^~ /(narrative_version) { + proxy_pass 
http://$1:80/narrative_version; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Dynamic service rule. This usees rancher DNS names to redirect + location ~ /dynserv/([^/\.\:]+)/(.*) { + proxy_pass http://$1:5000/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Anything under services gets proxied to the servicename port 80 + location ~ /services/([^/\.\:]+)/?(.*) { + proxy_pass http://$1:8080/$2; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Grandfathered entry for kbase-ui as root + location ~ /?(.*) { + proxy_pass http://kbase-ui:8080/$1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } +} + +# Proxy for the nginx remote api +server { + listen 127.0.0.1:65000; + auth_basic_user_file /etc/nginx/htpasswd; + location / { + proxy_pass http://unix:/var/run/docker.sock:/; + } +} + +# Proxy for globus online - non-blocking lua code doesn't handle https, so +# we build an internal proxy to the Globus Nexus API endpoint +server { + listen 127.0.0.1:65001; + + location / { + proxy_pass https://nexus.api.globusonline.org/; + proxy_set_header Host nexus.api.globusonline.org; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} + +# Proxy added to support narrative +server { + listen 127.0.0.1:65002; + location ~ /(.*) { + resolver 8.8.8.8 valid=5s; + set $auth "127.0.0.1/services/auth"; + proxy_pass https://$auth/$1; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_intercept_errors on; + error_page 301 302 307 = @handle_redirect; + } + location @handle_redirect { + resolver 8.8.8.8 valid=5s; + set $saved_redirect_loc '$upstream_http_location'; + proxy_pass $saved_redirect_loc; + } +} + + +# Main HTTPS server. This handles services and the narrative plus other stuff +# +# XXX the rate below is 1r/m because that's the slowest that this version of nginx will allow +# there is a patch to support tth which would allow one request every 16 minutes +# may no longer need this +# limit_req_zone $1 zone=shockapi:10m rate=1r/m; + +server { + listen 443 ssl; + server_name localhost; + + # this resolver is the internal rancher resolver + # see https://github.com/rancher/rancher/issues/7691#issuecomment-277635645 + resolver 127.0.0.11 valid=5s ipv6=off; + + # taken from next-www + client_max_body_size 100000m; + client_body_temp_path /tmp 1 2; + proxy_max_temp_file_size 0; + proxy_headers_hash_max_size 4096; + proxy_headers_hash_bucket_size 4096; + # added kkeller 30sep2015 for kbase-2777 + proxy_request_buffering off; + + # Letsencrypt generated certs + ssl_certificate /kb/deployment/conf/localhost.crt; + ssl_certificate_key /kb/deployment/conf/localhost.key; + + ssl_session_timeout 5m; + #ssl_protocols TLSv1; + #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; + ssl_prefer_server_ciphers on; + + root /kb/deployment; + index home.html home.shtml; + + access_by_lua_block { + ngx.header["X-kbaseuser"] = proxymgr:get_session() + return + } + + location ^~ /bad_request { + internal; + content_by_lua ' + ngx.log(ngx.ERR, "badrequest") + '; + + return 404; + } + + location ^~ /proxy_map { + default_type 'application/json'; + allow 127.0.0.1; + allow 172.17.0.0/16; + deny all; + + set $uri_base '/proxy_map'; + content_by_lua 'proxymgr:set_proxy()'; + + } + # Shutdown utility + location ^~ /narrative_shutdown { + default_type 'application/json'; + allow 127.0.0.1; + allow 172.17.0.0/16; + 
+ set $uri_base '/narrative_shutdown'; + content_by_lua 'proxymgr:narrative_shutdown()'; + + } + + # Narrative redirect rule + location ^~ /narrative/ { + default_type 'text/plain'; + error_page 401 /index.html; + set $target ''; + + access_by_lua ' + proxymgr:use_proxy() + '; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; + proxy_pass http://$target; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + } + + location ^~ /data_source_config.json { + set $proxyhost narrative_version; + proxy_pass http://$proxyhost:80/data_source_config.json; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + location ^~ /(narrative_version) { + proxy_pass http://$1:80/narrative_version; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Dynamic service rule. 
This usees rancher DNS names to redirect + location ~ /dynserv/([^/\.\:]+)/(.*) { + proxy_pass http://$1:5000/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Anything under services gets proxied to the servicename port 80 + location ~ /services/([^/\.\:]+)/?(.*) { + proxy_pass http://$1:8080/$2; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # Grandfathered entry for kbase-ui as root + location ~ /?(.*) { + set $kbaseui kbase-ui; + proxy_pass http://$kbaseui/$1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + } + +} +# End of https server block From 42265fbc5eb32350a23b9055881f86624384c77a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 14 May 2026 16:36:03 +0000 Subject: [PATCH 19/19] Fix comment typos in restored nginx site config Agent-Logs-Url: https://github.com/kbase/nginx/sessions/a7e9dbf4-9da0-423c-83f1-b85de9de58b3 Co-authored-by: bio-boris <1258634+bio-boris@users.noreply.github.com> --- deployment/conf/sites-enabled/minikb-narrative | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/conf/sites-enabled/minikb-narrative b/deployment/conf/sites-enabled/minikb-narrative index e7a9843..bcc28a3 100644 --- a/deployment/conf/sites-enabled/minikb-narrative +++ b/deployment/conf/sites-enabled/minikb-narrative 
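Review bot: Both `location ^~ /narrative_shutdown` blocks (in the port-80 server and again in the HTTPS server) list `allow 127.0.0.1;` and `allow 172.17.0.0/16;` but omit the trailing `deny all;` that the neighbouring `/proxy_map` locations carry, and nginx's access module permits a request when no rule matches, so `proxymgr:narrative_shutdown()` is reachable from any client; add `deny all;` after the `allow` lines in each. The port-80 copy also sets `set $uri_base '/proxy_map';` where the HTTPS copy uses `'/narrative_shutdown'`, which looks like a copy-paste slip. Separately, `location ^~ /(narrative_version)` is a prefix match rather than a regex, so it only matches the literal path `/(narrative_version)` and `$1` is never captured for `proxy_pass http://$1:80/narrative_version;`; the `data_source_config.json` location just above it shows the working pattern (`location ^~ /narrative_version {` / `set $proxyhost narrative_version;` / `proxy_pass http://$proxyhost:80/narrative_version;`), and the same defect is repeated in the HTTPS server block. Whether `172.17.0.0/16` is still the right trusted range when the site resolves through `127.0.0.11` (a user-defined Docker network rather than the default bridge) cannot be told from this diff and is worth confirming.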
@@ -84,7 +84,7 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } - # Dynamic service rule. This usees rancher DNS names to redirect + # Dynamic service rule. This uses rancher DNS names to redirect location ~ /dynserv/([^/\.\:]+)/(.*) { proxy_pass http://$1:5000/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -262,7 +262,7 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } - # Dynamic service rule. This usees rancher DNS names to redirect + # Dynamic service rule. This uses rancher DNS names to redirect location ~ /dynserv/([^/\.\:]+)/(.*) { proxy_pass http://$1:5000/; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;