diff --git a/conf/cbioportal.conf.tpl b/conf/cbioportal.conf.tpl
new file mode 100644
index 0000000..de6132b
--- /dev/null
+++ b/conf/cbioportal.conf.tpl
@@ -0,0 +1,31 @@
+server {
+ # tpl__tls_yes__start
+ # Use 444 for internal SSL to allow streaming back to self (above)
+ listen 444 ssl;
+ # tpl__tls_yes__end
+
+ # tpl__tls_no__start
+ listen 80;
+ # tpl__tls_no__end
+
+ server_name ${BENTOV2_CBIOPORTAL_DOMAIN};
+
+ ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_FULLCHAIN_RELATIVE_PATH};
+ ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_PRIVKEY_RELATIVE_PATH};
+
+ # Frame embedding: allow private portal to embed cBioPortal as an iframe:
+ add_header Content-Security-Policy "frame-ancestors 'self' https://${BENTOV2_PORTAL_DOMAIN};";
+
+ # Proxy pass to cBioPortal container
+ location / {
+ # Reverse proxy settings
+ include /gateway/conf/proxy.conf;
+ include /gateway/conf/proxy_cbioportal.conf;
+
+ # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
+ set $upstream_cbio http://${BENTO_CBIOPORTAL_CONTAINER_NAME}:${BENTO_CBIOPORTAL_INTERNAL_PORT};
+
+ proxy_pass $upstream_cbio;
+ error_log /var/log/bentov2_cbio_errors.log;
+ }
+}
diff --git a/conf/nginx.conf.tpl b/conf/nginx.conf.tpl
index c79adbd..2118708 100644
--- a/conf/nginx.conf.tpl
+++ b/conf/nginx.conf.tpl
@@ -10,6 +10,7 @@ events {
 worker_connections 1024;
 }
 
+# tpl__tls_yes__start
 # Pass through SSL connection to either Keycloak or the Bento gateway.
 # - Don't change the # -- ... -- lines, as they are used to find/replace chunks.
 # - Can't add security headers on stream blocks - rely on Keycloak's own security settings.
@@ -39,6 +40,7 @@ stream {
 proxy_pass $name;
 }
 }
+# tpl__tls_yes__end
 
 http {
 # Use the Docker embedded DNS server
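Review bot: The `ssl_certificate` and `ssl_certificate_key` directives in the new cbioportal.conf.tpl are not wrapped in a `tpl__tls_yes__start`/`__end` pair, unlike the same two directives in nginx.conf.tpl which this commit does wrap; in a no-TLS build the `listen 444 ssl;` line is stripped but, as far as I recall, nginx still opens both certificate files while parsing the config, so a deployment with no internal certs fails on this server block. Put both directives inside the same `# tpl__tls_yes__start` … `# tpl__tls_yes__end` pair already used for `listen 444 ssl;`. Two smaller points in the same block: the `frame-ancestors` value hard-codes `https://${BENTOV2_PORTAL_DOMAIN}`, so a portal served over plain HTTP in no-TLS mode would be refused as an embedder unless the scheme follows the mode; and since nginx discards a server-level `add_header` in any `location` that sets its own, the CSP is silently dropped for `/` if proxy.conf or proxy_cbioportal.conf contain an `add_header` — worth confirming, or moving the CSP into the location.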
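Review bot: Wrapping the entire `stream {}` block in `tpl__tls_yes` markers means a no-TLS build has no pass-through to Keycloak at all — the route is removed rather than replaced with a plain-HTTP equivalent, and nothing in this diff shows how the IDP is reached in that mode. If that is intended (for example, no-TLS is only meant for external-IDP setups), say so at the marker: `# tpl__tls_yes__start -- no-TLS builds drop the SNI pass-through entirely; the IDP must be reachable some other way`. The existing header comment still says only the `# -- ... --` lines are used for find/replace; extending it to mention the `tpl__*` markers now matched by sed would keep the next editor from breaking a range.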
@@ -75,11 +77,12 @@ http { '' close; } + # tpl__tls_yes__start + # Configure Lua HTTPS verification lua_ssl_verify_depth 2; lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; - # Redirect all http to https server { listen 80 default_server; @@ -96,13 +99,14 @@ http { return 301 https://$host$request_uri; } - # No unspecified domain funnies allowed! server { listen 444 ssl; ssl_reject_handshake on; } + # tpl__tls_yes__end + # Bento Public map $http_origin $public_cors { default ''; @@ -110,13 +114,22 @@ http { https://${BENTOV2_PORTAL_DOMAIN} https://${BENTOV2_PORTAL_DOMAIN}; } server { + # tpl__tls_yes__start # Use 444 for internal SSL to allow streaming back to self (above) listen 444 ssl; + # tpl__tls_yes__end + + # tpl__tls_no__start + # Use 81 for internal HTTP to allow streaming back to self (above) + listen 80; + # tpl__tls_no__end server_name ${BENTOV2_DOMAIN}; + # tpl__tls_yes__start ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_FULLCHAIN_RELATIVE_PATH}; ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PRIVKEY_RELATIVE_PATH}; + # tpl__tls_yes__end # Security -- add_header Content-Security-Policy "frame-src 'self' ${BENTOV2_GATEWAY_PUBLIC_ALLOW_FRAME_DOMAINS};"; @@ -149,13 +162,21 @@ http { # Bento Portal server { + # tpl__tls_yes__start # Use 444 for internal SSL to allow streaming back to self (above) listen 444 ssl; + # tpl__tls_yes__end + + # tpl__tls_no__start + listen 80; + # tpl__tls_no__end server_name ${BENTOV2_PORTAL_DOMAIN}; + # tpl__tls_yes__start ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PORTAL_FULLCHAIN_RELATIVE_PATH}; ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PORTAL_PRIVKEY_RELATIVE_PATH}; + # tpl__tls_yes__end # Security -- add_header X-Frame-Options "SAMEORIGIN"; 
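Review bot: In the `@@ -96,13 +99,14 @@` hunk the catch-all `listen 444 ssl; ssl_reject_handshake on;` server is deleted for no-TLS builds together with the redirect server's `listen 80 default_server`, and nothing takes their place, so on port 80 nginx falls back to the first `listen 80` server (Bento Public) for any unknown or IP-literal Host — the "no unspecified domain funnies" guarantee only holds when TLS is on. Add a `tpl__tls_no` chunk beside the reject-handshake block: `server { listen 80 default_server; return 444; }`. Whether the Bento Public server can safely act as the implicit default is not something this diff shows, so treating it as the default seems best avoided.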
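Review bot: In the `@@ -110,13 +114,22 @@` hunk the new no-TLS comment on the Bento Public server reads `# Use 81 for internal HTTP to allow streaming back to self (above)` but the directive under it is `listen 80;`, and the stream block it points to is itself stripped in no-TLS builds, so the comment is wrong on both counts (the Portal and cBioPortal blocks just say `listen 80;` with no comment). Suggest `# Plain HTTP; no stream pass-through exists in no-TLS mode` so nobody goes looking for a port-81 listener.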
@@ -191,30 +212,6 @@ http { # tpl__use_cbioportal__start # cBioPortal - server { - # Use 444 for internal SSL to allow streaming back to self (above) - listen 444 ssl; - - server_name ${BENTOV2_CBIOPORTAL_DOMAIN}; - - ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_FULLCHAIN_RELATIVE_PATH}; - ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_PRIVKEY_RELATIVE_PATH}; - - # Frame embedding: allow private portal to embed cBioPortal as an iframe: - add_header Content-Security-Policy "frame-ancestors 'self' https://${BENTOV2_PORTAL_DOMAIN};"; - - # Proxy pass to cBioPortal container - location / { - # Reverse proxy settings - include /gateway/conf/proxy.conf; - include /gateway/conf/proxy_cbioportal.conf; - - # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal) - set $upstream_cbio http://${BENTO_CBIOPORTAL_CONTAINER_NAME}:${BENTO_CBIOPORTAL_INTERNAL_PORT}; - - proxy_pass $upstream_cbio; - error_log /var/log/bentov2_cbio_errors.log; - } - } + include /gateway/conf/cbioportal.conf; # tpl__use_cbioportal__end } diff --git a/entrypoint.bash b/entrypoint.bash index 0e9c326..aa94a15 100644 --- a/entrypoint.bash +++ b/entrypoint.bash 
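Review bot: The new `include /gateway/conf/cbioportal.conf;` is a literal path, while entrypoint.bash writes the file to `${BENTO_GATEWAY_CONF_DIR}/cbioportal.conf`; the two only line up when that variable is `/gateway/conf`, which matches the neighbouring proxy.conf includes but is not enforced anywhere visible. Because the include stays inside the `tpl__use_cbioportal` markers, the generated file is harmless when cBioPortal is disabled, but a comment on the include, `# generated by entrypoint.bash from conf/cbioportal.conf.tpl`, would tell a reader where the server block went. The enclosing `http {}` block starts outside the hunk.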
@@ -52,9 +52,14 @@ for v in $(env | awk -F "=" '{print $1}' | grep "GATEWAY*"); do
 echo "\${${v}}" >> ./VARIABLES
 done
 
-# Process the main NGINX conf. template, using only the selected variables:
-# - this avoids the ${DOLLAR}-type hack needed before
-echo "[bento_gateway] [entrypoint] writing main NGINX configuration"
+# Process the NGINX configuration templates, using only the selected variables: ---------------------------------------
+
+echo "[bento_gateway] [entrypoint] writing NGINX configuration files"
+
+echo "[bento_gateway] [entrypoint] creating cbioportal.conf.pre"
+envsubst "$(cat ./VARIABLES)" \
+ < ./conf/cbioportal.conf.tpl \
+ > ./cbioportal.conf.pre
 
 CORS_PATH="${BENTO_GATEWAY_CONF_DIR}/cors.conf"
 echo "[bento_gateway] [entrypoint] creating ${CORS_PATH}"
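Review bot: The rewritten header comment drops the reason the variable list is passed to envsubst at all — the removed `# - this avoids the ${DOLLAR}-type hack needed before` was the only hint that restricting substitution to `./VARIABLES` is what keeps nginx's own `$host`, `$name` and `$upstream_cbio` from being replaced by empty strings. Restore that rationale on the new line, e.g. `# - only the names listed in ./VARIABLES are substituted, so nginx's own $vars (e.g. $upstream_cbio) survive`. The visible loop only collects names matching `GATEWAY*`; I assume earlier loops (outside this hunk) add the `BENTOV2_*`/`BENTO_CBIOPORTAL_*` names the template uses, otherwise they would be left as literals.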
@@ -67,7 +72,38 @@ envsubst "$(cat ./VARIABLES)" \
 < ./conf/nginx.conf.tpl \
 > ./nginx.conf.pre
 
+# ----------------------------------------------------------------------------------------------------------------------
+
+# Run "fine-tuning", i.e., processing the configuration files to *remove* chunks that aren't relevant to the environment
+# variable settings for this instance. ---------------------------------------------------------------------------------
+
+no_tls="$(true_values_to_1 $BENTO_GATEWAY_NO_TLS)"
+
+# Run fine-tuning on cbioportal.conf.pre
+if [[ "${no_tls}" == 1 ]]; then
+ echo "[bento_gateway] [entrypoint] Fine-tuning cbioportal.conf to not use TLS"
+ sed -i.bak \
+ '/tpl__tls_yes__start/,/tpl__tls_yes__end/d' \
+ ./cbioportal.conf.pre
+else
+ echo "[bento_gateway] [entrypoint] Fine-tuning cbioportal.conf to use TLS"
+ sed -i.bak \
+ '/tpl__tls_no__start/,/tpl__tls_no__end/d' \
+ ./cbioportal.conf.pre
+fi
+
 # Run fine-tuning on nginx.conf.pre
+if [[ "${no_tls}" == 1 ]]; then
+ echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to not use TLS"
+ sed -i.bak \
+ '/tpl__tls_yes__start/,/tpl__tls_yes__end/d' \
+ ./nginx.conf.pre
+else
+ echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use TLS"
+ sed -i.bak \
+ '/tpl__tls_no__start/,/tpl__tls_no__end/d' \
+ ./nginx.conf.pre
+fi
 if [[ "$(true_values_to_1 $BENTOV2_USE_EXTERNAL_IDP)" == 1 ]]; then
 echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use an external IDP"
 sed -i.bak \
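Review bot: A sed range such as `/tpl__tls_yes__start/,/tpl__tls_yes__end/d` deletes through end-of-file when the end marker is missing or misspelled, so a single template typo silently truncates cbioportal.conf or nginx.conf — nginx will refuse a half-finished nginx.conf, but the script itself never notices, and the `.pre` files are copied into place regardless. The two new if/else blocks are also identical except for the file name. A small helper that checks the start/end marker counts match before running sed, applied to both files in a loop, removes the duplication and turns a broken template into a loud failure instead of a truncated config:

```shell
# Delete every "# tpl__<name>__start" .. "# tpl__<name>__end" chunk from one file.
# A missing or misspelled end marker would make sed delete to end-of-file, so the
# marker counts are checked first and the script refuses to continue on a mismatch.
strip_tpl_chunks() {
  local name="$1" file="$2"
  local starts ends
  starts="$(grep -c "tpl__${name}__start" "${file}" || true)"
  ends="$(grep -c "tpl__${name}__end" "${file}" || true)"
  if [[ "${starts}" != "${ends}" ]]; then
    echo "[bento_gateway] [entrypoint] ERROR: ${file}: ${starts} tpl__${name}__start vs ${ends} tpl__${name}__end" >&2
    exit 1
  fi
  sed -i.bak "/tpl__${name}__start/,/tpl__${name}__end/d" "${file}"
}

if [[ "${no_tls}" == 1 ]]; then
  echo "[bento_gateway] [entrypoint] Fine-tuning NGINX configs to not use TLS"
  tls_chunk=tls_yes
else
  echo "[bento_gateway] [entrypoint] Fine-tuning NGINX configs to use TLS"
  tls_chunk=tls_no
fi
for f in ./cbioportal.conf.pre ./nginx.conf.pre; do
  strip_tpl_chunks "${tls_chunk}" "${f}"
done
# … unchanged: external IDP fine-tuning …
```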
@@ -96,9 +132,16 @@ else ./nginx.conf.pre fi -# Move nginx.conf into position +# ---------------------------------------------------------------------------------------------------------------------- + +# Generate final configuration files / locations ----------------------------------------------------------------------- +# - Move cbioportal.conf into position +cp ./cbioportal.conf.pre "${BENTO_GATEWAY_CONF_DIR}/cbioportal.conf" +# - Move nginx.conf into position cp ./nginx.conf.pre "${BENTO_GATEWAY_CONF_DIR}/nginx.conf" -rm ./nginx.conf.pre* # Remove pre-final file + any backups +# - Remove pre-final configuration files + any backups +rm ./*.conf.pre* +# ---------------------------------------------------------------------------------------------------------------------- cat "${BENTO_GATEWAY_CONF_DIR}/nginx.conf"