feat: no-tls option + factor out cbioportal conf to seperate .conf.tpl

conf/cbioportal.conf.tpl

@@ -0,0 +1,31 @@
+server {
+    # tpl__tls_yes__start
+    # Use 444 for internal SSL to allow streaming back to self (above)
+    listen 444 ssl;
+    # tpl__tls_yes__end
+
+    # tpl__tls_no__start
+    listen 80;
+    # tpl__tls_no__end
+
+    server_name ${BENTOV2_CBIOPORTAL_DOMAIN};
+
+    ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_FULLCHAIN_RELATIVE_PATH};
+    ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_PRIVKEY_RELATIVE_PATH};
+
+    # Frame embedding: allow private portal to embed cBioPortal as an iframe:
+    add_header Content-Security-Policy "frame-ancestors 'self' https://${BENTOV2_PORTAL_DOMAIN};";
+
+    # Proxy pass to cBioPortal container
+    location / {
+        # Reverse proxy settings
+        include /gateway/conf/proxy.conf;
+        include /gateway/conf/proxy_cbioportal.conf;
+
+        # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
+        set $upstream_cbio http://${BENTO_CBIOPORTAL_CONTAINER_NAME}:${BENTO_CBIOPORTAL_INTERNAL_PORT};
+
+        proxy_pass $upstream_cbio;
+        error_log /var/log/bentov2_cbio_errors.log;
+    }
+}

conf/nginx.conf.tpl

@@ -10,6 +10,7 @@ events {
     worker_connections 1024;
 }
 
+# tpl__tls_yes__start
 # Pass through SSL connection to either Keycloak or the Bento gateway.
 # - Don't change the # -- ... -- lines, as they are used to find/replace chunks.
 # - Can't add security headers on stream blocks - rely on Keycloak's own security settings.
@@ -39,6 +40,7 @@ stream {
         proxy_pass  $name;
     }
 }
+# tpl__tls_yes__end
 
 http {
     # Use the Docker embedded DNS server
@@ -75,11 +77,12 @@ http {
         ''      close;
     }
 
+    # tpl__tls_yes__start
+
     # Configure Lua HTTPS verification
     lua_ssl_verify_depth        2;
     lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 
-
     # Redirect all http to https
     server {
         listen 80 default_server;
@@ -96,27 +99,37 @@ http {
         return 301 https://$host$request_uri;
     }
 
-
     # No unspecified domain funnies allowed!
     server {
         listen 444 ssl;
         ssl_reject_handshake on;
     }
 
+    # tpl__tls_yes__end
+
     # Bento Public
     map $http_origin $public_cors {
         default                          '';
         https://${BENTOV2_DOMAIN}        https://${BENTOV2_DOMAIN};
         https://${BENTOV2_PORTAL_DOMAIN} https://${BENTOV2_PORTAL_DOMAIN};
     }
     server {
+        # tpl__tls_yes__start
         # Use 444 for internal SSL to allow streaming back to self (above)
         listen 444 ssl;
+        # tpl__tls_yes__end
+
+        # tpl__tls_no__start
+        # Use 81 for internal HTTP to allow streaming back to self (above)
+        listen 80;
+        # tpl__tls_no__end
 
         server_name ${BENTOV2_DOMAIN};
 
+        # tpl__tls_yes__start
         ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_FULLCHAIN_RELATIVE_PATH};
         ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PRIVKEY_RELATIVE_PATH};
+        # tpl__tls_yes__end
 
         # Security --
         add_header Content-Security-Policy "frame-src 'self' ${BENTOV2_GATEWAY_PUBLIC_ALLOW_FRAME_DOMAINS};";
@@ -149,13 +162,21 @@ http {
 
     # Bento Portal
     server {
+        # tpl__tls_yes__start
         # Use 444 for internal SSL to allow streaming back to self (above)
         listen 444 ssl;
+        # tpl__tls_yes__end
+
+        # tpl__tls_no__start
+        listen 80;
+        # tpl__tls_no__end
 
         server_name ${BENTOV2_PORTAL_DOMAIN};
 
+        # tpl__tls_yes__start
         ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PORTAL_FULLCHAIN_RELATIVE_PATH};
         ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_PORTAL_PRIVKEY_RELATIVE_PATH};
+        # tpl__tls_yes__end
 
         # Security --
         add_header X-Frame-Options "SAMEORIGIN";
@@ -191,30 +212,6 @@ http {
 
     # tpl__use_cbioportal__start
     # cBioPortal
-    server {
-        # Use 444 for internal SSL to allow streaming back to self (above)
-        listen 444 ssl;
-
-        server_name ${BENTOV2_CBIOPORTAL_DOMAIN};
-
-        ssl_certificate ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_FULLCHAIN_RELATIVE_PATH};
-        ssl_certificate_key ${BENTOV2_GATEWAY_INTERNAL_CERTS_DIR}${BENTOV2_GATEWAY_INTERNAL_CBIOPORTAL_PRIVKEY_RELATIVE_PATH};
-
-        # Frame embedding: allow private portal to embed cBioPortal as an iframe:
-        add_header Content-Security-Policy "frame-ancestors 'self' https://${BENTOV2_PORTAL_DOMAIN};";
-
-        # Proxy pass to cBioPortal container
-        location / {
-            # Reverse proxy settings
-            include /gateway/conf/proxy.conf;
-            include /gateway/conf/proxy_cbioportal.conf;
-
-            # Immediate set/re-use means we don't get resolve errors if not up (as opposed to passing as a literal)
-            set $upstream_cbio http://${BENTO_CBIOPORTAL_CONTAINER_NAME}:${BENTO_CBIOPORTAL_INTERNAL_PORT};
-
-            proxy_pass $upstream_cbio;
-            error_log /var/log/bentov2_cbio_errors.log;
-        }
-    }
+    include /gateway/conf/cbioportal.conf;
     # tpl__use_cbioportal__end
 }

entrypoint.bash

@@ -52,9 +52,14 @@ for v in $(env | awk -F "=" '{print $1}' | grep "GATEWAY*"); do
   echo "\${${v}}" >> ./VARIABLES
 done
 
-# Process the main NGINX conf. template, using only the selected variables:
-#  - this avoids the ${DOLLAR}-type hack needed before
-echo "[bento_gateway] [entrypoint] writing main NGINX configuration"
+# Process the NGINX configuration templates, using only the selected variables:  ---------------------------------------
+
+echo "[bento_gateway] [entrypoint] writing NGINX configuration files"
+
+echo "[bento_gateway] [entrypoint] creating cbioportal.conf.pre"
+envsubst "$(cat ./VARIABLES)" \
+  < ./conf/cbioportal.conf.tpl \
+  > ./cbioportal.conf.pre
 
 CORS_PATH="${BENTO_GATEWAY_CONF_DIR}/cors.conf"
 echo "[bento_gateway] [entrypoint] creating ${CORS_PATH}"
@@ -67,7 +72,38 @@ envsubst "$(cat ./VARIABLES)" \
   < ./conf/nginx.conf.tpl \
   > ./nginx.conf.pre
 
+# ----------------------------------------------------------------------------------------------------------------------
+
+# Run "fine-tuning", i.e., processing the configuration files to *remove* chunks that aren't relevant to the environment
+# variable settings for this instance. ---------------------------------------------------------------------------------
+
+no_tls="$(true_values_to_1 $BENTO_GATEWAY_NO_TLS)"
+
+# Run fine-tuning on cbioportal.conf.pre
+if [[ "${no_tls}" == 1 ]]; then
+  echo "[bento_gateway] [entrypoint] Fine-tuning cbioportal.conf to not use TLS"
+  sed -i.bak \
+      '/tpl__tls_yes__start/,/tpl__tls_yes__end/d' \
+      ./cbioportal.conf.pre
+else
+  echo "[bento_gateway] [entrypoint] Fine-tuning cbioportal.conf to use TLS"
+  sed -i.bak \
+      '/tpl__tls_no__start/,/tpl__tls_no__end/d' \
+      ./cbioportal.conf.pre
+fi
+
 # Run fine-tuning on nginx.conf.pre
+if [[ "${no_tls}" == 1 ]]; then
+  echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to not use TLS"
+  sed -i.bak \
+      '/tpl__tls_yes__start/,/tpl__tls_yes__end/d' \
+      ./nginx.conf.pre
+else
+  echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use TLS"
+  sed -i.bak \
+      '/tpl__tls_no__start/,/tpl__tls_no__end/d' \
+      ./nginx.conf.pre
+fi
 if [[ "$(true_values_to_1 $BENTOV2_USE_EXTERNAL_IDP)" == 1 ]]; then
   echo "[bento_gateway] [entrypoint] Fine-tuning nginx.conf to use an external IDP"
   sed -i.bak \
@@ -96,9 +132,16 @@ else
       ./nginx.conf.pre
 fi
 
-# Move nginx.conf into position
+# ----------------------------------------------------------------------------------------------------------------------
+
+# Generate final configuration files / locations -----------------------------------------------------------------------
+#  - Move cbioportal.conf into position
+cp ./cbioportal.conf.pre "${BENTO_GATEWAY_CONF_DIR}/cbioportal.conf"
+#  - Move nginx.conf into position
 cp ./nginx.conf.pre "${BENTO_GATEWAY_CONF_DIR}/nginx.conf"
-rm ./nginx.conf.pre*  # Remove pre-final file + any backups
+#  - Remove pre-final configuration files + any backups
+rm ./*.conf.pre*
+# ----------------------------------------------------------------------------------------------------------------------
 
 cat "${BENTO_GATEWAY_CONF_DIR}/nginx.conf"