Commit 2d1ff5ad authored by FORESTIER Fabien's avatar FORESTIER Fabien

Initial commit

Pipeline #4501 passed
.env
\ No newline at end of file
stages:
- build
build_development:
stage: build
tags:
- build
only:
- development
script:
- export TAG=$CI_COMMIT_SHORT_SHA
- echo ${TAG}
- export NGINX_BIND_PORT=80
- docker-compose build nginx
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker-compose push
build_release:
stage: build
tags:
- build
only:
- tags
script:
- export TAG=$(echo $CI_COMMIT_TAG | sed 's/v//g')
- echo ${TAG}
- export NGINX_BIND_PORT=80
- docker-compose build nginx
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker-compose push
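Review bot: Both jobs pass the registry password as a command-line argument (`docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` in build_development and again in build_release), where it is visible in the runner's process list and Docker itself warns against it. Feed it on stdin instead: `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. In build_release, `sed 's/v//g'` strips every `v` in the tag rather than only the leading one, so a tag such as `v1.0-dev` (constructed example) would be pushed as `1.0-de`; `sed 's/^v//'` keeps the rest of the tag intact.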
FROM openresty/openresty:1.13.6.2-2-stretch
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY nginx.vh.default.template.conf /tmp/nginx.vh.default.template.conf
CMD envsubst '\$ANONYMOUS_USER \
\$GHOST_EDITORS_GROUPNAME \
\$PUBLISHED_POSTS_ALIAS \
\$PUBLISHED_PAGES_ALIAS \
\$DRAFT_POSTS_ALIAS \
\$DRAFT_PAGES_ALIAS \
\$ES_ALIAS_SUFFIX \
\$ES_UPSTREAM_SERVER' < /tmp/nginx.vh.default.template.conf > /etc/nginx/conf.d/default.conf && /usr/local/openresty/bin/openresty -g "daemon off;"
\ No newline at end of file
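Review bot: The shell-form CMD chains envsubst and openresty with `&&`, so the shell most likely stays PID 1 with openresty as its child; the signal sent by `docker stop` may then never reach nginx, which is killed after the timeout instead of shutting down cleanly. Ending the chain with `&& exec /usr/local/openresty/bin/openresty -g "daemon off;"` makes openresty replace the shell. Separately, envsubst pastes the variable values verbatim into nginx directives and Lua string literals in the template, so a value containing a quote, `;` or `}` changes the generated configuration. A comment above the CMD stating that these variables must come only from trusted deployment configuration would help.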
# Authorization and cache proxy for elasticsearch
## Installation
This proxy is based on an [openresty](https://hub.docker.com/r/openresty/openresty/) image.
## Environment variables
In order to run the code, some environment variables are needed. They are specified in the `template.env` file at the root of the project.
For a local deployment:
1. `cp template.env .env`
2. Edit .env according to the chosen configuration
The values will be read from the file by default when running with docker.
## Running the proxy
```bash
# build
docker-compose build
# deploy
docker-compose up [-d]
# build and deploy
docker-compose up --build [-d]
```
version: "3.1"
services:
nginx:
build: .
image: registry.forge.grandlyon.com/web-et-numerique/web-et-numerique-internet/data.grandlyon.com/web-portal/components/proxies/authz-and-cache-for-es:${TAG}
environment:
- ES_ALIAS_SUFFIX=${ES_ALIAS_SUFFIX}
- ANONYMOUS_USER=${ANONYMOUS_USER}
- GHOST_EDITORS_GROUPNAME=${GHOST_EDITORS_GROUPNAME} # make sure to escape special characters
- PUBLISHED_POSTS_ALIAS=${PUBLISHED_POSTS_ALIAS}
- PUBLISHED_PAGES_ALIAS=${PUBLISHED_PAGES_ALIAS}
- DRAFT_POSTS_ALIAS=${DRAFT_POSTS_ALIAS}
- DRAFT_PAGES_ALIAS=${DRAFT_PAGES_ALIAS}
- ES_UPSTREAM_SERVER=${ES_UPSTREAM_SERVER}
volumes:
- nginx-cache:/var/cache/nginx/cache
- nginx-log:/var/log/nginx
ports:
- ${NGINX_BIND_PORT}:80
restart: unless-stopped
volumes:
nginx-cache:
nginx-log:
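Review bot: The `ports` entry `${NGINX_BIND_PORT}:80` publishes the proxy on every host interface, while the vhost template in this commit selects the Elasticsearch aliases from the `X-Consumer-Username` and `X-Consumer-Groups` request headers. Any client that can reach this port without passing through the gateway that sets those headers can supply them itself, and so decide which aliases (the draft ones included) are queried. If the gateway runs on the same host or Docker network, bind to loopback with `- "127.0.0.1:${NGINX_BIND_PORT}:80"` or drop `ports` in favour of a shared network; whether the host is otherwise firewalled is not visible here. Quoting the mapping also protects against YAML mis-typing of `port:port` values.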
# nginx.conf -- docker-openresty
#
# This file is installed to:
# `/usr/local/openresty/nginx/conf/nginx.conf`
# and is the file loaded by nginx at startup,
# unless the user specifies otherwise.
#
# It tracks the upstream OpenResty's `nginx.conf`, but removes the `server`
# section and adds this directive:
# `include /etc/nginx/conf.d/*.conf;`
#
# The `docker-openresty` file `nginx.vh.default.conf` is copied to
# `/etc/nginx/conf.d/default.conf`. It contains the `server section
# of the upstream `nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
log_format my_log_format '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time $pipe "$request_body"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
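Review bot: `my_log_format` ends with `"$request_body"`, and the vhost in this commit uses that format for `access_log`, so every search query body is written to the `nginx-log` volume. Query bodies can carry personal or sensitive search terms and make the log grow with request size. I would drop `$request_body` from the format, or keep it only in a separate debug format that is not enabled by default. If it must stay, add a comment above the `log_format` line saying why bodies are logged and how long the log is retained.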
# nginx.vh.default.conf -- docker-openresty
#
# This file is installed to:
# `/etc/nginx/conf.d/default.conf`
#
# It tracks the `server` section of the upstream OpenResty's `nginx.conf`.
#
# This config (and any other configs in `etc/nginx/conf.d/`) is loaded by
# default by the `include` directive in `/usr/local/openresty/nginx/conf/nginx.conf`.
#
# See https://github.com/openresty/docker-openresty/blob/master/README.md#nginx-config-files
#
##
# Cache Settings
##
proxy_cache_path /var/cache/nginx/cache keys_zone=elasticsearch:10m inactive=1d max_size=10g use_temp_path=off;
server {
listen 80;
server_name localhost;
#charset koi8-r;
access_log /var/log/nginx/access.log my_log_format;
error_log /var/log/nginx/error.log;
location /_search {
if ($http_x_consumer_username = '') {
set_by_lua_block $elasticsearch_alias { return ngx.md5('${ANONYMOUS_USER}') }
# set_by_lua_block $elasticsearch_alias { return '${ANONYMOUS_USER}' }
}
if ($http_x_consumer_username != '') {
set_by_lua_block $elasticsearch_alias { return ngx.md5(ngx.var.http_x_consumer_username) }
# set_by_lua_block $elasticsearch_alias { return ngx.var.http_x_consumer_username }
# set_by_lua_block $elasticsearch_alias { return '${ANONYMOUS_USER}' }
}
set_by_lua_block $ghost_alias {
if ngx.var.http_x_consumer_groups == nil then
return ",${PUBLISHED_POSTS_ALIAS},${PUBLISHED_PAGES_ALIAS}"
elseif string.find( ngx.var.http_x_consumer_groups, "${GHOST_EDITORS_GROUPNAME}" ) ~= nil then
return ",${PUBLISHED_POSTS_ALIAS},${DRAFT_POSTS_ALIAS},${PUBLISHED_PAGES_ALIAS},${DRAFT_PAGES_ALIAS}"
else
return ",${PUBLISHED_POSTS_ALIAS},${PUBLISHED_PAGES_ALIAS}"
end
}
set $aliases '${elasticsearch_alias}${ES_ALIAS_SUFFIX}${ghost_alias}';
rewrite ^/(.*)$ /$aliases/$1 break;
# FOR DEBUG PURPOSES ONLY
add_header X-Consumer-Username $http_x_consumer_username;
add_header X-Consumer-Groups $http_x_consumer_groups;
add_header X-Anonymous-Consumer $http_x_anonymous_consumer;
add_header X-Elasticsearch-Alias $elasticsearch_alias;
add_header X-Ghost-Alias $ghost_alias;
add_header X-Aliases $aliases;
#
# cache ------------------------------------------
proxy_cache elasticsearch;
proxy_cache_valid 200 302 1m;
proxy_cache_valid 404 1m;
proxy_cache_background_update on;
proxy_cache_use_stale updating;
proxy_cache_revalidate on;
proxy_cache_methods GET HEAD POST;
proxy_cache_key "$aliases|$request_uri|$request_body";
proxy_cache_bypass $http_nocache;
add_header X-Cache-Status $upstream_cache_status;
# ------------------------------------------------
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Proxy-Connection "Keep-Alive";
proxy_pass ${ES_UPSTREAM_SERVER};
}
}
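Review bot: The editors check in `set_by_lua_block $ghost_alias` runs `string.find` over the whole `X-Consumer-Groups` header, which is a substring and Lua-pattern match, so any group whose name merely contains the configured editors name is also given the draft aliases. The fence below compares each group name exactly, assuming the header is the comma-separated list that Kong's ACL plugin sends; with this form GHOST_EDITORS_GROUPNAME must be set unescaped. Also, the `add_header` lines under "FOR DEBUG PURPOSES ONLY" return the consumer name and the resolved alias list, draft alias names included, to every client and should be removed or gated before this is deployed.

```nginx
set_by_lua_block $ghost_alias {
    local published = ",${PUBLISHED_POSTS_ALIAS},${PUBLISHED_PAGES_ALIAS}"
    local groups = ngx.var.http_x_consumer_groups
    if groups == nil then
        return published
    end
    -- compare each comma-separated group name exactly, not as a Lua pattern
    for name in string.gmatch(groups, "[^,]+") do
        if name:match("^%s*(.-)%s*$") == "${GHOST_EDITORS_GROUPNAME}" then
            return ",${PUBLISHED_POSTS_ALIAS},${DRAFT_POSTS_ALIAS},${PUBLISHED_PAGES_ALIAS},${DRAFT_PAGES_ALIAS}"
        end
    end
    return published
}
# … unchanged: set $aliases, rewrite, cache and proxy_pass directives …
```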
TAG=<version of the proxy to be built deployed>
ES_ALIAS_SUFFIX=<suffix of es alias ex: -dev>
ANONYMOUS_USER=<anonymous username in kong>
GHOST_EDITORS_GROUPNAME=<ghost editor group name, make sure to escape special characters>
PUBLISHED_POSTS_ALIAS=<es alias of the published posts>
PUBLISHED_PAGES_ALIAS=<es alias of the published pages>
DRAFT_POSTS_ALIAS=<es alias of the draft post>
DRAFT_PAGES_ALIAS=<es alias of the draft pages>
ES_UPSTREAM_SERVER=<address of elasticsearch upstream, ex: 'elasticsearch:9200'>
NGINX_BIND_PORT=<listening port of the proxy>
\ No newline at end of file
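Review bot: The example for ES_UPSTREAM_SERVER, `'elasticsearch:9200'`, has no scheme, but the vhost template substitutes the value directly into `proxy_pass ${ES_UPSTREAM_SERVER};`, which nginx rejects without an `http://` or `https://` prefix. Depending on the docker-compose version, the single quotes may also be passed through literally. I would change the example to `ES_UPSTREAM_SERVER=<address of elasticsearch upstream, ex: http://elasticsearch:9200>`.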