proxy: Access CMS instances through subpaths

docker-compose-proxy.yml

@@ -23,13 +23,10 @@ services:
       - http_proxy=$HTTP_PROXY
       - https_proxy=$HTTPS_PROXY
       - no_proxy=localhost
+    expose:
+      - 443
     ports:
-      - 28180:28180 # medcat-snomed
-      - 28181:28181 # medcat-icd10
-#      - 28182:28182 # de-identification (deprecated)
-      - 28183:28183 # medcat-deid (anoncat)
-      - 28184:28184 # medcat-umls
-      - 28185:28185 # huggingface-ner
+      - 443:443     # cms
       - 28199:28199 # minio
       - 28200:28200 # mlflow-ui
       - 28201:28201 # prometheus
@@ -43,4 +40,4 @@ services:
 
 networks:
   cogstack-model-serve_cms:
-    external: true
+    external: true

docker/nginx/etc/nginx/nginx.conf

@@ -16,21 +16,85 @@ http {
     client_max_body_size 500M;
 
     server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name localhost;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        ssl_session_cache shared:SSL:20m;
+        ssl_session_timeout 10m;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 8.8.8.8 8.8.4.4;
+
+        ssl_certificate /etc/nginx/root-ca.pem;
+        ssl_certificate_key /etc/nginx/root-ca.key;
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
         location /health {
             include cors.conf;
             access_log off;
             return 200 "OK\n";
         }
+
+        location ~ ^/cms/(?<service>[^/]+)(?<subpath>/.*)?$ {
+            include cors.conf;
+            resolver 127.0.0.11 valid=30s;
+            set $upstream $service:8000;
+
+            # FIXME: Access web interfaces (e.g. Grafana, MLflow) through subpaths on the proxy.
+            # The following services only work when accessed directly through their respective APIs.
+            # Attempting to access their UI through the proxy leads to issues due to the way they
+            # handle redirects (even though we can employ certain heuristics to rewrite local URLs
+            # we can't account for all possible cases, e.g. local paths in HTML responses). As a
+            # result, accessing these web intercases through the proxy is only possible using the
+            # available host port mappings instead of the subpaths under /cms for the time being.
+            if ($service = "grafana") {
+                set $upstream $service:3000;
+            }
+
+            if ($service = "graylog") {
+                set $upstream $service:9000;
+            }
+
+            if ($service = "minio") {
+                set $upstream $service:9001;
+            }
+
+            if ($service = "mlflow-ui") {
+                set $upstream $service:5000;
+            }
+
+            if ($service = "prometheus") {
+                set $upstream $service:9090;
+            }
+
+            proxy_pass http://$upstream$subpath;
+
+            proxy_redirect http://$upstream$subpath $scheme://$host/cms/$service$subpath;
+            proxy_redirect http://$upstream/ $scheme://$host/cms/$service/;
+            proxy_redirect http://$upstream $scheme://$host/cms/$service;
+            proxy_redirect / $scheme://$host/cms/$service/;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            error_page 502 503 504 = @fallback;
+        }
+
+        location @fallback {
+            return 503 "Service is temporarily unavailable. Please try again later.";
+        }
     }
 
-    include sites-enabled/medcat-snomed;
-    include sites-enabled/medcat-icd10;
-    include sites-enabled/medcat-deid;
-    include sites-enabled/medcat-umls;
-    include sites-enabled/huggingface-ner;
-    include sites-enabled/mlflow-ui;
-    include sites-enabled/minio;
-    include sites-enabled/prometheus;
-    include sites-enabled/grafana;
-    include sites-enabled/graylog;
-}
+    include sites-enabled/*;
+}