BN: refactor nginx config

dfinity · Jan 23, 2024 · 35bb6c0 · 35bb6c0
1 parent d4879b2
commit 35bb6c0
Show file tree

Hide file tree

Showing 12 changed files with 52 additions and 96 deletions.
diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl
@@ -40,8 +40,7 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, OPTIONS";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Update the Host header so that icx-proxy is able to process the request

diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl
@@ -17,13 +17,9 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, OPTIONS";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
-        # Update the Host header so that icx-proxy is able to process the request
-        proxy_set_header Host "$inferred_canister_id.$primary_domain";
-
         # Cache
         proxy_buffering       "on";
         proxy_cache           "cache_static";
@@ -34,6 +30,9 @@ server {
         proxy_pass http://icx_proxy;
         include "includes/proxy_headers.conf";
 
+        # Update the Host header so that icx-proxy is able to process the request
+        proxy_set_header Host "$inferred_canister_id.$primary_domain";
+
         # Required for clients that have a service worker, which hasn't been uninstalled yet
         add_header "X-Ic-Gateway" "$primary_api_domain" always;
     }

diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf
@@ -16,9 +16,7 @@ server {
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query {
@@ -30,9 +28,7 @@ server {
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call {
@@ -44,9 +40,7 @@ server {
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state {
@@ -58,9 +52,7 @@ server {
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location / {

diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf
@@ -45,15 +45,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query {
@@ -65,15 +62,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call {
@@ -85,15 +79,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state {
@@ -105,15 +96,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 }
 
@@ -142,15 +130,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query {
@@ -162,15 +147,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call {
@@ -182,15 +164,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state {
@@ -202,15 +181,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://ic_boundary";
-        include "includes/proxy_x_request_id.conf";
-        include "includes/proxy_keepalive.conf";
-        include "includes/secure_headers.conf";
+        include "includes/proxy_headers.conf";
     }
 
     # Custom Domains
@@ -227,12 +203,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, POST";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://cert_issuer";
+        include "includes/proxy_headers.conf";
     }
 
     location ~ /registrations/[0-9a-zA-Z]+$ {
@@ -245,12 +221,12 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, PUT, DELETE";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Proxy
         proxy_pass "http://cert_issuer";
+        include "includes/proxy_headers.conf";
     }
 }
 
@@ -328,8 +304,7 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, OPTIONS";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Cache
@@ -399,8 +374,7 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, OPTIONS";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Cache
@@ -436,8 +410,7 @@ server {
 
         # CORS
         set $cors_allow_methods "HEAD, GET, POST, OPTIONS";
-        include "includes/cors_remove_proxy.conf";
-        include "includes/cors.conf";
+        include "includes/response_headers.conf";
         include "includes/options.conf";
 
         # Cache

diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf
@@ -6,7 +6,7 @@ if ($request_method = "OPTIONS") {
     include "includes/request_id.conf";
 
     # required because any `add_header` within an `if` will remove previously set `add_header`
-    include "includes/cors.conf";
+    include "includes/response_headers.conf";
 
     return 204;
 }
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf
@@ -1,16 +1,28 @@
+# Basic headers
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Request-ID $request_uuid;
 proxy_set_header Connection "";
 
+# Request-ID
+proxy_set_header X-Request-ID $request_uuid;
+
+# Remove CORS-related headers
+proxy_hide_header Access-Control-Allow-Origin;
+proxy_hide_header Access-Control-Allow-Methods;
+proxy_hide_header Access-Control-Allow-Credentials;
+proxy_hide_header Access-Control-Allow-Headers;
+proxy_hide_header Access-Control-Expose-Headers;
+proxy_hide_header Access-Control-Max-Age;
+
+# Headers used for logging
 proxy_hide_header x-ic-error-cause;
+proxy_hide_header x-ic-subnet-id;
 proxy_hide_header x-ic-cache-bypass-reason;
 proxy_hide_header x-ic-node-id;
 proxy_hide_header x-ic-request-type;
 proxy_hide_header x-ic-subnet-type;
-proxy_hide_header x-ic-canister-id;
 proxy_hide_header x-ic-sender;
 proxy_hide_header x-ic-retries;
 proxy_hide_header x-ic-method-name;
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf
@@ -1 +1,2 @@
+# Response
 add_header X-Request-ID $request_uuid always;
diff --git a/...estos/rootfs/etc/nginx/includes/cors.conf → .../etc/nginx/includes/response_headers.conf b/...estos/rootfs/etc/nginx/includes/cors.conf → .../etc/nginx/includes/response_headers.conf
@@ -1,5 +1,9 @@
+# CORS
 add_header "Access-Control-Allow-Origin" "*" always;
 add_header "Access-Control-Allow-Methods" "$cors_allow_methods" always;
 add_header "Access-Control-Allow-Headers" "DNT,User-Agent,X-Requested-With,If-None-Match,If-Modified-Since,Cache-Control,Content-Type,Range,Cookie,X-Ic-Canister-Id" always;
 add_header "Access-Control-Expose-Headers" "Accept-Ranges,Content-Length,Content-Range,X-Request-Id,X-Ic-Canister-Id" always;
 add_header "Access-Control-Max-Age" "600" always;
+
+# Other
+add_header "X-Content-Type-Options" "nosniff" always;
diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf