From 35bb6c0ee98a1876f840e5a64617c280936d9245 Mon Sep 17 00:00:00 2001 From: Igor Novgorodov Date: Tue, 23 Jan 2024 12:25:01 +0000 Subject: [PATCH] BN: refactor nginx config --- .../certificate-syncer/domain-with-sw.tmpl | 3 +- .../certificate-syncer/domain-without-sw.tmpl | 9 +-- .../etc/nginx/conf.d/001-rosetta-nginx.conf | 16 +--- .../etc/nginx/conf.d/002-mainnet-nginx.conf | 73 ++++++------------- .../etc/nginx/includes/cors_remove_proxy.conf | 7 -- .../rootfs/etc/nginx/includes/options.conf | 2 +- .../etc/nginx/includes/proxy_headers.conf | 16 +++- .../etc/nginx/includes/proxy_keepalive.conf | 5 -- .../nginx/includes/proxy_x_request_id.conf | 5 -- .../rootfs/etc/nginx/includes/request_id.conf | 1 + .../{cors.conf => response_headers.conf} | 4 + .../etc/nginx/includes/secure_headers.conf | 7 -- 12 files changed, 52 insertions(+), 96 deletions(-) delete mode 100644 ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf delete mode 100644 ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf delete mode 100644 ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf rename ic-os/boundary-guestos/rootfs/etc/nginx/includes/{cors.conf => response_headers.conf} (87%) delete mode 100644 ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl index a9f64ecac8e..3c0d26ab93e 100644 --- a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl +++ b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-with-sw.tmpl @@ -40,8 +40,7 @@ server { # CORS set $cors_allow_methods "HEAD, GET, OPTIONS"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Update the Host header so that icx-proxy is able to process the request diff --git a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl index da2026c1d44..20ba72d5a9c 100644 --- a/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl +++ b/ic-os/boundary-guestos/rootfs/etc/certificate-syncer/domain-without-sw.tmpl @@ -17,13 +17,9 @@ server { # CORS set $cors_allow_methods "HEAD, GET, OPTIONS"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; - # Update the Host header so that icx-proxy is able to process the request - proxy_set_header Host "$inferred_canister_id.$primary_domain"; - # Cache proxy_buffering "on"; proxy_cache "cache_static"; @@ -34,6 +30,9 @@ server { proxy_pass http://icx_proxy; include "includes/proxy_headers.conf"; + # Update the Host header so that icx-proxy is able to process the request + proxy_set_header Host "$inferred_canister_id.$primary_domain"; + # Required for clients that have a service worker, which hasn't been uninstalled yet add_header "X-Ic-Gateway" "$primary_api_domain" always; } diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf index 82635716b17..3fe0571429f 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/001-rosetta-nginx.conf @@ -16,9 +16,7 @@ server { # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query { @@ -30,9 +28,7 @@ server { # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call { @@ -44,9 +40,7 @@ server { # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state { @@ -58,9 +52,7 @@ server { # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location / { diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf index 94f269c02cf..b3f1de55a5d 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/conf.d/002-mainnet-nginx.conf @@ -45,15 +45,12 @@ server { # CORS set $cors_allow_methods "HEAD, GET"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query { @@ -65,15 +62,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call { @@ -85,15 +79,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state { @@ -105,15 +96,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } } @@ -142,15 +130,12 @@ server { # CORS set $cors_allow_methods "HEAD, GET"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/query { @@ -162,15 +147,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/call { @@ -182,15 +164,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } location ~ /api/v2/canister/[0-9a-zA-Z\-]+/read_state { @@ -202,15 +181,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://ic_boundary"; - include "includes/proxy_x_request_id.conf"; - include "includes/proxy_keepalive.conf"; - include "includes/secure_headers.conf"; + include "includes/proxy_headers.conf"; } # Custom Domains @@ -227,12 +203,12 @@ server { # CORS set $cors_allow_methods "HEAD, POST"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://cert_issuer"; + include "includes/proxy_headers.conf"; } location ~ /registrations/[0-9a-zA-Z]+$ { @@ -245,12 +221,12 @@ server { # CORS set $cors_allow_methods "HEAD, GET, PUT, DELETE"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Proxy proxy_pass "http://cert_issuer"; + include "includes/proxy_headers.conf"; } } @@ -328,8 +304,7 @@ server { # CORS set $cors_allow_methods "HEAD, GET, OPTIONS"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Cache @@ -399,8 +374,7 @@ server { # CORS set $cors_allow_methods "HEAD, GET, OPTIONS"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Cache @@ -436,8 +410,7 @@ server { # CORS set $cors_allow_methods "HEAD, GET, POST, OPTIONS"; - include "includes/cors_remove_proxy.conf"; - include "includes/cors.conf"; + include "includes/response_headers.conf"; include "includes/options.conf"; # Cache diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf deleted file mode 100644 index de515d76fdf..00000000000 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors_remove_proxy.conf +++ /dev/null @@ -1,7 +0,0 @@ -# Remove the headers that were forced by the backend, and replace them with our own values. -proxy_hide_header "Access-Control-Allow-Origin"; -proxy_hide_header "Access-Control-Allow-Methods"; -proxy_hide_header "Access-Control-Allow-Credentials"; -proxy_hide_header "Access-Control-Allow-Headers"; -proxy_hide_header "Access-Control-Expose-Headers"; -proxy_hide_header "Access-Control-Max-Age"; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf index a62a276a0de..65b443fe63a 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/options.conf @@ -6,7 +6,7 @@ if ($request_method = "OPTIONS") { include "includes/request_id.conf"; # required because any `add_header` within an `if` will remove previously set `add_header` - include "includes/cors.conf"; + include "includes/response_headers.conf"; return 204; } diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf index 0dc4103e0e2..1bfb1cdebda 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_headers.conf @@ -1,16 +1,28 @@ +# Basic headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; -proxy_set_header X-Request-ID $request_uuid; proxy_set_header Connection ""; +# Request-ID +proxy_set_header X-Request-ID $request_uuid; + +# Remove CORS-related headers +proxy_hide_header Access-Control-Allow-Origin; +proxy_hide_header Access-Control-Allow-Methods; +proxy_hide_header Access-Control-Allow-Credentials; +proxy_hide_header Access-Control-Allow-Headers; +proxy_hide_header Access-Control-Expose-Headers; +proxy_hide_header Access-Control-Max-Age; + +# Headers used for logging proxy_hide_header x-ic-error-cause; +proxy_hide_header x-ic-subnet-id; proxy_hide_header x-ic-cache-bypass-reason; proxy_hide_header x-ic-node-id; proxy_hide_header x-ic-request-type; proxy_hide_header x-ic-subnet-type; -proxy_hide_header x-ic-canister-id; proxy_hide_header x-ic-sender; proxy_hide_header x-ic-retries; proxy_hide_header x-ic-method-name; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf deleted file mode 100644 index 4bdb8be04cc..00000000000 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_keepalive.conf +++ /dev/null @@ -1,5 +0,0 @@ -# By default, nginx adds the "Connection: close" header, which results in each -# connection being closed when the request completes. By omitting the "close" -# the connection is kept open in combination with the keepalive directive in the -# upstream block. -proxy_set_header Connection ""; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf deleted file mode 100644 index 2dd3452b2e0..00000000000 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/proxy_x_request_id.conf +++ /dev/null @@ -1,5 +0,0 @@ -# Nginx maps request_id to request_uuid and logs only the latter. -# Thus nginx's request_uuid is the source of truth for logging/tracing. -# We pass the same request_uuid in the X-Request-ID header to ic-boundary. ic-boundary doesn't overwrite it by default. -# If X-Request-ID is not present in the header, ic-boundary generates one. -proxy_set_header X-Request-ID $request_uuid; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf index 759a81f5274..02f89ebf40b 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/request_id.conf @@ -1 +1,2 @@ +# Response add_header X-Request-ID $request_uuid always; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/response_headers.conf similarity index 87% rename from ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors.conf rename to ic-os/boundary-guestos/rootfs/etc/nginx/includes/response_headers.conf index 7f4a27317ea..b1b5ba7f822 100644 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/cors.conf +++ b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/response_headers.conf @@ -1,5 +1,9 @@ +# CORS add_header "Access-Control-Allow-Origin" "*" always; add_header "Access-Control-Allow-Methods" "$cors_allow_methods" always; add_header "Access-Control-Allow-Headers" "DNT,User-Agent,X-Requested-With,If-None-Match,If-Modified-Since,Cache-Control,Content-Type,Range,Cookie,X-Ic-Canister-Id" always; add_header "Access-Control-Expose-Headers" "Accept-Ranges,Content-Length,Content-Range,X-Request-Id,X-Ic-Canister-Id" always; add_header "Access-Control-Max-Age" "600" always; + +# Other +add_header "X-Content-Type-Options" "nosniff" always; diff --git a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf b/ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf deleted file mode 100644 index 3bdbbadafa8..00000000000 --- a/ic-os/boundary-guestos/rootfs/etc/nginx/includes/secure_headers.conf +++ /dev/null @@ -1,7 +0,0 @@ -# Request -proxy_set_header "Content-Type" "application/cbor"; - -# Response -proxy_hide_header "Content-Type"; -add_header "Content-Type" "application/cbor" always; -add_header "X-Content-Type-Options" "nosniff" always;