Merge branch 'acs-base.proxy' into acs-share-base.acs-base

2020-12-17 16:31:16 -05:00 · 2020-12-17 16:31:16 -05:00 · 4cb5100065
commit 4cb5100065
parent c084972d39 46bbeeef30
4 changed files with 74 additions and 5 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -27,11 +27,10 @@ services:
        image: alfresco/alfresco-activemq:latest

    proxy:
-        image: alfresco/alfresco-acs-nginx:latest
-        environment:
-            REPO_URL: "http://platform:8080"
+        build: ./nginx-ingress
+        image: local/nginx-ingress:acs
+        ports:
+            - 8080:8080
        depends_on:
            - platform
            - share
-        ports:
-            - 8080:8080
--- a/nginx-ingress/Dockerfile
+++ b/nginx-ingress/Dockerfile
@ -0,0 +1,8 @@
+FROM nginx:stable-alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [[ $ACS_PLATFORM_URL ]]; then
+  sed -i s%http:\/\/platform:8080%"$ACS_PLATFORM_URL"%g /etc/nginx/nginx.conf
+fi
+
+if [[ $ACCESS_LOG ]]; then
+  sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
+fi
+
+nginx -g "daemon off;"
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
@ -0,0 +1,51 @@
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen *:8080;
+
+        client_max_body_size 0;
+
+        set  $allowOriginSite *;
+        proxy_pass_request_headers on;
+        proxy_pass_header Set-Cookie;
+
+        # External settings, do not remove
+        #ENV_ACCESS_LOG
+
+        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_set_header Host            $host:$server_port;
+        proxy_set_header X-Real-IP       $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass_header Set-Cookie;
+        
+        # Protect access to SOLR APIs
+        location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
+        location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
+        location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
+        location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}
+
+        location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;}
+        location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;}
+        
+        # Protect access to Prometheus endpoint
+        location ~ ^(/.*/s/prometheus)$ {return 403;}
+        
+        location / {
+            proxy_pass http://platform:8080;
+        }
+
+        location /alfresco/ {
+            proxy_pass http://platform:8080;
+
+            # If using external proxy / load balancer (for initial redirect if no trailing slash)
+            absolute_redirect off;
+        }
+    }
+}