OZ-457: Switch reverse proxy from Apache 2 to Nginx (#66)
enyachoke authored Jan 9, 2024
1 parent 08a98f4 commit d477745
Showing 19 changed files with 217 additions and 275 deletions.
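--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ It may take some time to setup Ozone for the first time, so hang tight :hourglas
 
 When ready Gitpod will launch the tab for OpenMRS 3.
 
-## (option 2) Try Ozone locally using the embedded Apache 2 proxy
+## (option 2) Try Ozone locally using the embedded Nginx reverse proxy
 
 Clone the repo
 ```bash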
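--- a/docker-compose-openmrs.yml
+++ b/docker-compose-openmrs.yml
@@ -35,8 +35,6 @@ services:
 networks:
 - ozone
 - web
-ports:
-- "8080:8080"
 restart: unless-stopped
 volumes:
 - "openmrs-data:/openmrs/data"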
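--- a/docker-compose-superset.yml
+++ b/docker-compose-superset.yml
@@ -26,8 +26,6 @@ services:
 networks:
 - ozone
 - web
-ports:
-- "8088:8088"
 restart: unless-stopped
 volumes:
 - ${SUPERSET_CONFIG_PATH}/:/etc/superset/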
10 changes: 4 additions & 6 deletions proxy/Dockerfile
@@ -1,8 +1,6 @@
FROM httpd:2.4-alpine
FROM nginx:1.25-alpine

RUN apk add curl iproute2 iputils less nano tree ca-certificates lsof --no-cache
ENV FRAME_ANCESTORS ""

COPY resources/httpd.conf /usr/local/apache2/conf/httpd.conf
COPY resources/proxy-rules /usr/local/apache2/conf/proxy-rules
COPY resources/tls/cert.pem resources/tls/privkey.pem resources/tls/chain.pem /etc/tls/
EXPOSE 8069/tcp
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf.template /etc/nginx/templates/
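Review bot: `ENV FRAME_ANCESTORS ""` uses the legacy whitespace-separated form; `ENV FRAME_ANCESTORS=""` is the documented syntax and makes it obvious the value is intentionally an empty string. That empty default carries real weight: the nginx image's entrypoint presumably only substitutes `${VAR}` references for variables that are defined in the container environment, so without this ENV an unset `FRAME_ANCESTORS` would reach nginx literally inside the CSP header in default.conf.template — a comment above the line such as `# must be defined so envsubst replaces ${FRAME_ANCESTORS} in default.conf.template` would stop a future cleanup from removing it. Whether the `RUN apk add curl iproute2 …` line survives the change cannot be told from this rendering; if it does, consider trimming it to what the healthcheck actually needs (`curl`), since `nano`, `less`, `tree` and `lsof` only widen the attack surface of an edge image.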
10 changes: 0 additions & 10 deletions proxy/confs/000-80.conf

This file was deleted.

18 changes: 0 additions & 18 deletions proxy/confs/010-443.conf

This file was deleted.

14 changes: 0 additions & 14 deletions proxy/confs/030-8069.conf

This file was deleted.

26 changes: 0 additions & 26 deletions proxy/confs/040-8081.conf

This file was deleted.

14 changes: 0 additions & 14 deletions proxy/confs/050-8088.conf

This file was deleted.

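--- /dev/null
+++ b/proxy/default.conf.template
@@ -0,0 +1,175 @@
+map $request_uri $csp_header {
+default "default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; img-src 'self' data:; frame-ancestors 'self' ${FRAME_ANCESTORS};";
+"~^/openmrs/(?:admin|dictionary|module|patientDashboard.form)/" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; frame-ancestors 'self';";
+"~^/openmrs/owa" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self';";
+}
+
+map $http_x_forwarded_proto $forwarded_proto {
+"~.*" $http_x_forwarded_proto;
+default $scheme;
+}
+
+map $http_x_real_ip $forwarded_ip {
+"~.*" $http_x_real_ip;
+default $remote_addr;
+}
+
+map $forwarded_proto $var_proxy_cookie_flags {
+https "JSESSIONID secure samesite=strict";
+default "off";
+}
+
+upstream frontend {
+# always assume the frontend will be available
+server frontend max_fails=0;
+}
+
+upstream backend {
+server openmrs:8080 max_fails=0;
+}
+
+upstream odoo {
+server odoo:8069 max_fails=0;
+}
+upstream odoochat {
+server odoo:8072 max_fails=0;
+}
+
+
+
+upstream senaite {
+server senaite:8080 max_fails=0;
+}
+
+upstream superset {
+server superset:8088 max_fails=0;
+}
+
+server {
+listen 80;
+
+add_header X-XSS-Protection "1; mode=block";
+add_header Content-Security-Policy $csp_header;
+add_header X-Content-Type-Options nosniff;
+
+proxy_set_header HOST $host;
+proxy_set_header X-Forwarded-Proto $forwarded_proto;
+proxy_set_header X-Real-IP $forwarded_ip;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# if serving this via HTTPS, the following is recommended
+# proxy_cookie_flags $var_proxy_cookie_flags;
+proxy_http_version 1.1;
+
+gzip on;
+gzip_vary on;
+# 1 KiB
+gzip_min_length 1024;
+gzip_proxied any;
+gzip_http_version 1.0;
+gzip_types font/eot
+font/otf
+font/ttf
+image/svg+xml
+text/css
+text/javascript
+text/plain
+text/xml
+application/atom+xml
+application/geo+json
+application/importmap+json
+application/javascript
+application/x-javascript
+application/json
+application/ld+json
+application/fhir+json
+application/fhir+xml
+application/manifest+json
+application/rdf+xml
+application/rss+xml
+application/xhtml+xml
+application/xml;
+
+# all redirects are relative to the gateway
+absolute_redirect off;
+
+location = /openmrs/spa {
+return 301 /openmrs/spa/;
+}
+
+location /openmrs/spa/ {
+proxy_pass http://frontend/;
+proxy_redirect http://$host/ /openmrs/spa/;
+}
+
+location /openmrs {
+proxy_pass http://backend;
+}
+
+location = / {
+return 301 /openmrs/spa/;
+}
+}
+
+server {
+listen 8069;
+server_name localhost;
+
+# Increase proxy buffer size
+proxy_buffers 16 64k;
+proxy_buffer_size 128k;
+# Force timeouts if the backend dies
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+# Enable data compression
+gzip on;
+gzip_min_length 1100;
+gzip_buffers 4 32k;
+gzip_types text/plain text/xml text/css text/less application/x-javascript application/xml application/json application/javascript;
+gzip_vary on;
+
+# Proxy header and settings
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+
+
+# Cache static data
+location ~* /web/static/ {
+proxy_cache_valid 200 60m;
+proxy_buffering on;
+expires 864000;
+proxy_pass http://odoo;
+}
+
+location / {
+proxy_pass http://odoo;
+# The following makes the timeout broader
+proxy_read_timeout 30000;
+proxy_redirect off;
+}
+
+location /longpolling {
+proxy_pass http://odoochat;
+}
+}
+
+server {
+listen 8088;
+location / {
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass http://superset;
+}
+}
+
+server {
+listen 8081;
+location / {
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+rewrite ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
+proxy_pass http://senaite;
+}
+}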
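Review bot: The `$forwarded_proto` and `$forwarded_ip` maps at the top of the file honour `X-Forwarded-Proto` and `X-Real-IP` from whoever connects, and port 80 of this container is published directly in proxy/docker-compose.yml, so any client can tell OpenMRS it is someone else (`X-Real-IP: 127.0.0.1`) for audit logs and IP-based checks, or claim the request arrived over HTTPS, which would flip the `JSESSIONID secure` cookie flags once the commented `proxy_cookie_flags` line is enabled. Presumably the maps exist for a TLS-terminating proxy in front (e.g. Gitpod); the fix is to trust those headers only from that proxy's address range using the realip module plus a `geo` lookup, and to forward `$remote_addr` as `X-Real-IP`, as sketched below. Two smaller points in the `listen 80` block: `add_header` without `always` is not applied to 4xx/5xx responses, so backend error pages go out without CSP and nosniff (`add_header X-Content-Type-Options nosniff always;` and likewise for the other two), and the 8069/8081/8088 server blocks carry no security headers at all. The `'unsafe-inline' 'unsafe-eval'` in the CSP is presumably required by the legacy OpenMRS UI; a comment naming which UI needs it would keep it from being copied to the other blocks unreviewed.
```nginx
# Trust X-Real-IP / X-Forwarded-Proto only when the TCP peer is the front
# proxy; replace 10.0.0.0/8 with that proxy's real address range.
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Real-IP;

geo $realip_remote_addr $from_trusted_proxy {
    default 0;
    10.0.0.0/8 1;
}

# Honour a client-supplied scheme only when it came through that proxy.
map "$from_trusted_proxy:$http_x_forwarded_proto" $forwarded_proto {
    "~^1:(https?)$" $1;
    default $scheme;
}
# ($forwarded_ip map dropped: after set_real_ip_from, $remote_addr already
#  holds the real client address.)

# … unchanged: $var_proxy_cookie_flags map, upstreams, start of server block …
    proxy_set_header X-Real-IP $remote_addr;
# … unchanged: remaining proxy_set_header lines, gzip, locations …
```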
5 changes: 2 additions & 3 deletions proxy/docker-compose.yml
@@ -1,13 +1,12 @@
services:

# Apache HTTPD - Entry point for the application.
# Nginx - Entry point for the application.
proxy:
restart: unless-stopped
build:
context: ./
args:
TIMEZONE: "${TIMEZONE}"
command: "httpd-foreground ${PROXY_TLS:-}"
healthcheck:
test:
- CMD
Expand All @@ -18,9 +17,9 @@ services:
ozone:
ports:
- "${PROXY_PUBLIC_PORT:-80}:80"
- "${PROXY_PUBLIC_PORT_TLS:-443}:443"
- "8069:8069"
- "8081:8081"
- "8088:8088"
volumes:
- "./confs:/usr/local/apache2/conf/extra"
- "${PROXY_TLS_CERTS_PATH:-proxy-tls-certs}:/etc/tls"
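Review bot: Removing `command: "httpd-foreground ${PROXY_TLS:-}"` takes the only TLS entry point out of the proxy service with no nginx replacement: the new templates only `listen 80` (plus 8069/8081/8088), so anything that still references `PROXY_TLS`, `PROXY_PUBLIC_PORT_TLS` or an `/etc/tls` mount is dead configuration, and the session cookies the commented `proxy_cookie_flags` line was meant to protect leave without `Secure` unless a TLS terminator sits in front. Whether the `:443` port and the `/etc/tls` volume lines in the second hunk are deleted or kept is not recoverable from the rendered page; if kept, either remove them or add `# TLS is expected to be terminated by a proxy in front of this container` so the intent is explicit. The `./confs` bind mount deserves the same check, since `proxy/confs/` is deleted in this commit and Compose silently creates an empty host directory for a missing bind source. The `healthcheck` `test` list continues outside the hunk; if it probes an httpd-specific path it needs to follow the proxy.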
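--- /dev/null
+++ b/proxy/nginx.conf
@@ -0,0 +1,30 @@
+user nobody;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+
+keepalive_timeout 65;
+
+include /etc/nginx/conf.d/*.conf;
+}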
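Review bot: `server_tokens` is left at its default, so every response and every nginx-generated error page advertises the exact nginx version of an internet-facing edge; add `server_tokens off;` next to `sendfile on;` in the `http` block. `user nobody;` differs from the `user nginx;` the official image's stock config uses; it works because the master process still runs as root and owns the log files, but a one-line comment on why `nobody` was chosen would save the next maintainer from "fixing" it. The access log records `$http_x_forwarded_for` verbatim, which is fine for troubleshooting as long as nobody treats that column as an authenticated client address.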