Updated upstream
Fixed _limit.conf salt template.
diff --git a/README.rst b/README.rst
index 4df896c..4eadf2b 100644
--- a/README.rst
+++ b/README.rst
@@ -144,6 +144,57 @@
name: gitlab.domain.com
port: 80
+Simple HTTP proxy with multiple locations
+If proxy part is defined and location is missing `/`, then proxy part is used. If `/` location is defined then it overrides proxy part.
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ site:
+ nginx_proxy_site01:
+ enabled: true
+ type: nginx_proxy
+ name: site01
+ proxy:
+ host: local.domain.com
+ port: 80
+ protocol: http
+ location:
+ /internal/:
+ host: 172.120.10.200
+ port: 80
+ protocol: http
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: gitlab.domain.com
+ port: 80
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ site:
+ nginx_proxy_site01:
+ enabled: true
+ type: nginx_proxy
+ name: site01
+ location:
+ /:
+ host: 172.120.10.200
+ port: 80
+ protocol: http
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: gitlab.domain.com
+ port: 80
+
Simple Websocket proxy
.. code-block:: yaml
diff --git a/nginx/files/_limit.conf b/nginx/files/_limit.conf
index b1d88ad..e0ff102 100644
--- a/nginx/files/_limit.conf
+++ b/nginx/files/_limit.conf
@@ -1,3 +1,5 @@
+{%- set site = salt['pillar.get']('nginx:server:site:'+site_name) %}
+
{%- if site.get('limit', {}).get('enabled', False) %}
# Create whitelist for ip addresses
geo $geo_{{ site_name }} {
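Review bot: The added `salt['pillar.get']('nginx:server:site:'+site_name)` passes no default, and `pillar.get` returns an empty string for a missing key, so the `site.get('limit', {})` on the next line would fail on a string instead of skipping the block. Passing a dict default keeps the include rendering: `{%- set site = salt['pillar.get']('nginx:server:site:' + site_name, {}) %}`. Reading pillar directly also bypasses any defaults that `map.jinja` merges into `server` (not visible here), and a `site_name` containing `:` would be treated as a nested key path. A short comment stating both assumptions would help. The `geo` block continues outside the hunk.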
diff --git a/nginx/files/_ssl_secure.conf b/nginx/files/_ssl_secure.conf
index 8435478..5f14a05 100644
--- a/nginx/files/_ssl_secure.conf
+++ b/nginx/files/_ssl_secure.conf
@@ -10,6 +10,5 @@
{%- endif %}
ssl_dhparam /etc/ssl/dhparams.pem;
- ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
diff --git a/nginx/files/proxy.conf b/nginx/files/proxy.conf
index 9a60194..8b4601a 100644
--- a/nginx/files/proxy.conf
+++ b/nginx/files/proxy.conf
@@ -7,34 +7,40 @@
{%- include "nginx/files/_name.conf" %}
{%- include "nginx/files/_ssl.conf" %}
- {%- if site.get('ssl', {'enabled': False}).get('enabled', False) %}
- ssl_session_cache shared:SSL:10m;
- {%- endif %}
-
{%- if site.get('underscores_in_headers', False) %}
underscores_in_headers on;
{%- endif %}
{%- include "nginx/files/_auth.conf" %}
+ {%- set location = {} %}
+ {%- if site.get('location') %}
+ {%- do location.update(site.location) %}
+ {# If site has proxy and not location '/' defined in model, update location dictionary to contain proxy part definition #}
+ {%- if site.get('proxy') and not location.get('/')%}
+ {%- do location.update({'/': site.proxy}) %}
+ {%- endif %}
+ {%- else %}
+ {# If location is not defined in model, use proxy definition by default #}
+ {%- do location.update({'/': site.proxy}) %}
+ {%- endif %}
{%- if site.get('limit', {}).get('enabled', False) %}
limit_req_status {{ site.limit.get('status_code', '429') }};
limit_conn_status {{ site.limit.get('status_code', '429') }};
{%- endif %}
-
-
- location / {
- {%- if site.proxy.upstream_proxy_pass is defined %}
- proxy_pass {{ site.proxy.upstream_proxy_pass }};
+ {%- for path, location in location.items() %}
+ location {{ path }} {
+ {%- if location.upstream_proxy_pass is defined %}
+ proxy_pass {{ location.upstream_proxy_pass }};
{%- else %}
- proxy_pass {{ site.proxy.protocol }}://{{ site.proxy.host }}:{{ site.proxy.port }};
+ proxy_pass {{ location.protocol }}://{{ location.host }}:{{ location.port }};
{%- endif %}
{%- include "nginx/files/_access_policy.conf" %}
- {%- if site.proxy.size is defined %}
- client_max_body_size {{ site.proxy.size }};
- {%- if site.proxy.size > 200 %}
+ {%- if location.size is defined %}
+ client_max_body_size {{ location.size }};
+ {%- if location.size > 200 %}
client_body_buffer_size 200m;
{%- else %}
client_body_buffer_size 20m;
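Review bot: The `{%- else %}` branch runs `location.update({'/': site.proxy})` without checking that `site.proxy` exists, so a site with neither `proxy` nor a non-empty `location` gets an undefined value under `/` and fails later at `location.upstream_proxy_pass` with an unhelpful error. `{%- elif site.get('proxy') %}` would make that case explicit. The loop `for path, location in location.items()` also rebinds the name of the dict it iterates; naming the dict `locations` and the entry `loc` would be easier to follow. `{{ path }}` and the `proxy_pass` parts are written into the config verbatim, so a pillar key containing whitespace, `;` or `{` changes the structure of the generated file; a comment stating that location keys must be plain URI prefixes would record that constraint. The `location` block opened here is closed in a later hunk.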
@@ -44,11 +50,11 @@
client_body_buffer_size 20m;
{% endif %}
- {%- if site.proxy.timeout is defined %}
- proxy_connect_timeout {{ site.proxy.timeout }};
- proxy_send_timeout {{ site.proxy.timeout }};
- proxy_read_timeout {{ site.proxy.timeout }};
- send_timeout {{ site.proxy.timeout }};
+ {%- if location.timeout is defined %}
+ proxy_connect_timeout {{ location.timeout }};
+ proxy_send_timeout {{ location.timeout }};
+ proxy_read_timeout {{ location.timeout }};
+ send_timeout {{ location.timeout }};
{%- else %}
proxy_connect_timeout 600;
proxy_send_timeout 600;
@@ -56,8 +62,8 @@
send_timeout 600;
{%- endif %}
- {%- if site.proxy.filter is defined %}
- sub_filter '{{ site.proxy.filter.search }}' {% if site.proxy.filter.replace == '$server_addr' %}$server_addr{% else %}'{{ site.proxy.filter.replace }}'{% endif %};
+ {%- if location.filter is defined %}
+ sub_filter '{{ location.filter.search }}' {% if location.filter.replace == '$server_addr' %}$server_addr{% else %}'{{ location.filter.replace }}'{% endif %};
sub_filter_types *;
sub_filter_once off;
{%- endif %}
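Review bot: `location.filter.search` and `location.filter.replace` are placed inside single-quoted nginx strings without escaping, so a value containing `'` ends the string early and the rest is parsed as further directive arguments. Either escape quotes before rendering, or state the constraint above the `sub_filter` line, for example `{# filter.search / filter.replace must not contain single quotes #}`. The same pattern existed under `site.proxy.filter`, but it now applies to every entry in `location`, which widens the set of pillar values that reach this line.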
@@ -68,23 +74,23 @@
proxy_redirect off;
{%- endif %}
- {%- if site.proxy.buffer is defined %}
- {%- set buffer_size = site.proxy.buffer.get('size', 16) * 2 %}
+ {%- if location.buffer is defined %}
+ {%- set buffer_size = location.buffer.get('size', 16) * 2 %}
proxy_buffering on;
- proxy_buffers {{ site.proxy.buffer.get('number', 8) }} {{ site.proxy.buffer.get('size', 16) }}k;
+ proxy_buffers {{ location.buffer.get('number', 8) }} {{ location.buffer.get('size', 16) }}k;
proxy_buffer_size {{ buffer_size }}k;
- proxy_busy_buffers_size {{ site.proxy.buffer.get('busy', buffer_size) }}k;
+ proxy_busy_buffers_size {{ location.buffer.get('busy', buffer_size) }}k;
{%- else %}
proxy_buffering off;
{%- endif %}
- {%- if not site.proxy.get('request_buffer', True) %}
+ {%- if not location.get('request_buffer', True) %}
proxy_request_buffering off;
{%- endif %}
proxy_http_version 1.1;
- {%- if site.proxy.get('headers', True) %}
+ {%- if location.get('headers', True) %}
proxy_set_header Host $host{% if site.host.port is defined and site.host.port not in [80,443] %}:{{ site.host.port }}{% endif %};
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -97,7 +103,7 @@
add_header Front-End-Https on;
{%- endif %}
- {%- if site.proxy.websocket is defined %}
+ {%- if location.websocket is defined %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
{%- endif %}
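Review bot: `location.websocket is defined` is true for any value, so a location with `websocket: false` in pillar still gets the `Upgrade`/`Connection "upgrade"` headers. Since the new test pillar writes `websocket: true`, the key reads as a boolean, and the check should follow its value: `{%- if location.get('websocket', False) %}`.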
@@ -110,5 +116,5 @@
{%- endfor %}
{%- endif %}
}
-
+{%- endfor %}
}
diff --git a/nginx/meta/heka.yml b/nginx/meta/heka.yml
index 7f3c1b7..102f928 100644
--- a/nginx/meta/heka.yml
+++ b/nginx/meta/heka.yml
@@ -1,5 +1,28 @@
{%- from "nginx/map.jinja" import server with context %}
{%- if server.get('enabled', False) and server.get('site', {}).nginx_stats_server is defined %}
+log_collector:
+ decoder:
+ nginx:
+ engine: sandbox
+ module_file: /usr/share/lma_collector/decoders/apache_wsgi_log.lua
+ module_dir: /usr/share/lma_collector/common;/usr/share/heka/lua_modules
+ config:
+ logger: nginx
+ apache_log_pattern: >-
+ %h - %u %t \"%r\" %s %O \"%{Referer}i\" \"%{User-Agent}i\"
+ splitter:
+ nginx:
+ engine: token
+ delimiter: '\n'
+ input:
+ nginx_log:
+ engine: logstreamer
+ log_directory: "/var/log"
+ file_match: 'nginx/(?P<Service>access)\.log\.?(?P<Seq>\d*)$'
+ differentiator: ['nginx', '_', 'Service']
+ priority: ["^Seq"]
+ decoder: "nginx_decoder"
+ splitter: "nginx_splitter"
metric_collector:
trigger:
nginx_check:
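Review bot: `file_match` only picks up `nginx/access.log` and its rotations, so `error.log` is not collected by this input, although that is where nginx records `limit_req`/`limit_conn` rejections and upstream failures. If that is intended, say so in a comment above `nginx_log`. The `apache_log_pattern` corresponds to nginx's default `combined` format, so a site with a custom `log_format` would presumably fail to decode; a comment such as `# assumes access_log uses the default "combined" format` would record the assumption. The `metric_collector` section continues outside the hunk.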
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index 5ccf27e..0da0fad 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -75,10 +75,13 @@
{% endif %}
+{%- set old_chain_file = salt['cmd.shell']('cat {0}'.format(chain_file)) %}
+{%- set new_chain_file = salt['cmd.shell']('cat {0} {1}'.format(cert_file, ca_file)) %}
+
nginx_init_{{ site.host.name }}_tls:
cmd.run:
- name: "cat {{ cert_file }} {{ ca_file }} > {{ chain_file }}"
- - creates: {{ chain_file }}
+ - onlyif: {% if old_chain_file != new_chain_file %}/bin/true{% else %}/bin/false{% endif %}
- watch_in:
- service: nginx_service
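Review bot: The two `salt['cmd.shell']` calls run while the SLS is rendered, not when the state executes, so `cat` runs on the minion before any earlier state in this run has written `cert_file` or `ca_file`, and it also runs under `test=True`. On a first run the comparison is then between two error messages rather than file contents. The paths are formatted into the shell string unquoted; if they derive from pillar values such as `site.host.name` (their definition is outside the hunk), a name with shell metacharacters would be interpreted by the shell. Doing the comparison at execution time avoids both problems: drop the two `set` lines and replace the `onlyif` with `- unless: "cat '{{ cert_file }}' '{{ ca_file }}' | cmp -s - '{{ chain_file }}'"`.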
diff --git a/tests/pillar/proxy.sls b/tests/pillar/proxy.sls
index 959c9c9..8d17a3f 100644
--- a/tests/pillar/proxy.sls
+++ b/tests/pillar/proxy.sls
@@ -54,3 +54,46 @@
host:
name: cloudlab.domain.com
port: 31337
+ nginx_proxy_site03:
+ enabled: true
+ type: nginx_proxy
+ name: site03
+ proxy:
+ host: 172.120.10.100
+ port: 80
+ protocol: http
+ location:
+ /kek/:
+ host: 172.10.10.100
+ port: 80
+ protocol: http
+ size: 10000m
+ timeout: 43200
+ websocket: true
+ request_buffer: false
+ buffer:
+ number: 4
+ size: 256
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: cloudlab.domain.com
+ port: 80
+ nginx_proxy_site04:
+ enabled: true
+ type: nginx_proxy
+ name: site04
+ location:
+ /:
+ host: 172.10.10.100
+ port: 80
+ protocol: http
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: cloudlab.domain.com
+ port: 80
\ No newline at end of file
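Review bot: `size: 10000m` under `/kek/` is a string, but `proxy.conf` evaluates `location.size > 200` on it. Under Python 3 that string-to-integer comparison raises during rendering, and under Python 2 it is true for any string regardless of the number. Either give the size as a plain number in the pillar and let the template append the unit, or have the template compare a parsed numeric value. The file also now ends without a trailing newline.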