Merge pull request #61 from opensafely-core/cleanups2

bloodearnest · web-flow · commit 4cf79d1bd324 · 2024-10-10T15:16:31.000+01:00
Fix deploy and more logs tweaks
diff --git a/changelogs.opensafely.org.conf.template b/changelogs.opensafely.org.conf.template
@@ -11,5 +11,9 @@ server {
         limit_except GET { deny all; }
         proxy_pass https://changelogs.ubuntu.com;
         proxy_redirect default;
+        # ensure Host header and SNI domain match
+        proxy_ssl_server_name on;
+
+
     }
 }
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -2,6 +2,8 @@ services:
   proxy:
     # use host for access to host RESOLVER
     network_mode: host
+    image: opensafely-proxy
+    container_name: proxy
     build:
       target: opensafely-proxy
       cache_from:  # should speed up the build in CI, where we have a cold cache
diff --git a/ghcr.io.conf.template b/ghcr.io.conf.template
@@ -1,4 +1,4 @@
-# Read-only proxy certain organisation to ghcr.io
+# Read-only proxy certain organisations to ghcr.io
 #
 # RESOLVER:a DNS resolver for dynamically looking up redirect domains. Defaults to 127.0.0.1
 # PORT: defaults to 8080, but dokku can override
@@ -18,8 +18,7 @@ proxy_http_version 1.1; # keep alives to upstream
 
 server {
 
-    # note: embdatalab domain is for when we are being proxied by cloudflare
-    server_name docker-proxy.opensafely.org docker-proxy.dokku2.embdatalab.net;
+    server_name docker-proxy.opensafely.org;
     root /var/www/html;
     listen ${PORT};
 
@@ -37,11 +36,10 @@ server {
     location = /v2/ {
         limit_except GET { deny all; }
         proxy_pass https://ghcr.io;
-        # explicitly change host header to expected host
-        proxy_set_header Host ghcr.io;
         proxy_redirect default;
         # ensure Host header and SNI domain match
         proxy_ssl_server_name on;
+
         # hide upstream header
         proxy_hide_header www-authenticate;
         # add our modified header 
@@ -52,9 +50,9 @@ server {
     location /token {
         limit_except GET { deny all; }
         proxy_pass https://ghcr.io;
+        proxy_redirect default;
         # ensure Host header and SNI domain match
         proxy_ssl_server_name on;
-        proxy_redirect default;
     }
 
     # opensafely images only, and handle redirects
@@ -64,6 +62,7 @@ server {
         # ensure Host header and SNI domain match
         proxy_ssl_server_name on;
         proxy_redirect default;
+
         # ghcr.io redirects to an S3 bucket, which is not accessible from
         # backends. So handle redirects to S3 here in the proxy rather than
         # passing back to the client
@@ -74,9 +73,9 @@ server {
     location @handle_redirect {
         # set saves the initial response's Location: header
         set $redirect '$upstream_http_location';
-        # strip the ghcr.io auth or else AWS rejects it, also stops it leaking
+        # strip the ghcr.io auth or else CDN rejects it, also stops it leaking
         proxy_set_header Authorization "";
-        # proxy the AWS location back to the client
+        # proxy the CDN location back to the client
         proxy_pass $redirect;
         # ensure Host header and SNI domain match
         proxy_ssl_server_name on;
diff --git a/github.com.conf.template b/github.com.conf.template
@@ -46,20 +46,26 @@ server {
         limit_except POST { deny all; }
         proxy_pass https://github.com;
         proxy_redirect default;
+        # ensure Host header and SNI domain match
+        proxy_ssl_server_name on;
     }
 
     # allow ssh keys to be retreived for a user
     location ~ ^/[^/]+\.keys {
         limit_except GET { deny all; }
         proxy_pass https://github.com;
         proxy_redirect default;
+        # ensure Host header and SNI domain match
+        proxy_ssl_server_name on;
     }
 
     # allow release artifacts to be downloaded from specified repo only
     location ~ ^/opensafely-core/backend-server/releases/download {
         limit_except GET { deny all; }
         proxy_pass https://github.com;
         proxy_redirect default;
+        # ensure Host header and SNI domain match
+        proxy_ssl_server_name on;
         # `releases/download` redirects to an S3 bucket, which is not accessible from
         # backends. So handle redirects to S3 here in the proxy rather than
         # passing back to the client
@@ -72,6 +78,8 @@ server {
         set $redirect '$upstream_http_location';
         # proxy the AWS location back to the client
         proxy_pass $redirect;
+        # ensure Host header and SNI domain match
+        proxy_ssl_server_name on;
     }
 
     location / {
diff --git a/nginx.conf b/nginx.conf
@@ -15,8 +15,12 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
-    log_format  main  'ts=$time_iso8601 status=$status req="$request" proxy=$proxy_host '
-                      'ms=$request_time bytes=$bytes_sent '
+    # custom log format
+    #  - more readable format 
+    #  - includes proxy host
+    #  - includes virtual host, because we only have one log stream, and multiple hosts
+    log_format  main  'ts=$time_iso8601 status=$status method=$request_method uri=$host$request_uri proxy=$proxy_host '
+                      'ms=$request_time bytes=$bytes_sent/$request_length '
                       'ua="$http_user_agent" ip=$remote_addr user=$remote_user';
 
     access_log  /var/log/nginx/access.log  main;

Original file line number	Diff line number	Diff line change
`@@ -11,5 +11,9 @@ server {`
`11`	`11`	`limit_except GET { deny all; }`
`12`	`12`	`proxy_pass https://changelogs.ubuntu.com;`
`13`	`13`	`proxy_redirect default;`
	`14`	`+ # ensure Host header and SNI domain match`
	`15`	`+ proxy_ssl_server_name on;`
	`16`	`+`
	`17`	`+`
`14`	`18`	`}`
`15`	`19`	`}`