[ARVADOS] created: 6e5158294c7e19af9031fc43fefc21275e758911

git at public.curoverse.com git at public.curoverse.com
Thu Aug 20 16:03:26 EDT 2015 

        at  6e5158294c7e19af9031fc43fefc21275e758911 (commit)


commit 6e5158294c7e19af9031fc43fefc21275e758911
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date:   Thu Aug 20 16:04:41 2015 -0400

    6918: Update documentation to remove CORS headers from sample nginx
    configuration.  Add sample ssl_, proxy_ and client_ settings as well.

diff --git a/doc/install/install-keepproxy.html.textile.liquid b/doc/install/install-keepproxy.html.textile.liquid
index f46e650..69a298a 100644
--- a/doc/install/install-keepproxy.html.textile.liquid
+++ b/doc/install/install-keepproxy.html.textile.liquid
@@ -71,22 +71,39 @@ Because the Keepproxy is intended for access from anywhere on the internet, it i
 
 This is best achieved by putting a reverse proxy with SSL support in front of Keepproxy. Keepproxy itself runs on port 25107 by default; your reverse proxy can run on port 443 and pass requests to Keepproxy on port 25107.
 
-If possible, the proxy should be configured to add CORS headers to its own error responses -- otherwise in-browser applications can't report proxy errors. For example, in nginx >= 1.7.5:
-
 <notextile><pre>
+upstream keepproxy {
+  server     127.0.0.1:25107  fail_timeout=10s;
+}
+
 server {
+  listen       <span class="userinput">[your public IP address]</span>:443 ssl;
   server_name keep.example.com
+
+  ssl on;
+  ssl_certificate           /etc/nginx/keep.example.com-ssl.crt;
+  ssl_certificate_key       /etc/nginx/keep.example.com-ssl.key;
+
   # Clients need to be able to upload blocks of data up to 64MiB in size.
-  client_max_body_size 70m;
-  ...
-  add_header 'Access-Control-Allow-Methods' 'GET, HEAD, POST, PUT, OPTIONS' always
-  add_header 'Access-Control-Allow-Origin' '*' always
-  add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Length, Content-Type, X-Keep-Desired-Replicas' always
-  add_header 'Access-Control-Max-Age' '86486400' always
+  client_max_body_size 64m;
+  client_body_buffer_size 64M;
+
+  location / {
+    proxy_pass            http://keepproxy;
+    proxy_redirect        off;
+    proxy_connect_timeout 90;
+    proxy_read_timeout    300;
+
+    proxy_set_header      X-Forwarded-Proto https;
+    proxy_set_header      Host $http_host;
+    proxy_set_header      X-External-Client $external_client;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
 }
 </pre></notextile>
 
-*Warning:* Make sure you don't inadvertently add CORS headers for services _other than keepproxy_ while you're doing this.
+Note: if the Web uploader is failing to upload data and there are no logs from keepproxy, be sure to check the nginx proxy logs.  In addition to "GET" and "PUT", The nginx proxy must pass "OPTIONS" requests to keepproxy, which should respond with appropriate Cross-origin resource sharing headers.  If the CORS headers are not present, brower security policy will cause the upload request to silently fail.  The CORS headers are generated by keepproxy and should not be set in nginx.
 
 h3. Tell the API server about the Keepproxy server
 
@@ -104,4 +121,3 @@ The API server needs to be informed about the presence of your Keepproxy server.
 }
 EOF</span>
 </code></pre></notextile>
-

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list