deployment: Update nginx for Enterprise HA on premises

2023-05-20 23:08:28 +02:00 · 2023-05-20 23:08:28 +02:00 · 7b1f411db4
parent 58c15b0e3c
commit 7b1f411db4
7 changed files with 204 additions and 30 deletions
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf
@ -0,0 +1,103 @@
+{xframe_options}
+
+{enterprise_ha_nodes_upstream}
+
+{app_upstream}
+
+upstream minio {
+    server minio-s3:9001;
+}
+
+upstream kibana {
+    server kibana:5601;
+}
+
+upstream elasticsearch {
+    server elasticsearch:9200;
+}
+
+{redirect_www_ssl}
+
+##################################
+# Private Load balancer port     #
+##################################
+server {
+    listen 5443;
+
+    location / {
+        {proxy_config}
+
+        proxy_pass http://openviduserver;
+    }
+
+}
+
+##################################
+# Public Load balancer           #
+##################################
+server {
+    # Redirect to https
+    if ($host = {domain_name}) {
+        rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent;
+    } # managed by Certbot
+
+    {redirect_www}
+
+    listen {http_port} default_server;
+    listen [::]:{http_port} default_server;
+    server_name {domain_name};
+
+    # letsencrypt
+    location /.well-known/acme-challenge {
+        root /var/www/certbot;
+        try_files $uri $uri/ =404;
+    }
+
+    # Kibana panel
+    location /kibana {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+
+        rewrite ^/kibana/(.*)$ /$1 break;
+        proxy_pass http://kibana/;
+    }
+
+    {nginx_status}
+}
+
+server {
+    listen {https_port} ssl default deferred;
+    listen [::]:{https_port} ssl default deferred;
+    server_name {domain_name};
+
+    {ssl_config}
+
+    {proxy_config}
+
+    {app_config}
+
+    ########################
+    # OpenVidu Locations   #
+    ########################
+    {common_api_pro}
+
+    {deprecated_api_pro}
+
+    {common_api_enterprise}
+
+    {new_api_pro}
+
+    #################################
+    # LetsEncrypt                   #
+    #################################
+
+    location /.well-known/acme-challenge {
+        root /var/www/certbot;
+        try_files $uri $uri/ =404;
+    }
+
+    {custom_locations}
+}
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf
@ -1,5 +1,5 @@
    #################################
-    # Common rules                  #
+    # Common rules CE              #
    #################################
    # Dashboard rule
    location /dashboard {
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf
@ -0,0 +1,4 @@
+# Your App
+upstream yourapp {
+    server app:5442;
+}
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf
@ -0,0 +1,33 @@
+    #################################
+    # Common rules Enterprise       #
+    #################################
+    location /minio/ {
+        {rules_access_dashboard}
+        deny all;
+
+        # To disable buffering
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-NginX-Proxy true;
+
+        # This is necessary to pass the correct IP to be hashed
+        real_ip_header X-Real-IP;
+
+        proxy_connect_timeout 300;
+
+        # To support websocket
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        chunked_transfer_encoding off;
+
+        rewrite /minio(/|$)(.*) /$2  break;
+        proxy_pass http://minio;
+        proxy_redirect     off;
+    }
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf
@ -1,5 +1,5 @@
    #################################
-    # Common rules                  #
+    # Common rules PRO              #
    #################################
    location /dashboard {
        {rules_access_dashboard}
@ -25,7 +25,7 @@
    location ~ ^/openvidu/elasticsearch$ {
        {rules_access_dashboard}
        deny all;
-        
+
        rewrite ^/openvidu/elasticsearch$ / break;
        proxy_pass http://elasticsearch;
    }
--- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf
@ -24,7 +24,7 @@ server {
    if ($host = {domain_name}) {
        rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent;
    } # managed by Certbot
-    
+
    {redirect_www}

    listen {http_port} default_server;
@ -44,7 +44,7 @@ server {
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
-        
+
        rewrite ^/kibana/(.*)$ /$1 break;
        proxy_pass http://kibana/;
    }
@ -58,7 +58,7 @@ server {
    server_name {domain_name};

    {ssl_config}
-    
+
    {proxy_config}

    {app_config}
--- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh
+++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh
@ -1,5 +1,27 @@
 #!/bin/bash

+valid_ip_v4()
+{
+  regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$'
+
+  if [[ "$1" =~ $regex ]]; then
+    return "$?"
+  else
+    return "$?"
+  fi
+}
+
+valid_ip_v6()
+{
+  regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$'
+
+  if [[ "$1" =~ $regex ]]; then
+      return "$?"
+  else
+      return "$?"
+  fi
+}
+
 # Checks
 if [ -z "${DOMAIN_OR_PUBLIC_IP}" ]; then
  printf "\n  =======¡ERROR!======="
@ -192,6 +214,11 @@ if [ "${PROXY_MODE}" == "PRO" ]; then
  cp /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf
 fi

+if [[ "${PROXY_MODE}" == "ENTERPRISE_HA" ]]; then
+  [[ -f /default_nginx_conf/default.conf ]] && rm /default_nginx_conf/default.conf
+  cp /default_nginx_conf/enterprise-ha/default.conf /default_nginx_conf/default.conf
+fi
+
 # Create index.html
 mkdir -p /var/www/html
 cat> /var/www/html/index.html<<EOF
@ -227,9 +254,14 @@ sed -e '/{common_api_ce}/{r default_nginx_conf/global/ce/common_api_ce.conf' -e
 sed -e '/{new_api_ce}/{r default_nginx_conf/global/ce/new_api_ce.conf' -e 'd}' -i /etc/nginx/conf.d/*
 sed -e '/{common_api_pro}/{r default_nginx_conf/global/pro/common_api_pro.conf' -e 'd}' -i /etc/nginx/conf.d/*
 sed -e '/{new_api_pro}/{r default_nginx_conf/global/pro/new_api_pro.conf' -e 'd}' -i /etc/nginx/conf.d/*
+sed -e '/{common_api_enterprise}/{r default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf' -e 'd}' -i /etc/nginx/conf.d/*

 if [[ "${WITH_APP}" == "true" ]]; then
-  sed -e '/{app_upstream}/{r default_nginx_conf/global/app_upstream.conf' -e 'd}' -i /etc/nginx/conf.d/*
+  if [[ "${PROXY_MODE}" == "ENTERPRISE_HA" ]]; then
+    sed -e '/{app_upstream}/{r default_nginx_conf/global/enterprise-ha/app_upstream.conf' -e 'd}' -i /etc/nginx/conf.d/*
+  else
+    sed -e '/{app_upstream}/{r default_nginx_conf/global/app_upstream.conf' -e 'd}' -i /etc/nginx/conf.d/*
+  fi
  sed -e '/{app_config}/{r default_nginx_conf/global/app_config.conf' -e 'd}' -i /etc/nginx/conf.d/*
 elif [[ "${WITH_APP}" == "false" ]]; then
  sed -i '/{app_upstream}/d' /etc/nginx/conf.d/*
@ -256,7 +288,7 @@ if [[ "${REDIRECT_WWW}" == "true" ]]; then
    sed -e '/{redirect_www}/{r default_nginx_conf/global/ce/redirect_www.conf' -e 'd}' -i /etc/nginx/conf.d/*
  fi

-  if [ "${PROXY_MODE}" == "PRO" ]; then
+  if [[ "${PROXY_MODE}" == "PRO" ]] || [[ "${PROXY_MODE}" == "ENTERPRISE_HA" ]]; then
    sed -e '/{redirect_www}/{r default_nginx_conf/global/pro/redirect_www.conf' -e 'd}' -i /etc/nginx/conf.d/*
  fi
 elif [[ "${REDIRECT_WWW}" == "false" ]]; then
@ -264,6 +296,30 @@ elif [[ "${REDIRECT_WWW}" == "false" ]]; then
  sed -i '/{redirect_www_ssl}/d' /etc/nginx/conf.d/*
 fi

+if [[ "${PROXY_MODE}" == "ENTERPRISE_HA" ]]; then
+  TEMP_FILE_UPSTREAM=$(mktemp)
+
+  # Create upstream nodes
+  UPSTREAM="upstream openviduserver {\n"
+  IFS=','
+  for IP in $OPENVIDU_ENTERPRISE_HA_NODE_IPS;
+  do
+    if valid_ip_v4 "$IP" || valid_ip_v6 "$IP"; then
+      UPSTREAM+=$"    server $IP:4443 max_fails=2 fail_timeout=3s;\n"
+    else
+      printf "\n  =======¡ERROR!======="
+      printf "\n  The IP address %s defined in OPENVIDU_ENTERPRISE_HA_NODE_IPS is not valid" "$IP"
+      exit 1
+    fi
+  done
+  unset IFS
+  UPSTREAM+="}\n"
+  echo -e "$UPSTREAM" > "${TEMP_FILE_UPSTREAM}"
+
+  # Add upstream nodes to nginx config
+  sed -e '/{enterprise_ha_nodes_upstream}/{r '"${TEMP_FILE_UPSTREAM}"'' -e 'd}' -i /etc/nginx/conf.d/*
+fi
+
 # Process main configs
 sed -e '/{ssl_config}/{r default_nginx_conf/global/ssl_config.conf' -e 'd}' -i /etc/nginx/conf.d/*
 sed -e '/{proxy_config}/{r default_nginx_conf/global/proxy_config.conf' -e 'd}' -i /etc/nginx/conf.d/*
@ -316,28 +372,6 @@ printf "\n"

 printf "\n  Adding rules..."

-valid_ip_v4()
-{
-  regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$'
-
-  if [[ "$1" =~ $regex ]]; then
-    return "$?"
-  else
-    return "$?"
-  fi
-}
-
-valid_ip_v6()
-{
-  regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$'
-
-  if [[ "$1" =~ $regex ]]; then
-      return "$?"
-  else
-      return "$?"
-  fi
-}
-
 LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*')
 if [[ "${PUBLIC_IP}" == "auto-ipv4" ]]; then
  PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)