From 7b1f411db450eb4ceef9b4b158b0ee1fe22e92bd Mon Sep 17 00:00:00 2001
From: cruizba
Date: Sat, 20 May 2023 23:08:28 +0200
Subject: [PATCH] deployment: Update nginx for Enterprise HA on premises
---
.../enterprise-ha/default.conf | 103 ++++++++++++++++++
.../global/ce/common_api_ce.conf | 2 +-
.../global/enterprise-ha/app_upstream.conf | 4 +
.../enterprise-ha/common_api_enterprise.conf | 33 ++++++
.../global/pro/common_api_pro.conf | 4 +-
.../default_nginx_conf/pro/default.conf | 6 +-
.../docker/openvidu-proxy/entrypoint.sh | 82 ++++++++++----
7 files changed, 204 insertions(+), 30 deletions(-)
create mode 100644 openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf
create mode 100644 openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf
create mode 100644 openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf
diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf
new file mode 100644
index 00000000..2ad8a81a
--- /dev/null
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/enterprise-ha/default.conf
@@ -0,0 +1,103 @@
+{xframe_options}
+
+{enterprise_ha_nodes_upstream}
+
+{app_upstream}
+
+upstream minio {
+ server minio-s3:9001;
+}
+
+upstream kibana {
+ server kibana:5601;
+}
+
+upstream elasticsearch {
+ server elasticsearch:9200;
+}
+
+{redirect_www_ssl}
+
+##################################
+# Private Load balancer port #
+##################################
+server {
+ listen 5443;
+
+ location / {
+ {proxy_config}
+
+ proxy_pass http://openviduserver;
+ }
+
+}
+
+##################################
+# Public Load balancer #
+##################################
+server {
+ # Redirect to https
+ if ($host = {domain_name}) {
+ rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent;
+ } # managed by Certbot
+
+ {redirect_www}
+
+ listen {http_port} default_server;
+ listen [::]:{http_port} default_server;
+ server_name {domain_name};
+
+ # letsencrypt
+ location /.well-known/acme-challenge {
+ root /var/www/certbot;
+ try_files $uri $uri/ =404;
+ }
+
+ # Kibana panel
+ location /kibana {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+
+ rewrite ^/kibana/(.*)$ /$1 break;
+ proxy_pass http://kibana/;
+ }
+
+ {nginx_status}
+}
+
+server {
+ listen {https_port} ssl default deferred;
+ listen [::]:{https_port} ssl default deferred;
+ server_name {domain_name};
+
+ {ssl_config}
+
+ {proxy_config}
+
+ {app_config}
+
+ ########################
+ # OpenVidu Locations #
+ ########################
+ {common_api_pro}
+
+ {deprecated_api_pro}
+
+ {common_api_enterprise}
+
+ {new_api_pro}
+
+ #################################
+ # LetsEncrypt #
+ #################################
+
+ location /.well-known/acme-challenge {
+ root /var/www/certbot;
+ try_files $uri $uri/ =404;
+ }
+
+ {custom_locations}
+}
\ No newline at end of file
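Review bot: The `listen 5443;` server under "Private Load balancer port" proxies every path to `http://openviduserver` over plain HTTP, and nothing visible in the block limits who may connect. Unless `{proxy_config}` or controls outside this file do so, "private" is enforced only by the network. Consider explicit `allow <private-cidr>; deny all;` rules (placeholder CIDR) or binding the listener to an internal address, plus a comment naming the component expected to reach this port. The `location /kibana` in the `{http_port}` server also has no `{rules_access_dashboard}` / `deny all;` pair, unlike `/minio/` in common_api_enterprise.conf. It appears to be served in cleartext to any request whose Host differs from `{domain_name}`, since only the matching host is redirected; confirm that is intended.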
diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf index 1ac0df12..e49e1263 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/ce/common_api_ce.conf @@ -1,5 +1,5 @@ ################################# - # Common rules # + # Common rules CE # ################################# # Dashboard rule location /dashboard { diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf new file mode 100644 index 00000000..1a2054c6 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/app_upstream.conf @@ -0,0 +1,4 @@ +# Your App +upstream yourapp { + server app:5442; +} \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf new file mode 100644 index 00000000..5b1e9ad3 --- /dev/null +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/enterprise-ha/common_api_enterprise.conf 
@@ -0,0 +1,33 @@ + ################################# + # Common rules Enterprise # + ################################# + location /minio/ { + {rules_access_dashboard} + deny all; + + # To disable buffering + proxy_buffering off; + proxy_request_buffering off; + + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-NginX-Proxy true; + + # This is necessary to pass the correct IP to be hashed + real_ip_header X-Real-IP; + + proxy_connect_timeout 300; + + # To support websocket + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + chunked_transfer_encoding off; + + rewrite /minio(/|$)(.*) /$2 break; + proxy_pass http://minio; + proxy_redirect off; + } \ No newline at end of file diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf index 8a45fcca..329e48fd 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf +++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/global/pro/common_api_pro.conf @@ -1,5 +1,5 @@ ################################# - # Common rules # + # Common rules PRO # ################################# location /dashboard { {rules_access_dashboard} @@ -25,7 +25,7 @@ location ~ ^/openvidu/elasticsearch$ { {rules_access_dashboard} deny all; - + rewrite ^/openvidu/elasticsearch$ / break; proxy_pass http://elasticsearch; } diff --git a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf index ea6f4884..5ce8ab2d 100644 --- a/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf 
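Review bot: In `location /minio/` of common_api_enterprise.conf, `real_ip_header X-Real-IP;` sits in the same location as the `{rules_access_dashboard}` / `deny all;` access rules. The realip module only acts for peers listed by `set_real_ip_from`, which is not in this hunk. If none is configured the directive does nothing; if one is configured too broadly, a client-supplied `X-Real-IP` header would replace the address those allow rules are checked against. Either drop the directive or add a comment naming the trusted range it depends on, e.g. `# requires set_real_ip_from <load-balancer-cidr>; never a public range`. The `rewrite /minio(/|$)(.*) /$2 break;` pattern would also be clearer anchored as `^/minio(/|$)(.*)`.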
+++ b/openvidu-server/docker/openvidu-proxy/default_nginx_conf/pro/default.conf @@ -24,7 +24,7 @@ server { if ($host = {domain_name}) { rewrite ^(.*) https://{domain_name}:{https_port}$1 permanent; } # managed by Certbot - + {redirect_www} listen {http_port} default_server; @@ -44,7 +44,7 @@ server { proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; - + rewrite ^/kibana/(.*)$ /$1 break; proxy_pass http://kibana/; } @@ -58,7 +58,7 @@ server { server_name {domain_name}; {ssl_config} - + {proxy_config} {app_config} diff --git a/openvidu-server/docker/openvidu-proxy/entrypoint.sh b/openvidu-server/docker/openvidu-proxy/entrypoint.sh index cc72d38e..1b15b6bb 100755 --- a/openvidu-server/docker/openvidu-proxy/entrypoint.sh +++ b/openvidu-server/docker/openvidu-proxy/entrypoint.sh @@ -1,5 +1,27 @@ #!/bin/bash +valid_ip_v4() +{ + regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$' + + if [[ "$1" =~ $regex ]]; then + return "$?" + else + return "$?" + fi +} + +valid_ip_v6() +{ + regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$' + + if [[ "$1" =~ $regex ]]; then + return "$?" + else + return "$?" + fi +} + # Checks if [ -z "${DOMAIN_OR_PUBLIC_IP}" ]; then printf "\n =======¡ERROR!=======" 
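Review bot: `valid_ip_v4` and `valid_ip_v6`, now defined at the top of entrypoint.sh, check shape only: `[0-9]{1,3}` accepts octets above 255 and `(/[0-9]+)?` accepts any prefix length, so a value such as `999.1.1.1/99` passes. If they gate values later written into the nginx configuration (the callers are outside this hunk), either check the ranges or add a comment that the check is syntactic and nginx's own config test is the final validator. Both functions also assign `regex` as a global and wrap the match in an `if`/`else` whose branches are identical. `local regex=...` followed by a bare `[[ "$1" =~ $regex ]]` as the last command returns the same status.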
@@ -192,6 +214,11 @@ if [ "${PROXY_MODE}" == "PRO" ]; then cp /default_nginx_conf/pro/default.conf /default_nginx_conf/default.conf fi +if [[ "${PROXY_MODE}" == "ENTERPRISE_HA" ]]; then + [[ -f /default_nginx_conf/default.conf ]] && rm /default_nginx_conf/default.conf + cp /default_nginx_conf/enterprise-ha/default.conf /default_nginx_conf/default.conf +fi + # Create index.html mkdir -p /var/www/html cat> /var/www/html/index.html< "${TEMP_FILE_UPSTREAM}" + + # Add upstream nodes to nginx config + sed -e '/{enterprise_ha_nodes_upstream}/{r '"${TEMP_FILE_UPSTREAM}"'' -e 'd}' -i /etc/nginx/conf.d/* +fi + # Process main configs sed -e '/{ssl_config}/{r default_nginx_conf/global/ssl_config.conf' -e 'd}' -i /etc/nginx/conf.d/* sed -e '/{proxy_config}/{r default_nginx_conf/global/proxy_config.conf' -e 'd}' -i /etc/nginx/conf.d/* @@ -316,28 +372,6 @@ printf "\n" printf "\n Adding rules..." -valid_ip_v4() -{ - regex='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]+)?$' - - if [[ "$1" =~ $regex ]]; then - return "$?" - else - return "$?" - fi -} - -valid_ip_v6() -{ - regex='^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(/[0-9]+)?$' - - if [[ "$1" =~ $regex ]]; then - return "$?" - else - return "$?" - fi -} - LOCAL_NETWORKS=$(ip route list | grep -Eo '([0-9]*\.){3}[0-9]*/[0-9]*') if [[ "${PUBLIC_IP}" == "auto-ipv4" ]]; then PUBLIC_IP=$(/usr/local/bin/discover_my_public_ip.sh)