From 4f725d9857a2b6e82055df173a09d801184d1421 Mon Sep 17 00:00:00 2001 From: Eric Lipe Date: Thu, 18 Apr 2024 10:35:27 -0600 Subject: [PATCH] - added docs for dynamic locations --- tdrs-frontend/nginx/README.md | 40 +++++++++++++++++++++++++++++------ 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/tdrs-frontend/nginx/README.md b/tdrs-frontend/nginx/README.md index e6400eb37..d5beefc6b 100644 --- a/tdrs-frontend/nginx/README.md +++ b/tdrs-frontend/nginx/README.md @@ -2,7 +2,7 @@ ## 1. Installation -The Nginx uses a master process and mutiple workers to efficiently manage requests. The master process reads and evaluates config file and manages the workers. +The Nginx uses a master process and mutiple workers to efficiently manage requests. The master process reads and evaluates config file and manages the workers. In TDP, all config and associated files with it are placed in ```/tdrs-frontend/nginx``` folder. There are various differences between the local and deployed versions. Due to the fact that cloud.gov uses buildpacks and local version uses containerized docker instance, there are two separate directories for local and deployed versions. @@ -35,7 +35,35 @@ location ^~ /v1/ { The Nginx configuration files are located in: ```*'/frontend/nginx/'```* -## Backend +### Dynamic locations +In cloud environments, DNS information for applications is in a state of constant flux. To avoid having to restart Nginx each time an app's DNS information changes, Nginx provides features to resolve a host after a TTL has expired. The http block and location block below demonstrate the config updates to support dynamic locations. Note the `...` in the blocks below represents other config options in the blocks that we don't need to worry about. + +``` +http { + include mime.types; + + resolver 127.0.0.11 ipv6=off valid=5s; + ... +} +``` + +``` +location ~* ^/kibana/(.*)$ { + auth_request /kibana_auth_check; + auth_request_set $auth_status $upstream_status; + + set $kibana http://${KIBANA}:5601/; + proxy_pass $kibana$1$is_args$args; + ... +} +``` + +In the `http` block we need to include the `resolver` directive. This tells Nginx where our desired nameserver is and any other options we want to configure, such as the TTL option. +The configuration above indicates the nameserver is at `127.0.0.11`, ipv6 is disabled, and the TTL for a hostname is five seconds. However, for Nginx to re-resolve a host +we have to update the location, i.e. the `proxy_pass` in the location to use variable resolution. When Nginx resolves the variable given to the `proxy_pass` directive it will also determine if the TTL has expired for the host that the variable resolves to and will then resolve the DNS info if it has expired. If `proxy_pass` is not given a variable, Nginx will never resolve the host given to the `proxy_pass` directive no matter how short the TTL option is. + + +## 3. Backend ### Nginx @@ -43,7 +71,7 @@ The frontend then sends processing requests to the *backend* Django server, whic ### Gunicorn -Gunicorn is WSGI HTTP server based on python and uses **worker [Worker Processes](https://docs.gunicorn.org/en/stable/design.html#choosing-a-worker-type)**. The number of workers is relative to server request load. +Gunicorn is WSGI HTTP server based on python and uses **worker [Worker Processes](https://docs.gunicorn.org/en/stable/design.html#choosing-a-worker-type)**. The number of workers is relative to server request load. With having workers responding to requests in Gunicorn, it is importnat to have Nginx in front to handle requests first, otherwise DDOS attacks would consume the server (See Nginx config). @@ -55,7 +83,7 @@ workers = 2 There are two config files: one for development and one for deployed applications. Gunicorn is started from ```gunicorn_start.sh``` which starts either version of config files based on environment. -## Security +## 4. Security ### Whitelist IPs A list of IP addresses has been added to ```ip_whitelist.conf```. This means any request from an ip address not in the subnets included in this file will be rejected. This list is created manually and needs to be maintained to whitelist and include user IP subnets. @@ -63,9 +91,9 @@ A list of IP addresses has been added to ```ip_whitelist.conf```. This means any ### Security Headers All security headers are following best practices from [Mozilla](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) and [OWASP](https://owasp.org/www-project-secure-headers/) and are added with comments on the config files. -### CORS +### CORS -Cross-Origin Resource Sharing (CORS) header allows a server to indicate any origin such as domain or port other than its own from which a browser can load resources. By adding HTTP headers that let server know which origins are permitted to read that information from the web browser. It should be noted that request might be passed without implications on CORS, this includes most form requests. +Cross-Origin Resource Sharing (CORS) header allows a server to indicate any origin such as domain or port other than its own from which a browser can load resources. By adding HTTP headers that let server know which origins are permitted to read that information from the web browser. It should be noted that request might be passed without implications on CORS, this includes most form requests. Since the frontend has to send requests to the backend server, the security headers are being set when serving the frontend requests as well as when Nginx acts as proxy server for the backend API. This is to ensure the sercurity headers cannot be tampered with and are always set to the correct values.