fix: host header for apiProxy

wearefrank · Jul 4, 2023 · a0f0bac · a0f0bac
1 parent cae9bf9
commit a0f0bac
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 7 deletions.
diff --git a/charts/zaakbrug/templates/configmap-nginx.yaml b/charts/zaakbrug/templates/configmap-nginx.yaml
@@ -7,19 +7,78 @@ metadata:
   labels:
   {{- include "zaakbrug.nginxLabels" . | nindent 4 }}
 data:
+  proxy: |
+    proxy_pass_header Server;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme $scheme;
+    proxy_connect_timeout 300s;
+    proxy_read_timeout 300s;
+    {{- if .Values.staging.settings.useXForwardedHost }}
+    proxy_set_header X-Forwarded-Host $http_host;
+    {{- else }}
+    proxy_set_header Host $http_host;
+    {{- end }}
+
+    proxy_redirect off;
+    proxy_pass_request_headers on;
+    proxy_pass http://{{ include "zaakbrug.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}/api/;
+    proxy_http_version 1.1;  # required if you're using istio, otherwise you get HTTP 426 errors
   default.conf: |-
     server {
       listen 8080 default_server;
+      server_name {{ .Values.staging.settings.allowedHosts  | replace "," " "}} localhost;
+      server_tokens off;
+
+      gzip on;
+      gzip_http_version 1.0;
+      gzip_comp_level 2;
+      gzip_min_length 1100;
+      gzip_buffers 4 8k;
+      gzip_proxied any;
+      gzip_types
+        # text/html is always compressed by HttpGzipModule
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/json
+        application/xml
+        application/rss+xml
+        font/truetypenginc
+        font/opentype
+        application/vnd.ms-fontobject
+        image/svg+xml;
+      gzip_static on;
+      gzip_proxied  expired no-cache no-store private auth;
+      gzip_disable "MSIE [1-6]\.";
+      gzip_vary on;
+
+      add_header Feature-Policy "autoplay 'none'; camera 'none'" always;
+      add_header Referrer-Policy "same-origin";
+      add_header X-Content-Type-Options "nosniff";
+      add_header X-XSS-Protection "1; mode=block";
+
       location / {
-        proxy_pass http://{{ include "zaakbrug.fullname" . }}:{{ .Values.service.port }}/api/;
-        proxy_buffering off;
-        proxy_http_version 1.1;
+          include conf.d/proxy;
+
+          location /documenten/api/v1/enkelvoudiginformatieobjecten {
+              client_max_body_size 4G;
+              include conf.d/proxy;
+          }
       }
+
       location /_health/ {
-        access_log off;
-        error_log /var/log/nginx/error.log error;
-        return 200 'OK';
-        }
+          access_log off;
+          error_log /tmp/error.log error;
+          return 200 'OK';
+      }
+
+      error_page  404              /404.html;
+      error_page  413              /413.json;
+      error_page  500 502 503 504  /500.json;
     }
 {{- end -}}
 {{- end -}}
diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml
@@ -228,6 +228,8 @@ staging:
     - name: NOTIFICATIONS_DISABLED
       value: "yes"
   settings:
+    # Leave this to false, so absolute URL's make their way though te reverse proxies.
+    useXForwardedHost: false
     debug: false
     # openzaak.settings.allowedHosts Set the (v)hosts that need to be accessible for OpenZaak
     # Add the ingress route if you have one