{%- set TRUE_VALUES = ['y', 'yes', '1', 'true'] %} {%- set enable_cache = slave_parameter.get('enable_cache', '').lower() in TRUE_VALUES %} {%- set disable_no_cache_header = slave_parameter.get('disable-no-cache-request', '').lower() in TRUE_VALUES %} {%- set disable_via_header = slave_parameter.get('disable-via-header', '').lower() in TRUE_VALUES %} {%- set prefer_gzip = slave_parameter.get('prefer-gzip-encoding-to-backend', '').lower() in TRUE_VALUES %} {%- set proxy_append_list = [('', 'Default proxy configuration')] %} {%- if prefer_gzip %} {%- do proxy_append_list.append(('prefer-gzip', 'Proxy which always overrides Accept-Encoding to gzip if such is found')) %} {%- endif %} {#- if prefer_gzip #} {%- set server_alias_list = slave_parameter.get('server-alias', '').split() %} {%- set enable_h2 = slave_parameter['global_disable_http2'].lower() not in TRUE_VALUES and slave_parameter.get('enable-http2', slave_parameter['enable_http2_by_default']).lower() in TRUE_VALUES %} {%- set ssl_proxy_verify = slave_parameter.get('ssl-proxy-verify', '').lower() in TRUE_VALUES %} {%- set disabled_cookie_list = slave_parameter.get('disabled-cookie-list', '').split() %} {%- set https_only = slave_parameter.get('https-only', 'true').lower() in TRUE_VALUES %} {%- set slave_type = slave_parameter.get('type', '') %} {%- set host_list = server_alias_list %} {%- set cipher_list = slave_parameter.get('cipher_list', '').strip() %} {%- if slave_parameter.get('custom_domain') not in host_list %} {%- do host_list.append(slave_parameter.get('custom_domain')) %} {%- endif %} {%- set http_host_list = [] %} {%- set https_host_list = [] %} {%- for host in host_list %} {%- do http_host_list.append('http://%s:%s' % (host, slave_parameter['http_port'] )) %} {%- do https_host_list.append('https://%s:%s' % (host, slave_parameter['https_port'] )) %} {%- endfor %} {#- for host in host_list #} {%- set default_path = slave_parameter.get('default-path', '').strip('/') | urlencode %} {%- set websocket_path_list = [] %} {%- for websocket_path in slave_parameter.get('websocket-path-list', '').split() %} {%- set websocket_path = websocket_path.strip('/') %} {#- Unquote the path, so %20 and similar can be represented correctly #} {%- set websocket_path = urllib_module.unquote(websocket_path.strip()) %} {%- if websocket_path %} {%- do websocket_path_list.append(websocket_path) %} {%- endif %} {%- endfor %} {%- set websocket_transparent = slave_parameter.get('websocket-transparent', 'true').lower() in TRUE_VALUES %} {%- if slave_type in ['notebook', 'websocket'] %} {# websocket style needs http 1.1 max #} {%- set enable_h2 = False %} {%- endif %} {%- macro proxy_header() %} try_duration {{ slave_parameter['proxy_try_duration'] }}s try_interval {{ slave_parameter['proxy_try_interval'] }}ms timeout {{ slave_parameter['request_timeout'] }}s {%- if ssl_proxy_verify %} {%- if 'path_to_ssl_proxy_ca_crt' in slave_parameter %} ca_certificates {{ slave_parameter['path_to_ssl_proxy_ca_crt'] }} {%- endif %} {#- if 'path_to_ssl_proxy_ca_crt' in slave_parameter #} {%- else %} {#- if ssl_proxy_verify #} insecure_skip_verify {%- endif %} {#- if ssl_proxy_verify #} # force reset of X-Forwarded-For header_upstream X-Forwarded-For {remote} {%- if enable_cache %} # provide a header for other components header_upstream X-Forwarded-For-Real {remote} {%- endif %} {%- endmacro %} {# proxy_header #} {%- for tls in [True, False] %} {%- if tls %} {%- set backend_url = slave_parameter.get('https-url', slave_parameter.get('url', '')).rstrip('/') %} # SSL enabled hosts {{ https_host_list|join(', ') }} { {%- else %} {%- set backend_url = slave_parameter.get('url', '').rstrip('/') %} # SSL-disabled hosts {{ http_host_list|join(', ') }} { {%- endif %} bind {{ slave_parameter['local_ipv4'] }} {%- if tls %} tls {{ slave_parameter['certificate'] }} {{ slave_parameter['certificate'] }} { {%- if cipher_list %} ciphers {{ cipher_list }} {%- endif %} {%- if enable_h2 %} # Allow HTTP2 alpn h2 http/1.1 {%- else %} {#- if enable_h2 #} # Disallow HTTP2 alpn http/1.1 {%- endif %} {#- if enable_h2 #} } {# tls #} {%- endif %} {#- if tls #} log / {{ slave_parameter.get('access_log') }} "{remote} - {>REMOTE_USER} [{when}] \"{method} {uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {latency_ms}" { rotate_size 0 } errors {{ slave_parameter.get('error_log') }} { rotate_size 0 } {%- if not (slave_type == 'zope' and backend_url) %} {% if prefer_gzip and not (not tls and https_only) %} rewrite { regexp (.*) if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" to /prefer-gzip{1} } rewrite { regexp (.*) if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" to {1} } {% elif slave_type not in ['notebook', 'websocket'] %} rewrite { regexp (.*) to {1} } {% endif %} {# elif slave_type != 'notebook' #} {%- endif %} {#- if not (slave_type == 'zope' and backend_url) #} {%- if not tls and https_only %} # Enforced redirection to SSL-enabled host redir 302 { / https://{host}{rewrite_uri} } {%- elif slave_type == 'zope' and backend_url %} # Zope configuration {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ backend_url }} { {{ proxy_header() }} {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- if default_path %} redir 301 { if {path} is / / {scheme}://{host}/{{ default_path }} } {# redir #} {%- endif %} {#- if default_path #} {%- if prefer_gzip and not (not tls and https_only) %} rewrite { regexp (.*) if {>Accept-Encoding} match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" {%- if tls %} to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- else %} to /prefer-gzip/VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- endif %} } rewrite { regexp (.*) if {>Accept-Encoding} not_match "(^gzip,.*|.*, gzip,.*|.*, gzip$|^gzip$)" {%- if tls %} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- else %} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- endif %} } {%- else %} rewrite { regexp (.*) {%- if tls %} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-https-port', '443') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- else %} to /VirtualHostBase/{scheme}%2F%2F{hostonly}:{{ slave_parameter.get('virtualhostroot-http-port', '80') | int }}%2F{{ slave_parameter.get('path', '').strip('/') }}%2FVirtualHostRoot/{1} {%- endif %} } {# rewrite #} {%- endif %} {#- if prefer_gzip #} {%- elif slave_type == 'redirect' and backend_url %} {#- if slave_type == 'zope' and backend_url #} # Redirect configuration redir 302 { / {{ backend_url }}{rewrite_uri} } {# redir #} {%- elif slave_type == 'notebook' %} proxy / {{ backend_url }} { {{ proxy_header() }} transparent } rewrite { regexp "/(api/kernels/[^/]+/(channels|iopub|shell|stdin)|terminals/websocket)/?" to /proxy/{1} } proxy /proxy/ {{ backend_url }} { {{ proxy_header() }} transparent websocket without /proxy/ } {%- elif slave_type == 'websocket' %} {%- if websocket_path_list %} proxy / {{ backend_url }} { {{ proxy_header() }} {%- if websocket_transparent %} transparent {%- endif %} } {%- for websocket_path in websocket_path_list %} proxy /{{ websocket_path }} {{ backend_url }} { {{ proxy_header() }} websocket {%- if websocket_transparent %} transparent {%- endif %} } {%- endfor %} {%- else %} proxy / {{ backend_url }} { {{ proxy_header() }} websocket {%- if websocket_transparent %} transparent {%- endif %} } {%- endif %} {%- else %} {#- if slave_type == 'zope' and backend_url #} # Default configuration {%- if default_path %} redir 301 { if {path} is / / {scheme}://{host}/{{ default_path }} } {# redir #} {%- endif %} {#- if default_path #} {%- if backend_url %} {%- for (proxy_name, proxy_comment) in proxy_append_list %} # {{ proxy_comment }} proxy /{{ proxy_name }} {{ backend_url }} { {{ proxy_header() }} {%- if proxy_name == 'prefer-gzip' %} without /prefer-gzip header_upstream Accept-Encoding gzip {%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- for disabled_cookie in disabled_cookie_list %} # Remove cookie {{ disabled_cookie }} from client Cookies header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" {%- endfor %} {#- for disabled_cookie in disabled_cookie_list #} {%- if disable_via_header %} header_downstream -Via {%- endif %} {#- if disable_via_header #} {%- if disable_no_cache_header %} header_upstream -Cache-Control header_upstream -Pragma {%- endif %} {#- if disable_no_cache_header #} transparent } {# proxy #} {%- endfor %} {#- for (proxy_name, proxy_comment) in proxy_append_list #} {%- endif %} {#- if backend_url #} {%- endif %} {#- if slave_type == 'zope' and backend_url #} } {# https_host_list|join(', ') #} {%- endfor %} {#- for tls in [True, False] #}