
Commit a87b73f

authored
Merge pull request #14 from flownative/asset-proxy-endpoint
Introduce BEACH_ASSET_PROXY_ENDPOINT
2 parents 9ade8de + ac78fc9 commit a87b73f

2 files changed

+72
-27
lines changed


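--- a/README.md
+++ b/README.md
@@ -45,32 +45,59 @@ for possible values. The default value is `warn`.
 
 ### Environment variables
 
-| Variable Name                            | Type    | Default                               | Description                                                                                         |
-|:-----------------------------------------|:--------|:--------------------------------------|:----------------------------------------------------------------------------------------------------|
-| NGINX_BASE_PATH                          | string  | /opt/flownative/nginx                 | Base path for Nginx                                                                                 |
-| NGINX_LOG_LEVEL                          | string  | warn                                  | Nginx log level (see [documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/)) |
-| NGINX_CACHE_ENABLE                       | boolean | no                                    | If the FastCGI cache should be enabled; see section about caching                                   |
-| NGINX_CACHE_NAME                         | string  | application                           | Name of the memory zone Nginx should use for caching                                                |
-| NGINX_CACHE_DEFAULT_LIFETIME             | string  | 5s                                    | Default cache lifetime to use when caching is enabled                                               |
-| NGINX_CACHE_MAX_SIZE                     | string  | 1024m                                 | Maximum memory size for the FastCGI cache                                                           |
-| NGINX_CACHE_INACTIVE                     | string  | 1h                                    | Time after which cache entries are removed automatically                                            |
-| NGINX_CACHE_USE_STALE_OPTIONS            | string  | updating error timeout invalid_header | Options to pass to the `fastcgi_cache_use_stale` directive                                          |
-| NGINX_CACHE_BACKGROUND_UPDATE            | boolean | off                                   | If background updates should be enabled                                                             |
-| NGINX_CUSTOM_ERROR_PAGE_CODES            | string  | 500 501 502 503                       | FastCGI error codes which should redirect to the custom error page                                  |
-| NGINX_CUSTOM_ERROR_PAGE_TARGET           | string  |                                       | Upstream URL to use for custom FastCGI error pages                                                  |
-| NGINX_STATIC_ROOT                        | string  | /var/www/html                         | Document root path for when BEACH_NGINX_MODE is "Static"                                            |
-| NGINX_STRICT_TRANSPORT_SECURITY_ENABLE   | boolean | no                                    | If Strict-Transport-Security headers should be sent (HSTS)                                          |
-| NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD  | boolean | no                                    | If site should be added to list of HTTPS-only sites by Google and others                            |
-| NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE  | boolean | 31536000                              | Maxmimum age for Strict-Transport-Security header, if enabled                                       |
-| NGINX_AUTH_BASIC_REALM                   | string  | off                                   | Realm for HTTP Basic Authentication; if "off", authentication is disabled                           |
-| NGINX_AUTH_BASIC_USERNAME                | string  |                                       | Username for HTTP Basic Authentication                                                              |
-| NGINX_AUTH_BASIC_ENCODED_HASHED_PASSWORD | string  |                                       | Base64-encoded hashed password (using httpasswd) for HTTP Basic Authentication                      |
-| BEACH_NGINX_CUSTOM_METRICS_ENABLE        | boolean | no                                    | If support for a custom metrics endpoint should be enabled                                          |
-| BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH   | string  | /metrics                              | Path where metrics are located                                                                      |
-| BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT   | integer | 8082                                  | Port at which Nginx should listen to provide the metrics for scraping                               |
-| BEACH_NGINX_MODE                         | string  | Flow                                  | Either "Flow" or "Static"; this variable is going to be renamed in the future                       |
-| BEACH_STATIC_RESOURCES_LIFETIME          | string  | 30d                                   | Expiration time for static resources; examples: "3600s" or "7d" or "max"
-| FLOW_HTTP_TRUSTED_PROXIES                | string  | 10.0.0.0/8                            | Nginx passes FLOW_HTTP_TRUSTED_PROXIES to the virtual host using the value of this variable         |
+| Variable Name                            | Type    | Default                               | Description                                                                                                                                                                                                       |
+|:-----------------------------------------|:--------|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| NGINX_BASE_PATH                          | string  | /opt/flownative/nginx                 | Base path for Nginx                                                                                                                                                                                               |
+| NGINX_LOG_LEVEL                          | string  | warn                                  | Nginx log level (see [documentation](https://docs.nginx.com/nginx/admin-guide/monitoring/logging/))                                                                                                               |
+| NGINX_CACHE_ENABLE                       | boolean | no                                    | If the FastCGI cache should be enabled; see section about caching                                                                                                                                                 |
+| NGINX_CACHE_NAME                         | string  | application                           | Name of the memory zone Nginx should use for caching                                                                                                                                                              |
+| NGINX_CACHE_DEFAULT_LIFETIME             | string  | 5s                                    | Default cache lifetime to use when caching is enabled                                                                                                                                                             |
+| NGINX_CACHE_MAX_SIZE                     | string  | 1024m                                 | Maximum memory size for the FastCGI cache                                                                                                                                                                         |
+| NGINX_CACHE_INACTIVE                     | string  | 1h                                    | Time after which cache entries are removed automatically                                                                                                                                                          |
+| NGINX_CACHE_USE_STALE_OPTIONS            | string  | updating error timeout invalid_header | Options to pass to the `fastcgi_cache_use_stale` directive                                                                                                                                                        |
+| NGINX_CACHE_BACKGROUND_UPDATE            | boolean | off                                   | If background updates should be enabled                                                                                                                                                                           |
+| NGINX_CUSTOM_ERROR_PAGE_CODES            | string  | 500 501 502 503                       | FastCGI error codes which should redirect to the custom error page                                                                                                                                                |
+| NGINX_CUSTOM_ERROR_PAGE_TARGET           | string  |                                       | Upstream URL to use for custom FastCGI error pages                                                                                                                                                                |
+| NGINX_STATIC_ROOT                        | string  | /var/www/html                         | Document root path for when BEACH_NGINX_MODE is "Static"                                                                                                                                                          |
+| NGINX_STRICT_TRANSPORT_SECURITY_ENABLE   | boolean | no                                    | If Strict-Transport-Security headers should be sent (HSTS)                                                                                                                                                        |
+| NGINX_STRICT_TRANSPORT_SECURITY_PRELOAD  | boolean | no                                    | If site should be added to list of HTTPS-only sites by Google and others                                                                                                                                          |
+| NGINX_STRICT_TRANSPORT_SECURITY_MAX_AGE  | boolean | 31536000                              | Maxmimum age for Strict-Transport-Security header, if enabled                                                                                                                                                     |
+| NGINX_AUTH_BASIC_REALM                   | string  | off                                   | Realm for HTTP Basic Authentication; if "off", authentication is disabled                                                                                                                                         |
+| NGINX_AUTH_BASIC_USERNAME                | string  |                                       | Username for HTTP Basic Authentication                                                                                                                                                                            |
+| NGINX_AUTH_BASIC_ENCODED_HASHED_PASSWORD | string  |                                       | Base64-encoded hashed password (using httpasswd) for HTTP Basic Authentication                                                                                                                                    |
+| BEACH_NGINX_CUSTOM_METRICS_ENABLE        | boolean | no                                    | If support for a custom metrics endpoint should be enabled                                                                                                                                                        |
+| BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH   | string  | /metrics                              | Path where metrics are located                                                                                                                                                                                    |
+| BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT   | integer | 8082                                  | Port at which Nginx should listen to provide the metrics for scraping                                                                                                                                             |
+| BEACH_NGINX_MODE                         | string  | Flow                                  | Either "Flow" or "Static"; this variable is going to be renamed in the future                                                                                                                                     |
+| BEACH_ASSET_PROXY_ENDPOINT               | string  |                                       | Endpoint of a cloud storage frontend to use for proxying requests to Flow persistent resources. Requires BEACH_PERSISTENT_RESOURCES_BASE_PATH to be set. Example: "https://assets.flownative.com/example-bucket/" |
+| BEACH_PERSISTENT_RESOURCES_BASE_PATH     | string  |                                       | Base path of URLs pointing to Flow persistent resources; example: "https://www.flownative.com/assets/"                                                                                                            |
+| BEACH_STATIC_RESOURCES_LIFETIME          | string  | 30d                                   | Expiration time for static resources; examples: "3600s" or "7d" or "max"                                                                                                                                          |
+| FLOW_HTTP_TRUSTED_PROXIES                | string  | 10.0.0.0/8                            | Nginx passes FLOW_HTTP_TRUSTED_PROXIES to the virtual host using the value of this variable                                                                                                                       |
+
+## Asset Proxy
+
+By default, the direct URL of an asset stored in the cloud storage is used as
+part of the Flow or Neos frontend output. In order to make URLs more
+user-friendly or hide the fact that assets are stored in a cloud storage,
+Nginx can act as a reverse proxy and make assets available through a
+sub-path of the website's main domain.
+
+For example, if the website is reachable via "https://www.example.com", the
+proxy can be configured to map the path "https://www.example.com/assets/" to
+assets stored in a cloud storage bucket which is accessible at
+"https://some.cloud.storage/some-bucket/".
+
+The environment variables to set for the above example are as follows:
+
+```
+BEACH_PERSISTENT_RESOURCES_BASE_PATH=/assets/
+BEACH_ASSET_PROXY_ENDPOINT=https://some.cloud.storage/some-bucket
+```
+
+> Note: Make sure that both values are formatted exactly like in the given
+> examples, for example don't forget the trailing "/" in
+> `BEACH_PERSISTENT_RESOURCES_BASE_PATH` and don't add a trailing "/" in
+> "BEACH_ASSET_PROXY_ENDPOINT".
 
 ## Security aspects
 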
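--- a/root-files/opt/flownative/lib/nginx-legacy.sh
+++ b/root-files/opt/flownative/lib/nginx-legacy.sh
@@ -46,6 +46,7 @@ else
 fi
 export BEACH_PERSISTENT_RESOURCES_FALLBACK_BASE_URI=${BEACH_PERSISTENT_RESOURCES_FALLBACK_BASE_URI:-}
 export BEACH_PERSISTENT_RESOURCES_BASE_PATH=${BEACH_PERSISTENT_RESOURCES_BASE_PATH:-/_Resources/Persistent/}
+export BEACH_ASSET_PROXY_ENDPOINT=${BEACH_ASSET_PROXY_ENDPOINT:-}
 export BEACH_PHP_FPM_HOST=${BEACH_PHP_FPM_HOST:-localhost}
 export BEACH_PHP_FPM_PORT=${BEACH_PHP_FPM_PORT:-9000}
 export BEACH_NGINX_MODE=${BEACH_NGINX_MODE:-Flow}
@@ -180,7 +181,24 @@ EOM
 }
 EOM
 
-if [ -n "${BEACH_GOOGLE_CLOUD_STORAGE_PUBLIC_BUCKET}" ]; then
+if [ -n "${BEACH_ASSET_PROXY_ENDPOINT}" ]; then
+cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM
+# redirect "subdivided" persistent resource requests to remove the subdivision parts
+# e.g. _Resources/Persistent/1/2/3/4/123456789… to _Resources/Persistent/123456789…
+location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}(?:[0-9a-f]/){4}([0-9a-f]{40}/.*)" {
+return 301 \$scheme://\$host${BEACH_PERSISTENT_RESOURCES_BASE_PATH}\$1;
+}
+# pass persistent resource requests to the custom endpoint (S3, Minio, GCS ...)
+location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}([a-f0-9]{40})/" {
+resolver 8.8.8.8;
+proxy_set_header Authorization "";
+add_header Via 'Beach Asset Proxy';
+${addHeaderStrictTransportSecurity}
+proxy_pass ${BEACH_ASSET_PROXY_ENDPOINT}/\$1\$is_args\$args?reqid=\$request_id;
+expires ${NGINX_STATIC_FILES_LIFETIME};
+}
+EOM
+elif [ -n "${BEACH_GOOGLE_CLOUD_STORAGE_PUBLIC_BUCKET}" ]; then
 cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM
 # redirect "subdivided" persistent resource requests to remove the subdivision parts
 # e.g. _Resources/Persistent/1/2/3/4/123456789… to _Resources/Persistent/123456789…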
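Review bot: The `proxy_pass` line in the new asset-proxy location appends `?reqid=\$request_id` after `\$is_args\$args`, so a client request that already carries a query string reaches the storage frontend as `…/<sha1>?foo=bar?reqid=…` — a single query string with a literal `?` inside the last value — and the request id is no longer a separate parameter; `\$1?\$args&reqid=\$request_id` (or a `set`-built query if the backend rejects an empty leading parameter) keeps it separate. Independently, nginx does not verify upstream certificates by default and the endpoint host is resolved through a hard-coded `resolver 8.8.8.8`, so an https endpoint is proxied without any authentication of the peer and the container must have outbound DNS to Google; `proxy_ssl_verify on` with a CA bundle (path depends on the base image — nginx refuses to start if the file is missing) plus `proxy_ssl_server_name on` for SNI closes the former, and a configurable resolver variable the latter. The README in this commit shows `BEACH_ASSET_PROXY_ENDPOINT` both with and without a trailing slash while the template hard-codes `/` after it, so normalizing once next to the export in the first hunk, `BEACH_ASSET_PROXY_ENDPOINT=${BEACH_ASSET_PROXY_ENDPOINT%/}`, avoids a `//` in the object key. Note also that an `add_header` inside this location stops nginx from inheriting any `add_header` set at server level — presumably why HSTS is re-added here — which deserves a comment such as `# add_header in this location replaces all inherited add_header directives; re-add any that must also apply to proxied assets`.
```shell
location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}([a-f0-9]{40})/" {
# … unchanged: resolver, Authorization/Via headers, HSTS …
# only effective for an https endpoint: verify the upstream certificate and send SNI
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# keep reqid a separate parameter even when the client sent a query string
proxy_pass ${BEACH_ASSET_PROXY_ENDPOINT}/\$1?\$args&reqid=\$request_id;
# … unchanged: expires …
}
```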
