-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add grafana-nomad.lib.princeton.edu config
- Loading branch information
1 parent
2106acc
commit 77c7e99
Showing
1 changed file
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
# {{ ansible_managed | comment }} | ||
proxy_cache_path /var/cache/nginx/grafana-nomad/ keys_zone=grafana-nomadcache:10m; | ||
|
||
upstream grafana-nomad { | ||
ip_hash; | ||
zone grafana-nomad 64k; | ||
server service.consul service=grafana-grafana resolve max_fails=0; | ||
sticky learn | ||
create=$upstream_cookie_grafana-nomadcookie | ||
lookup=$cookie_grafana-nomadcookie | ||
zone=grafana-nomadclient_sessions:1m; | ||
resolver nomad-host-prod1.lib.princeton.edu:8600 nomad-host-prod2.lib.princeton.edu:8600 nomad-host-prod3.lib.princeton.edu:8600 valid=5s; | ||
resolver_timeout 2s; | ||
} | ||
|
||
server { | ||
listen 80; | ||
server_name grafana-nomad.lib.princeton.edu; | ||
|
||
location / { | ||
return 301 https://$server_name$request_uri; | ||
} | ||
} | ||
|
||
server { | ||
listen 443 ssl; | ||
http2 on; | ||
server_name grafana-nomad.lib.princeton.edu; | ||
|
||
ssl_certificate /etc/letsencrypt/live/grafana-nomad.lib/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/grafana-nomad.lib/privkey.pem; | ||
ssl_session_cache shared:SSL:1m; | ||
ssl_prefer_server_ciphers on; | ||
|
||
location / { | ||
app_protect_enable off; | ||
proxy_pass http://grafana-nomad; | ||
proxy_set_header X-Forwarded-Host $host; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_cache grafana-nomadcache; | ||
proxy_read_timeout 310s; | ||
proxy_buffering off; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
proxy_set_header Origin "${scheme}://${proxy_host}"; | ||
# allow princeton network | ||
# include /etc/nginx/conf.d/templates/restrict.conf; | ||
# block all IPs outside the princeton network | ||
# deny all; | ||
} | ||
location /api/live/ { | ||
proxy_http_version 1.1; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection $connection_upgrade; | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Host $host; | ||
proxy_set_header X-NginX-Proxy true; | ||
proxy_pass http://grafana-nomad; | ||
} | ||
# | ||
# yes it is okay to be visible outside VPN | ||
# | ||
# include /etc/nginx/conf.d/templates/staging-maintenance.conf; | ||
} |