Add grafana-nomad.lib.princeton.edu config

pulibrary · Oct 25, 2024 · 77c7e99 · 77c7e99
1 parent 2106acc
commit 77c7e99
Showing 1 changed file with 66 additions and 0 deletions.
diff --git a/roles/nginxplus/files/conf/http/dev/grafana_nomad.conf b/roles/nginxplus/files/conf/http/dev/grafana_nomad.conf
@@ -0,0 +1,66 @@
+# {{ ansible_managed | comment }}
+proxy_cache_path /var/cache/nginx/grafana-nomad/ keys_zone=grafana-nomadcache:10m;
+
+upstream grafana-nomad {
+    ip_hash;
+    zone grafana-nomad 64k;
+    server service.consul service=grafana-grafana resolve max_fails=0;
+    sticky learn
+          create=$upstream_cookie_grafana-nomadcookie
+          lookup=$cookie_grafana-nomadcookie
+          zone=grafana-nomadclient_sessions:1m;
+    resolver nomad-host-prod1.lib.princeton.edu:8600 nomad-host-prod2.lib.princeton.edu:8600 nomad-host-prod3.lib.princeton.edu:8600 valid=5s;
+    resolver_timeout 2s;
+}
+
+server {
+    listen 80;
+    server_name grafana-nomad.lib.princeton.edu;
+
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    http2 on;
+    server_name grafana-nomad.lib.princeton.edu;
+
+    ssl_certificate            /etc/letsencrypt/live/grafana-nomad.lib/fullchain.pem;
+    ssl_certificate_key        /etc/letsencrypt/live/grafana-nomad.lib/privkey.pem;
+    ssl_session_cache          shared:SSL:1m;
+    ssl_prefer_server_ciphers  on;
+
+    location / {
+        app_protect_enable off;
+        proxy_pass http://grafana-nomad;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_cache grafana-nomadcache;
+        proxy_read_timeout 310s;
+        proxy_buffering off;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Origin "${scheme}://${proxy_host}";
+        # allow princeton network
+        # include /etc/nginx/conf.d/templates/restrict.conf;
+        # block all IPs outside the princeton network
+        # deny all;
+    }
+    location /api/live/ {
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-NginX-Proxy true;
+      proxy_pass http://grafana-nomad;
+    }
+    #
+    # yes it is okay to be visible outside VPN
+    #
+    # include /etc/nginx/conf.d/templates/staging-maintenance.conf;
+}