Issue project-sunbird#1661: Nginx trace id override and volume mount

Adding X-Trace-ID false by default, so that clients should Not be able to override the config Signed-off-by: Rajesh Rajendran <rjshrjndrn@gmail.com>
rjshrjndrn · Aug 25, 2020 · 4a014e4 · 4a014e4
1 parent 114d607
commit 4a014e4
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 10 deletions.
diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/templates/daemonset.yaml b/kubernetes/helm_charts/core/nginx-public-ingress/templates/daemonset.yaml
@@ -4,8 +4,6 @@ kind: DaemonSet
 metadata:
   name: nginx-public-ingress
   namespace: {{ .Values.namespace }}
-  annotations:
-    reloader.stakater.com/auto: "true"
 spec:
   selector:
     matchLabels:
@@ -17,6 +15,7 @@ spec:
       labels:
         app: nginx-public-ingress
     spec:
+      # Running nginx with custom config
 {{- if .Values.imagepullsecrets }}
       imagePullSecrets:
       - name: {{ .Values.imagepullsecrets }}
@@ -44,13 +43,10 @@ spec:
             mountPath: /etc/secrets
             readOnly: true
           - name: proxy-config
-            mountPath: /etc/nginx/conf.d/default.conf
-            subPath: proxy-default.conf
-            readOnly: true
+            mountPath: /etc/nginx/defaults.d
           - name: nginx-config
             mountPath: /etc/nginx/nginx.conf
             subPath: nginx.conf
-            readOnly: true
 {{- if .Values.volumeMounts }}
 {{ toYaml .Values.volumeMounts | indent 10 }}
 {{- end }}

diff --git a/kubernetes/helm_charts/core/nginx-public-ingress/values.j2 b/kubernetes/helm_charts/core/nginx-public-ingress/values.j2
@@ -157,10 +157,12 @@ proxyconfig: |
       proxy_set_header X-Scheme $scheme;
       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
     location /auth/ {
       rewrite ^/auth/(.*) /auth/$1 break;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP {{ nginx_client_public_ip_header | d('$remote_addr') }};
       proxy_set_header X-Scheme $scheme;
@@ -220,6 +222,7 @@ proxyconfig: |
       proxy_send_timeout 60;
       proxy_read_timeout 70;
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
 
@@ -273,6 +276,7 @@ proxyconfig: |
       proxy_send_timeout 60;
       proxy_read_timeout 70;
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
   }
 
@@ -298,6 +302,7 @@ proxyconfig: |
       proxy_send_timeout 60;
       proxy_read_timeout 70;
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
   }
 
@@ -331,6 +336,7 @@ proxyconfig: |
         local h = ngx.req.get_headers()
         ngx.log(ngx.WARN, "Deviceid: ", h["x-device-id"], "  Channelid: ", h["x-channel-id"], "  Appid: ", h["x-app-id"])
       }
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
     }
     # Oauth2 config
@@ -340,6 +346,7 @@ proxyconfig: |
       proxy_set_header X-Real-IP               {{ nginx_client_public_ip_header | d('$remote_addr') }};
       proxy_set_header X-Scheme                $scheme;
       proxy_set_header X-Auth-Request-Redirect $request_uri;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass $target;
     }
     location = /oauth2/auth {
@@ -350,6 +357,7 @@ proxyconfig: |
       # nginx auth_request includes headers but not body
       proxy_set_header Content-Length   "";
       proxy_pass_request_body           off;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass $target;
     }
     location /dashboard/ {
@@ -366,6 +374,7 @@ proxyconfig: |
       # if you enabled --cookie-refresh, this is needed for it to work with auth_request
       auth_request_set $auth_cookie $upstream_http_set_cookie;
       add_header Set-Cookie $auth_cookie;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass $target;
     }
     location /grafana/ {
@@ -384,6 +393,8 @@ proxyconfig: |
     proxy_send_timeout 30;
     proxy_read_timeout 40;
     proxy_set_header    X-Forwarded-Proto $scheme;
+    proxy_set_header    X-Forwarded-For   $http_x_forwarded_for;
+    proxy_set_header X-Request-ID $sb_request_id;
     proxy_pass $target;
     }
     location /badging/ {
@@ -396,6 +407,7 @@ proxyconfig: |
       proxy_send_timeout 30;
       proxy_read_timeout 40;
       proxy_set_header    X-Forwarded-Proto $scheme;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass $target;
   }
     location ~* ^/assets/public/(.*) {
@@ -432,6 +444,7 @@ proxyconfig: |
       proxy_intercept_errors on;
           add_header             Access-Control-Allow-Origin "*";
           add_header             Access-Control-Allow-Methods GET;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass             https://$bucket/$url_full;
   }
    location ~* ^/content/preview/(.*) {
@@ -464,6 +477,7 @@ proxyconfig: |
       proxy_intercept_errors on;
       add_header             Access-Control-Allow-Origin "*" ;
       add_header             Access-Control-Allow-Methods GET;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass             https://$s3_bucket/v3/preview/$url_full;
   }
 
@@ -478,6 +492,7 @@ proxyconfig: |
       proxy_set_header    X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
   location ~* ^/content-editor/(.*) {
@@ -510,6 +525,7 @@ proxyconfig: |
       proxy_intercept_errors on;
       add_header             Access-Control-Allow-Origin "*" ;
       add_header             Access-Control-Allow-Methods GET;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass             https://$s3_bucket/content-editor/$url_full;
   }
     location ~* ^/collection-editor/(.*) {
@@ -542,6 +558,7 @@ proxyconfig: |
       proxy_intercept_errors on;
       add_header             Access-Control-Allow-Origin "*" ;
       add_header             Access-Control-Allow-Methods GET;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass             https://$s3_bucket/collection-editor/$url_full;
   }
     location ~* ^/generic-editor/(.*) {
@@ -574,6 +591,7 @@ proxyconfig: |
       proxy_intercept_errors on;
       add_header             Access-Control-Allow-Origin "*" ;
       add_header             Access-Control-Allow-Methods GET;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass             https://$s3_bucket/generic-editor/$url_full;
   }
   location ~* ^/content-plugins/(.*) {
@@ -610,6 +628,7 @@ proxyconfig: |
          proxy_intercept_errors on;
          add_header             Access-Control-Allow-Origin "*";
          add_header             Access-Control-Allow-Methods GET;
+         proxy_set_header X-Request-ID $sb_request_id;
          proxy_pass             https://$s3_bucket/content-plugins/$url_full;
   }
     location /thirdparty {
@@ -632,6 +651,7 @@ proxyconfig: |
       proxy_set_header    X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
   location ~* ^/desktop/(.*) {
@@ -668,6 +688,7 @@ proxyconfig: |
          proxy_intercept_errors on;
          add_header             Access-Control-Allow-Origin "*";
          add_header             Access-Control-Allow-Methods GET;
+         proxy_set_header X-Request-ID $sb_request_id;
          proxy_pass             https://$offline_bucket/$url_full;
   }
     location / {
@@ -681,9 +702,11 @@ proxyconfig: |
       proxy_set_header    X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
     location /v3/device/register {
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
       proxy_set_header Connection "";
       rewrite ^/v3/device/register/(.*) /v3/device/register/$1 break;
@@ -696,6 +719,7 @@ proxyconfig: |
       proxy_http_version 1.1;
     }
     location /action/data/v3/metrics {
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
       proxy_set_header Connection "";
       rewrite ^/action/data/v3/metrics/(.*) /data/v3/metrics/$1 break;
@@ -724,6 +748,7 @@ proxyconfig: |
       proxy_set_header X-Scheme $scheme;
       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
 
@@ -748,11 +773,13 @@ proxyconfig: |
       proxy_send_timeout 60;
       proxy_read_timeout 70;
       proxy_http_version 1.1;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://kong;
     }
 
     location ~ /chatapi/bot {
       rewrite ^/chatapi/(.*) /$1 break;
+      set $target http://router-service:8000;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP {{ nginx_client_public_ip_header | d('$remote_addr') }};
       proxy_set_header X-Scheme $scheme;
@@ -762,7 +789,7 @@ proxyconfig: |
       proxy_set_header    X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_http_version 1.1;
-      proxy_pass http://router-service:8000;
+      proxy_pass $target;
     }
 
     location /oauth2callback {
@@ -813,14 +840,21 @@ nginxconfig: |
       log_format  main  '{{ nginx_client_public_ip_header | d('$remote_addr') }} - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '$request_time $upstream_response_time $pipe'
-                        '"$http_referer" "$http_user_agent"';
+                        '"$http_referer" "$http_user_agent" $sb_request_id';
 
       access_log  /var/log/nginx/access.log  main;
 
       # Shared dictionary to store metrics
       lua_shared_dict prometheus_metrics 100M;
       lua_package_path "/etc/nginx/lua_modules/?.lua";
 
+      # Defining request_id
+      # If the client send request_id it should be preffered over the default one
+      map $http_x_request_id $sb_request_id {
+        default  $http_x_request_id;
+        ''  $request_id;
+      }
+
       # Defining upstream cache status for nginx metrics
       map $upstream_cache_status $cache_status {
         default  $upstream_cache_status;
@@ -877,6 +911,7 @@ nginxconfig: |
           keepalive 1000;
       }
 
+      include /etc/nginx/defaults.d/*.conf;
       include /etc/nginx/conf.d/*.conf;
 
       # local caching for images and files
@@ -966,6 +1001,7 @@ keycloakconf: |
       proxy_set_header X-Scheme $scheme;
       proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass http://player;
     }
 
@@ -975,6 +1011,7 @@ keycloakconf: |
     location /auth/ {
       set $target {{ keycloak_url }};
       rewrite ^/auth/(.*) /auth/$1 break;
+      proxy_set_header X-Request-ID $sb_request_id;
       proxy_pass $target;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP {{ nginx_client_public_ip_header | d('$remote_addr') }};
@@ -994,8 +1031,7 @@ keycloakconf: |
       proxy_set_header    X-Forwarded-Proto $scheme;
       proxy_set_header Connection "";
       proxy_http_version 1.1;
-      proxy_buffer_size  16k;
-      proxy_buffers 16 4k;
+      proxy_set_header X-Request-ID $request_id;
       proxy_pass http://player;
     }
   }