diff --git a/backend/requirements/ee.txt b/backend/requirements/ee.txt index e587869fd..395060935 100644 --- a/backend/requirements/ee.txt +++ b/backend/requirements/ee.txt @@ -1,3 +1,4 @@ cohere==5.6.1 posthog==3.7.4 python3-saml==1.15.0 +xmlsec==1.3.14 diff --git a/deployment/data/nginx/app.conf.template b/deployment/data/nginx/app.conf.template index b698c744b..83311b240 100644 --- a/deployment/data/nginx/app.conf.template +++ b/deployment/data/nginx/app.conf.template @@ -4,6 +4,24 @@ log_format custom_main '$remote_addr - $remote_user [$time_local] "$request" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'rt=$request_time'; +# Map X-Forwarded-Proto or fallback to $scheme +map $http_x_forwarded_proto $forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; +} + +# Map X-Forwarded-Host or fallback to $host +map $http_x_forwarded_host $forwarded_host { + default $http_x_forwarded_host; + "" $host; +} + +# Map X-Forwarded-Port or fallback to server port +map $http_x_forwarded_port $forwarded_port { + default $http_x_forwarded_port; + "" $server_port; +} + upstream api_server { # fail_timeout=0 means we always retry an upstream even if it failed # to return a good HTTP response @@ -21,8 +39,7 @@ upstream web_server { } server { - listen 80; - server_name ${DOMAIN}; + listen 80 default_server; client_max_body_size 5G; # Maximum upload size @@ -36,8 +53,9 @@ server { # misc headers proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + proxy_set_header X-Forwarded-Host $forwarded_host; + proxy_set_header X-Forwarded-Port $forwarded_port; proxy_set_header Host $host; # need to use 1.1 to support chunked transfers 
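Review bot: The three `map` blocks added to app.conf.template honour `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port` from whoever sends the request, and the port-80 server that consumes them (`listen 80 default_server`, hunks at new lines 53 and 72) has no restriction on the source address, so any client that can reach port 80 directly can have an arbitrary host, scheme or port forwarded to the backend as if it were the real entry point. That matters for anything the application builds from those headers (absolute URLs, redirects, SAML assertion-consumer URLs — hedged, the backend is not in this diff). The same block is duplicated in app.conf.template.no-letsencrypt. One way to keep the fallback behaviour while limiting trust is to key the maps on the source address via a `geo` block, as below, and to state the trust assumption in the template comment, e.g. `# only honoured when the request comes from a hop listed in $trusted_proxy`.
```nginx
# 1 for hops allowed to set X-Forwarded-*; add the address of an external LB here
geo $trusted_proxy {
    default 0;
    127.0.0.1 1;
}

# Use X-Forwarded-Proto only from a trusted hop, otherwise fall back to $scheme
map "$trusted_proxy:$http_x_forwarded_proto" $forwarded_proto {
    default $scheme;
    "~^1:(.+)$" $1;
}
# … unchanged: same pattern for $forwarded_host (fallback $host) and $forwarded_port (fallback $server_port) …
```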
@@ -54,8 +72,9 @@ server { # misc headers proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + proxy_set_header X-Forwarded-Host $forwarded_host; + proxy_set_header X-Forwarded-Port $forwarded_port; proxy_set_header Host $host; proxy_http_version 1.1; @@ -72,14 +91,25 @@ server { } server { - listen 443 ssl; - server_name ${DOMAIN}; + listen 443 ssl default_server; client_max_body_size 5G; # Maximum upload size location / { + # misc headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # don't use forwarded schema, host, or port here - this is the entry point + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Host $host; + proxy_http_version 1.1; proxy_buffering off; + # we don't want nginx trying to do something clever with + # redirects, we set the Host: header above already. + proxy_redirect off; proxy_pass http://localhost:80; } diff --git a/deployment/data/nginx/app.conf.template.dev b/deployment/data/nginx/app.conf.template.dev index a7a0efa19..0c1ed5f6a 100644 --- a/deployment/data/nginx/app.conf.template.dev +++ b/deployment/data/nginx/app.conf.template.dev @@ -21,8 +21,7 @@ upstream web_server { } server { - listen 80; - server_name ${DOMAIN}; + listen 80 default_server; client_max_body_size 5G; # Maximum upload size @@ -37,7 +36,8 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $host; # need to use 1.1 to support chunked transfers 
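Review bot: The `proxy_set_header X-Real-IP $remote_addr;` added to the 443 `location /` is overwritten on the next hop, because it proxies to `http://localhost:80` and the port-80 location blocks (new lines 53 and 72) set `X-Real-IP $remote_addr` again, which on that hop is the loopback address; the backend therefore never sees the client address in `X-Real-IP`, and `X-Forwarded-For` ends with `127.0.0.1` appended by the second hop. The commit's own fallback pattern fixes this: add a fourth map from `$http_x_real_ip` falling back to `$remote_addr` and use it in the port-80 locations, `proxy_set_header X-Real-IP $forwarded_real_ip;`, with the same trusted-hop caveat that applies to the other forwarded headers. The same situation exists in app.conf.template.no-letsencrypt at its 443 hunk (new line 87). The surrounding `server` block for port 80 starts outside this hunk.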
@@ -55,7 +55,8 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; proxy_set_header Host $host; proxy_http_version 1.1; diff --git a/deployment/data/nginx/app.conf.template.no-letsencrypt b/deployment/data/nginx/app.conf.template.no-letsencrypt index 4d5096374..bce75f659 100644 --- a/deployment/data/nginx/app.conf.template.no-letsencrypt +++ b/deployment/data/nginx/app.conf.template.no-letsencrypt @@ -4,6 +4,24 @@ log_format custom_main '$remote_addr - $remote_user [$time_local] "$request" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'rt=$request_time'; +# Map X-Forwarded-Proto or fallback to $scheme +map $http_x_forwarded_proto $forwarded_proto { + default $http_x_forwarded_proto; + "" $scheme; +} + +# Map X-Forwarded-Host or fallback to $host +map $http_x_forwarded_host $forwarded_host { + default $http_x_forwarded_host; + "" $host; +} + +# Map X-Forwarded-Port or fallback to server port +map $http_x_forwarded_port $forwarded_port { + default $http_x_forwarded_port; + "" $server_port; +} + upstream api_server { # fail_timeout=0 means we always retry an upstream even if it failed # to return a good HTTP response @@ -21,8 +39,7 @@ upstream web_server { } server { - listen 80; - server_name ${DOMAIN}; + listen 80 default_server; client_max_body_size 5G; # Maximum upload size 
@@ -36,8 +53,9 @@ server { # misc headers proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + proxy_set_header X-Forwarded-Host $forwarded_host; + proxy_set_header X-Forwarded-Port $forwarded_port; proxy_set_header Host $host; # need to use 1.1 to support chunked transfers @@ -54,8 +72,9 @@ server { # misc headers proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + proxy_set_header X-Forwarded-Host $forwarded_host; + proxy_set_header X-Forwarded-Port $forwarded_port; proxy_set_header Host $host; proxy_http_version 1.1; @@ -68,14 +87,25 @@ server { } server { - listen 443 ssl; - server_name ${DOMAIN}; + listen 443 ssl default_server; client_max_body_size 5G; # Maximum upload size location / { + # misc headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # don't use forwarded schema, host, or port here - this is the entry point + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header Host $host; + proxy_http_version 1.1; proxy_buffering off; + # we don't want nginx trying to do something clever with + # redirects, we set the Host: header above already. + proxy_redirect off; proxy_pass http://localhost:80; } diff --git a/deployment/data/nginx/run-nginx.sh b/deployment/data/nginx/run-nginx.sh index 01f9c1497..5f18b0d6b 100755 --- a/deployment/data/nginx/run-nginx.sh +++ b/deployment/data/nginx/run-nginx.sh 
@@ -1,5 +1,5 @@ # fill in the template -envsubst '$DOMAIN $SSL_CERT_FILE_NAME $SSL_CERT_KEY_FILE_NAME' < "/etc/nginx/conf.d/$1" > /etc/nginx/conf.d/app.conf +envsubst '$SSL_CERT_FILE_NAME $SSL_CERT_KEY_FILE_NAME' < "/etc/nginx/conf.d/$1" > /etc/nginx/conf.d/app.conf # wait for the api_server to be ready echo "Waiting for API server to boot up; this may take a minute or two..."
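Review bot: With `$DOMAIN` dropped from the `envsubst` variable list, any `${DOMAIN}` still present in a template is copied literally into app.conf instead of being substituted, and nginx would then fail to start or serve an unintended `server_name`; the diff removes the occurrences in the port-80 and port-443 blocks it touches, but the dev template's remaining blocks are not shown here, so it is worth confirming none remain (`grep -n 'DOMAIN' /etc/nginx/conf.d/*.template*`). A one-line comment above the call would make the contract explicit, e.g. `# only the SSL file-name variables are substituted; templates must not reference ${DOMAIN}`.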