Commit 1f3c9ea04dc936c94b04bb9e38f91c07581fc461

Authored by Jacob Vosmaer
1 parent 4b40b09a

Add nginx files from omnibus-chef-server

Repo
https://github.com/opscode/omnibus-chef-server.git
Revision
8fc56f1e0c20cd8109d85d512b1d81066951ad8a
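--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -0,0 +1,154 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+nginx_dir = node['chef_server']['nginx']['dir']
+nginx_etc_dir = File.join(nginx_dir, "etc")
+nginx_cache_dir = File.join(nginx_dir, "cache")
+nginx_cache_tmp_dir = File.join(nginx_dir, "cache-tmp")
+nginx_html_dir = File.join(nginx_dir, "html")
+nginx_ca_dir = File.join(nginx_dir, "ca")
+nginx_log_dir = node['chef_server']['nginx']['log_directory']
+
+[
+ nginx_dir,
+ nginx_etc_dir,
+ nginx_cache_dir,
+ nginx_cache_tmp_dir,
+ nginx_html_dir,
+ nginx_ca_dir,
+ nginx_log_dir,
+].each do |dir_name|
+ directory dir_name do
+ owner node['chef_server']['user']['username']
+ mode '0700'
+ recursive true
+ end
+end
+
+ssl_keyfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.key")
+ssl_crtfile = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}.crt")
+ssl_signing_conf = File.join(nginx_ca_dir, "#{node['chef_server']['nginx']['server_name']}-ssl.conf")
+
+unless File.exists?(ssl_keyfile) && File.exists?(ssl_crtfile) && File.exists?(ssl_signing_conf)
+ file ssl_keyfile do
+ owner "root"
+ group "root"
+ mode "0644"
+ content `/opt/chef-server/embedded/bin/openssl genrsa 2048`
+ not_if { File.exists?(ssl_keyfile) }
+ end
+
+ file ssl_signing_conf do
+ owner "root"
+ group "root"
+ mode "0644"
+ not_if { File.exists?(ssl_signing_conf) }
+ content <<-EOH
+ [ req ]
+ distinguished_name = req_distinguished_name
+ prompt = no
+
+ [ req_distinguished_name ]
+ C = #{node['chef_server']['nginx']['ssl_country_name']}
+ ST = #{node['chef_server']['nginx']['ssl_state_name']}
+ L = #{node['chef_server']['nginx']['ssl_locality_name']}
+ O = #{node['chef_server']['nginx']['ssl_company_name']}
+ OU = #{node['chef_server']['nginx']['ssl_organizational_unit_name']}
+ CN = #{node['chef_server']['nginx']['server_name']}
+ emailAddress = #{node['chef_server']['nginx']['ssl_email_address']}
+ EOH
+ end
+
+ ruby_block "create crtfile" do
+ block do
+ r = Chef::Resource::File.new(ssl_crtfile, run_context)
+ r.owner "root"
+ r.group "root"
+ r.mode "0644"
+ r.content `/opt/chef-server/embedded/bin/openssl req -config '#{ssl_signing_conf}' -new -x509 -nodes -sha1 -days 3650 -key #{ssl_keyfile}`
+ r.not_if { File.exists?(ssl_crtfile) }
+ r.run_action(:create)
+ end
+ end
+end
+
+node.default['chef_server']['nginx']['ssl_certificate'] ||= ssl_crtfile
+node.default['chef_server']['nginx']['ssl_certificate_key'] ||= ssl_keyfile
+
+remote_directory nginx_html_dir do
+ source "html"
+ files_backup false
+ files_owner "root"
+ files_group "root"
+ files_mode "0644"
+ owner node['chef_server']['user']['username']
+ mode "0700"
+end
+
+nginx_config = File.join(nginx_etc_dir, "nginx.conf")
+nginx_vars = node['chef_server']['nginx'].to_hash.merge({
+ :chef_https_config => File.join(nginx_etc_dir, "chef_https_lb.conf"),
+ :chef_http_config => File.join(nginx_etc_dir, "chef_http_lb.conf")
+})
+
+# We will always render an HTTP and HTTPS config for the Chef API but the HTTP
+# config file will only be active if the user set `nginx['enable_non_ssl']` to
+# true. Default behavior is to redirect all HTTP requests to HTTPS.
+["https", "http"].each do |server_proto|
+ config_key = "chef_#{server_proto}_config".to_sym
+ lb_config = nginx_vars[config_key]
+
+ server_port = (server_proto == 'https') ?
+ nginx_vars['ssl_port'] :
+ nginx_vars['non_ssl_port']
+
+ template lb_config do
+ source "nginx_chef_api_lb.conf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables(nginx_vars.merge({
+ :server_proto => server_proto,
+ :server_port => server_port
+ }))
+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+ end
+
+end
+
+template nginx_config do
+ source "nginx.conf.erb"
+ owner "root"
+ group "root"
+ mode "0644"
+ variables nginx_vars
+ notifies :restart, 'service[nginx]' if OmnibusHelper.should_notify?("nginx")
+end
+
+runit_service "nginx" do
+ down node['chef_server']['nginx']['ha']
+ options({
+ :log_directory => nginx_log_dir
+ }.merge(params))
+end
+
+if node['chef_server']['bootstrap']['enable']
+ execute "/opt/chef-server/bin/chef-server-ctl start nginx" do
+ retries 20
+ end
+end
+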
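Review bot: The private key written by `file ssl_keyfile` is created with `mode "0644"`, making the TLS key world-readable to every local account even though its parent `ca` directory is `0700`; the runit run script in this commit starts nginx without `chpst -u`, so the master presumably runs as root and `mode "0600"` with the existing `owner "root"` is enough for it to read the key. The certificate created in `ruby_block "create crtfile"` is signed with `-sha1`; `-sha256` should be used, since SHA-1 certificate signatures are deprecated and rejected by current TLS clients. The key bytes are also produced by backticks and handed to Chef as resource `content`, which Chef prints as a diff on change unless the resource is marked `sensitive true` — worth confirming whether the Chef version in use supports that attribute. Note too that the surrounding `unless` only guards the case where all three files exist: a missing key next to an existing certificate yields a fresh key that no longer matches the certificate that is kept.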
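--- a/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx_disable.rb
@@ -0,0 +1,21 @@
+#
+# Copyright:: Copyright (c) 2012 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "nginx" do
+ action :disable
+end
+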
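--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -0,0 +1,63 @@
+user <%= node['chef_server']['user']['username'] %> <%= node['chef_server']['user']['username']%>;
+worker_processes <%= @worker_processes %>;
+error_log /var/log/chef-server/nginx/error.log<%= node['chef_server']['lb']['debug'] ? " debug" : "" %>;
+
+daemon off;
+
+events {
+ worker_connections <%= @worker_connections %>;
+}
+
+http {
+ log_format opscode '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status "$request_time" $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" "$upstream_addr" "$upstream_status" "$upstream_response_time" "$http_x_chef_version" "$http_x_ops_sign" "$http_x_ops_userid" "$http_x_ops_timestamp" "$http_x_ops_content_hash" $request_length';
+
+ sendfile <%= @sendfile %>;
+ tcp_nopush <%= @tcp_nopush %>;
+ tcp_nodelay <%= @tcp_nodelay %>;
+
+ keepalive_timeout <%= @keepalive_timeout %>;
+
+ gzip <%= @gzip %>;
+ gzip_http_version <%= @gzip_http_version %>;
+ gzip_comp_level <%= @gzip_comp_level %>;
+ gzip_proxied <%= @gzip_proxied %>;
+ gzip_types <%= @gzip_types.join(' ') %>;
+
+ include /opt/chef-server/embedded/conf/mime.types;
+
+ <%- node['chef_server']['lb']['upstream'].each do |uname, servers| -%>
+ upstream <%= uname.gsub(/-/, '_') %> {
+ <%- servers.each do |server| -%>
+ server <%= server %>:<%= node['chef_server'][uname]['port'] %>;
+ <%- end -%>
+ }
+ <%- end -%>
+
+ # external lb config for Chef API
+ <%- if node['chef_server']['lb']['enable'] -%>
+ proxy_cache_path <%= File.join(@dir, "cache") %> levels=1:2 keys_zone=webui-cache:50m max_size=<%= @cache_max_size %> inactive=600m;
+ proxy_temp_path <%= File.join(@dir, "cache-tmp") %>;
+
+ # We support three options: serve nothing on non_ssl_port (80),
+ # redirect to https, or actually serve the API.
+ <%- if @non_ssl_port -%>
+ <%- if @enable_non_ssl -%>
+
+ # Chef HTTP API
+ include <%= @chef_http_config %>;
+ <%- else -%>
+
+ server {
+ listen <%= @non_ssl_port %>;
+ access_log /var/log/chef-server/nginx/rewrite-port-<%= @non_ssl_port %>.log;
+ return 301 https://$host:<%= @ssl_port %>$request_uri;
+ }
+ <%- end -%>
+ <%- end -%>
+
+ # Chef HTTPS API
+ include <%= @chef_https_config %>;
+ <%- end -%>
+}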
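Review bot: The HTTP-to-HTTPS redirect `server {}` block builds its Location from `$host`, which nginx takes from the client's Host header, and that block declares no `server_name`, so a request with a forged Host header is answered with a 301 to an attacker-chosen host — a Host-header open redirect. This template receives the same `nginx_vars` hash the API template does (it already reads `@ssl_port` and `@dir` from it), so the configured name should be used instead: `return 301 https://<%= @server_name %>:<%= @ssl_port %>$request_uri;`. The `http {}` block also sets no `server_tokens off;`, so the Server header and error pages advertise the exact embedded nginx version; adding it next to `sendfile` is cheap hardening. Whether `@server_name` is always populated by the attribute defaults should be confirmed, as those defaults are outside this commit.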
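--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx_chef_api_lb.conf.erb
@@ -0,0 +1,85 @@
+server {
+ listen <%= @server_port %>;
+ server_name <%= @server_name %>;
+ access_log /var/log/chef-server/nginx/access.log opscode;
+
+ <% if @server_proto == "https" -%>
+ ssl on;
+ ssl_certificate <%= @ssl_certificate %>;
+ ssl_certificate_key <%= @ssl_certificate_key %>;
+
+ ssl_session_timeout 5m;
+
+ ssl_protocols <%= @ssl_protocols %>;
+ ssl_ciphers <%= @ssl_ciphers %>;
+ ssl_prefer_server_ciphers on;
+
+ <% end -%>
+ root <%= File.join(@dir, "html") %>;
+
+ client_max_body_size <%= @client_max_body_size %>;
+
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto <%= @server_proto %>;
+ proxy_pass_request_headers on;
+ proxy_connect_timeout 1;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+
+ error_page 404 =404 /404.html;
+ error_page 503 =503 /503.json;
+
+ location /nginx_status {
+ stub_status on;
+ access_log off;
+ allow 127.0.0.1;
+ deny all;
+ }
+
+ location /version {
+ types { }
+ default_type text/plain;
+ alias /opt/chef-server/version-manifest.txt;
+ }
+
+ location /docs {
+ index index.html ;
+ alias /opt/chef-server/docs;
+ }
+
+ # bookshelf
+ location ~ "/<%= node['chef_server']['erchef']['s3_bucket'] %>/{0,1}.*$" {
+ proxy_pass http://bookshelf;
+ }
+
+ location ~ "^/(?:stylesheets|javascripts|images|facebox|css|favicon|robots|humans)/{0,1}.*$" {
+ if ($http_x_chef_version ~* "^(\d+\.\d+?)\..+$") {
+ error_page 400 =400 /400-chef_client_manage.json;
+ return 400;
+ }
+ proxy_pass http://chef_server_webui;
+ proxy_pass_request_headers off;
+ proxy_cache webui-cache;
+ proxy_cache_valid 200 302 300m;
+ proxy_cache_valid 404 1m;
+ }
+
+ location = /_status {
+ proxy_pass http://erchef/_status;
+ }
+
+ location = /_status/ {
+ proxy_pass http://erchef/_status;
+ }
+
+ location / {
+ set $my_upstream erchef;
+ if ($http_x_ops_userid = "") {
+ set $my_upstream chef_server_webui;
+ }
+ proxy_redirect http://$my_upstream /;
+ proxy_pass http://$my_upstream;
+ }
+}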
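Review bot: `location /version` serves `/opt/chef-server/version-manifest.txt` to any unauthenticated client — on the plain-HTTP listener too when `enable_non_ssl` is set — and that manifest lists the exact version of every embedded component, which is precisely the reconnaissance an attacker wants before choosing an exploit. Unless remote clients are known to depend on it, restrict it the same way `/nginx_status` already is, with `allow 127.0.0.1;` and `deny all;`, or add a comment explaining why it must stay public. The bookshelf regex `"/<%= node['chef_server']['erchef']['s3_bucket'] %>/{0,1}.*$"` has no `^` anchor and interpolates the bucket name without escaping, so any URI containing `/<bucket>` anywhere in its path is routed to bookshelf rather than erchef; `"^/<%= Regexp.escape(node['chef_server']['erchef']['s3_bucket']) %>/{0,1}.*$"` pins it to the path prefix. Since this block terminates TLS, an `add_header Strict-Transport-Security` line inside the `@server_proto == "https"` branch would also be reasonable, provided the plain-HTTP API mode is not needed by browsers.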
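--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-log-run.erb
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec svlogd -tt <%= @options[:log_directory] %>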
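--- a/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/sv-nginx-run.erb
@@ -0,0 +1,4 @@
+#!/bin/sh
+exec 2>&1
+exec chpst -P /opt/chef-server/embedded/sbin/nginx -c <%= File.join(node['chef_server']['nginx']['dir'], "etc", "nginx.conf") %>
+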