Merged in NRRPLT-8243-redrawing-proxy-architecture (pull request #88)

[NRRPLT-8243] New proxy architecture * [NRRPLT-8243] not using hard-coded IPs for nrpBackendProxy config.json * [NRRPLT-8243] add cle-haproxy and cle-reverse-proxies * [NRRPLT-8243] create .local/var/run and fix a bug * [NRRPLT-8243] use container's name instead of IP * [NRRPLT-8243] remove unnecessary nrp-postgres Approved-by: Ugo Albanese Approved-by: Viktor Vorobev

Merged in NRRPLT-8243-redrawing-proxy-architecture (pull request #88)
[NRRPLT-8243] New proxy architecture * [NRRPLT-8243] not using hard-coded IPs for nrpBackendProxy config.json * [NRRPLT-8243] add cle-haproxy and cle-reverse-proxies * [NRRPLT-8243] create .local/var/run and fix a bug * [NRRPLT-8243] use container's name instead of IP * [NRRPLT-8243] remove unnecessary nrp-postgres Approved-by: Ugo Albanese Approved-by: Viktor Vorobev
94cc216e · vahid zolfaghari · Ugo Albanese · 723b4fe5 · 94cc216e · 94cc216e
Commit 94cc216e authored 3 years ago by vahid zolfaghari Committed by Ugo Albanese 3 years ago
--- a/config_files/haproxy/local_docker/backend_extractor.lua
+++ b/config_files/haproxy/local_docker/backend_extractor.lua
+function mysplit (inputstr, sep)
+        if sep == nil then
+                sep = "%s"
+        end
+        local t={}
+        for str in string.gmatch(inputstr, "([^"..sep.."]+)") do
+                table.insert(t, str)
+        end
+        return t
+end
+
+function get_backend(txn)
+    local my_path = txn.sf:path()
+    local mytbl = mysplit(my_path,"/")
+    return tostring(mytbl[1])
+end
+
+core.register_fetches("get_backend", get_backend) 
--- a/config_files/haproxy/local_docker/haproxy.cfg
+++ b/config_files/haproxy/local_docker/haproxy.cfg
+global
+    log /dev/log	local0
+    log /dev/log	local1 notice
+    chroot /var/lib/haproxy
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+    lua-load /etc/haproxy/lua_scripts/cors.lua
+    lua-load /etc/haproxy/lua_scripts/backend_extractor.lua
+
+defaults
+    log	global
+    mode	http
+    option	httplog
+    option	dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+    timeout tunnel        3600s
+    timeout http-keep-alive  1s
+    timeout http-request    15s
+    timeout queue           30s
+    timeout tarpit          60s
+    default-server inter 3s rise 2 fall 3
+    option forwardfor
+
+
+# HAproxy for web servers
+frontend web-frontend
+    bind *:9000
+
+    ## routing based on Host header
+    acl host_ws hdr_beg(Host) -i ws.
+
+    ## routing based on websocket protocol header
+    acl hdr_connection_upgrade hdr(connection)  -i Upgrade
+    acl hdr_upgrade_websocket  hdr(upgrade)     -i websocket
+
+    use_backend nrp-proxy if { path_beg /proxy/ } || { path_beg /storage/ }
+
+    use_backend backend-%[lua.get_backend]
+    use_backend backend-%[lua.get_backend]  if hdr_connection_upgrade  hdr_upgrade_websocket host_ws
+
+    default_backend nrp_frontend_robodesigner
+
+
+backend nrp-proxy
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "*" "*"
+    http-response lua.cors
+
+    # Compatible with haproxy versions >= 2.0
+    http-request replace-uri (/(proxy|storage))(/.*) \3
+    server nrp-proxy localhost:8443
+
+backend backend-local_docker-8090
+
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "*" "*"
+    http-response lua.cors
+
+    http-request replace-uri (.*)-(8090)(/.*) \3
+    server local_docker nrp:8090
+
+
+backend nrp_frontend_robodesigner
+    # enable CORS
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "*" "*"
+    http-response lua.cors
+
+    server nrp-frontend frontend:9002
+
--- a/config_files/haproxy/local_source/haproxy.cfg
+++ b/config_files/haproxy/local_source/haproxy.cfg
+global
+    log /dev/log	local0
+    log /dev/log	local1 notice
+    stats timeout 30s
+    daemon
+    lua-load /home/<username>/.local/etc/haproxy/cors.lua
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+defaults
+    log	global
+    mode	http
+    option	httplog
+    option	dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+    timeout tunnel        3600s
+    timeout http-keep-alive  1s
+    timeout http-request    15s
+    timeout queue           30s
+    timeout tarpit          60s
+    default-server inter 3s rise 2 fall 3
+
+
+frontend web-frontend
+    bind 0.0.0.0:9000
+
+    # enable CORS
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "localhost:9000" "*" 
+    http-response lua.cors 
+    
+    use_backend nrp-proxy if { path_beg /proxy } || { path_beg /storage/ }
+
+
+    default_backend nrp_frontend_robodesigner
+
+frontend nrp-services
+    bind 0.0.0.0:8080
+    
+    
+    
+    # ACLs for capturing websocket traffic 
+    acl host_ws hdr_beg(Host) -i ws.
+    acl hdr_connection_upgrade hdr(connection)  -i Upgrade
+    acl hdr_upgrade_websocket  hdr(upgrade)     -i websocket
+
+    acl path_nrp_services path_beg -i /rosbridge
+    acl path_nrp_services path_beg -i /gzbridge
+    
+    # ACL for rosbridge
+    use_backend nrp-services if path_nrp_services hdr_connection_upgrade
+    use_backend nrp-services if path_nrp_services hdr_upgrade_websocket
+    use_backend nrp-services if path_nrp_services host_ws
+    
+    
+    default_backend nrp-services
+
+backend nrp-proxy
+    # enable CORS
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "localhost:9000" "*" 
+    http-response lua.cors 
+    
+    # Compatible with haproxy versions >= 2.0
+    http-request replace-uri (/(proxy|storage))(/.*) \3
+    
+    server nrp-proxy 127.0.0.1:8443
+
+backend nrp_frontend_robodesigner
+    # enable CORS
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "localhost:9000" "*" 
+    http-response lua.cors 
+    
+    http-request replace-value Host (.*):9000 \1:9002
+    server nrp-frontend 127.0.0.1:9002
+
+
+backend nrp-services
+    # enable CORS
+    http-request lua.cors "GET,PUT,POST,DELETE,OPTIONS" "localhost:9000" "*" 
+    http-response lua.cors 
+        
+    server backend 127.0.0.1:8090
+    
+
--- a/config_files/nginx/conf.d/frontend.conf
+++ b/config_files/nginx/conf.d/frontend.conf
 server {
-    listen *:9000 default_server;
+    listen *:9002 default_server;
    server_name 127.0.0.1 localhost;


@@ -19,41 +19,9 @@ server {

        root <HBP>/ExDFrontend/dist/;
    }
-    
-    # template on how to serve external packages on the frontend
-    #location /frontendStateMachineEditor/ {
-    #    alias <HBP>/frontendStateMachineEditor/build/;
-    #    index index.html index.htm; 
-    #}

    location /robot-designer/ {
        root <HBP>/ExDFrontend/dist/node_modules;
    }

-    location /proxy/ {
-
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-
-        if ($request_uri ~* "/proxy/(.*)") {
-            proxy_pass http://127.0.0.1:8443/$1;
-            break;
-        }
-
-        proxy_pass http://127.0.0.1:8443/;
-    }
-
-    location /storage/ {
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade;
-
-        if ($request_uri ~* "/storage/(.*)") {
-            proxy_pass http://127.0.0.1:8443/$1;
-            break;
-        }
-
-        proxy_pass http://127.0.0.1:8443/;
-    }
 }
--- a/config_files/nginx/conf.d/nrp-services.conf
+++ b/config_files/nginx/conf.d/nrp-services.conf
@@ -7,8 +7,6 @@ map $http_upgrade $connection_upgrade {
    '' close;
 }

-
-
 upstream rosbridge {
    server 127.0.0.1:9090;
 }
@@ -17,9 +15,8 @@ upstream gzbridge {
    server 127.0.0.1:7681;
 }

-
 server {
-        listen *:8080 default_server;
+        listen *:8090 default_server;
        server_name 127.0.0.1 localhost;

        # UPDATE to match your local Experiments folder
@@ -36,11 +33,11 @@ server {

        set $accept_client_auth true;

-        location /webstream/ {                
+        location /webstream/ {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Access-Control-Allow-Methods $cors_methods always;
                add_header Access-Control-Allow-Headers $cors_headers always;
-      
+
                proxy_pass http://127.0.0.1:8081/;
                proxy_set_header Host $host;
        }
@@ -81,11 +78,6 @@ server {
                proxy_set_header Host $http_host;
        }

-        # Incinga2 monitoring services
-#        location /health {
-#                include            uwsgi_params;
-#                uwsgi_pass         uwsgicluster;
-#        }

        # Swagger interface
        location /api {

--- a/config_files/nrpBackendProxy/config.json.sample.docker
+++ b/config_files/nrpBackendProxy/config.json.sample.docker
+{
+  "refreshInterval": 5000,
+  "auth": {
+        "renewInternal": 600000,
+        "clientId": "nrp-backend-proxy",
+        "clientSecret": "<client_oidc_secret>",
+        "url": "https://iam.ebrains.eu/auth/realms/hbp",
+        "deactivate": true
+  },
+  "port": 8443,
+  "modelsPath": "$HBP/Models",
+  "experimentsPath": "$HBP/Experiments",
+  "servers": {
+        "local_docker-8090": {
+          "internalIp": "http://<nrp_IP>:<nrp_port>",
+          "gzweb": {
+                "assets": "http://<proxy_ip>:<proxy_port>/local_docker-8090/assets",
+                "nrp-services": "http://<proxy_ip>:<proxy_port>/local_docker-8090",
+                "videoStreaming": "http://<proxy_ip>:<proxy_port>/local_docker-8090/webstream/",
+                "websocket": "ws://<proxy_ip>:<proxy_port>/local_docker-8090/gzbridge"
+          },
+          "rosbridge": {
+                "websocket": "ws://<proxy_ip>:<proxy_port>/local_docker-8090/rosbridge"
+          },
+          "serverJobLocation": "local"
+        }
+  },
+  "storage": "FS",
+  "authentication": "FS",
+  "backendScripts": {
+        "restart-backend":
+          "$HBP/user-scripts/config_files/nrpBackendProxy/restart-backend.sh"
+  },
+  "activity-logs": {
+        "localfile": "/tmp/nrp_activity.log"
+  }
+}
--- a/configure_nrp
+++ b/configure_nrp
@@ -5,7 +5,10 @@ source "$HBP"/user-scripts/repos.txt

 $HBP/user-scripts/purge
 export GROUPNAME=`/usr/bin/id -gn`
-mkdir -p -v $HOME/.local/etc/nginx $HOME/.local/etc/init.d $HOME/.local/etc/default $HOME/nginx $HOME/.local/var/log/nginx $HOME/.local/etc/nginx/lua $HOME/.local/etc/nginx/conf.d $HOME/.opt/bbp
+mkdir -p -v $HOME/.local/etc/nginx $HOME/.local/etc/init.d $HOME/.local/etc/default $HOME/nginx $HOME/.local/var/log/nginx $HOME/.local/etc/nginx/lua $HOME/.local/etc/nginx/conf.d $HOME/.opt/bbp $HOME/.local/run/haproxy
+
+# Create haproxy folder in .local
+mkdir -p -v $HOME/.local/etc/haproxy $HOME/.local/var/log/haproxy $HOME/.local/var/run

 echo "Copying user_makefile to python repos"
 for i in ${nrp_python[@]} ; do cp -f $HBP/user-scripts/config_files/user_makefile $HBP/$i; done
@@ -51,7 +54,12 @@ echo "Copying Nginx config files"
 cp -r /etc/nginx/* $HOME/.local/etc/nginx/
 cp /etc/init.d/nginx $HOME/.local/etc/init.d/nginx

-# as of nginx 2.9 in order to use lua related commands we have to dynamically load 
+echo "Copying Haproxy config files"
+
+cp -r /etc/haproxy/* $HOME/.local/etc/haproxy/
+cp /etc/init.d/haproxy $HOME/.local/etc/init.d/haproxy
+
+# as of nginx 2.9 in order to use lua related commands we have to dynamically load
 # the following two modules, which are found in /usr/lib/nginx/modules
 # since we are running everything in $HOME/.local the libraries have to be copied manually
 # to $HOME/.local/etc/nginx/modules
@@ -60,6 +68,11 @@ cp /usr/lib/nginx/modules/ndk_http_module.so $HOME/.local/etc/nginx/modules
 cp /usr/lib/nginx/modules/ngx_http_lua_module.so $HOME/.local/etc/nginx/modules

 sed -e 's: \/etc\/: '"$HOME"'\/.local\/etc\/:' -i $HOME/.local/etc/init.d/nginx
+sed -e 's:\/var\/run\/:'"$HOME"'\/.local\/var\/run\/:' -i $HOME/.local/etc/init.d/haproxy
+sed -e 's:=\/etc\/:='"$HOME"'\/.local\/etc\/:' -i $HOME/.local/etc/init.d/haproxy
+sed -e 's:chown haproxy:#chown haproxy:' -i $HOME/.local/etc/init.d/haproxy
+sed -e 's:chmod 2775:#chmod 2775:' -i $HOME/.local/etc/init.d/haproxy
+sed -e 's:start-stop-daemon --quiet:start-stop-daemon --quiet --chuid $USER\:$USER:' -i $HOME/.local/etc/init.d/haproxy
 echo 'DAEMON_OPTS="-c $HOME/.local/etc/nginx/nginx.conf -p $HOME/.local/etc/nginx"' >  $HOME/.local/etc/default/nginx

 cp $HBP/user-scripts/config_files/nginx/nginx.conf $HOME/.local/etc/nginx/nginx.conf
@@ -72,6 +85,11 @@ sed -e 's/<username>/'"$USER"'/' -i $HOME/.local/etc/nginx/conf.d/nrp-services.c

 sed -e 's|<HBP>|'"$HBP"'|' -i $HOME/.local/etc/nginx/conf.d/frontend.conf

+echo "Copying Haproxy config file"
+cp $HBP/user-scripts/config_files/haproxy/local_source/haproxy.cfg $HOME/.local/etc/haproxy/
+curl  https://raw.githubusercontent.com/haproxytech/haproxy-lua-cors/master/lib/cors.lua -o $HOME/.local/etc/haproxy/cors.lua
+sed -e 's/<username>/'"$USER"'/' -i $HOME/.local/etc/haproxy/haproxy.cfg
+

 echo "Copying uwsgi config file"
 cp $HBP/user-scripts/config_files/nginx/uwsgi-nrp.ini $HOME/.local/etc/nginx/uwsgi-nrp.ini

--- a/nrp_aliases
+++ b/nrp_aliases
@@ -13,8 +13,10 @@ alias cle-factory='$HOME/.opt/platform_venv/bin/python $HBP/ExDBackend/hbp_nrp_c
 alias cle-factory-debug='$HOME/.opt/platform_venv/bin/python $HBP/ExDBackend/hbp_nrp_cleserver/hbp_nrp_cleserver/server/ROSCLESimulationFactory.py --vsdebug'
 alias cle-rosbridge='rosrun rosbridge_server rosbridge_websocket'
 alias cle-frontend='cd $HBP/ExDFrontend && grunt serve'
-alias cle-nginx='$HOME/.local/etc/init.d/nginx restart'
 alias cle-proxy='cd $HBP/nrpBackendProxy && npm start'
+alias cle-nginx='$HOME/.local/etc/init.d/nginx restart'
+alias cle-haproxy='$HOME/.local/etc/init.d/haproxy restart'
+alias cle-reverse-proxies='cle-nginx && cle-haproxy'
 alias cle-rosvideo='rosrun web_video_server web_video_server _port:=8081'
 alias cle-use-sim-time='rosparam set use_sim_time true'

@@ -149,5 +151,4 @@ kill_hbp_processes()

 alias cle-start='export VIRTUAL_ENV=$NRP_VIRTUAL_ENV;roscore & sleep 1;cle-use-sim-time & sleep 1; cle-rosvideo & sleep 1;cle-factory & sleep 1;cle-backend & sleep 1; cle-proxy & cle-rosbridge'
 alias cle-debug='export VIRTUAL_ENV=$NRP_VIRTUAL_ENV;roscore & sleep 1;cle-use-sim-time & sleep 1; cle-rosvideo & sleep 1;cle-factory-debug & sleep 1;cle-backend-debug & sleep 1; cle-proxy & cle-rosbridge'
-alias cle-kill='kill_hbp_cle'
-alias cle-postgres='pg_ctl -D $HOME/.local/postgres/data/ -l logfile restart'
\ No newline at end of file
+alias cle-kill='kill_hbp_cle'
\ No newline at end of file
--- a/purge
+++ b/purge
@@ -18,13 +18,17 @@ function backup() {


 # Remove already existing config files that will be set-up using the configure_nrp script
-echo "Removing existing config files for nginx, ExDFrontend, ExDBackend, CLE, nrpBackendProxy and the gzserver/gzbridge scripts."
+echo "Removing existing config files for nginx, Haproxy, ExDFrontend, ExDBackend, CLE, nrpBackendProxy and the gzserver/gzbridge scripts."
 printf "\033[1;33mWould you like to NOT backup your local versions? (this also purges your existing backups) (y/N)\033[0m\n"
 read -t 5 p
 if [ "$p" == "y" -o "$p" == "Y" ]; then NOBACKUP=1;fi

 if [ -f $HOME/.local/etc/init.d/nginx ]; then $HOME/.local/etc/init.d/nginx stop; fi
+if [ -f $HOME/.local/etc/init.d/haproxy ]; then $HOME/.local/etc/init.d/haproxy stop; fi
+
 rm -rf $HOME/.local/etc/nginx $HOME/.local/etc/init.d/nginx $HOME/.local/etc/default $HOME/nginx $HOME/.local/var/log/nginx $HOME/.opt/bbp
+rm -rf $HOME/.local/etc/haproxy $HOME/.local/etc/init.d/haproxy $HOME/.local/var/log/haproxy
+
 if [ $NOBACKUP ]; then rm -f "$HBP"/ExDFrontend/app/config.json.bak*; else backup "$HBP"/ExDFrontend/app/config.json; fi
 rm -f "$HBP"/ExDFrontend/app/config.json.local
 if [ $NOBACKUP ]; then rm -f "$HBP"/CLE/hbp_nrp_cle/hbp_nrp_cle/config.ini.bak*; else backup "$HBP"/CLE/hbp_nrp_cle/hbp_nrp_cle/config.ini; fi