nginx.yml

#cloud-config

# $ aws ec2 run-instances --user-data file://nginx.yml --security-groups "ssh-dns" --image-id ami-5189a661 --instance-type t2.medium --region us-west-2
# Must copy private ssl keys manually to /etc/nginx/ssl/*/server.key then restart nginx.
# Choose instance size based on network performance required.

apt_sources:
- source: ppa:nginx/stable

bootcmd:
- cloud-init-per once ssh-users-ca echo "TrustedUserCAKeys /etc/ssh/users_ca.pub" >> /etc/ssh/sshd_config

output:
  all: '| tee -a /var/log/cloud-init-output.log'

package_upgrade: true

packages:
- nginx
- ntp
- unattended-upgrades
- update-notifier-common

power_state:
  mode: reboot

write_files:
- path: /etc/apt/apt.conf.d/20auto-upgrades
  content: |
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";

- path: /etc/apt/apt.conf.d/50unattended-upgrades
  content: |
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id} ${distro_codename}-security";
    };
    Unattended-Upgrade::Automatic-Reboot "true";

- path: /etc/motd
  content: |
    #############################################
    ##         Nginx proxy server              ##
    ##  For demo instances:                    ##
    ##  ssh <name>.instance.clinicalgenome.org ##
    #############################################

- path: /etc/nginx/nginx.conf
  content: |
    user www-data;
    worker_processes  auto;
    worker_rlimit_nofile 8192;
    events {
        worker_connections  2048;
    }
    http {
        resolver 172.31.0.2;  # AWS VPC DNS Server
        resolver_timeout 5s;
        include  mime.types;
        client_max_body_size 500m;
        default_type  application/octet-stream;
        keepalive_timeout  65;
        ssl_session_cache  shared:SSL:10m;
        ssl_session_timeout  10m;

        proxy_buffers 8 16k;
        proxy_send_timeout    5m;
        proxy_read_timeout    5m;
        send_timeout    5m;

        server {
            listen 80;
            location = /robots.txt {
                proxy_set_header  Host  $host;
                proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Proto  $scheme;
                proxy_pass  http://app;
                proxy_http_version  1.1;
                proxy_set_header  Connection  "";
            }
            location / {
                if ($request_method !~ ^(GET)|(HEAD)$) {
                    return 405;
                }
                return  301  https://$host$request_uri;
            }
        }

        server {
            listen 443 ssl spdy;
            server_name ~^(?<servername>[^.]+)\.demo\.clinicalgenome\.org$;
            ssl_certificate         /etc/nginx/ssl/demo.clinicalgenome.org/server.chained.crt;
            ssl_certificate_key     /etc/nginx/ssl/demo.clinicalgenome.org/server.key;
            location / {
                proxy_set_header  Host  $host;
                proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Proto  $scheme;
                proxy_pass  http://$servername.instance.clinicalgenome.org;
                proxy_http_version  1.1;
                proxy_set_header  Connection  "";
            }
            location ~ ^/_proxy/(.*)$ {
                internal;
                proxy_buffering off;
                proxy_pass $1$is_args$args;
            }
        }

    }

- path: /etc/nginx/ssl/demo.clinicalgenome.org/server.chained.crt
  content: |
    -----BEGIN CERTIFICATE-----
    MIIE9TCCA92gAwIBAgISESGDRQa0iryNOboBDUfJaqaSMA0GCSqGSIb3DQEBCwUA
    MEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYD
    VQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE1MDcxNDIzNTAyMFoX
    DTE4MDcxNDIzNTAyMFowRzEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRh
    dGVkMSIwIAYDVQQDDBkqLmRlbW8uY2xpbmljYWxnZW5vbWUub3JnMIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA27Djib6H+mbtjua0tteaCtLsqTi/wFRQ
    hY0YpzvW6nQNvivS+ZL+CpbLwHQKTkMP+vLxigoqZbaHauBQcBXDliWpeksXH6KU
    ZEuj0Xpdzz+8VGq7YYhgEtl8zKq+zBowrnNzBbZTk6C04e/2BZSpV82SY4ZBhN37
    06TqQgGa2Hsv/2AstQLrqQMiXUOq458dmLkYyssQA214X9KAnD1LlTbyNBiDVDBy
    UID9wia8vipMwWbfZ5A1Ayvzbwks3RVMOoh8fnhi7FR9H8jEH5Y3lymrmPUxvR7C
    cSgwjCxkMFtfREbfQSFh32mOykxUO8rWZwuaQZqhQzvQOgH+Bgd4tQIDAQABo4IB
    1DCCAdAwDgYDVR0PAQH/BAQDAgWgMEkGA1UdIARCMEAwPgYGZ4EMAQIBMDQwMgYI
    KwYBBQUHAgEWJmh0dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkv
    MD0GA1UdEQQ2MDSCGSouZGVtby5jbGluaWNhbGdlbm9tZS5vcmeCF2RlbW8uY2xp
    bmljYWxnZW5vbWUub3JnMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9jcmwyLmFscGhhc3Ns
    LmNvbS9ncy9nc2FscGhhc2hhMmcyLmNybDCBiQYIKwYBBQUHAQEEfTB7MEIGCCsG
    AQUFBzAChjZodHRwOi8vc2VjdXJlMi5hbHBoYXNzbC5jb20vY2FjZXJ0L2dzYWxw
    aGFzaGEyZzJyMS5jcnQwNQYIKwYBBQUHMAGGKWh0dHA6Ly9vY3NwMi5nbG9iYWxz
    aWduLmNvbS9nc2FscGhhc2hhMmcyMB0GA1UdDgQWBBQ40h5wroDOf5Cvg4R8dzNi
    EnXrrzAfBgNVHSMEGDAWgBT1zdU8CFD5ak86t5faVoPmadJo9zANBgkqhkiG9w0B
    AQsFAAOCAQEAzgpqz6B4fIvoI6ijndszsr3E/G6gevTmE1Ryz2QTmqI7N+OYkISM
    pscGNfdMiz5XULvsESZvTfW2TkhifODR/BVZS4R53PXi62QCkX9+ogAXAHdb83qj
    zXeXCLxwwc9typJpXkBWV6tLRg4329f5W7eNWEvJicH12OipjCe515TVeK+cZ7lF
    ATQfQ0KOa0nLnwWMKmtpev2nZ56iaiSWYjuXsQyGYmq3gNgruegmEx5MJLHO4xvW
    yc0iTV20Mcc5STkZqxo9iLJafBWLsJug8WXYpTojwurOgcUgJlqVgqddRyEhRcPj
    dXKCZQKH+YwRJETM8v6+ddrZT9ER5n21+A==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
    A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
    b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
    MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
    YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
    kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
    dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
    MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
    cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
    kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
    ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
    AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
    VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
    b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
    Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
    Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
    yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
    XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
    xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
    l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
    odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
    MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZUw==
    -----END CERTIFICATE-----

- path: /etc/ssh/users_ca.pub
  content: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiM5UBd3Rant92xxhCVZFW+U+gUN3aLkICO1gzOGr/Ps173YgzgVPmdKdiI6vBzCZ8BXMG/aeiBHk2LKA+vFjh1/sFRA51nA+hnBzXuIbWYpsTHaGG3BFhnAP8tzDm/7MYRkIeXLwZRwTeFtrMd9MR/HGBVG5HmbM/jtrvTRWZVwFnXRxLQ3Rs5Y9v1QKOrZs4w5tt3iKBiBr+kJKhDHV5O8COowxjcfSqCZmfafVJQNR+8Dg6cvaizqY+ykHpgzc+a7oXJfo1LDDQELl0DGIPDIa340jMDjSSVV0o+RpjbIXTtH4m3TDpKRmZsTQrnHCMNSp5Uk7mMkhKwIwX1SP clincoded-dev@clinicalgenome.org