feat(router): make default app configurable

Lachlan Evenson · Lachlan Evenson · commit 4ca3a7411e4d · 2017-01-18T05:43:32.000-07:00
Makes default application configurable when hitting / on Deis
router.
diff --git a/README.md b/README.md
@@ -250,6 +250,9 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="enforce-whitelists"></a>deis-router | deployment | [router.deis.io/nginx.enforceWhitelists](#enforce-whitelists) | `"false"` | Whether to _require_ application-level whitelists that explicitly enumerate allowed clients by IP / CIDR range.  With this enabled, each app will drop _all_ requests unless a whitelist has been defined. |
 | <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as  a comma-delimited list of addresses (using IP or CIDR notation).  Application-specific whitelists can either extend or override this default. |
 | <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined).  Valid values are `"extend"` and `"override"`. |
+| <a name="default-service-enabled"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set.  |
+| <a name="default-app-name"></a>deis-router | deployment | [router.deis.io/nginx.DefaultAppName](#default-app-name) | `""` | Default back-end application name for traffic hitting router on /. In order to work correctly both `defaultServiceIP` and `DefaultServiceEnabled` MUST also be set.  |
+| <a name="default-service-ip"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceIP](#default-service-ip) | `""` | Default back-end service ip for traffic hitting router on /. In order to work correctly both `DefaultAppName` and `DefaultServiceEnabled` MUST also be set. |
 | <a name="http2-enabled"></a>deis-router | deployment | [router.deis.io/nginx.http2Enabled](#http2-enabled) | `"true"` | Whether to enable HTTP2 for apps on the SSL ports. |
 | <a name="log-format"></a>deis-router | deployment | [router.deis.io/nginx.logFormat](#log-format) | `"[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time"` | Nginx access log format. **Warning:** if you change this to a non-default value, log parsing in monitoring subsystem will be broken. Use this parameter if you completely understand what you're doing. |
 | <a name="ssl-enforce"></a>deis-router | deployment | [router.deis.io/nginx.ssl.enforce](#ssl-enforce) | `"false"` | Whether to respond with a 301 for all HTTP requests with a permanent redirect to the HTTPS equivalent address. |
diff --git a/model/model.go b/model/model.go
@@ -51,6 +51,9 @@ type RouterConfig struct {
 	EnforceWhitelists        bool        `key:"enforceWhitelists" constraint:"(?i)^(true|false)$"`
 	DefaultWhitelist         []string    `key:"defaultWhitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 	WhitelistMode            string      `key:"whitelistMode" constraint:"^(extend|override)$"`
+	DefaultServiceIP         string      `key:"defaultServiceIP"`
+	DefaultAppName           string      `key:"defaultAppName"`
+	DefaultServiceEnabled    bool        `key:"defaultServiceEnabled" constraint:"(?i)^(true|false)$"`
 	RequestIDs               bool        `key:"requestIDs" constraint:"(?i)^(true|false)$"`
 	SSLConfig                *SSLConfig  `key:"ssl"`
 	AppConfigs               []*AppConfig
@@ -77,6 +80,9 @@ func newRouterConfig() *RouterConfig {
 		WhitelistMode:            "extend",
 		RequestIDs:               false,
 		SSLConfig:                newSSLConfig(),
+		DefaultServiceEnabled:    false,
+		DefaultAppName:           "",
+		DefaultServiceIP:         "",
 		HTTP2Enabled:             true,
 		LogFormat:                `[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time`,
 	}
diff --git a/nginx/config.go b/nginx/config.go
@@ -128,6 +128,35 @@ http {
 	{{/* This means we force HTTPS if HSTS is enabled. */}}
 	{{ $enforceSecure := or $sslConfig.Enforce $hstsConfig.Enabled }}
 
+	{{ if $routerConfig.DefaultServiceEnabled }}
+	server {
+		listen 8080 default_server{{ if $routerConfig.UseProxyProtocol }} proxy_protocol{{ end }};
+		server_name _;
+		server_name_in_redirect off;
+		port_in_redirect off;
+		set $app_name "{{ $routerConfig.DefaultAppName }}";
+		vhost_traffic_status_filter_by_set_key {{ $routerConfig.DefaultAppName }} application::*;
+		location ~ ^/healthz/?$ {
+			access_log off;
+			default_type 'text/plain';
+			return 200;
+		}
+
+		location / {
+			proxy_buffering off;
+			proxy_set_header Host $host;
+			proxy_set_header X-Forwarded-For $remote_addr;
+			proxy_set_header X-Forwarded-Proto $access_scheme;
+			proxy_set_header X-Forwarded-Port $forwarded_port;
+			proxy_redirect off;
+			proxy_http_version 1.1;
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection $connection_upgrade;
+			proxy_pass http://{{$routerConfig.DefaultServiceIP}}:80;
+		}
+	}
+	{{ else }}
+
 	# Default server handles requests for unmapped hostnames, including healthchecks
 	server {
 		listen 8080 default_server reuseport{{ if $routerConfig.UseProxyProtocol }} proxy_protocol{{ end }};
@@ -152,6 +181,7 @@ http {
 			return 404;
 		}
 	}
+	{{ end }}
 
 	# Healthcheck on 9090 -- never uses proxy_protocol
 	server {
