From 9969e56150488bb10e0797de77ecb49d5fb0a149 Mon Sep 17 00:00:00 2001
From: Giles Bradshaw
Date: Sun, 3 May 2020 18:16:25 +0100
Subject: [PATCH] .

---
 docker-compose.yml | 4 +-
 letsencrypt-nginx/Dockerfile | 1 +
 letsencrypt-nginx/conf/git.conf | 360 +++++++++++++-------------------
 letsencrypt-nginx/nginx.conf | 4 +-
 4 files changed, 155 insertions(+), 214 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index e19ec27..e24fa45 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,10 +15,10 @@ services:
 - SERVER_NAME=${GIT_DOMAIN}
 - PROXY_PASS=http://gitea:3000/
 - BLOG_PROXY_PASS=http://ghost:2368/
- - CHAT_PROXY_PASS=http://chat:3000
+ - CHAT_PROXY_PASS=http://chat:3000/
 - REMOTE_PROXY_PASS=http://guacamole:8080/guacamole/
 - DRONE_PROXY_PASS=http://drone-server:8080/
- - REGISTRY_PROXY_PASS=http://registry-1:5000
+ - REGISTRY_PROXY_PASS=http://registry-1:5000/
 - PORTAINER_PROXY_PASS=http://portainer:9000/
 - PORTAINER_LOCATION=/portainer/
 - GIT_LOCATION=/git/
diff --git a/letsencrypt-nginx/Dockerfile b/letsencrypt-nginx/Dockerfile
index ab969c5..c37d985 100644
--- a/letsencrypt-nginx/Dockerfile
+++ b/letsencrypt-nginx/Dockerfile
@@ -1,3 +1,4 @@
 FROM staticfloat/nginx-certbot
+COPY nginx.conf /etc/nginx/nginx.conf
 COPY run.sh /
 CMD sh /run.sh
\ No newline at end of file
diff --git a/letsencrypt-nginx/conf/git.conf b/letsencrypt-nginx/conf/git.conf
index fbf1769..4fadcb9 100644
--- a/letsencrypt-nginx/conf/git.conf
+++ b/letsencrypt-nginx/conf/git.conf
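Review bot: The trailing slash added to REGISTRY_PROXY_PASS changes how the registry location proxies: git.conf uses it as `proxy_pass ${REGISTRY_PROXY_PASS};` inside `location /v2/`, and once the value carries a URI part (`http://registry-1:5000/`) nginx replaces the matched `/v2/` prefix with `/`, so a request for `/v2/<name>/manifests/<ref>` reaches the registry as `/<name>/manifests/<ref>` and Distribution API calls stop working. Keep the slash convention but preserve the prefix on the git.conf side with `proxy_pass ${REGISTRY_PROXY_PASS}v2/;`, or leave this one variable without the slash as it was. The CHAT_PROXY_PASS slash is consistent with the new `${CHAT_PROXY_PASS}chat/sockjs${DOLLAR}1` concatenation in git.conf and needs no change.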
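Review bot: `COPY nginx.conf /etc/nginx/nginx.conf` replaces the base image's main config wholesale, and nothing in the diff shows that the replacement keeps whatever staticfloat/nginx-certbot relies on there (its conf.d include and any ACME challenge location); if those live in the base config, the copied file has to carry them or certificate issuance and the per-site confs stop loading. A comment above the COPY, e.g. `# overrides the base image nginx.conf; re-check its include/ACME settings when the base image is upgraded`, would make that dependency visible to the next maintainer.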
@@ -1,220 +1,158 @@ - ## Set a variable to help us decide if we need to add the - ## 'Docker-Distribution-Api-Version' header. - ## The registry always sets this header. - ## In the case of nginx performing auth, the header is unset - ## since nginx is auth-ing before proxying. - map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { - '' 'registry/2.0'; - } +## Set a variable to help us decide if we need to add the +## 'Docker-Distribution-Api-Version' header. +## The registry always sets this header. +## In the case of nginx performing auth, the header is unset +## since nginx is auth-ing before proxying. +map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { + '' 'registry/2.0'; +} - server { - resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - listen 80; - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 200m; +server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + listen 80; + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 200m; + # save logs here + server_name ${SERVER_NAME}; + location / { + return 301 https://${DOLLAR}host${DOLLAR}request_uri; + } +} - # save logs here +server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 5000 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 200m; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + server_name ${SERVER_NAME}; - server_name ${SERVER_NAME}; - - - location / { - return 301 
https://${DOLLAR}host${DOLLAR}request_uri; - } + location / { + proxy_pass ${DRONE_PROXY_PASS}; + } +} +server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 5001 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + server_name ${SERVER_NAME}; + location /v2/ { + # Do not allow connections from docker 1.5 and earlier + # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents + if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { + return 404; } + add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + proxy_pass ${REGISTRY_PROXY_PASS}; + } +} - server { - resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - # listen 444 - listen 5000 ssl; - # this should allow large docs - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 200m; - ssl_certificate 
/etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - # save logs here - #access_log /var/log/nginx/access.log compression; +server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 443 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; - server_name ${SERVER_NAME}; + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; - location / { - proxy_pass ${DRONE_PROXY_PASS}; - } - } - server { - resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - # listen 444 - listen 5001 ssl; - # this should allow large docs - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 0; - ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - # save logs here - #access_log /var/log/nginx/access.log compression; + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + server_name ${SERVER_NAME}; - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # required to avoid HTTP 411: see Issue #1486 
(https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - server_name ${SERVER_NAME}; - - - location /v2/ { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; - - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; - proxy_buffering off; - proxy_pass ${REGISTRY_PROXY_PASS}; - - } - } - - server { - resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - # listen 444 - listen 443 ssl; - # this should allow large docs - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 0; - ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - # save logs here - #access_log /var/log/nginx/access.log compression; - - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - server_name ${SERVER_NAME}; - - # root /www/data; - - location ${GIT_LOCATION} { - set ${DOLLAR}upstream ${PROXY_PASS}; - proxy_pass ${DOLLAR}upstream; - } - location ${BLOG_LOCATION} { - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; 
- proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; - proxy_buffering off; - set ${DOLLAR}upstream ${BLOG_PROXY_PASS}; - proxy_pass ${DOLLAR}upstream; - } - location ${PORTAINER_LOCATION} { - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; - proxy_buffering off; - set ${DOLLAR}upstream ${PORTAINER_PROXY_PASS}; - proxy_pass ${DOLLAR}upstream; - } - - location ${CHAT_LOCATION}sockjs { - set ${DOLLAR}upstream ${CHAT_PROXY_PASS}/chat/sockjs; - proxy_pass ${DOLLAR}upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - } - location ${CHAT_LOCATION}sockjs/ { - set ${DOLLAR}upstream ${CHAT_PROXY_PASS}/chat/sockjs; - proxy_pass ${DOLLAR}upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - - } - location ${CHAT_LOCATION} { - set ${DOLLAR}upstream ${CHAT_PROXY_PASS}; - proxy_pass ${DOLLAR}upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header 
X-Nginx-Proxy true; - proxy_redirect off; - } - location ${REMOTE_LOCATION}websocket-tunnel { - set ${DOLLAR}upstream ${REMOTE_PROXY_PASS}websocket-tunnel; - proxy_pass ${DOLLAR}upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - } - location ${REMOTE_LOCATION}websocket-tunnel/ { - set ${DOLLAR}upstream ${REMOTE_PROXY_PASS}websocket-tunnel/; - proxy_pass ${DOLLAR}upstream; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - } - - location ${REMOTE_LOCATION} { - set ${DOLLAR}upstream ${REMOTE_PROXY_PASS}; - proxy_pass ${DOLLAR}upstream; - } - } - + location ~ ${GIT_LOCATION}(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + set ${DOLLAR}upstream ${PROXY_PASS}${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + } + location ~ ${CHAT_LOCATION}sockjs(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + set ${DOLLAR}upstream ${CHAT_PROXY_PASS}chat/sockjs${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + 
proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + } + location ~ ${CHAT_LOCATION}(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + set ${DOLLAR}upstream ${CHAT_PROXY_PASS}chat/${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + } + location ~ ${REMOTE_LOCATION}websocket-tunnel(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + set ${DOLLAR}upstream ${REMOTE_PROXY_PASS}websocket-tunnel${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + } + location ~ ${REMOTE_LOCATION}(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + set ${DOLLAR}upstream ${REMOTE_PROXY_PASS}${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + } + location ~ ${BLOG_LOCATION}(.*) { + resolver 127.0.0.11 ipv6=off valid=30s; ## internal docker dns + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + set ${DOLLAR}upstream ${BLOG_PROXY_PASS}${DOLLAR}1${DOLLAR}is_args${DOLLAR}args; + proxy_pass ${DOLLAR}upstream; + } +} diff --git a/letsencrypt-nginx/nginx.conf b/letsencrypt-nginx/nginx.conf index 4e751bf..066395d 100644 --- a/letsencrypt-nginx/nginx.conf +++ b/letsencrypt-nginx/nginx.conf @@ -1,3 +1,4 @@ + user nginx; worker_processes 1; 
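Review bot: The new regex locations are unanchored: `location ~ ${GIT_LOCATION}(.*)` renders as `location ~ /git/(.*)` and matches the prefix anywhere in the URI, so a request such as `/blog/git/x` is routed to the git upstream (regex locations are tried in file order) instead of the blog, and the same applies to the chat, remote and blog locations that follow. Anchor each pattern at the start of the URI, `location ~ ^${GIT_LOCATION}(.*) {`, and likewise for the other five. Two carried-over lines on the new side are also worth fixing while the file is being rewritten: `proxy_set_header X-Forward-Proto http;` is both misspelled (upstreams look for X-Forwarded-Proto) and wrong for a TLS listener, and should read `proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;`; and `ssl_protocols TLSv1.1 TLSv1.2;` still enables TLS 1.1, which is deprecated and can be dropped from both ssl servers.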
@@ -16,7 +17,8 @@ http {
 
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
+ '"$http_user_agent" "$http_x_forwarded_for"'
+ '"$proxy_host" "$upstream_addr"';
 
 access_log /var/log/nginx/access.log main;
 
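Review bot: The two added format strings are concatenated by nginx with no separator, so the log line runs `"$http_x_forwarded_for""$proxy_host"` together with no space between the fields, which breaks any parser that splits the main format on spaces. Give the new string a leading space: `' "$proxy_host" "$upstream_addr"';`. If the access log is consumed by a log shipper, its pattern for the main format needs the two extra quoted fields appended as well.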