diff --git a/.drone.do.yml b/.drone.do.yml index 851f696..a80acdd 100644 --- a/.drone.do.yml +++ b/.drone.do.yml @@ -35,7 +35,7 @@ steps: - cd letsencrypt-nginx - docker build . -t $${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx - docker push $${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx -- name: build-letsencrypt-git +- name: build-letsencrypt-do when: branch: - do @@ -48,7 +48,7 @@ steps: from_secret: local-docker-registry commands: - cd letsencrypt-nginx - - sh build.sh git $${LOCAL_DOCKER_REGISTRY} + - sh build.sh do $${LOCAL_DOCKER_REGISTRY} - name: scp files when: branch: diff --git a/docker-compose-do.yml b/docker-compose-do.yml index 80764ab..31fcb28 100644 --- a/docker-compose-do.yml +++ b/docker-compose-do.yml @@ -1,13 +1,13 @@ version: "3.7" services: - letsencrypt-git: + letsencrypt-do: deploy: placement: constraints: [node.labels.com.sigyl.git-stack == yes] replicas: 1 restart_policy: condition: any - image: ${LOCAL_DOCKER_REPOSITORY}letsencrypt-git + image: ${LOCAL_DOCKER_REPOSITORY}letsencrypt-do environment: - CERTBOT_EMAIL=${CERTBOT_EMAIL} - SERVER_NAME=${GIT_DOMAIN} diff --git a/letsencrypt-nginx/Dockerfile.do b/letsencrypt-nginx/Dockerfile.do new file mode 100644 index 0000000..4e9cadc --- /dev/null +++ b/letsencrypt-nginx/Dockerfile.do @@ -0,0 +1,3 @@ +ARG image +FROM $image +COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf \ No newline at end of file diff --git a/letsencrypt-nginx/conf/do.conf b/letsencrypt-nginx/conf/do.conf new file mode 100644 index 0000000..534f00b --- /dev/null +++ b/letsencrypt-nginx/conf/do.conf @@ -0,0 +1,172 @@ + ## Set a variable to help us decide if we need to add the + ## 'Docker-Distribution-Api-Version' header. + ## The registry always sets this header. + ## In the case of nginx performing auth, the header is unset + ## since nginx is auth-ing before proxying. + map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { + '' 'registry/2.0'; + } + + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + listen 80; + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 200m; + + # save logs here + + server_name ${SERVER_NAME}; + + + location / { + return 301 https://${DOLLAR}host${DOLLAR}request_uri; + } + } + + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 5000 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 200m; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + + server_name ${SERVER_NAME}; + + location / { + proxy_pass ${DRONE_PROXY_PASS}; + } + } + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 5001 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + server_name ${SERVER_NAME}; + + + location /v2/ { + # Do not allow connections from docker 1.5 and earlier + # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents + if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { + return 404; + } + add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; + + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + proxy_pass ${REGISTRY_PROXY_PASS}; + + } + } + + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 443 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + server_name ${SERVER_NAME}; + + location ${LOCATION} { + proxy_pass ${PROXY_PASS}; + } + location ${BLOG_LOCATION} { + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + proxy_pass ${BLOG_PROXY_PASS}; + } + + location ${CHAT_LOCATION}sockjs { + proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + } + location ${CHAT_LOCATION}sockjs/ { + proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + + } + location ${CHAT_LOCATION} { + proxy_pass ${CHAT_PROXY_PASS}; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + } + } + diff --git a/letsencrypt-nginx/conf/git.conf b/letsencrypt-nginx/conf/git.conf index 534f00b..b24170b 100644 --- a/letsencrypt-nginx/conf/git.conf +++ b/letsencrypt-nginx/conf/git.conf @@ -1,11 +1,3 @@ - ## Set a variable to help us decide if we need to add the - ## 'Docker-Distribution-Api-Version' header. - ## The registry always sets this header. - ## In the case of nginx performing auth, the header is unset - ## since nginx is auth-ing before proxying. - map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { - '' 'registry/2.0'; - } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns @@ -29,7 +21,7 @@ # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 - listen 5000 ssl; + listen 443 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; @@ -42,131 +34,6 @@ server_name ${SERVER_NAME}; location / { - proxy_pass ${DRONE_PROXY_PASS}; - } - } - server { - # resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - # listen 444 - listen 5001 ssl; - # this should allow large docs - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 0; - ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - # save logs here - #access_log /var/log/nginx/access.log compression; - - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - server_name ${SERVER_NAME}; - - - location /v2/ { - # Do not allow connections from docker 1.5 and earlier - # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents - if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { - return 404; - } - add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; - - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; - proxy_buffering off; - proxy_pass ${REGISTRY_PROXY_PASS}; - - } - } - - server { - # resolver 127.0.0.11 valid=30s; ## internal docker dns - #listen [::]:3011 default ipv6only=on; ## listen for ipv6 - # listen 444 - listen 443 ssl; - # this should allow large docs - client_header_timeout 120s; - client_body_timeout 120s; - client_max_body_size 0; - ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; - # save logs here - #access_log /var/log/nginx/access.log compression; - - - # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html - ssl_protocols TLSv1.1 TLSv1.2; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:10m; - - # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) - chunked_transfer_encoding on; - - server_name ${SERVER_NAME}; - - location ${LOCATION} { proxy_pass ${PROXY_PASS}; } - location ${BLOG_LOCATION} { - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; - proxy_buffering off; - proxy_pass ${BLOG_PROXY_PASS}; - } - - location ${CHAT_LOCATION}sockjs { - proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - } - location ${CHAT_LOCATION}sockjs/ { - proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host ${DOLLAR}host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - - } - location ${CHAT_LOCATION} { - proxy_pass ${CHAT_PROXY_PASS}; - proxy_http_version 1.1; - proxy_set_header Upgrade ${DOLLAR}http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host ${DOLLAR}http_host; - proxy_set_header X-Real-IP ${DOLLAR}remote_addr; - proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; - proxy_set_header X-Forward-Proto http; - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - - } } -