.

2020-04-28 12:06:44 +01:00 · 2020-04-28 12:06:44 +01:00 · b89f93187a
parent ad2321d1b0
commit b89f93187a
5 changed files with 183 additions and 5 deletions
--- a/.drone-home.star
+++ b/.drone-home.star
@ -30,8 +30,8 @@ def main(ctx):
          ),
          wait(15, "wait"),
          build("guacamole-postgresql"),
-           build("ngrok-gitea"),
-           build("letsencrypt-nginx"),
+          build("ngrok-gitea"),
+          build("letsencrypt-nginx"),
          build("drone-starlark"),
          buildDockerFolder(
            "Dockerfile.home",
@ -40,6 +40,7 @@ def main(ctx):
            "letsencrypt-nginx",
            "home",
          ),
+          
          buildDockerFolder(
            "Dockerfile.blog",
            "$${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx",
--- a/.drone-remote.star
+++ b/.drone-remote.star
@ -21,7 +21,7 @@ def main(ctx):
  if ctx.build.branch == 'remote':
    return [
      pipeline(
-        'home-deploy',
+        'remote-deploy',
        [
          printSecrets(
            "env-stack",
--- a/docker-compose-home.yml
+++ b/docker-compose-home.yml
@ -46,6 +46,15 @@ services:
      - CERTBOT_EMAIL=${CERTBOT_EMAIL}
      - SERVER_NAME=${GIT_DOMAIN}
      - PROXY_PASS=http://gitea:3000/
+      - BLOG_PROXY_PASS=http://ghost:2368
+      - CHAT_PROXY_PASS=http://chat:3000
+      - REMOTE_PROXY_PASS=http://guacamole:8080/guacamole/
+      - DRONE_PROXY_PASS=http://drone-server:8080
+      - REGISTRY_PROXY_PASS=http://registry:5000
+      - LOCATION=/git/
+      - BLOG_LOCATION=/blog/
+      - CHAT_LOCATION=/chat/
+      - REMOTE_LOCATION=/remote/
    volumes:
      - letsencrypt-git:/etc/letsencrypt
    networks:
--- a/letsencrypt-nginx/Dockerfile.git
+++ b/letsencrypt-nginx/Dockerfile.git
@ -1,3 +1,4 @@
 ARG image
 FROM $image
+COPY website /www/data
 COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf
--- a/letsencrypt-nginx/conf/git.conf
+++ b/letsencrypt-nginx/conf/git.conf
@ -1,3 +1,11 @@
+        ## Set a variable to help us decide if we need to add the
+        ## 'Docker-Distribution-Api-Version' header.
+        ## The registry always sets this header.
+        ## In the case of nginx performing auth, the header is unset
+        ## since nginx is auth-ing before proxying.
+        map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version {
+             '' 'registry/2.0';
+        }

    server {
        # resolver 127.0.0.11 valid=30s; ## internal docker dns
@ -21,7 +29,7 @@
        # resolver 127.0.0.11 valid=30s; ## internal docker dns
        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
        # listen 444
-        listen 443 ssl;
+        listen 5000 ssl;
                # this should allow large docs
        client_header_timeout 120s;
                client_body_timeout 120s;
@ -34,6 +42,165 @@
        server_name ${SERVER_NAME};

        location / {
-           proxy_pass ${PROXY_PASS};
+           proxy_pass ${DRONE_PROXY_PASS};
        }
    }
+    server {
+        # resolver 127.0.0.11 valid=30s; ## internal docker dns
+        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
+        # listen 444
+        listen 5001 ssl;
+                # this should allow large docs
+        client_header_timeout 120s;
+                client_body_timeout 120s;
+                client_max_body_size 0;
+        ssl_certificate     /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+        # save logs here
+        #access_log /var/log/nginx/access.log compression;
+
+
+        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding on;
+
+        server_name ${SERVER_NAME};
+
+
+        location /v2/ {
+            # Do not allow connections from docker 1.5 and earlier
+                # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+                if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+                     return 404;
+                }
+                add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always;
+
+                proxy_set_header Host ${DOLLAR}http_host;
+                proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+                proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+                proxy_buffering off;
+                proxy_pass ${REGISTRY_PROXY_PASS};
+
+        }
+    }
+
+    server {
+        # resolver 127.0.0.11 valid=30s; ## internal docker dns
+        #listen   [::]:3011 default ipv6only=on; ## listen for ipv6
+        # listen 444
+        listen 443 ssl;
+                # this should allow large docs
+        client_header_timeout 120s;
+                client_body_timeout 120s;
+                client_max_body_size 0;
+        ssl_certificate     /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem;
+        # save logs here
+        #access_log /var/log/nginx/access.log compression;
+
+
+        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_prefer_server_ciphers on;
+        ssl_session_cache shared:SSL:10m;
+
+        # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+        chunked_transfer_encoding on;
+
+        server_name ${SERVER_NAME};
+
+        root /www/data;
+
+        location / {
+        }
+        
+        location ${LOCATION} {
+           proxy_pass ${PROXY_PASS};
+        }
+        location ${BLOG_LOCATION} {
+                proxy_set_header Host ${DOLLAR}http_host;
+                proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+                proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+                proxy_buffering off;
+                proxy_pass ${BLOG_PROXY_PASS};
+        }
+
+        location ${CHAT_LOCATION}sockjs {
+          proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Nginx-Proxy true;
+        proxy_redirect off;
+
+        }
+        location ${CHAT_LOCATION}sockjs/ {
+          proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forward-Proto http;
+        proxy_set_header X-Nginx-Proxy true;
+        proxy_redirect off;
+        
+
+        }
+        location ${CHAT_LOCATION} {
+           proxy_pass ${CHAT_PROXY_PASS};
+           proxy_http_version 1.1;
+           proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+           proxy_set_header Connection "upgrade";
+           proxy_set_header Host ${DOLLAR}http_host;
+           proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+        }
+        location ${REMOTE_LOCATION}websocket-tunnel {
+          proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+
+        }
+                location ${REMOTE_LOCATION}websocket-tunnel/ {
+          proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel/;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+          proxy_set_header Connection "Upgrade";
+          proxy_set_header Host ${DOLLAR}host;
+          proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+           proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+           proxy_set_header X-Forward-Proto http;
+           proxy_set_header X-Nginx-Proxy true;
+           proxy_redirect off;
+
+        }
+
+        location ${REMOTE_LOCATION} {
+           proxy_pass ${REMOTE_PROXY_PASS};
+        }
+    }
+