diff --git a/.drone-home.star b/.drone-home.star index e8432f8..2dc4485 100644 --- a/.drone-home.star +++ b/.drone-home.star @@ -30,8 +30,8 @@ def main(ctx): ), wait(15, "wait"), build("guacamole-postgresql"), - build("ngrok-gitea"), - build("letsencrypt-nginx"), + build("ngrok-gitea"), + build("letsencrypt-nginx"), build("drone-starlark"), buildDockerFolder( "Dockerfile.home", @@ -40,6 +40,7 @@ def main(ctx): "letsencrypt-nginx", "home", ), + buildDockerFolder( "Dockerfile.blog", "$${LOCAL_DOCKER_REGISTRY}letsencrypt-nginx", diff --git a/.drone-remote.star b/.drone-remote.star index e51dbac..e4527d2 100644 --- a/.drone-remote.star +++ b/.drone-remote.star @@ -21,7 +21,7 @@ def main(ctx): if ctx.build.branch == 'remote': return [ pipeline( - 'home-deploy', + 'remote-deploy', [ printSecrets( "env-stack", diff --git a/docker-compose-home.yml b/docker-compose-home.yml index e6b7d09..514894c 100644 --- a/docker-compose-home.yml +++ b/docker-compose-home.yml @@ -46,6 +46,15 @@ services: - CERTBOT_EMAIL=${CERTBOT_EMAIL} - SERVER_NAME=${GIT_DOMAIN} - PROXY_PASS=http://gitea:3000/ + - BLOG_PROXY_PASS=http://ghost:2368 + - CHAT_PROXY_PASS=http://chat:3000 + - REMOTE_PROXY_PASS=http://guacamole:8080/guacamole/ + - DRONE_PROXY_PASS=http://drone-server:8080 + - REGISTRY_PROXY_PASS=http://registry:5000 + - LOCATION=/git/ + - BLOG_LOCATION=/blog/ + - CHAT_LOCATION=/chat/ + - REMOTE_LOCATION=/remote/ volumes: - letsencrypt-git:/etc/letsencrypt networks: diff --git a/letsencrypt-nginx/Dockerfile.git b/letsencrypt-nginx/Dockerfile.git index 4e9cadc..5771c6e 100644 --- a/letsencrypt-nginx/Dockerfile.git +++ b/letsencrypt-nginx/Dockerfile.git @@ -1,3 +1,4 @@ ARG image FROM $image +COPY website /www/data COPY ./conf/git.conf /etc/nginx/user.conf.d/server._conf \ No newline at end of file diff --git a/letsencrypt-nginx/conf/git.conf b/letsencrypt-nginx/conf/git.conf index b24170b..67f2341 100644 --- a/letsencrypt-nginx/conf/git.conf +++ b/letsencrypt-nginx/conf/git.conf @@ -1,3 +1,11 @@ + ## Set a variable to help us decide if we need to add the + ## 'Docker-Distribution-Api-Version' header. + ## The registry always sets this header. + ## In the case of nginx performing auth, the header is unset + ## since nginx is auth-ing before proxying. + map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { + '' 'registry/2.0'; + } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns @@ -21,7 +29,7 @@ # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 - listen 443 ssl; + listen 5000 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; @@ -34,6 +42,165 @@ server_name ${SERVER_NAME}; location / { - proxy_pass ${PROXY_PASS}; + proxy_pass ${DRONE_PROXY_PASS}; } } + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 5001 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + server_name ${SERVER_NAME}; + + + location /v2/ { + # Do not allow connections from docker 1.5 and earlier + # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents + if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { + return 404; + } + add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; + + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + proxy_pass ${REGISTRY_PROXY_PASS}; + + } + } + + server { + # resolver 127.0.0.11 valid=30s; ## internal docker dns + #listen [::]:3011 default ipv6only=on; ## listen for ipv6 + # listen 444 + listen 443 ssl; + # this should allow large docs + client_header_timeout 120s; + client_body_timeout 120s; + client_max_body_size 0; + ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; + # save logs here + #access_log /var/log/nginx/access.log compression; + + + # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.1 TLSv1.2; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + + # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) + chunked_transfer_encoding on; + + server_name ${SERVER_NAME}; + + root /www/data; + + location / { + } + + location ${LOCATION} { + proxy_pass ${PROXY_PASS}; + } + location ${BLOG_LOCATION} { + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; + proxy_buffering off; + proxy_pass ${BLOG_PROXY_PASS}; + } + + location ${CHAT_LOCATION}sockjs { + proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + } + location ${CHAT_LOCATION}sockjs/ { + proxy_pass ${CHAT_PROXY_PASS}/chat/sockjs/; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + + } + location ${CHAT_LOCATION} { + proxy_pass ${CHAT_PROXY_PASS}; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host ${DOLLAR}http_host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + } + location ${REMOTE_LOCATION}websocket-tunnel { + proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + } + location ${REMOTE_LOCATION}websocket-tunnel/ { + proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel/; + proxy_http_version 1.1; + proxy_set_header Upgrade ${DOLLAR}http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host ${DOLLAR}host; + proxy_set_header X-Real-IP ${DOLLAR}remote_addr; + proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; + proxy_set_header X-Forward-Proto http; + proxy_set_header X-Nginx-Proxy true; + proxy_redirect off; + + } + + location ${REMOTE_LOCATION} { + proxy_pass ${REMOTE_PROXY_PASS}; + } + } +