diff --git a/Dockerfile b/Dockerfile
index 3963d6495..d5c3d41f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,7 @@ RUN add-apt-repository ppa:nginx/development
 # Install system packages
 RUN apt-get update && apt-get upgrade -y # 22FEB2017
 RUN apt-get install -y \
+    dnsmasq \
     g++ \
     gdb \
     gdebi-core \
diff --git a/conf/init/nginx_conf_create.sh b/conf/init/nginx_conf_create.sh
index 557a03d66..81b564e69 100755
--- a/conf/init/nginx_conf_create.sh
+++ b/conf/init/nginx_conf_create.sh
@@ -6,6 +6,7 @@ import yaml
 import jinja2
+
 def generate_nginx_config():
     """ Generates nginx config from the app config
@@ -41,6 +42,7 @@ def generate_server_config(config):
 if __name__ == "__main__":
-    config = yaml.load(file('conf/stack/config.yaml', 'r'))
-    generate_server_config(config)
-    generate_nginx_config()
+    with open('conf/stack/config.yaml', 'r') as f:
+        config = yaml.load(f)
+        generate_server_config(config)
+        generate_nginx_config()
diff --git a/conf/init/service/dnsmasq/log/run b/conf/init/service/dnsmasq/log/run
new file mode 100755
index 000000000..1dae6385e
--- /dev/null
+++ b/conf/init/service/dnsmasq/log/run
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Ensure dependencies start before the logger
+sv check syslog-ng > /dev/null || exit 1
+
+# Start the logger
+exec logger -i -t dnsmasq
diff --git a/conf/init/service/dnsmasq/run b/conf/init/service/dnsmasq/run
new file mode 100755
index 000000000..faa868091
--- /dev/null
+++ b/conf/init/service/dnsmasq/run
@@ -0,0 +1,7 @@
+#! /bin/bash
+
+echo 'Starting dnsmasq'
+
+/usr/sbin/dnsmasq --no-daemon --user=root --listen-address=127.0.0.1
+
+echo 'dnsmasq'
diff --git a/conf/init/service/nginx/run b/conf/init/service/nginx/run
index 04e2634e7..feb4f872d 100755
--- a/conf/init/service/nginx/run
+++ b/conf/init/service/nginx/run
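Review bot: `config = yaml.load(f)` in the `if __name__` hunk of conf/init/nginx_conf_create.sh still uses the full loader with no `Loader` argument, which on the PyYAML generation this Python 2 script targets resolves `!!python/...` tags and can construct arbitrary Python objects from conf/stack/config.yaml; the commit swaps `file()` for `open()` but keeps that loader. Use `config = yaml.safe_load(f)`, which is sufficient for the plain mappings this config consists of. The two `generate_*` calls have also moved inside the `with` block, so the config file is held open while the nginx config is rendered; they only need `config`, so dedent them back to the `if __name__` level after the `with`. The hunk shows the whole `if __name__` block, so the dedent needs no change outside it.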
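Review bot: In conf/init/service/dnsmasq/run, `--user=root` switches off the privilege drop dnsmasq performs by default after binding its sockets, so the resolver keeps root for its whole lifetime, and `--listen-address=127.0.0.1` without `--bind-interfaces` makes dnsmasq bind the wildcard address and merely filter queries by source, so port 53 is open on every interface of the container rather than loopback only. Drop the user override (the default unprivileged user is enough once the socket is bound) and add `--bind-interfaces`: `exec /usr/sbin/dnsmasq --no-daemon --bind-interfaces --listen-address=127.0.0.1`. With `exec`, runit supervises dnsmasq itself instead of a bash parent, so `sv stop` reaches the daemon directly. The trailing `echo 'dnsmasq'` reads like a truncated exit message; if the non-exec form is kept, mirror the nginx script with `echo 'dnsmasq exited'`.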
@@ -2,9 +2,6 @@ echo 'Starting nginx'
-NAMESERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
-echo "resolver $NAMESERVER valid=10s;" > /conf/nginx/resolver.conf
-
 /usr/sbin/nginx -c /conf/nginx/nginx.conf
 echo 'Nginx exited'
diff --git a/conf/nginx/nginx.conf.jnj b/conf/nginx/nginx.conf.jnj
index 3f5a1aef0..2bc371969 100644
--- a/conf/nginx/nginx.conf.jnj
+++ b/conf/nginx/nginx.conf.jnj
@@ -9,6 +9,8 @@ http {
     include hosted-http-base.conf;
     include rate-limiting.conf;
+    resolver 127.0.0.1 valid=10s;
+
     ssl_certificate ../stack/ssl.cert;
     ssl_certificate_key ../stack/ssl.key;
     ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
@@ -57,6 +59,8 @@ http {
     include http-base.conf;
     include rate-limiting.conf;
+    resolver 127.0.0.1 valid=10s;
+
     server {
         include server-base.conf;
diff --git a/conf/nginx/resolver.conf b/conf/nginx/resolver.conf
new file mode 100644
index 000000000..dfcf6faa0
--- /dev/null
+++ b/conf/nginx/resolver.conf
@@ -0,0 +1 @@
+resolver 127.0.0.1 valid=10s;
diff --git a/conf/nginx/server-base.conf.jnj b/conf/nginx/server-base.conf.jnj
index f67372967..05600d73d 100644
--- a/conf/nginx/server-base.conf.jnj
+++ b/conf/nginx/server-base.conf.jnj
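Review bot: `resolver 127.0.0.1 valid=10s;` is added inline to both `http` blocks of conf/nginx/nginx.conf.jnj (this hunk and `@@ -57,6 +59,8 @@`) while the same commit also ships the identical directive as a static conf/nginx/resolver.conf, the file the removed `nginx/run` lines used to generate for an `include`. nginx treats a second `resolver` in the same context as a duplicate directive and refuses the config, so if that include is still present in either block the server will not start; keep one form only, either the inline lines or `include resolver.conf;`. Both `http` blocks begin and end outside the hunks. A one-line comment next to the directive would help the next reader, e.g. `# resolve upstreams through the local dnsmasq service rather than the host's /etc/resolv.conf`.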
@@ -81,7 +81,8 @@ location /secscan/ {
 {% if signing_enabled %}
 location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
-    proxy_pass {{ tuf_server }};
+    set $upstream_tuf {{ tuf_server }};
+    proxy_pass $upstream_tuf$uri;
 }
 {% endif %}
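Review bot: `proxy_pass $upstream_tuf$uri;` changes what the TUF server receives compared with the old `proxy_pass {{ tuf_server }};`: `$uri` is the normalized, percent-decoded path with the query string stripped, so any `?...` arguments are dropped and escaped characters in the repository name are forwarded decoded, which is a path-handling change the upstream never saw before. Forward the request as the client sent it with `proxy_pass $upstream_tuf$request_uri;`, which preserves the original encoding and query string; since the old directive was accepted in this regex location, `tuf_server` carries no URI part and nothing else needs to change. The variable form still gets the per-request resolution the commit is after.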