diff --git a/.gitignore b/.gitignore index 28cffa051..a02b0b3cf 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,5 @@ htmlcov Dockerfile-e build/ .vscode +*.iml +.DS_Store diff --git a/Dockerfile b/Dockerfile index 32540a991..b0bf9558a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -119,7 +119,6 @@ RUN curl -fsSL https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver # Set up the init system RUN mkdir -p /etc/my_init.d /etc/systlog-ng /usr/local/bin /etc/monit static/fonts static/ldn /usr/local/nginx/logs/ \ - && cp $QUAYCONF/init/*.sh /etc/my_init.d/ \ && cp $QUAYCONF/init/syslog-ng.conf /etc/syslog-ng/ \ && cp $QUAYCONF/kill-buildmanager.sh /usr/local/bin/kill-buildmanager.sh \ && cp $QUAYCONF/monitrc /etc/monit/monitrc \ diff --git a/config_app/conf/dhparams.pem b/config_app/conf/dhparams.pem new file mode 100644 index 000000000..130ed84e3 --- /dev/null +++ b/config_app/conf/dhparams.pem @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEAk7fEh4MFr446aU61ZGxCl8VHvcJhDGcdd+3zaNxdWF7Wvr5QE8zX +QswoM5K2szlK7klcJOXer2IToHHQQn00nuWO3m6quZGV6EPbRmRKfRGa8pzSwH+R +Ph0OUpEQPh7zvegeVwEbrblD7i53ookbHlYGtxsPb28Y06OP5/xpks9C815Zy4gy +tx2yHi4FkFo52yErBF9jD/glsZYVHCo42LFrVGa5/7V0g++fG8yXCrBnqmz2d8FF +uU6/KJcmDCUn1m3mDfcf5HgeXSIsukW/XMZ3l9w1fdluJRwdEE9W2ePgqMiG3eC0 +2T1sPfXCdXPQ7/5Gzf1eMtRZ/McipxVbgwIBAg== +-----END DH PARAMETERS----- diff --git a/config_app/conf/gunicorn_web.py b/config_app/conf/gunicorn_web.py index 4c4e1a152..14225fe72 100644 --- a/config_app/conf/gunicorn_web.py +++ b/config_app/conf/gunicorn_web.py @@ -10,7 +10,7 @@ from config_app.config_util.log import logfile_path logconfig = logfile_path(debug=True) -bind = '0.0.0.0:80' +bind = 'unix:/tmp/gunicorn_web.sock' workers = 1 worker_class = 'gevent' pythonpath = '.' diff --git a/config_app/conf/http-base.conf b/config_app/conf/http-base.conf new file mode 100644 index 000000000..b757ad8e9 --- /dev/null +++ b/config_app/conf/http-base.conf 
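Review bot: The new `bind` value in gunicorn_web.py places the application socket at a fixed name in the shared `/tmp` directory with no accompanying `umask` setting, and Gunicorn's `umask` defaults to 0, so the socket is created world-accessible and any local process can reach the app directly, bypassing the TLS listener that nginx.conf in this diff puts in front of it. Inside a single-purpose container the exposure is small, but it is cheap to close: add `umask = 0o117` next to `bind` so only the owner and group can connect, and consider a dedicated runtime directory instead of `/tmp` (the matching `server unix:...` line in http-base.conf would need the same path). The nginx workers run as `root nogroup` per root-base.conf, so tightening the socket mode does not break the upstream connection.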
@@ -0,0 +1,41 @@
+# vim: ft=nginx
+
+set_real_ip_from 0.0.0.0/0;
+real_ip_recursive on;
+log_format lb_logs '$remote_addr ($proxy_protocol_addr) '
+ '- $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '($request_time $request_length $upstream_response_time)';
+
+types_hash_max_size 2048;
+include /etc/nginx/mime.types;
+
+default_type application/octet-stream;
+access_log /dev/stdout;
+sendfile on;
+
+gzip on;
+gzip_http_version 1.0;
+gzip_proxied any;
+gzip_min_length 500;
+gzip_disable "MSIE [1-6]\.";
+gzip_types text/plain text/xml text/css
+ text/javascript application/x-javascript
+ application/javascript image/svg+xml
+ application/octet-stream;
+
+map $proxy_protocol_addr $proper_forwarded_for {
+ "" $proxy_add_x_forwarded_for;
+ default $proxy_protocol_addr;
+}
+
+map $http_x_forwarded_proto $proper_scheme {
+ default $scheme;
+ https https;
+}
+
+upstream web_app_server {
+ server unix:/tmp/gunicorn_web.sock fail_timeout=0;
+}
+
diff --git a/config_app/conf/nginx.conf b/config_app/conf/nginx.conf
new file mode 100644
index 000000000..55a941720
--- /dev/null
+++ b/config_app/conf/nginx.conf
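Review bot: `set_real_ip_from 0.0.0.0/0;` trusts every peer to rewrite `$remote_addr`, and since no `real_ip_header` directive is given nginx falls back to its default `X-Real-IP`, so a client can choose the address that the `lb_logs` format (and anything else keyed on `$remote_addr`) records. The `$proxy_protocol_addr` branch of the `proper_forwarded_for` map also appears never to fire as written, because the only `listen` directive in this diff (`listen 443 ssl http2 default;` in nginx.conf) does not enable `proxy_protocol`, leaving the header as `$proxy_add_x_forwarded_for`, which appends whatever the client sent. Restrict the trusted range to the actual load balancer, e.g. `set_real_ip_from <LB_CIDR_PLACEHOLDER>;`, or if PROXY protocol is the intended source add `real_ip_header proxy_protocol;` and enable `proxy_protocol` on the listen directive. If this file is copied from the main app's config, a comment saying so and naming the deployment that supplies the real-IP source would help the next reader.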
@@ -0,0 +1,26 @@
+# vim: ft=nginx
+
+include root-base.conf;
+
+http {
+ include http-base.conf;
+
+ ssl_certificate /quay-registry/config_app/quay-config.cert;
+ ssl_certificate_key /quay-registry/config_app/quay-config.key;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_session_cache shared:SSL:60m;
+ ssl_session_timeout 2h;
+ ssl_session_tickets on;
+ ssl_prefer_server_ciphers on;
+ ssl_dhparam dhparams.pem;
+
+ server {
+ include server-base.conf;
+
+ listen 443 ssl http2 default;
+
+
+ access_log /dev/stdout lb_logs;
+ }
+}
diff --git a/config_app/conf/root-base.conf b/config_app/conf/root-base.conf
new file mode 100644
index 000000000..31afc6f82
--- /dev/null
+++ b/config_app/conf/root-base.conf
@@ -0,0 +1,17 @@
+# vim: ft=nginx
+
+pid /tmp/nginx.pid;
+error_log /dev/stdout;
+
+worker_processes auto;
+worker_priority -10;
+worker_rlimit_nofile 10240;
+
+user root nogroup;
+
+daemon off;
+
+events {
+ worker_connections 10240;
+ accept_mutex off;
+}
diff --git a/config_app/conf/server-base.conf b/config_app/conf/server-base.conf
new file mode 100644
index 000000000..b1732ed20
--- /dev/null
+++ b/config_app/conf/server-base.conf
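Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` leaves the deprecated TLS 1.0 and 1.1 versions enabled on a listener whose purpose is to carry configuration secrets, and the `ssl_ciphers` list explicitly admits `DES-CBC3-SHA` (3DES) plus the non-forward-secret `AES:CAMELLIA` aliases; the trailing `!DES` excludes single DES only, not 3DES. Since this is a new self-contained listener with no stated legacy-client requirement, `ssl_protocols TLSv1.2;` and removing `:AES:CAMELLIA:DES-CBC3-SHA` from the list (or appending `:!3DES`) would be the safer starting point. A one-line comment above `ssl_ciphers` stating where the list was taken from would make future pruning easier.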
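Review bot: `user root nogroup;` in root-base.conf runs the nginx worker processes as root, although only the master needs privilege to bind port 443 and to read the key file at startup; the workers merely proxy to `/tmp/gunicorn_web.sock`. Dropping them to an unprivileged account, e.g. `user nobody nogroup;`, limits what a fault in request handling can reach; the gunicorn socket mode (controlled by its `umask` setting) must then permit that account to connect. `pid /tmp/nginx.pid;` would likewise be better placed in a private directory such as `/run`, though inside the container this is a minor point.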
@@ -0,0 +1,16 @@
+# vim: ft=nginx
+
+server_name _;
+
+# Proxy Headers
+proxy_set_header X-Forwarded-For $proper_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proper_scheme;
+proxy_set_header Host $host;
+proxy_redirect off;
+
+proxy_set_header Transfer-Encoding $http_transfer_encoding;
+
+location / {
+ proxy_pass http://web_app_server;
+}
+
diff --git a/config_app/init/certs_create.sh b/config_app/init/certs_create.sh
new file mode 100755
index 000000000..ae758453c
--- /dev/null
+++ b/config_app/init/certs_create.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+set -e
+QUAYPATH=${QUAYPATH:-"."}
+QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf"}
+cd ${QUAYDIR:-"/"}
+
+echo 'Creating self-signed certs for quay-config app'
+
+# Create certs to secure connections while uploading config for secrets
+echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare quay-config
+cp quay-config-key.pem $QUAYDIR/config_app/quay-config.key
+cp quay-config.pem $QUAYDIR/config_app/quay-config.cert
diff --git a/config_app/init/service/nginx/run b/config_app/init/service/nginx/run
new file mode 100755
index 000000000..7c4c96026
--- /dev/null
+++ b/config_app/init/service/nginx/run
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+echo 'Starting nginx'
+
+QUAYPATH=${QUAYPATH:-"."}
+cd ${QUAYDIR:-"/"}
+PYTHONPATH=$QUAYPATH
+QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf"}
+
+/usr/sbin/nginx -c $QUAYDIR/config_app/conf/nginx.conf
+
+echo 'Nginx exited'
diff --git a/quay-entrypoint.sh b/quay-entrypoint.sh
index 7401e511d..8207acd47 100755
--- a/quay-entrypoint.sh
+++ b/quay-entrypoint.sh
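Review bot: `proxy_set_header Transfer-Encoding $http_transfer_encoding;` forwards a hop-by-hop framing header from the client verbatim, while nginx itself decides how the upstream request is framed (by default it buffers the body and sends `Content-Length` over HTTP/1.0 to `web_app_server`). The upstream can therefore see both `Content-Length` and a client-chosen `Transfer-Encoding` on one request, which is exactly the kind of framing disagreement that request-desynchronisation bugs arise from. Unless a concrete upstream need is documented, delete the line; if streaming chunked bodies is the goal, use `proxy_http_version 1.1;` with `proxy_request_buffering off;` and let nginx emit the header itself.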
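Review bot: In certs_create.sh the private key is written into the working directory (`/` by default) under the shell's default umask and then only copied, so `quay-config-key.pem` remains behind at `$QUAYDIR` with default permissions alongside the copy in `config_app/`. Set `umask 077` before the `cfssl` pipeline, replace the two `cp` lines with `mv`, and since `set -e` does not catch a failing first stage of a pipeline, use `set -eo pipefail`. `cfssljson -bare` also leaves `quay-config.csr` behind, and `QUAYPATH`/`QUAYCONF` are assigned but never used in this script.
```shell
set -eo pipefail
# … unchanged: QUAYPATH/QUAYCONF defaults, cd, echo …
umask 077   # key material must not be group- or world-readable
echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare quay-config
mv quay-config-key.pem "$QUAYDIR/config_app/quay-config.key"
mv quay-config.pem "$QUAYDIR/config_app/quay-config.cert"
rm -f quay-config.csr
```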
@@ -43,20 +43,24 @@ case "$MODE" in
 "config")
 echo "Entering config mode, only copying config-app entrypoints"
 cp -r ${QUAYDIR}/config_app/init/service/* /etc/service
+ cp $QUAYDIR/config_app/init/*.sh /etc/my_init.d/
 exec /sbin/my_init
 ;;
 "interactive")
 echo "Copying $MODE files"
+ cp $QUAYCONF/init/*.sh /etc/my_init.d/
 cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
 exec /sbin/my_init
 ;;
 "batch")
 echo "Copying $MODE files"
+ cp $QUAYCONF/init/*.sh /etc/my_init.d/
 cp -r ${QUAYCONF}/init/service/batch/* /etc/service
 exec /sbin/my_init
 ;;
 "")
 echo "Copying all files"
+ cp $QUAYCONF/init/*.sh /etc/my_init.d/
 cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
 cp -r ${QUAYCONF}/init/service/batch/* /etc/service
 exec /sbin/my_init
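Review bot: The added `cp $QUAYCONF/init/*.sh /etc/my_init.d/` line is repeated verbatim in the interactive, batch and default branches, and the config branch writes `$QUAYDIR` without the braces the surrounding `${QUAYDIR}` lines use. The three identical copies could be a single statement before the `case`, with only the config branch choosing a different source, and the paths quoted, e.g. `cp "${QUAYCONF}"/init/*.sh /etc/my_init.d/`. If the glob matches nothing, `cp` fails on a literal `*.sh`, so the script should either rely on `set -e` (not visible in this hunk) or guard the copy. The `case` statement begins before this hunk and its `esac` lies outside it.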