Sets up nginx on image for config app with ssl
Move copying entry scripts to quay-entrypoint
This commit is contained in:
parent
2b19e1d93f
commit
69c155ef4f
11 changed files with 139 additions and 2 deletions
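--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,5 @@ htmlcov
 Dockerfile-e
 build/
 .vscode
+*.iml
+.DS_Store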
|
@ -119,7 +119,6 @@ RUN curl -fsSL https://ip-ranges.amazonaws.com/ip-ranges.json -o util/ipresolver
|
||||||
|
|
||||||
# Set up the init system
|
# Set up the init system
|
||||||
RUN mkdir -p /etc/my_init.d /etc/systlog-ng /usr/local/bin /etc/monit static/fonts static/ldn /usr/local/nginx/logs/ \
|
RUN mkdir -p /etc/my_init.d /etc/systlog-ng /usr/local/bin /etc/monit static/fonts static/ldn /usr/local/nginx/logs/ \
|
||||||
&& cp $QUAYCONF/init/*.sh /etc/my_init.d/ \
|
|
||||||
&& cp $QUAYCONF/init/syslog-ng.conf /etc/syslog-ng/ \
|
&& cp $QUAYCONF/init/syslog-ng.conf /etc/syslog-ng/ \
|
||||||
&& cp $QUAYCONF/kill-buildmanager.sh /usr/local/bin/kill-buildmanager.sh \
|
&& cp $QUAYCONF/kill-buildmanager.sh /usr/local/bin/kill-buildmanager.sh \
|
||||||
&& cp $QUAYCONF/monitrc /etc/monit/monitrc \
|
&& cp $QUAYCONF/monitrc /etc/monit/monitrc \
|
||||||
|
|
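Review bot: With the build-time copy of `$QUAYCONF/init/*.sh` removed, the image ships an empty /etc/my_init.d and depends entirely on the entrypoint populating it per MODE at container start; that dependency deserves a comment on the `RUN mkdir` line, e.g. `# /etc/my_init.d is populated by the entrypoint at start (see MODE handling)`, so nobody re-adds the copy or wonders why the directory is empty in the image. Visible in the same RUN line but not introduced here: `mkdir -p` creates `/etc/systlog-ng` while the next `cp` writes into `/etc/syslog-ng/`, so that copy only works if the package install already created `/etc/syslog-ng` — looks like a typo worth fixing while this line is being touched.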
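--- a/config_app/conf/dhparams.pem
+++ b/config_app/conf/dhparams.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAk7fEh4MFr446aU61ZGxCl8VHvcJhDGcdd+3zaNxdWF7Wvr5QE8zX
+QswoM5K2szlK7klcJOXer2IToHHQQn00nuWO3m6quZGV6EPbRmRKfRGa8pzSwH+R
+Ph0OUpEQPh7zvegeVwEbrblD7i53ookbHlYGtxsPb28Y06OP5/xpks9C815Zy4gy
+tx2yHi4FkFo52yErBF9jD/glsZYVHCo42LFrVGa5/7V0g++fG8yXCrBnqmz2d8FF
+uU6/KJcmDCUn1m3mDfcf5HgeXSIsukW/XMZ3l9w1fdluJRwdEE9W2ePgqMiG3eC0
+2T1sPfXCdXPQ7/5Gzf1eMtRZ/McipxVbgwIBAg==
+-----END DH PARAMETERS-----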
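Review bot: This commits a fixed DH group that every deployment of the config app will share, and nothing in the tree records its size or how it was generated (the `MIIBCAKCAQEA` prefix suggests a 2048-bit prime, which is adequate, but a published, shared group concentrates the value of any future precomputation against it). Either generate the group where the certificate is generated (`openssl dhparam -out "$QUAYDIR/config_app/conf/dhparams.pem" 2048` in certs_create.sh, accepting the startup cost) or, since nginx.conf already prefers the ECDHE suites, drop the DHE/kEDH entries from `ssl_ciphers` and remove `ssl_dhparam` together with this file. At minimum, add a line to the config_app README stating the size and generation command for this file.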
|
@ -10,7 +10,7 @@ from config_app.config_util.log import logfile_path
|
||||||
|
|
||||||
logconfig = logfile_path(debug=True)
|
logconfig = logfile_path(debug=True)
|
||||||
|
|
||||||
bind = '0.0.0.0:80'
|
bind = 'unix:/tmp/gunicorn_web.sock'
|
||||||
workers = 1
|
workers = 1
|
||||||
worker_class = 'gevent'
|
worker_class = 'gevent'
|
||||||
pythonpath = '.'
|
pythonpath = '.'
|
||||||
|
|
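Review bot: Binding to `unix:/tmp/gunicorn_web.sock` places the listener in world-writable /tmp and, unless this file sets `umask` elsewhere (outside the hunk), gunicorn creates the socket under its default umask of 0, so any local process in the container can connect to the config app directly and bypass the TLS termination nginx now provides. Since the whole point of the nginx layer is to protect secret uploads, consider `umask = 0o117` here (socket becomes 0660 for gunicorn's user/group, which then needs to be shared with the user nginx's workers run as) and a dedicated socket directory instead of /tmp. The context line `logconfig = logfile_path(debug=True)` is pre-existing but worth a second look for the production config app.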
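--- a/config_app/conf/http-base.conf
+++ b/config_app/conf/http-base.conf
@@ -0,0 +1,41 @@
+# vim: ft=nginx
+
+set_real_ip_from 0.0.0.0/0;
+real_ip_recursive on;
+log_format lb_logs '$remote_addr ($proxy_protocol_addr) '
+'- $remote_user [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent" '
+'($request_time $request_length $upstream_response_time)';
+
+types_hash_max_size 2048;
+include /etc/nginx/mime.types;
+
+default_type application/octet-stream;
+access_log /dev/stdout;
+sendfile on;
+
+gzip on;
+gzip_http_version 1.0;
+gzip_proxied any;
+gzip_min_length 500;
+gzip_disable "MSIE [1-6]\.";
+gzip_types text/plain text/xml text/css
+text/javascript application/x-javascript
+application/javascript image/svg+xml
+application/octet-stream;
+
+map $proxy_protocol_addr $proper_forwarded_for {
+"" $proxy_add_x_forwarded_for;
+default $proxy_protocol_addr;
+}
+
+map $http_x_forwarded_proto $proper_scheme {
+default $scheme;
+https https;
+}
+
+upstream web_app_server {
+server unix:/tmp/gunicorn_web.sock fail_timeout=0;
+}
+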
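Review bot: `set_real_ip_from 0.0.0.0/0;` with `real_ip_recursive on;` and no `real_ip_header` directive (default `X-Real-IP`) lets every client overwrite `$remote_addr` with an arbitrary `X-Real-IP` value, and that value then feeds both the access log and the `X-Forwarded-For` sent upstream through `$proxy_add_x_forwarded_for` — the `$proxy_protocol_addr` branch of the map is always empty here because the listener in nginx.conf does not enable `proxy_protocol`. The config app terminates TLS itself on 443 with no trusted proxy in front, so either remove the two `real_ip` lines or restrict them to the real load-balancer range with an explicit `real_ip_header X-Forwarded-For;`. If this block was copied from the main registry config, a comment saying so would explain why proxy-protocol variables appear in a config that never receives PROXY headers.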
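--- a/config_app/conf/nginx.conf
+++ b/config_app/conf/nginx.conf
@@ -0,0 +1,26 @@
+# vim: ft=nginx
+
+include root-base.conf;
+
+http {
+include http-base.conf;
+
+ssl_certificate /quay-registry/config_app/quay-config.cert;
+ssl_certificate_key /quay-registry/config_app/quay-config.key;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:60m;
+ssl_session_timeout 2h;
+ssl_session_tickets on;
+ssl_prefer_server_ciphers on;
+ssl_dhparam dhparams.pem;
+
+server {
+include server-base.conf;
+
+listen 443 ssl http2 default;
+
+
+access_log /dev/stdout lb_logs;
+}
+}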
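Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1 on the endpoint whose stated purpose (per the comment in certs_create.sh) is to protect secrets uploaded through the config app, and the cipher string ends in the catch-alls `AES:CAMELLIA:DES-CBC3-SHA`, which admit SHA-1 CBC suites and 3DES behind the preferred GCM entries. Nothing here needs to serve legacy clients, so `ssl_protocols TLSv1.2;` and a list trimmed to the leading ECDHE/DHE AES-GCM suites would be the safer default; if the string was copied from the main registry config, say so in a comment so it is not treated as a deliberate choice. Separately, the cert and key paths are hard-coded to `/quay-registry/config_app/...` while certs_create.sh writes them under `$QUAYDIR/config_app/`, so nginx fails at startup whenever QUAYDIR differs — a comment on those two lines noting the assumption, or generating the config from the same variable, would prevent a confusing failure.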
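--- a/config_app/conf/root-base.conf
+++ b/config_app/conf/root-base.conf
@@ -0,0 +1,17 @@
+# vim: ft=nginx
+
+pid /tmp/nginx.pid;
+error_log /dev/stdout;
+
+worker_processes auto;
+worker_priority -10;
+worker_rlimit_nofile 10240;
+
+user root nogroup;
+
+daemon off;
+
+events {
+worker_connections 10240;
+accept_mutex off;
+}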
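Review bot: `user root nogroup;` runs nginx's worker processes — the ones that parse untrusted TLS and HTTP from clients — as root, which is more privilege than they need: the master process (already root) loads the certificate and key at configuration time, so workers can be dropped to an unprivileged account without relaxing permissions on quay-config.key, e.g. `user nobody nogroup;`. The only access the worker account then needs is connect permission on /tmp/gunicorn_web.sock, which should be coordinated with whatever umask gunicorn uses for that socket. Also `pid /tmp/nginx.pid;` is a fixed path in a world-writable directory that a root process opens for writing on every start; a path under /run (or /var/run) avoids depending on fs.protected_symlinks for safety.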
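--- a/config_app/conf/server-base.conf
+++ b/config_app/conf/server-base.conf
@@ -0,0 +1,16 @@
+# vim: ft=nginx
+
+server_name _;
+
+# Proxy Headers
+proxy_set_header X-Forwarded-For $proper_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proper_scheme;
+proxy_set_header Host $host;
+proxy_redirect off;
+
+proxy_set_header Transfer-Encoding $http_transfer_encoding;
+
+location / {
+proxy_pass http://web_app_server;
+}
+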
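Review bot: `proxy_set_header Transfer-Encoding $http_transfer_encoding;` re-emits the client's Transfer-Encoding header on the proxied request even though nginx, with its default request buffering, has already de-chunked the body and sends a Content-Length upstream — so gunicorn receives a request carrying both `Content-Length` and `Transfer-Encoding: chunked` over a body that is no longer chunked, which is exactly the ambiguity request-smuggling attacks exploit, and nginx speaks HTTP/1.0 to the upstream here (no `proxy_http_version 1.1`), where chunked is not valid at all. Unless there is a documented reason that also requires `proxy_request_buffering off;` and `proxy_http_version 1.1;`, delete that line. A short comment above `# Proxy Headers` stating that nginx is the TLS terminator and the only hop in front of gunicorn would help future readers judge which forwarded headers can be trusted.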
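--- a/config_app/init/certs_create.sh
+++ b/config_app/init/certs_create.sh
@@ -0,0 +1,12 @@
+#! /bin/bash
+set -e
+QUAYPATH=${QUAYPATH:-"."}
+QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf"}
+cd ${QUAYDIR:-"/"}
+
+echo 'Creating self-signed certs for quay-config app'
+
+# Create certs to secure connections while uploading config for secrets
+echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare quay-config
+cp quay-config-key.pem $QUAYDIR/config_app/quay-config.key
+cp quay-config.pem $QUAYDIR/config_app/quay-config.cert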
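Review bot: The private key is left behind in a second location: `cfssljson -bare quay-config` writes `quay-config-key.pem`, `quay-config.pem` and `quay-config.csr` into the current directory (`/` by default after `cd ${QUAYDIR:-"/"}`), and the two `cp` lines copy rather than move them, so the key remains at a predictable path outside config_app with a mode that depends on cfssljson's defaults and the umask rather than being set explicitly; `set -e` without `pipefail` also means a cfssl failure is only noticed when the later `cp` cannot find its input. Generating into a mktemp directory, installing with an explicit mode and cleaning up on exit closes that, and the unquoted `$QUAYDIR` expansions should be quoted. Note too that `cfssl gencert -initca` yields a CA certificate (CN=CA, no hosts/SANs) that is then served as the TLS leaf and, because this runs from /etc/my_init.d, a new key is produced on every container start — both facts belong in the comment above the cfssl line so operators know the fingerprint is not stable and that `cfssl selfsign` with a hostname would be the tool if a pinnable server certificate is ever wanted.
```shell
# … unchanged: set -e, QUAYPATH/QUAYCONF defaults, cd, echo …
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT

# Create certs to secure connections while uploading config for secrets
echo '{"CN":"CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare "$workdir/quay-config"
install -m 0600 "$workdir/quay-config-key.pem" "$QUAYDIR/config_app/quay-config.key"
install -m 0644 "$workdir/quay-config.pem" "$QUAYDIR/config_app/quay-config.cert"
```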
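--- a/config_app/init/service/nginx/run
+++ b/config_app/init/service/nginx/run
@@ -0,0 +1,12 @@
+#! /bin/bash
+
+echo 'Starting nginx'
+
+QUAYPATH=${QUAYPATH:-"."}
+cd ${QUAYDIR:-"/"}
+PYTHONPATH=$QUAYPATH
+QUAYCONF=${QUAYCONF:-"$QUAYPATH/conf"}
+
+/usr/sbin/nginx -c $QUAYDIR/config_app/conf/nginx.conf
+
+echo 'Nginx exited'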
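Review bot: This service `run` script starts nginx as a child of bash rather than `exec`-ing it, so the supervisor's shutdown signal is delivered to bash instead of the `daemon off` nginx master, which is then either orphaned or killed ungracefully; the last command should be `exec /usr/sbin/nginx -c "${QUAYDIR}/config_app/conf/nginx.conf"`, after which the trailing `echo 'Nginx exited'` can never run and should go. `PYTHONPATH=$QUAYPATH` is assigned but neither exported nor read by anything in this script, and `QUAYCONF` is likewise unused here — both are dead lines. With QUAYDIR unset the script still `cd`s to `/` but then points nginx at `/config_app/conf/nginx.conf`, so a comment stating that QUAYDIR is required (or a `: "${QUAYDIR:?QUAYDIR must be set}"` guard) would make the failure mode explicit.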
|
@ -43,20 +43,24 @@ case "$MODE" in
|
||||||
"config")
|
"config")
|
||||||
echo "Entering config mode, only copying config-app entrypoints"
|
echo "Entering config mode, only copying config-app entrypoints"
|
||||||
cp -r ${QUAYDIR}/config_app/init/service/* /etc/service
|
cp -r ${QUAYDIR}/config_app/init/service/* /etc/service
|
||||||
|
cp $QUAYDIR/config_app/init/*.sh /etc/my_init.d/
|
||||||
exec /sbin/my_init
|
exec /sbin/my_init
|
||||||
;;
|
;;
|
||||||
"interactive")
|
"interactive")
|
||||||
echo "Copying $MODE files"
|
echo "Copying $MODE files"
|
||||||
|
cp $QUAYCONF/init/*.sh /etc/my_init.d/
|
||||||
cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
|
cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
|
||||||
exec /sbin/my_init
|
exec /sbin/my_init
|
||||||
;;
|
;;
|
||||||
"batch")
|
"batch")
|
||||||
echo "Copying $MODE files"
|
echo "Copying $MODE files"
|
||||||
|
cp $QUAYCONF/init/*.sh /etc/my_init.d/
|
||||||
cp -r ${QUAYCONF}/init/service/batch/* /etc/service
|
cp -r ${QUAYCONF}/init/service/batch/* /etc/service
|
||||||
exec /sbin/my_init
|
exec /sbin/my_init
|
||||||
;;
|
;;
|
||||||
"")
|
"")
|
||||||
echo "Copying all files"
|
echo "Copying all files"
|
||||||
|
cp $QUAYCONF/init/*.sh /etc/my_init.d/
|
||||||
cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
|
cp -r ${QUAYCONF}/init/service/interactive/* /etc/service
|
||||||
cp -r ${QUAYCONF}/init/service/batch/* /etc/service
|
cp -r ${QUAYCONF}/init/service/batch/* /etc/service
|
||||||
exec /sbin/my_init
|
exec /sbin/my_init
|
||||||
|
|
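Review bot: The four new `cp ... /etc/my_init.d/` lines, like the surrounding `cp -r ... /etc/service` copies, expand `$QUAYDIR` and `$QUAYCONF` unquoted and never check that the glob matched or that the copy succeeded; the enclosing `case "$MODE"` starts before this hunk so I cannot see whether `set -e` is on, but a silently failed copy yields a container that boots without certs_create.sh, after which nginx fails on the missing key with a far less obvious error. Quote the expansions and fail loudly, e.g. `cp -- "$QUAYDIR"/config_app/init/*.sh /etc/my_init.d/ || exit 1`. In config mode the my_init.d scripts come from `$QUAYDIR/config_app/init` while every other mode uses `$QUAYCONF/init`; a one-line comment on the config branch noting that the config app carries its own init directory would save the next reader a search.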