[nginx] Use SAN certificates

Use SAN certificates from k8s LE controller 1.3
Vincent Ambo 2016-09-26 01:23:29 +02:00
parent a02148d832
commit e514f9ecff
No known key found for this signature in database
GPG key ID: 66F505681DB8F43B
4 changed files with 6 additions and 20 deletions


@ -8,6 +8,7 @@ server {
# Simple IP echo thing # Simple IP echo thing
server { server {
listen 80; listen 80;
listen 443 ssl http2;
server_name ip.tazj.in; server_name ip.tazj.in;
access_log off; access_log off;
add_header "Content-Type" "text/plain"; add_header "Content-Type" "text/plain";
@ -27,9 +28,6 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
server_name git.tazj.in; server_name git.tazj.in;
ssl_certificate /etc/nginx/ssl/git.tazj.in/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/git.tazj.in/key.pem;
location / { location / {
proxy_pass http://gogs-priv.default.svc.cluster.local:3000; proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
} }
@ -40,9 +38,6 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
server_name tazj.in; server_name tazj.in;
ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
location / { location / {
return 301 https://www.tazj.in$request_uri; return 301 https://www.tazj.in$request_uri;
} }
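Review bot: The new `listen 443 ssl http2;` on the ip.tazj.in server will most likely not carry the HSTS header, because this block appears to set its own `add_header "Content-Type" "text/plain";` at server level, and nginx inherits `add_header` from the outer level only when the current level defines none. If the `Strict-Transport-Security` header in the `http` block is meant to cover every TLS vhost, repeat it in this server block; if the body is produced by `return`, `default_type text/plain;` would set the type without an `add_header` and let inheritance apply. The block still answers on plain port 80 as well, which looks deliberate for an IP echo but deserves a one-line comment saying so. The server block continues outside the hunk.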


@ -38,8 +38,8 @@ http {
access_log /var/log/nginx/access.log logstash; access_log /var/log/nginx/access.log logstash;
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub) # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
ssl_certificate /etc/nginx/ssl/www.tazj.in/fullchain.pem; ssl_certificate /etc/nginx/ssl/tazj.in/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/www.tazj.in/key.pem; ssl_certificate_key /etc/nginx/ssl/tazj.in/key.pem;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=15768000;
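Review bot: The comment above the changed `ssl_certificate` lines still reads "Default tazj.in config", but after this change the file it points to is the single SAN certificate for all four names in the annotation. Every `listen 443 ssl` server without its own `ssl_certificate` silently falls back to it. I would reword the comment to something like `# Default: SAN cert for tazj.in + www/ip/git.tazj.in (secret tazj.in-tls); any other domain (e.g. oslo.pub) must set its own ssl_certificate`. That makes the hostname-mismatch failure mode visible to whoever adds the next vhost. The `http` block continues outside the hunk.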


@ -6,7 +6,8 @@ metadata:
labels: labels:
app: nginx app: nginx
annotations: annotations:
acme/certificate: "tazj.in" acme/certificate: '["tazj.in", "www.tazj.in", "ip.tazj.in", "git.tazj.in"]'
acme/secretName: tazj.in-tls
spec: spec:
type: LoadBalancer type: LoadBalancer
loadBalancerIP: 104.155.119.229 loadBalancerIP: 104.155.119.229
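Review bot: The SAN list in `acme/certificate` now has to be kept in step by hand with the `server_name` values of every TLS vhost that relies on the default certificate, and nothing in the manifest says so. A 443 server added later without its name in this annotation would be served the shared certificate and fail hostname validation. I would add a comment above the annotation such as `# must list every server_name that uses the default ssl_certificate`. A second comment on `acme/secretName` should note that the pod's volume `secretName` must match it exactly. All four hosts now share one private key, so rotating it affects every name at once.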


@ -19,10 +19,6 @@ spec:
volumeMounts: volumeMounts:
- name: tazj-in-tls - name: tazj-in-tls
mountPath: /etc/nginx/ssl/tazj.in mountPath: /etc/nginx/ssl/tazj.in
- name: www-tazj-in-tls
mountPath: /etc/nginx/ssl/www.tazj.in
- name: git-tazj-in-tls
mountPath: /etc/nginx/ssl/git.tazj.in
- name: nginx-dhparam - name: nginx-dhparam
mountPath: /etc/nginx/ssl/dhparam mountPath: /etc/nginx/ssl/dhparam
- name: nginx-config - name: nginx-config
@ -44,13 +40,7 @@ spec:
volumes: volumes:
- name: tazj-in-tls - name: tazj-in-tls
secret: secret:
secretName: tazj-in-tls secretName: tazj.in-tls
- name: www-tazj-in-tls
secret:
secretName: www-tazj-in-tls
- name: git-tazj-in-tls
secret:
secretName: git-tazj-in-tls
- name: nginx-dhparam - name: nginx-dhparam
secret: secret:
secretName: nginx-dhparam secretName: nginx-dhparam
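Review bot: The `tazj-in-tls` volume mounts the `tazj.in-tls` Secret whole, with no `items` mapping, so the `fullchain.pem` and `key.pem` paths nginx reads depend on the key names the new controller version writes into the Secret. The hunk does not show that these match the old secrets, so confirm it or pin the file names with `items:` entries (key names per the controller's documentation), since a mismatch would leave nginx unable to load its certificate. Separately, nothing in this commit removes the old `tazj-in-tls`, `www-tazj-in-tls` and `git-tazj-in-tls` Secrets. They presumably still hold private keys for unexpired certificates and should be deleted once the rollout is verified. The pod spec continues outside the hunk.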