[nginx] Split config into multiple files
This commit is contained in:
parent
196de92752
commit
f3d71cf5fe
6 changed files with 116 additions and 66 deletions
42
nginx/conf/http.conf
Normal file
42
nginx/conf/http.conf
Normal file
|
@ -0,0 +1,42 @@
|
|||
# Default TLS redirect
|
||||
server {
|
||||
listen 80;
|
||||
server_name *.tazj.in tazj.in;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
# Simple IP echo thing
|
||||
server {
|
||||
listen 80;
|
||||
server_name ip.tazj.in;
|
||||
access_log off;
|
||||
add_header "Content-Type" "text/plain";
|
||||
return 200 "$remote_addr\n";
|
||||
}
|
||||
|
||||
# Redirect for oslo.pub
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name oslo.pub *.oslo.pub;
|
||||
return 302 https://git.tazj.in/tazjin/pubkartet;
|
||||
}
|
||||
|
||||
# Gogs web interface
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name git.tazj.in;
|
||||
location / {
|
||||
proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
|
||||
}
|
||||
}
|
||||
|
||||
# TazBlog
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name www.tazj.in tazj.in default;
|
||||
|
||||
location / {
|
||||
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
|
||||
}
|
||||
}
|
52
nginx/conf/main.conf
Normal file
52
nginx/conf/main.conf
Normal file
|
@ -0,0 +1,52 @@
|
|||
user nginx;
|
||||
worker_processes 1;
|
||||
daemon off;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
sendfile on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
gzip on;
|
||||
|
||||
# Modern SSL config
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
|
||||
|
||||
# Logstash log format
|
||||
log_format logstash '$http_host '
|
||||
'$remote_addr [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time '
|
||||
'$upstream_response_time';
|
||||
|
||||
access_log /var/log/nginx/access.log logstash;
|
||||
|
||||
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
|
||||
ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
|
||||
ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
include /etc/nginx/conf/http.conf;
|
||||
}
|
||||
|
||||
stream {
|
||||
include /etc/nginx/conf/stream.conf;
|
||||
}
|
6
nginx/conf/stream.conf
Normal file
6
nginx/conf/stream.conf
Normal file
|
@ -0,0 +1,6 @@
|
|||
# Gogs SSH tunneling
|
||||
|
||||
server {
|
||||
listen 22;
|
||||
proxy_pass gogs-priv.default.svc.cluster.local:22;
|
||||
}
|
|
@ -2,22 +2,22 @@
|
|||
apiVersion: v1
|
||||
kind: ReplicationController
|
||||
metadata:
|
||||
name: nginx-v3
|
||||
name: nginx-v4
|
||||
labels:
|
||||
app: nginx
|
||||
version: 1.9.11
|
||||
spec: v3
|
||||
version: 1.9.12
|
||||
spec: v4
|
||||
spec:
|
||||
replicas: 2
|
||||
selector:
|
||||
app: nginx
|
||||
rcv: v3
|
||||
rcv: v4
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
lb-target: nginx
|
||||
rcv: v3
|
||||
rcv: v4
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx:1.9.11
|
||||
|
@ -28,9 +28,13 @@ spec:
|
|||
- name: nginx-dhparam
|
||||
mountPath: /etc/nginx/ssl/dhparam
|
||||
- name: nginx-config
|
||||
mountPath: /etc/nginx/conf.d
|
||||
mountPath: /etc/nginx/conf
|
||||
- name: nginx-logs
|
||||
mountPath: /var/log/nginx
|
||||
command:
|
||||
- '/usr/sbin/nginx'
|
||||
- '-c'
|
||||
- '/etc/nginx/conf/main.conf'
|
||||
ports:
|
||||
- containerPort: 80
|
||||
- containerPort: 443
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
#!/bin/bash
|
||||
set -ueo pipefail
|
||||
|
||||
readonly server_conf=$(cat server.conf | base64 -w0)
|
||||
readonly main_conf=$(cat conf/main.conf | base64 -w0)
|
||||
readonly http_conf=$(cat conf/http.conf | base64 -w0)
|
||||
readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
|
||||
|
||||
echo "Replacing nginx configuration ..."
|
||||
kubectl replace --force -f - <<EOF
|
||||
|
@ -10,5 +12,7 @@ kind: Secret
|
|||
metadata:
|
||||
name: nginx-config
|
||||
data:
|
||||
server.conf: ${server_conf}
|
||||
main.conf: ${main_conf}
|
||||
http.conf: ${http_conf}
|
||||
stream.conf: ${stream_conf}
|
||||
EOF
|
||||
|
|
|
@ -1,58 +0,0 @@
|
|||
# Logstash log format
|
||||
log_format logstash '$http_host '
|
||||
'$remote_addr [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'$request_time '
|
||||
'$upstream_response_time';
|
||||
|
||||
access_log /var/log/nginx/access.log logstash;
|
||||
|
||||
# Modern SSL config
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
|
||||
|
||||
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
|
||||
ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
|
||||
ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name *.tazj.in tazj.in;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
# Simple IP echo thing
|
||||
server {
|
||||
listen 80;
|
||||
server_name ip.tazj.in;
|
||||
access_log off;
|
||||
add_header "Content-Type" "text/plain";
|
||||
return 200 "$remote_addr\n";
|
||||
}
|
||||
|
||||
# Redirect for oslo.pub
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name oslo.pub *.oslo.pub;
|
||||
return 302 https://git.tazj.in/tazjin/pubkartet;
|
||||
}
|
||||
|
||||
# TazBlog
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name www.tazj.in tazj.in default;
|
||||
|
||||
location / {
|
||||
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue