From f3d71cf5fe1174802687c86eff2abb2e17522504 Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Wed, 23 Mar 2016 15:13:06 +0100
Subject: [PATCH] [nginx] Split config into multiple files
---
 nginx/conf/http.conf | 42 ++++++++++++++++++++++++++++++
 nginx/conf/main.conf | 52 +++++++++++++++++++++++++++++++++++++
 nginx/conf/stream.conf | 6 +++++
 nginx/nginx-rc.yaml | 16 +++++++-----
 nginx/replace-config | 8 ++++--
 nginx/server.conf | 58 ------------------------------------------
 6 files changed, 116 insertions(+), 66 deletions(-)
 create mode 100644 nginx/conf/http.conf
 create mode 100644 nginx/conf/main.conf
 create mode 100644 nginx/conf/stream.conf
 delete mode 100644 nginx/server.conf
diff --git a/nginx/conf/http.conf b/nginx/conf/http.conf
new file mode 100644
index 000000000..fc287e5f6
--- /dev/null
+++ b/nginx/conf/http.conf
@@ -0,0 +1,42 @@
+# Default TLS redirect
+server {
+ listen 80;
+ server_name *.tazj.in tazj.in;
+ return 301 https://$server_name$request_uri;
+}
+
+# Simple IP echo thing
+server {
+ listen 80;
+ server_name ip.tazj.in;
+ access_log off;
+ add_header "Content-Type" "text/plain";
+ return 200 "$remote_addr\n";
+}
+
+# Redirect for oslo.pub
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name oslo.pub *.oslo.pub;
+ return 302 https://git.tazj.in/tazjin/pubkartet;
+}
+
+# Gogs web interface
+server {
+ listen 443 ssl http2;
+ server_name git.tazj.in;
+ location / {
+ proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
+ }
+}
+
+# TazBlog
+server {
+ listen 443 ssl http2 default_server;
+ server_name www.tazj.in tazj.in default;
+
+ location / {
+ proxy_pass http://tazblog-priv.default.svc.cluster.local/;
+ }
+}
diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
new file mode 100644
index 000000000..7c25877b2
--- /dev/null
+++ b/nginx/conf/main.conf
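Review bot: The port-80 redirect in the first server block returns `https://$server_name$request_uri`, but `$server_name` expands to the first name in the `server_name` directive, which here is the literal wildcard `*.tazj.in`, so clients are sent to a host that does not resolve. Redirecting to the name the client actually requested, `return 301 https://$host$request_uri;`, keeps the redirect within the names this block already matches. In the TazBlog block, `server_name www.tazj.in tazj.in default;` looks like a mix-up with `default_server`, which is already given on the `listen` line; `default` would be matched as an ordinary hostname. The oslo.pub block listens on 443 ssl but overrides no `ssl_certificate`, so as far as this patch shows it serves the tazj.in certificate for oslo.pub and clients will see a name mismatch; the comment in main.conf saying certs "need to be overridden" for oslo.pub suggests this is known but not yet done.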
@@ -0,0 +1,52 @@
+user nginx;
+worker_processes 1;
+daemon off;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+ gzip on;
+
+ # Modern SSL config
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+
+ # Logstash log format
+ log_format logstash '$http_host '
+ '$remote_addr [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '$request_time '
+ '$upstream_response_time';
+
+ access_log /var/log/nginx/access.log logstash;
+
+ # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
+ ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
+ ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ include /etc/nginx/conf/http.conf;
+}
+
+stream {
+ include /etc/nginx/conf/stream.conf;
+}
diff --git a/nginx/conf/stream.conf b/nginx/conf/stream.conf
new file mode 100644
index 000000000..6b13de677
--- /dev/null
+++ b/nginx/conf/stream.conf
@@ -0,0 +1,6 @@
+# Gogs SSH tunneling
+
+server {
+ listen 22;
+ proxy_pass gogs-priv.default.svc.cluster.local:22;
+}
diff --git a/nginx/nginx-rc.yaml b/nginx/nginx-rc.yaml
index 3f3a923ef..65f282a2e 100644
--- a/nginx/nginx-rc.yaml
+++ b/nginx/nginx-rc.yaml
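Review bot: `ssl_certificate` and `ssl_certificate_key` have their file names swapped in the "Default tazj.in config" section: the certificate directive points at `/etc/nginx/ssl/tazj.in/tls.key` and the key directive at `/etc/nginx/ssl/tazj.in/tls.crt`, so nginx will refuse to start (or fail the TLS handshake) once it tries to load them. Swap the two: `ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;` and `ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;`. The HSTS `add_header` placed in the `http` block is inherited only by server/location blocks that declare no `add_header` of their own, so any future virtual host that adds a header silently loses it; a comment such as `# inherited only by blocks that set no add_header of their own` next to the directive would make that visible. The same comment line also has `overriden` → `overridden`.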
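Review bot: The stream `server` that proxies port 22 sets no `proxy_timeout`, and the stream module's default idle timeout (10 minutes, as far as I recall) will drop an SSH session that goes quiet for that long, which is short for interactive git-over-SSH use; consider an explicit `proxy_timeout` sized for those sessions and a `proxy_connect_timeout` so a dead upstream fails fast. A one-line comment stating that this listener is reached through the ReplicationController's port list would also help, since binding 22 here has no effect unless the container and Service expose it.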
@@ -2,22 +2,22 @@ apiVersion: v1 kind: ReplicationController metadata: - name: nginx-v3 + name: nginx-v4 labels: app: nginx - version: 1.9.11 - spec: v3 + version: 1.9.12 + spec: v4 spec: replicas: 2 selector: app: nginx - rcv: v3 + rcv: v4 template: metadata: labels: app: nginx lb-target: nginx - rcv: v3 + rcv: v4 spec: containers: - image: nginx:1.9.11 @@ -28,9 +28,13 @@ spec: - name: nginx-dhparam mountPath: /etc/nginx/ssl/dhparam - name: nginx-config - mountPath: /etc/nginx/conf.d + mountPath: /etc/nginx/conf - name: nginx-logs mountPath: /var/log/nginx + command: + - '/usr/sbin/nginx' + - '-c' + - '/etc/nginx/conf/main.conf' ports: - containerPort: 80 - containerPort: 443 diff --git a/nginx/replace-config b/nginx/replace-config index 5640b8200..2542a2c68 100755 --- a/nginx/replace-config +++ b/nginx/replace-config @@ -1,7 +1,9 @@ #!/bin/bash set -ueo pipefail -readonly server_conf=$(cat server.conf | base64 -w0) +readonly main_conf=$(cat conf/main.conf | base64 -w0) +readonly http_conf=$(cat conf/http.conf | base64 -w0) +readonly stream_conf=$(cat conf/stream.conf | base64 -w0) echo "Replacing nginx configuration ..." kubectl replace --force -f - <
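Review bot: The `version: 1.9.12` label introduced in the first hunk no longer matches the container image, which the context line `- image: nginx:1.9.11` shows was left at 1.9.11; either bump the image to `nginx:1.9.12` or keep the label at 1.9.11, otherwise the label misreports what is actually running. The `rcv: v4` / `spec: v4` bumps are consistent with the rename to `nginx-v4`, so the mismatch appears limited to the version label.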
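Review bot: The new `command` starts nginx with `-c /etc/nginx/conf/main.conf`, and main.conf in turn includes `/etc/nginx/conf/http.conf` and `/etc/nginx/conf/stream.conf` from the same `nginx-config` mount, so all three files must be present in that volume or the container exits at config-parse time; a comment on the `command` entry, e.g. `# main.conf includes http.conf and stream.conf from the nginx-config mount`, would make that coupling visible to whoever edits the volume. The stream block in this patch also listens on port 22, which does not appear among the visible `containerPort` entries (80 and 443, with the list ending the hunk); if the Service relies on containerPort, `- containerPort: 22` is needed for the SSH proxy to be reachable.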