[nginx] Split config into multiple files
This commit is contained in:
parent
196de92752
commit
f3d71cf5fe
6 changed files with 116 additions and 66 deletions
42
nginx/conf/http.conf
Normal file
42
nginx/conf/http.conf
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
# Default TLS redirect
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name *.tazj.in tazj.in;
|
||||||
|
return 301 https://$server_name$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Simple IP echo thing
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name ip.tazj.in;
|
||||||
|
access_log off;
|
||||||
|
add_header "Content-Type" "text/plain";
|
||||||
|
return 200 "$remote_addr\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
# Redirect for oslo.pub
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name oslo.pub *.oslo.pub;
|
||||||
|
return 302 https://git.tazj.in/tazjin/pubkartet;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Gogs web interface
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
server_name git.tazj.in;
|
||||||
|
location / {
|
||||||
|
proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# TazBlog
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2 default_server;
|
||||||
|
server_name www.tazj.in tazj.in default;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
|
||||||
|
}
|
||||||
|
}
|
52
nginx/conf/main.conf
Normal file
52
nginx/conf/main.conf
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
user nginx;
|
||||||
|
worker_processes 1;
|
||||||
|
daemon off;
|
||||||
|
|
||||||
|
error_log /var/log/nginx/error.log warn;
|
||||||
|
pid /var/run/nginx.pid;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 1024;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
|
||||||
|
keepalive_timeout 65;
|
||||||
|
gzip on;
|
||||||
|
|
||||||
|
# Modern SSL config
|
||||||
|
ssl_protocols TLSv1.2;
|
||||||
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_timeout 1d;
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
ssl_session_tickets off;
|
||||||
|
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
|
||||||
|
|
||||||
|
# Logstash log format
|
||||||
|
log_format logstash '$http_host '
|
||||||
|
'$remote_addr [$time_local] '
|
||||||
|
'"$request" $status $body_bytes_sent '
|
||||||
|
'"$http_referer" "$http_user_agent" '
|
||||||
|
'$request_time '
|
||||||
|
'$upstream_response_time';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log logstash;
|
||||||
|
|
||||||
|
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
|
||||||
|
ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||||
|
add_header Strict-Transport-Security max-age=15768000;
|
||||||
|
|
||||||
|
include /etc/nginx/conf/http.conf;
|
||||||
|
}
|
||||||
|
|
||||||
|
stream {
|
||||||
|
include /etc/nginx/conf/stream.conf;
|
||||||
|
}
|
6
nginx/conf/stream.conf
Normal file
6
nginx/conf/stream.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
# Gogs SSH tunneling
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 22;
|
||||||
|
proxy_pass gogs-priv.default.svc.cluster.local:22;
|
||||||
|
}
|
|
@ -2,22 +2,22 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ReplicationController
|
kind: ReplicationController
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-v3
|
name: nginx-v4
|
||||||
labels:
|
labels:
|
||||||
app: nginx
|
app: nginx
|
||||||
version: 1.9.11
|
version: 1.9.12
|
||||||
spec: v3
|
spec: v4
|
||||||
spec:
|
spec:
|
||||||
replicas: 2
|
replicas: 2
|
||||||
selector:
|
selector:
|
||||||
app: nginx
|
app: nginx
|
||||||
rcv: v3
|
rcv: v4
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: nginx
|
app: nginx
|
||||||
lb-target: nginx
|
lb-target: nginx
|
||||||
rcv: v3
|
rcv: v4
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- image: nginx:1.9.11
|
- image: nginx:1.9.11
|
||||||
|
@ -28,9 +28,13 @@ spec:
|
||||||
- name: nginx-dhparam
|
- name: nginx-dhparam
|
||||||
mountPath: /etc/nginx/ssl/dhparam
|
mountPath: /etc/nginx/ssl/dhparam
|
||||||
- name: nginx-config
|
- name: nginx-config
|
||||||
mountPath: /etc/nginx/conf.d
|
mountPath: /etc/nginx/conf
|
||||||
- name: nginx-logs
|
- name: nginx-logs
|
||||||
mountPath: /var/log/nginx
|
mountPath: /var/log/nginx
|
||||||
|
command:
|
||||||
|
- '/usr/sbin/nginx'
|
||||||
|
- '-c'
|
||||||
|
- '/etc/nginx/conf/main.conf'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 80
|
- containerPort: 80
|
||||||
- containerPort: 443
|
- containerPort: 443
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -ueo pipefail
|
set -ueo pipefail
|
||||||
|
|
||||||
readonly server_conf=$(cat server.conf | base64 -w0)
|
readonly main_conf=$(cat conf/main.conf | base64 -w0)
|
||||||
|
readonly http_conf=$(cat conf/http.conf | base64 -w0)
|
||||||
|
readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
|
||||||
|
|
||||||
echo "Replacing nginx configuration ..."
|
echo "Replacing nginx configuration ..."
|
||||||
kubectl replace --force -f - <<EOF
|
kubectl replace --force -f - <<EOF
|
||||||
|
@ -10,5 +12,7 @@ kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-config
|
name: nginx-config
|
||||||
data:
|
data:
|
||||||
server.conf: ${server_conf}
|
main.conf: ${main_conf}
|
||||||
|
http.conf: ${http_conf}
|
||||||
|
stream.conf: ${stream_conf}
|
||||||
EOF
|
EOF
|
||||||
|
|
|
@ -1,58 +0,0 @@
|
||||||
# Logstash log format
|
|
||||||
log_format logstash '$http_host '
|
|
||||||
'$remote_addr [$time_local] '
|
|
||||||
'"$request" $status $body_bytes_sent '
|
|
||||||
'"$http_referer" "$http_user_agent" '
|
|
||||||
'$request_time '
|
|
||||||
'$upstream_response_time';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log logstash;
|
|
||||||
|
|
||||||
# Modern SSL config
|
|
||||||
ssl_protocols TLSv1.2;
|
|
||||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:SSL:50m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
|
|
||||||
|
|
||||||
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
|
|
||||||
ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
|
|
||||||
|
|
||||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
|
||||||
add_header Strict-Transport-Security max-age=15768000;
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name *.tazj.in tazj.in;
|
|
||||||
return 301 https://$server_name$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Simple IP echo thing
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name ip.tazj.in;
|
|
||||||
access_log off;
|
|
||||||
add_header "Content-Type" "text/plain";
|
|
||||||
return 200 "$remote_addr\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
# Redirect for oslo.pub
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen 443 ssl;
|
|
||||||
server_name oslo.pub *.oslo.pub;
|
|
||||||
return 302 https://git.tazj.in/tazjin/pubkartet;
|
|
||||||
}
|
|
||||||
|
|
||||||
# TazBlog
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2 default_server;
|
|
||||||
server_name www.tazj.in tazj.in default;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
|
|
||||||
}
|
|
||||||
}
|
|
Loading…
Reference in a new issue