[nginx] Split config into multiple files

This commit is contained in:
Vincent Ambo 2016-03-23 15:13:06 +01:00
parent 196de92752
commit f3d71cf5fe
No known key found for this signature in database
GPG key ID: 66F505681DB8F43B
6 changed files with 116 additions and 66 deletions

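--- a/nginx/conf/http.conf
+++ b/nginx/conf/http.conf
@@ -0,0 +1,42 @@
+# Default TLS redirect
+server {
+listen 80;
+server_name *.tazj.in tazj.in;
+return 301 https://$server_name$request_uri;
+}
+# Simple IP echo thing
+server {
+listen 80;
+server_name ip.tazj.in;
+access_log off;
+add_header "Content-Type" "text/plain";
+return 200 "$remote_addr\n";
+}
+# Redirect for oslo.pub
+server {
+listen 80;
+listen 443 ssl;
+server_name oslo.pub *.oslo.pub;
+return 302 https://git.tazj.in/tazjin/pubkartet;
+}
+# Gogs web interface
+server {
+listen 443 ssl http2;
+server_name git.tazj.in;
+location / {
+proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
+}
+}
+# TazBlog
+server {
+listen 443 ssl http2 default_server;
+server_name www.tazj.in tazj.in default;
+location / {
+proxy_pass http://tazblog-priv.default.svc.cluster.local/;
+}
+}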
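Review bot: The catch-all redirect `return 301 https://$server_name$request_uri;` builds its Location from `$server_name`, which nginx resolves to the first entry of the `server_name` directive — here the literal `*.tazj.in` — rather than the host the client requested; `return 301 https://$host$request_uri;` keeps the requested host. Separately, main.conf's comment says certificates must be overridden for oslo.pub, yet the oslo.pub server block with `listen 443 ssl;` carries no `ssl_certificate`/`ssl_certificate_key`, so it will present the http-level tazj.in certificate and fail hostname validation for https://oslo.pub unless that certificate also lists oslo.pub or the override lives outside this file. The two proxied server blocks also set no `proxy_set_header Host $host;` or `proxy_set_header X-Forwarded-Proto $scheme;`, so the Gogs and blog backends see only the cluster-internal host and cannot tell that the request arrived over TLS.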

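--- a/nginx/conf/main.conf
+++ b/nginx/conf/main.conf
@@ -0,0 +1,52 @@
+user nginx;
+worker_processes 1;
+daemon off;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+sendfile on;
+keepalive_timeout 65;
+gzip on;
+# Modern SSL config
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+# Logstash log format
+log_format logstash '$http_host '
+'$remote_addr [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent" '
+'$request_time '
+'$upstream_response_time';
+access_log /var/log/nginx/access.log logstash;
+# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
+ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
+ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+include /etc/nginx/conf/http.conf;
+}
+stream {
+include /etc/nginx/conf/stream.conf;
+}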
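Review bot: At `ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;` and `ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;` the file names look swapped — the certificate directive points at the `.key` file and the key directive at the `.crt`; nginx only starts with this if the mounted secret stores the PEMs under the opposite names, so either the directives or the secret's keys should be corrected so that each name says what it holds. This predates the split, but the new file is where it should be fixed. Two smaller points for the http block: `server_tokens off;` would stop the exact nginx version being advertised in the Server header and on error pages, and because the `ssl_certificate*` directives sit at http level every `listen 443 ssl` server inherits them, which is exactly the caveat the comment above them raises for oslo.pub.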

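--- a/nginx/conf/stream.conf
+++ b/nginx/conf/stream.conf
@@ -0,0 +1,6 @@
+# Gogs SSH tunneling
+server {
+listen 22;
+proxy_pass gogs-priv.default.svc.cluster.local:22;
+}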
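Review bot: The `listen 22;` server forwards raw TCP, so the sshd behind `proxy_pass` sees every connection as originating from the nginx pod rather than from the client; any source-address based logging or throttling therefore has to live in this stream block, and nothing here records the connections at all (stream access logging is, as far as I recall, not available on the 1.9.x image this deployment pins). The block also inherits nginx's default `proxy_timeout` of 10 minutes of inactivity for the SSH session, which is worth setting explicitly so idle git sessions are not cut unexpectedly. The comment could say what the reader needs: `# Gogs SSH tunneling: raw TCP, sshd sees nginx's address as the peer, not the client's`.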


@ -2,22 +2,22 @@
apiVersion: v1 apiVersion: v1
kind: ReplicationController kind: ReplicationController
metadata: metadata:
name: nginx-v3 name: nginx-v4
labels: labels:
app: nginx app: nginx
version: 1.9.11 version: 1.9.12
spec: v3 spec: v4
spec: spec:
replicas: 2 replicas: 2
selector: selector:
app: nginx app: nginx
rcv: v3 rcv: v4
template: template:
metadata: metadata:
labels: labels:
app: nginx app: nginx
lb-target: nginx lb-target: nginx
rcv: v3 rcv: v4
spec: spec:
containers: containers:
- image: nginx:1.9.11 - image: nginx:1.9.11
@ -28,9 +28,13 @@ spec:
- name: nginx-dhparam - name: nginx-dhparam
mountPath: /etc/nginx/ssl/dhparam mountPath: /etc/nginx/ssl/dhparam
- name: nginx-config - name: nginx-config
mountPath: /etc/nginx/conf.d mountPath: /etc/nginx/conf
- name: nginx-logs - name: nginx-logs
mountPath: /var/log/nginx mountPath: /var/log/nginx
command:
- '/usr/sbin/nginx'
- '-c'
- '/etc/nginx/conf/main.conf'
ports: ports:
- containerPort: 80 - containerPort: 80
- containerPort: 443 - containerPort: 443
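Review bot: The `version` label moves to 1.9.12 while the context line `- image: nginx:1.9.11` is unchanged, so the label no longer describes the binary that runs; either bump the image to `nginx:1.9.12` in this commit or leave the label at 1.9.11. The new `command:` block hard-codes `/etc/nginx/conf/main.conf`, which matches the `mountPath: /etc/nginx/conf` change above it, but nothing shown declares port 22 for the new stream listener — if a `containerPort: 22` is not already present below the hunk (the ports list may continue there), add it so the declared ports reflect what the container binds. Both hunks belong to the same template spec, which starts and ends outside what is shown.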


@ -1,7 +1,9 @@
#!/bin/bash #!/bin/bash
set -ueo pipefail set -ueo pipefail
readonly server_conf=$(cat server.conf | base64 -w0) readonly main_conf=$(cat conf/main.conf | base64 -w0)
readonly http_conf=$(cat conf/http.conf | base64 -w0)
readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
echo "Replacing nginx configuration ..." echo "Replacing nginx configuration ..."
kubectl replace --force -f - <<EOF kubectl replace --force -f - <<EOF
@ -10,5 +12,7 @@ kind: Secret
metadata: metadata:
name: nginx-config name: nginx-config
data: data:
server.conf: ${server_conf} main.conf: ${main_conf}
http.conf: ${http_conf}
stream.conf: ${stream_conf}
EOF EOF
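Review bot: Each `readonly main_conf=$(cat conf/main.conf | base64 -w0)` line hides the pipeline's exit status behind `readonly`'s own, so `set -e` and `pipefail` do not fire when a conf file is missing and the secret is silently replaced with an empty `main.conf`, `http.conf` or `stream.conf`. Assign first and mark read-only separately, e.g. `main_conf=$(base64 -w0 conf/main.conf)` followed by `readonly main_conf`, which also drops the unnecessary `cat`; the same applies to the http_conf and stream_conf lines. The `conf/` paths are relative to the caller's working directory, so resolving them against `$(dirname "$0")` would make the script runnable from anywhere. The script continues between the two hunks.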


@ -1,58 +0,0 @@
# Logstash log format
log_format logstash '$http_host '
'$remote_addr [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time '
'$upstream_response_time';
access_log /var/log/nginx/access.log logstash;
# Modern SSL config
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
server {
listen 80;
server_name *.tazj.in tazj.in;
return 301 https://$server_name$request_uri;
}
# Simple IP echo thing
server {
listen 80;
server_name ip.tazj.in;
access_log off;
add_header "Content-Type" "text/plain";
return 200 "$remote_addr\n";
}
# Redirect for oslo.pub
server {
listen 80;
listen 443 ssl;
server_name oslo.pub *.oslo.pub;
return 302 https://git.tazj.in/tazjin/pubkartet;
}
# TazBlog
server {
listen 443 ssl http2 default_server;
server_name www.tazj.in tazj.in default;
location / {
proxy_pass http://tazblog-priv.default.svc.cluster.local/;
}
}