author | Vincent Ambo <vincent@kivra.com> | 2016-03-24T21·27+0100 |
committer | Vincent Ambo <vincent@kivra.com> | 2016-03-24T21·27+0100 |
commit | 2dbff705675b0033fc957c2bc6dfb4905956e05b (patch) | |
tree | e0730d6741c619d5fd2519b31c8a24b05dcbdbd3 | |
parent | 1e3a90646ed91c45346c440766b7352dda75c2f7 (diff) |
[nginx] Add Quassel TLS tunneling
-rw-r--r-- | nginx/conf/main.conf | 18 | ||||
-rw-r--r-- | nginx/conf/stream.conf | 7 | ||||
-rw-r--r-- | nginx/nginx-svc.yaml | 2 | ||||
-rw-r--r-- | quassel/quassel-svc.yaml | 12 |
4 files changed, 35 insertions, 4 deletions
diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
index 7c25877b27d8..3607aaf1bfba 100644
--- a/nginx/conf/main.conf
+++ b/nginx/conf/main.conf
@@ -23,7 +23,7 @@ http {
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_prefer_server_ciphers on;
     ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
+    ssl_session_cache shared:HTTPS:50m;
     ssl_session_tickets off;
     ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
 
@@ -38,8 +38,8 @@ http {
     access_log /var/log/nginx/access.log logstash;
 
     # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
-    ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
-    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
 
     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
     add_header Strict-Transport-Security max-age=15768000;
@@ -48,5 +48,17 @@ http {
 }
 
 stream {
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:STREAM:50m;
+    ssl_session_tickets off;
+
+    # Default tazj.in certificate
+    ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;
+    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;
+
     include /etc/nginx/conf/stream.conf;
 }
diff --git a/nginx/conf/stream.conf b/nginx/conf/stream.conf
index 6b13de67773c..dcdf336d2627 100644
--- a/nginx/conf/stream.conf
+++ b/nginx/conf/stream.conf
@@ -1,6 +1,11 @@
 # Gogs SSH tunneling
-
 server {
     listen 22;
     proxy_pass gogs-priv.default.svc.cluster.local:22;
 }
+
+# Quassel TLS -> TCP tunneling
+server {
+    listen 4242 ssl;
+    proxy_pass quassel-priv.default.svc.cluster.local:4242;
+}
diff --git a/nginx/nginx-svc.yaml b/nginx/nginx-svc.yaml
index aadb72285472..bdb2f2dd47ad 100644
--- a/nginx/nginx-svc.yaml
+++ b/nginx/nginx-svc.yaml
@@ -17,3 +17,5 @@ spec:
     name: https
   - port: 22
     name: ssh
+  - port: 4242
+    name: quassel
diff --git a/quassel/quassel-svc.yaml b/quassel/quassel-svc.yaml
new file mode 100644
index 000000000000..98d8b8e20ac4
--- /dev/null
+++ b/quassel/quassel-svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: quassel-priv
+  labels:
+    app: quassel
+spec:
+  selector:
+    app: quassel
+  ports:
+  - port: 4242
+    name: quassel-internal
|
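Review bot: The new `stream` block repeats every TLS directive of the `http` block verbatim (protocols, the full cipher string, dhparam, session settings, default certificate), so the two contexts will drift the next time one of them is hardened; moving those directives into a shared snippet and using `include /etc/nginx/conf/tls-common.conf;` in both contexts keeps them in lockstep. If the list is kept inline, note that the last four suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) are CBC, non-AEAD fallbacks behind the GCM and ChaCha20 suites; dropping them is worth considering, though whether that is safe depends on what the Quassel clients in use actually negotiate. `ssl_dhparam` is also inert in this block because every listed suite is ECDHE, so it does no harm but does no work either.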
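Review bot: `listen 4242 ssl;` terminates TLS in nginx, and `proxy_pass quassel-priv.default.svc.cluster.local:4242;` then carries the decrypted Quassel session in cleartext across the cluster network; nothing in the new server block says so, and a reader could take the "TLS tunneling" title to mean end-to-end encryption. A comment on the block would make the trust boundary explicit: `# TLS ends here: the hop to quassel-priv is plaintext inside the cluster, so keep that Service cluster-internal`. Separately, as far as I recall the Quassel protocol negotiates TLS in-band after a plaintext handshake rather than expecting a pre-wrapped TLS socket, so it is worth confirming that a stock client can actually connect through this port before relying on it.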
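Review bot: `quassel-priv` sets no `type`, so it is a ClusterIP service — correctly not exposed outside the cluster — but it remains reachable from any pod in any namespace, and per the nginx side of this change the traffic arriving on it is the already-decrypted Quassel session. A note in the manifest, `# Internal only: receives plaintext after TLS termination in nginx; do not expose`, records that intent; if the cluster enforces NetworkPolicy, an ingress rule limited to the nginx pods would back it up. Writing `targetPort: 4242` and `protocol: TCP` explicitly would also make the port mapping self-documenting instead of relying on defaults.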