about summary refs log tree commit diff
diff options
context:
space:
mode:
authorVincent Ambo <vincent@kivra.com>2016-03-23T14·13+0100
committerVincent Ambo <vincent@kivra.com>2016-03-23T14·13+0100
commitf3d71cf5fe1174802687c86eff2abb2e17522504 (patch)
treee600dc57208538c1876d992f15bdbd23e509b7a1
parent196de927527862aa0bd9606f139622a2ef84adce (diff)
[nginx] Split config into multiple files
Diffstat
-rw-r--r--nginx/conf/http.conf42


-rw-r--r--nginx/conf/main.conf52


-rw-r--r--nginx/conf/stream.conf6


-rw-r--r--nginx/nginx-rc.yaml16


-rwxr-xr-xnginx/replace-config8


-rw-r--r--nginx/server.conf58


6 files changed, 116 insertions, 66 deletions
diff --git a/nginx/conf/http.conf b/nginx/conf/http.conf
new file mode 100644
index 000000000000..fc287e5f6bc6
--- /dev/null
+++ b/nginx/conf/http.conf
@@ -0,0 +1,42 @@
+# Default TLS redirect
+server {
+    listen       80;
+    server_name  *.tazj.in tazj.in;
+    return       301 https://$server_name$request_uri;
+}
+
+# Simple IP echo thing
+server {
+    listen 80;
+    server_name ip.tazj.in;
+    access_log off;
+    add_header "Content-Type" "text/plain";
+    return 200 "$remote_addr\n";
+}
+
+# Redirect for oslo.pub
+server {
+	listen 80;
+    listen 443 ssl;
+	server_name oslo.pub *.oslo.pub;
+	return 302 https://git.tazj.in/tazjin/pubkartet;
+}
+
+# Gogs web interface
+server {
+    listen 443 ssl http2;
+    server_name git.tazj.in;
+    location / {
+        proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
+    }
+}
+
+# TazBlog
+server {
+    listen      443 ssl http2 default_server;
+    server_name www.tazj.in tazj.in default;
+
+    location / {
+        proxy_pass http://tazblog-priv.default.svc.cluster.local/;
+    }
+}
diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
new file mode 100644
index 000000000000..7c25877b27d8
--- /dev/null
+++ b/nginx/conf/main.conf
@@ -0,0 +1,52 @@
+user  nginx;
+worker_processes  1;
+daemon off;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+
+    keepalive_timeout  65;
+    gzip  on;
+
+    # Modern SSL config
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+
+    # Logstash log format
+    log_format logstash '$http_host '
+    '$remote_addr [$time_local] '
+    '"$request" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" '
+    '$request_time '
+    '$upstream_response_time';
+
+    access_log   /var/log/nginx/access.log  logstash;
+
+    # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
+    ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
+    ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+
+    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+    add_header Strict-Transport-Security max-age=15768000;
+
+    include /etc/nginx/conf/http.conf;
+}
+
+stream {
+    include /etc/nginx/conf/stream.conf;
+}
diff --git a/nginx/conf/stream.conf b/nginx/conf/stream.conf
new file mode 100644
index 000000000000..6b13de67773c
--- /dev/null
+++ b/nginx/conf/stream.conf
@@ -0,0 +1,6 @@
+# Gogs SSH tunneling
+
+server {
+    listen 22;
+    proxy_pass gogs-priv.default.svc.cluster.local:22;
+}
diff --git a/nginx/nginx-rc.yaml b/nginx/nginx-rc.yaml
index 3f3a923efe3a..65f282a2ede1 100644
--- a/nginx/nginx-rc.yaml
+++ b/nginx/nginx-rc.yaml
@@ -2,22 +2,22 @@
 apiVersion: v1
 kind: ReplicationController
 metadata:
-  name: nginx-v3
+  name: nginx-v4
   labels:
     app: nginx
-    version: 1.9.11
-    spec: v3
+    version: 1.9.12
+    spec: v4
 spec:
   replicas: 2
   selector:
     app: nginx
-    rcv: v3
+    rcv: v4
   template:
     metadata:
       labels:
         app: nginx
         lb-target: nginx
-        rcv: v3
+        rcv: v4
     spec:
       containers:
         - image: nginx:1.9.11
@@ -28,9 +28,13 @@ spec:
             - name: nginx-dhparam
               mountPath: /etc/nginx/ssl/dhparam
             - name: nginx-config
-              mountPath: /etc/nginx/conf.d
+              mountPath: /etc/nginx/conf
             - name: nginx-logs
               mountPath: /var/log/nginx
+          command:
+            - '/usr/sbin/nginx'
+            - '-c'
+            - '/etc/nginx/conf/main.conf'
           ports:
             - containerPort: 80
             - containerPort: 443
diff --git a/nginx/replace-config b/nginx/replace-config
index 5640b8200aa0..2542a2c683e3 100755
--- a/nginx/replace-config
+++ b/nginx/replace-config
@@ -1,7 +1,9 @@
 #!/bin/bash
 set -ueo pipefail
 
-readonly server_conf=$(cat server.conf | base64 -w0)
+readonly main_conf=$(cat conf/main.conf | base64 -w0)
+readonly http_conf=$(cat conf/http.conf | base64 -w0)
+readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
 
 echo "Replacing nginx configuration ..."
 kubectl replace --force -f - <<EOF
@@ -10,5 +12,7 @@ kind: Secret
 metadata:
   name: nginx-config
 data:
-  server.conf: ${server_conf}
+  main.conf: ${main_conf}
+  http.conf: ${http_conf}
+  stream.conf: ${stream_conf}
 EOF
diff --git a/nginx/server.conf b/nginx/server.conf
deleted file mode 100644
index 218775ba7dbc..000000000000
--- a/nginx/server.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Logstash log format
-log_format logstash '$http_host '
-'$remote_addr [$time_local] '
-'"$request" $status $body_bytes_sent '
-'"$http_referer" "$http_user_agent" '
-'$request_time '
-'$upstream_response_time';
-
-access_log   /var/log/nginx/access.log  logstash;
-
-# Modern SSL config
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
-
-# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
-ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
-ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
-
-# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security max-age=15768000;
-
-server {
-    listen       80;
-    server_name  *.tazj.in tazj.in;
-    return       301 https://$server_name$request_uri;
-}
-
-# Simple IP echo thing
-server {
-    listen 80;
-    server_name ip.tazj.in;
-    access_log off;
-    add_header "Content-Type" "text/plain";
-    return 200 "$remote_addr\n";
-}
-
-# Redirect for oslo.pub
-server {
-	listen 80;
-    listen 443 ssl;
-	server_name oslo.pub *.oslo.pub;
-	return 302 https://git.tazj.in/tazjin/pubkartet;
-}
-
-# TazBlog
-server {
-    listen      443 ssl http2 default_server;
-    server_name www.tazj.in tazj.in default;
-
-    location / {
-        proxy_pass http://tazblog-priv.default.svc.cluster.local/;
-    }
-}

 

generated by cgit-pink 1.4.1 (git 2.44.2) at 2024-11-10T06·46+0000