diff options
author | Vincent Ambo <vincent@kivra.com> | 2016-03-01T00·11+0100 |
---|---|---|
committer | Vincent Ambo <vincent@kivra.com> | 2016-03-01T00·11+0100 |
commit | a2c95a740d84f71158b28776b337407269251ce5 (patch) | |
tree | e8719005e6092373807933e3ddd034112e348a4f | |
parent | 4bf511ba139d03a45426bb63e86c4dc589723123 (diff) |
[nginx] Add RC and config
-rwxr-xr-x | nginx/generate-dhparam | 14 | ||||
-rw-r--r-- | nginx/nginx-rc.yaml | 42 | ||||
-rw-r--r-- | nginx/nginx-svc.yaml | 16 | ||||
-rwxr-xr-x | nginx/replace-config | 14 | ||||
-rw-r--r-- | nginx/server.conf | 49 |
5 files changed, 135 insertions, 0 deletions
diff --git a/nginx/generate-dhparam b/nginx/generate-dhparam new file mode 100755 index 000000000000..ef923cc7f6da --- /dev/null +++ b/nginx/generate-dhparam @@ -0,0 +1,14 @@ +#!/bin/bash + +readonly dhparam=$(openssl dhparam 2048 | base64 -w0) + +echo "Inserting new DH parameter ..." +kubectl replace --force -f - <<EOF +apiVersion: v1 +kind: Secret +metadata: + name: nginx-dhparam +data: + tls.dhparam: ${dhparam} +EOF + diff --git a/nginx/nginx-rc.yaml b/nginx/nginx-rc.yaml new file mode 100644 index 000000000000..5a1c1f43689b --- /dev/null +++ b/nginx/nginx-rc.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: v1 +kind: ReplicationController +metadata: + name: nginx + labels: + app: nginx + version: 1.9.11 + spec: v1 +spec: + replicas: 2 + selector: + app: nginx + template: + metadata: + labels: + app: nginx + lb-target: nginx + spec: + containers: + - image: nginx:1.9.11 + name: nginx + volumeMounts: + - name: tazj-in-tls + mountPath: /etc/nginx/ssl/tazj.in + - name: nginx-dhparam + mountPath: /etc/nginx/ssl/dhparam + - name: nginx-config + mountPath: /etc/nginx/conf.d + ports: + - containerPort: 80 + - containerPort: 443 + volumes: + - name: tazj-in-tls + secret: + secretName: tazj-in-tls + - name: nginx-dhparam + secret: + secretName: nginx-dhparam + - name: nginx-config + secret: + secretName: nginx-config diff --git a/nginx/nginx-svc.yaml b/nginx/nginx-svc.yaml new file mode 100644 index 000000000000..45e4e2ab1ec5 --- /dev/null +++ b/nginx/nginx-svc.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx + labels: + app: nginx +spec: + type: LoadBalancer + selector: + lb-target: nginx + ports: + - port: 80 + name: http + - port: 443 + name: https diff --git a/nginx/replace-config b/nginx/replace-config new file mode 100755 index 000000000000..5640b8200aa0 --- /dev/null +++ b/nginx/replace-config @@ -0,0 +1,14 @@ +#!/bin/bash +set -ueo pipefail + +readonly server_conf=$(cat server.conf | base64 -w0) + +echo "Replacing nginx configuration ..." +kubectl replace --force -f - <<EOF +apiVersion: v1 +kind: Secret +metadata: + name: nginx-config +data: + server.conf: ${server_conf} +EOF diff --git a/nginx/server.conf b/nginx/server.conf new file mode 100644 index 000000000000..965e36259dad --- /dev/null +++ b/nginx/server.conf @@ -0,0 +1,49 @@ +# Logstash log format +log_format logstash '$http_host ' +'$remote_addr [$time_local] ' +'"$request" $status $body_bytes_sent ' +'"$http_referer" "$http_user_agent" ' +'$request_time ' +'$upstream_response_time'; + +# Modern SSL config +ssl_protocols TLSv1.2; +ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; +ssl_prefer_server_ciphers on; +ssl_session_timeout 1d; +ssl_session_cache shared:SSL:50m; +ssl_session_tickets off; +ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam; + +# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub) +ssl_certificate /etc/nginx/ssl/tazj.in/tls.key; +ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt; + +# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) +add_header Strict-Transport-Security max-age=15768000; + +server { + listen 80; + server_name *.tazj.in tazj.in; + access_log /var/log/nginx/tls_redirect.log logstash; + return 301 https://$server_name$request_uri; +} + +# Simple IP echo thing +server { + listen 80; + server_name ip.tazj.in; + access_log off; + add_header "Content-Type" "text/plain"; + return 200 "$remote_addr\n"; +} + +# TazBlog +server { + listen 443 ssl http2 default_server; + server_name www.tazj.in tazj.in default; + + location / { + proxy_pass http://tazblog-priv.default.svc.cluster.local/; + } +} |