authorVincent Ambo <vincent@kivra.com>2016-03-01T00·11+0100
committerVincent Ambo <vincent@kivra.com>2016-03-01T00·11+0100
commita2c95a740d84f71158b28776b337407269251ce5 (patch)
treee8719005e6092373807933e3ddd034112e348a4f
parent4bf511ba139d03a45426bb63e86c4dc589723123 (diff)
[nginx] Add RC and config
-rwxr-xr-xnginx/generate-dhparam14
-rw-r--r--nginx/nginx-rc.yaml42
-rw-r--r--nginx/nginx-svc.yaml16
-rwxr-xr-xnginx/replace-config14
-rw-r--r--nginx/server.conf49
5 files changed, 135 insertions, 0 deletions
diff --git a/nginx/generate-dhparam b/nginx/generate-dhparam
new file mode 100755
index 000000000000..ef923cc7f6da
--- /dev/null
+++ b/nginx/generate-dhparam
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+readonly dhparam=$(openssl dhparam 2048 | base64 -w0)
+
+echo "Inserting new DH parameter ..."
+kubectl replace --force -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nginx-dhparam
+data:
+  tls.dhparam: ${dhparam}
+EOF
+
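Review bot: A failed `openssl dhparam` on the `readonly dhparam=$(...)` line still reaches `kubectl replace --force`, which would then delete the existing nginx-dhparam Secret and recreate it with an empty `tls.dhparam`, leaving nginx with no loadable parameters. The script has no `set -e` (unlike replace-config in the same commit), and even with it the assignment inside `readonly` masks the substitution's exit status (ShellCheck SC2155). Declare and assign separately: `set -ueo pipefail`, `dhparam=$(openssl dhparam 2048 | base64 -w0)`, `readonly dhparam`, and consider aborting on an empty value before the heredoc runs.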
diff --git a/nginx/nginx-rc.yaml b/nginx/nginx-rc.yaml
new file mode 100644
index 000000000000..5a1c1f43689b
--- /dev/null
+++ b/nginx/nginx-rc.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+    version: 1.9.11
+    spec: v1
+spec:
+  replicas: 2
+  selector:
+    app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+        lb-target: nginx
+    spec:
+      containers:
+        - image: nginx:1.9.11
+          name: nginx
+          volumeMounts:
+            - name: tazj-in-tls
+              mountPath: /etc/nginx/ssl/tazj.in
+            - name: nginx-dhparam
+              mountPath: /etc/nginx/ssl/dhparam
+            - name: nginx-config
+              mountPath: /etc/nginx/conf.d
+          ports:
+            - containerPort: 80
+            - containerPort: 443
+      volumes:
+        - name: tazj-in-tls
+          secret:
+            secretName: tazj-in-tls
+        - name: nginx-dhparam
+          secret:
+            secretName: nginx-dhparam
+        - name: nginx-config
+          secret:
+            secretName: nginx-config
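Review bot: The three secret volumeMounts (TLS key, dhparam, config) are mounted without `readOnly: true`; add it to each so a compromised nginx process cannot rewrite its own configuration or key material in place. The container also carries no `resources` limits and no `securityContext`, so it runs as whatever user the nginx:1.9.11 image defaults to (presumably root) with unbounded CPU and memory — for an internet-facing pod at least `resources.limits` is worth setting. These are hardening suggestions and do not block the change.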
diff --git a/nginx/nginx-svc.yaml b/nginx/nginx-svc.yaml
new file mode 100644
index 000000000000..45e4e2ab1ec5
--- /dev/null
+++ b/nginx/nginx-svc.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+spec:
+  type: LoadBalancer
+  selector:
+    lb-target: nginx
+  ports:
+    - port: 80
+      name: http
+    - port: 443
+      name: https
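Review bot: With `type: LoadBalancer` and no traffic-policy setting, connections are typically SNATed by kube-proxy before reaching the pods, so nginx will likely see a node or proxy address in `$remote_addr` rather than the client's; that affects both the logstash access log and the ip.tazj.in echo endpoint defined in server.conf in this commit. Whether source IP is preserved depends on the cloud provider and cluster version, so please verify on the deployed cluster. If it is not, the log format and the echo endpoint will need PROXY protocol or an `X-Forwarded-For` source to be meaningful.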
diff --git a/nginx/replace-config b/nginx/replace-config
new file mode 100755
index 000000000000..5640b8200aa0
--- /dev/null
+++ b/nginx/replace-config
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -ueo pipefail
+
+readonly server_conf=$(cat server.conf | base64 -w0)
+
+echo "Replacing nginx configuration ..."
+kubectl replace --force -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nginx-config
+data:
+  server.conf: ${server_conf}
+EOF
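Review bot: `readonly server_conf=$(cat server.conf | base64 -w0)` defeats the `set -ueo pipefail` above it: the status `set -e` sees is that of the `readonly` builtin, not the pipeline (ShellCheck SC2155), so a missing or unreadable server.conf still pushes a Secret with an empty `server.conf` via `kubectl replace --force`. The path is also resolved against the caller's working directory rather than the script's location. Assign and declare separately and anchor the path: `server_conf=$(base64 -w0 < "$(dirname "$0")/server.conf")` followed by `readonly server_conf`.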
diff --git a/nginx/server.conf b/nginx/server.conf
new file mode 100644
index 000000000000..965e36259dad
--- /dev/null
+++ b/nginx/server.conf
@@ -0,0 +1,49 @@
+# Logstash log format
+log_format logstash '$http_host '
+'$remote_addr [$time_local] '
+'"$request" $status $body_bytes_sent '
+'"$http_referer" "$http_user_agent" '
+'$request_time '
+'$upstream_response_time';
+
+# Modern SSL config
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+
+# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
+ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
+ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+
+# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+add_header Strict-Transport-Security max-age=15768000;
+
+server {
+    listen       80;
+    server_name  *.tazj.in tazj.in;
+    access_log   /var/log/nginx/tls_redirect.log  logstash;
+    return       301 https://$server_name$request_uri;
+}
+
+# Simple IP echo thing
+server {
+    listen 80;
+    server_name ip.tazj.in;
+    access_log off;
+    add_header "Content-Type" "text/plain";
+    return 200 "$remote_addr\n";
+}
+
+# TazBlog
+server {
+    listen      443 ssl http2 default_server;
+    server_name www.tazj.in tazj.in default;
+
+    location / {
+        proxy_pass http://tazblog-priv.default.svc.cluster.local/;
+    }
+}
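Review bot: `ssl_certificate` and `ssl_certificate_key` look swapped: `ssl_certificate` points at `tls.key` and `ssl_certificate_key` at `tls.crt`, whereas by Kubernetes TLS-secret convention `tls.crt` holds the certificate chain and `tls.key` the private key, so nginx will refuse to load the 443 server unless the tazj-in-tls secret was populated with the names inverted — please verify its contents. Separately, the port-80 redirect uses `$server_name`, which expands to the first name in the directive, i.e. the literal `*.tazj.in`, so browsers are sent to `https://*.tazj.in/...`; `return 301 https://$host$request_uri;` is the intended form. Because that block is also the implicit default server for port 80, `$host` is then attacker-chosen for unknown Host headers, so pair it with a catch-all `listen 80 default_server; server_name _; return 444;` block. The ip.tazj.in block should use `default_type text/plain;` rather than `add_header "Content-Type"`, which appends a second Content-Type header beside the one nginx already sets.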