-rw-r--r-- | nginx/conf/http.conf | 42 | ||||
-rw-r--r-- | nginx/conf/main.conf | 52 | ||||
-rw-r--r-- | nginx/conf/stream.conf | 6 | ||||
-rw-r--r-- | nginx/nginx-rc.yaml | 16 | ||||
-rwxr-xr-x | nginx/replace-config | 8 | ||||
-rw-r--r-- | nginx/server.conf | 58 |
6 files changed, 116 insertions, 66 deletions
diff --git a/nginx/conf/http.conf b/nginx/conf/http.conf
new file mode 100644
index 000000000000..fc287e5f6bc6
--- /dev/null
+++ b/nginx/conf/http.conf
@@ -0,0 +1,42 @@
+# Default TLS redirect
+server {
+ listen 80;
+ server_name *.tazj.in tazj.in;
+ return 301 https://$server_name$request_uri;
+}
+
+# Simple IP echo thing
+server {
+ listen 80;
+ server_name ip.tazj.in;
+ access_log off;
+ add_header "Content-Type" "text/plain";
+ return 200 "$remote_addr\n";
+}
+
+# Redirect for oslo.pub
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name oslo.pub *.oslo.pub;
+ return 302 https://git.tazj.in/tazjin/pubkartet;
+}
+
+# Gogs web interface
+server {
+ listen 443 ssl http2;
+ server_name git.tazj.in;
+ location / {
+ proxy_pass http://gogs-priv.default.svc.cluster.local:3000;
+ }
+}
+
+# TazBlog
+server {
+ listen 443 ssl http2 default_server;
+ server_name www.tazj.in tazj.in default;
+
+ location / {
+ proxy_pass http://tazblog-priv.default.svc.cluster.local/;
+ }
+}
diff --git a/nginx/conf/main.conf b/nginx/conf/main.conf
new file mode 100644
index 000000000000..7c25877b27d8
--- /dev/null
+++ b/nginx/conf/main.conf
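Review bot: The `return 301 https://$server_name$request_uri;` in the first server block redirects clients to a literal `https://*.tazj.in/...`, because `$server_name` expands to the first name in the `server_name` directive and here that is the wildcard; `return 301 https://$host$request_uri;` is what is intended. This block is also the implicit default for port 80 (first `listen 80` in file order), so with `$host` an arbitrary Host header gets echoed into the Location; a separate `listen 80 default_server; return 444;` block closes that. The oslo.pub block does `listen 443 ssl` but sets no `ssl_certificate`, so it inherits and serves the tazj.in certificate and browsers will fail validation, contrary to the "certs need to be overriden" comment in main.conf. Neither `proxy_pass` block forwards the client's Host, address or scheme, so Gogs and the blog see the nginx pod as the client and cannot tell the request arrived over TLS; consider `proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https;` in each. In the ip.tazj.in block `add_header "Content-Type" "text/plain"` appends a second Content-Type next to the `default_type` one; `default_type text/plain;` is the correct way to set it for a `return`.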
@@ -0,0 +1,52 @@
+user nginx;
+worker_processes 1;
+daemon off;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+ gzip on;
+
+ # Modern SSL config
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
+
+ # Logstash log format
+ log_format logstash '$http_host '
+ '$remote_addr [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ '$request_time '
+ '$upstream_response_time';
+
+ access_log /var/log/nginx/access.log logstash;
+
+ # Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
+ ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
+ ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
+
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+
+ include /etc/nginx/conf/http.conf;
+}
+
+stream {
+ include /etc/nginx/conf/stream.conf;
+}
diff --git a/nginx/conf/stream.conf b/nginx/conf/stream.conf
new file mode 100644
index 000000000000..6b13de67773c
--- /dev/null
+++ b/nginx/conf/stream.conf
@@ -0,0 +1,6 @@
+# Gogs SSH tunneling
+
+server {
+ listen 22;
+ proxy_pass gogs-priv.default.svc.cluster.local:22;
+}
diff --git a/nginx/nginx-rc.yaml b/nginx/nginx-rc.yaml
index 3f3a923efe3a..65f282a2ede1 100644
--- a/nginx/nginx-rc.yaml
+++ b/nginx/nginx-rc.yaml
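Review bot: `ssl_certificate` is pointed at `/etc/nginx/ssl/tazj.in/tls.key` and `ssl_certificate_key` at `/etc/nginx/ssl/tazj.in/tls.crt`, which looks inverted; unless the mounted secret's `tls.key`/`tls.crt` entries are themselves swapped, nginx will refuse to load the certificate at startup, so these should read `ssl_certificate /etc/nginx/ssl/tazj.in/tls.crt;` and `ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.key;`. The same two lines existed in the deleted server.conf, so this is not introduced by the commit, but the new file is where to fix it. Because nginx's `add_header` is not inherited by any server block that declares an `add_header` of its own, the `Strict-Transport-Security` header set at `http` scope silently disappears in such blocks (http.conf's ip.tazj.in block already does this, harmlessly since it is HTTP-only, but a future TLS block would lose HSTS without warning) — a comment saying so above the directive would save the next editor from that. Every suite in `ssl_ciphers` is ECDHE, so `ssl_dhparam` and the dhparam volume it depends on are never consulted; either drop the line or document why it is kept.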
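Review bot: The stream `server` sets no `proxy_timeout`, so the module default of 10 minutes applies and an SSH session through this listener that goes quiet (an interactive shell, a paused transfer) is cut after ten idle minutes; add `proxy_timeout 1h;` (or whatever idle window Gogs users need) and an explicit `proxy_connect_timeout 10s;`. Plain TCP proxying carries no client address and OpenSSH does not speak PROXY protocol, so Gogs' sshd will log the nginx pod as the peer for every connection — any per-source rate limiting or forensics on SSH brute force has to happen on the nginx side, and a comment stating that here would help. The listener binds 22 but the container in nginx-rc.yaml only declares ports 80 and 443, so check the Service/load balancer is actually routing 22 to this pod. The `stream {}` block in main.conf requires an nginx built with `--with-stream`; confirm the `nginx:1.9.11` image used by the RC has it, otherwise the whole config fails to parse.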
@@ -2,22 +2,22 @@
 apiVersion: v1
 kind: ReplicationController
 metadata:
- name: nginx-v3
+ name: nginx-v4
 labels:
 app: nginx
- version: 1.9.11
- spec: v3
+ version: 1.9.12
+ spec: v4
 spec:
 replicas: 2
 selector:
 app: nginx
- rcv: v3
+ rcv: v4
 template:
 metadata:
 labels:
 app: nginx
 lb-target: nginx
- rcv: v3
+ rcv: v4
 spec:
 containers:
 - image: nginx:1.9.11
@@ -28,9 +28,13 @@ spec:
 - name: nginx-dhparam
 mountPath: /etc/nginx/ssl/dhparam
 - name: nginx-config
- mountPath: /etc/nginx/conf.d
+ mountPath: /etc/nginx/conf
 - name: nginx-logs
 mountPath: /var/log/nginx
+ command:
+ - '/usr/sbin/nginx'
+ - '-c'
+ - '/etc/nginx/conf/main.conf'
 ports:
 - containerPort: 80
 - containerPort: 443
diff --git a/nginx/replace-config b/nginx/replace-config
index 5640b8200aa0..2542a2c683e3 100755
--- a/nginx/replace-config
+++ b/nginx/replace-config
@@ -1,7 +1,9 @@
 #!/bin/bash
 set -ueo pipefail
-readonly server_conf=$(cat server.conf | base64 -w0)
+readonly main_conf=$(cat conf/main.conf | base64 -w0)
+readonly http_conf=$(cat conf/http.conf | base64 -w0)
+readonly stream_conf=$(cat conf/stream.conf | base64 -w0)
 echo "Replacing nginx configuration ..."
 kubectl replace --force -f - <<EOF
@@ -10,5 +12,7 @@ kind: Secret
 metadata:
 name: nginx-config
 data:
- server.conf: ${server_conf}
+ main.conf: ${main_conf}
+ http.conf: ${http_conf}
+ stream.conf: ${stream_conf}
 EOF
diff --git a/nginx/server.conf b/nginx/server.conf
deleted file mode 100644
index 218775ba7dbc..000000000000
--- a/nginx/server.conf
+++ /dev/null
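Review bot: The `version` label is bumped to `1.9.12` but the unchanged context line at the end of the hunk still pulls `- image: nginx:1.9.11`, so the label now misdescribes what runs; either bump the image to `- image: nginx:1.9.12` as well or leave the label at `1.9.11`. If the image is bumped, pinning it by digest rather than by tag would make the rollout reproducible.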
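Review bot: With the new `command:` pointing nginx at the Secret-mounted `/etc/nginx/conf/main.conf`, a bad config push now surfaces only as a crash-loop after the pod starts, and with `replicas: 2` both pods take it at once; a `readinessProbe` (`httpGet` on port 80, path `/`) on the container would let a broken config fail one pod without taking the service down. The `ports:` list still declares only 80 and 443 although main.conf's `stream {}` block listens on 22; add `- containerPort: 22` next to them. The `nginx-config` mount is configuration only, so `readOnly: true` on that volumeMount is cheap hardening — the volumeMounts above the hunk are not all visible, so apply it to whichever of them are plain config.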
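Review bot: The three `readonly ..._conf=$(cat conf/... | base64 -w0)` lines read paths relative to the current directory, so the script only works when invoked from `nginx/`; `set -e` makes a wrong cwd fail at the first `cat`, but a `cd "$(dirname "$0")"` after the `set` line would make the script location-independent. Each `cat file | base64 -w0` can be `base64 -w0 < conf/main.conf`. Note that `kubectl replace --force` on the following context line deletes the Secret and recreates it, so a pod scheduled in that window fails to mount `/etc/nginx/conf`; `kubectl apply -f -` updates it in place without the gap.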
@@ -1,58 +0,0 @@
-# Logstash log format
-log_format logstash '$http_host '
-'$remote_addr [$time_local] '
-'"$request" $status $body_bytes_sent '
-'"$http_referer" "$http_user_agent" '
-'$request_time '
-'$upstream_response_time';
-
-access_log /var/log/nginx/access.log logstash;
-
-# Modern SSL config
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-ssl_dhparam /etc/nginx/ssl/dhparam/tls.dhparam;
-
-# Default tazj.in config (certs need to be overriden for other stuff, like oslo.pub)
-ssl_certificate /etc/nginx/ssl/tazj.in/tls.key;
-ssl_certificate_key /etc/nginx/ssl/tazj.in/tls.crt;
-
-# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-add_header Strict-Transport-Security max-age=15768000;
-
-server {
- listen 80;
- server_name *.tazj.in tazj.in;
- return 301 https://$server_name$request_uri;
-}
-
-# Simple IP echo thing
-server {
- listen 80;
- server_name ip.tazj.in;
- access_log off;
- add_header "Content-Type" "text/plain";
- return 200 "$remote_addr\n";
-}
-
-# Redirect for oslo.pub
-server {
- listen 80;
- listen 443 ssl;
- server_name oslo.pub *.oslo.pub;
- return 302 https://git.tazj.in/tazjin/pubkartet;
-}
-
-# TazBlog
-server {
- listen 443 ssl http2 default_server;
- server_name www.tazj.in tazj.in default;
-
- location / {
- proxy_pass http://tazblog-priv.default.svc.cluster.local/;
- }
-}
|