diff --git a/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh b/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
index 025edb22f4b700d9f70278edf3dce40ef301209b..55993953ad438de5d07d1cc55023e0114fbf5978 100755
--- a/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
+++ b/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
@@ -180,3 +180,13 @@ cat > "/usr/share/nginx/html/.well-known/acme-challenge/active.html" << EOF
 </body>
 </html>
 EOF
+
+
+cat > "/etc/nginx/conf.d/lb.qoto.org-activate.conf" << EOF
+server {
+ server_name lb.qoto.org;
+ listen 80;
+
+ include /etc/nginx/vhost.d/default*;
+}
+EOF
diff --git a/swarm-proxy-letsencrypt/app/letsencrypt_service b/swarm-proxy-letsencrypt/app/letsencrypt_service
index cbc68fa80403edda2bd22e74f91c60c05ab38e45..f3fbc869b59b4982f1d914895fceed6f0e31fe80 100755
--- a/swarm-proxy-letsencrypt/app/letsencrypt_service
+++ b/swarm-proxy-letsencrypt/app/letsencrypt_service
@@ -331,7 +331,7 @@ function update_certs {
 server {
 server_name ${LE_HOST};
- listen 443 ssl http2 ;
+ listen 444 ssl http2 ;
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
diff --git a/swarm-proxy-letsencrypt/swarm-proxy.tmpl b/swarm-proxy-letsencrypt/swarm-proxy.tmpl
deleted file mode 100644
index 1306fad72f636d9961f3d268ad62415f2b26be5b..0000000000000000000000000000000000000000
--- a/swarm-proxy-letsencrypt/swarm-proxy.tmpl
+++ /dev/null
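Review bot: The new `lb.qoto.org-activate.conf` heredoc hard-codes a site-specific hostname into a generic entrypoint, while `01-copy-default-entry.sh` in this same commit parameterizes its host through `${SWARM_PROXY_FALLTHROUGH_HTTP_HOST:-…}`. The heredoc delimiter is unquoted, so the same pattern works here, e.g. `server_name ${SWARM_PROXY_ACTIVATE_HOST:?must be set};` (constructed name), which makes the image reusable and fails loudly instead of shipping someone else's hostname when the value is missing. This block also listens on port 80 only and carries no `/.well-known/acme-challenge/` location; if the included `vhost.d/default*` files are expected to provide that, a comment above the `cat` saying so would help the next reader. The `cat > …active.html` heredoc that opens this hunk begins before line 180, outside the hunk.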
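Review bot: `listen 444 ssl http2 ;` binds the per-host TLS server on all interfaces, yet port 444 exists only as the handover target of the new `ssl_preread` stream server (`local_https` → `127.0.0.1:444` in `https-routing.conf.tmpl`), so it should be `listen 127.0.0.1:444 ssl http2;` if, as that loopback address implies, the rendered config runs in the same nginx instance as the stream block. Otherwise any deployment that publishes 444 or exposes it on the overlay network lets clients bypass the SNI routing layer entirely. The number is now duplicated across two files with no explanation; a comment next to the listen line such as `# 444: loopback-only target of the stream-level SNI router (https-routing.conf.tmpl); 443 is owned by the stream block` would keep the two from drifting apart. The body of `update_certs` continues outside the hunk.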
@@ -1,42 +0,0 @@
-### BEGIN SERVICE ###
-upstream ${HOST}_upstream {
- server ${UPSTREAM}:${PORT};
-}
-
-server {
- server_name ${HOST};
- listen 80 ;
-
- location /.well-known/acme-challenge/ {
- auth_basic off;
- allow all;
- root /usr/share/nginx/html;
- try_files $uri =404;
- break;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- server_name ${HOST};
- listen 443 ssl http2 ;
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- ssl_certificate /etc/nginx/certs/${HOST}.crt;
- ssl_certificate_key /etc/nginx/certs/${HOST}.key;
- ssl_dhparam /etc/nginx/certs/${HOST}.dhparam.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/nginx/certs/${HOST}.chain.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- include /etc/nginx/vhost.d/*;
-
- location / {
- proxy_pass http://${HOST}_upstream;
- }
-}
-### END SERVICE ###
diff --git a/swarm-proxy/01-copy-default-entry.sh b/swarm-proxy/01-copy-default-entry.sh
index 6589412bcfad26375a51dcaf0b486acb7e956f99..44ed37904248c628f2ddcc625b88caac72fd58f8 100755
--- a/swarm-proxy/01-copy-default-entry.sh
+++ b/swarm-proxy/01-copy-default-entry.sh
@@ -1,7 +1,36 @@
 #!/bin/bash
 set -e
-echo "Copying default.conf to conf.d directory"
+echo "Copying serv.d/default.conf to serv.d directory"
+cat > "/etc/nginx/serv.d/default.conf" << EOF
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
+ '\$status $body_bytes_sent "\$http_referer" '
+ '"\$http_user_agent" "\$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*;
+}
+EOF
+
+
+echo "Copying conf.d/default.conf to conf.d directory"
 cat > "/etc/nginx/conf.d/default.conf" << EOF
 ############################################################################
 ## General Configuration
@@ -51,7 +80,7 @@ access_log off;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 ssl_prefer_server_ciphers off;
-#resolver 10.0.0.2;
+resolver 10.0.0.2;
 # HTTP 1.1 support
 proxy_http_version 1.1;
@@ -73,21 +102,17 @@ proxy_set_header Proxy "";
 ## Catch all Servers
 ############################################################################
-upstream gitlab_pages_upstream {
- server host.docker.internal:8080;
+upstream fallthrough_http_upstream {
+ server ${SWARM_PROXY_FALLTHROUGH_HTTP_HOST:-host.docker.internal}:${SWARM_PROXY_FALLTHROUGH_HTTP_PORT:-8080};
 }
 server {
 listen 80 default_server;
 server_name _;
- include /etc/nginx/vhost.d/git.qoto.org*;
- include /etc/nginx/vhost.d/default*;
-
 location / {
- proxy_pass http://gitlab_pages_upstream;
+ proxy_pass http://fallthrough_http_upstream;
 }
 }
-
 EOF
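Review bot: In the `log_format main` block, `$body_bytes_sent` is the only nginx variable left unescaped inside the unquoted `<< EOF` heredoc, so bash expands it to an empty string at container start (the script sets `-e` but not `-u`, so nothing complains) and the generated log format silently loses the response-size field; change the line to `'\$status \$body_bytes_sent "\$http_referer" '`. Nothing in this first heredoc needs shell expansion, so the more robust fix is `cat > "/etc/nginx/serv.d/default.conf" << 'EOF'` with the backslashes dropped, which makes the whole block literal and cannot regress this way. Because `/etc/nginx/serv.d` becomes a volume in the Dockerfile hunk of this commit, this `cat >` also overwrites whatever `default.conf` a previously mounted volume holds on every boot; a one-line comment above the `cat` stating that the file is regenerated at each start would make that explicit.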
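Review bot: `resolver 10.0.0.2;` bakes a deployment-specific DNS server into the image's default.conf; inside Docker the embedded resolver is `127.0.0.11`, so any other deployment either fails upstream name resolution or sends its DNS queries to an unrelated host at that address. This heredoc is already unquoted and the next hunk parameterizes the fallthrough host the same way, so `resolver ${SWARM_PROXY_RESOLVER:-10.0.0.2} valid=30s;` (constructed variable name) keeps today's default while making it overridable and bounds how long a stale answer is reused. If the network has no IPv6 path, `ipv6=off` on the same line avoids nginx also querying AAAA records.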
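Review bot: `${SWARM_PROXY_FALLTHROUGH_HTTP_HOST:-host.docker.internal}` and `${SWARM_PROXY_FALLTHROUGH_HTTP_PORT:-8080}` are spliced into the catch-all `upstream` by the unquoted heredoc with no validation, so a value containing `;`, `}` or a newline becomes arbitrary nginx configuration. The values are operator-supplied, but a short guard before the `cat` turns a typo or a bad compose file into an immediate failure rather than a config that loads with unintended directives: `[[ "${SWARM_PROXY_FALLTHROUGH_HTTP_PORT:-8080}" =~ ^[0-9]{1,5}$ ]] || { echo "bad SWARM_PROXY_FALLTHROUGH_HTTP_PORT" >&2; exit 1; }` plus the analogous `^[A-Za-z0-9.-]+$` check on the host. With the `vhost.d/default*` include removed here, the `default_server` on port 80 now forwards every request with an unrecognised Host header to that upstream, presumably including ACME HTTP-01 probes for names that have no generated vhost yet; if that is intended, a comment on the `server {` block should say so.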
diff --git a/swarm-proxy/Dockerfile b/swarm-proxy/Dockerfile
index 35f705d411345b22d9fb5a98aed97fb32258f0ef..9c1b813a4902e18dba5b1afea39d7ab8ab203bd3 100644
--- a/swarm-proxy/Dockerfile
+++ b/swarm-proxy/Dockerfile
@@ -6,14 +6,18 @@ LABEL maintainer="Jeffrey Phillips Freeman the@jeffreyfreeman.me"
 RUN sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf && \
 mkdir -p /etc/swarm-proxy && \
 mkdir -p /usr/share/swarm-proxy && \
- rm /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
+ rm /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh && \
+ rm /etc/nginx/nginx.conf && \
+ mkdir -p /etc/nginx/serv.d
+COPY nginx.conf /etc/nginx/
 COPY dhparam.pem.default /etc/swarm-proxy/
 COPY generate-dhparam /usr/bin/
 COPY swarm-gen.conf /etc/swarm-gen/
-COPY swarm-proxy.tmpl /etc/swarm-gen/templates/
+COPY swarm-proxy.conf.tmpl /etc/swarm-gen/templates/
+COPY https-routing.conf.tmpl /etc/swarm-gen/templates/
 COPY 01-copy-default-entry.sh /docker-entrypoint.d/
-VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam", "/etc/nginx/conf.d", "/etc/nginx/vhost.d", "/usr/share/nginx/html"]
+VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam", "/etc/nginx/conf.d", "/etc/nginx/vhost.d", "/etc/nginx/serv.d", "/usr/share/nginx/html"]
 ENV DOCKER_HOST unix:///var/run/docker.sock
diff --git a/swarm-proxy/https-routing.conf.tmpl b/swarm-proxy/https-routing.conf.tmpl
new file mode 100644
index 0000000000000000000000000000000000000000..4266bcc428e647e92362cf9e15fd739b3657b61e
--- /dev/null
+++ b/swarm-proxy/https-routing.conf.tmpl
@@ -0,0 +1,24 @@
+stream {
+
+ map $ssl_preread_server_name $name {
+### BEGIN SERVICE ###
+ ${HOST} local_https;
+### END SERVICE ###
+ default fallthrough_https_upstream;
+ }
+
+ upstream fallthrough_https_upstream {
+ server host.docker.internal:8080;
+ }
+
+ upstream local_https {
+ server 127.0.0.1:444;
+ }
+
+ server {
+ listen 443;
+ proxy_pass $name;
+ ssl_preread on;
+ }
+}
+
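Review bot: The `RUN` chain still begins with `sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf` and then deletes that very file two steps later in the same layer, while the `COPY nginx.conf /etc/nginx/` that replaces it already carries `worker_processes auto;`, so the sed is dead work that will mislead the next reader; drop it and start the chain at `RUN mkdir -p /etc/swarm-proxy && \`. Adding `/etc/nginx/serv.d` to `VOLUME` also means the `https-routing.conf` rendered there by swarm-gen and the `default.conf` written by the entrypoint persist across image upgrades and are overwritten on each start; a comment beside the `VOLUME` line noting that both files are regenerated at runtime would make that behaviour intentional rather than surprising.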
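Review bot: The `server { listen 443; … }` stream block hands every TLS connection to `127.0.0.1:444` as plain TCP, so the per-host HTTPS vhosts now see `127.0.0.1` as `$remote_addr`; the access log and any `allow`/`deny` or rate-limit keyed on client IP in `vhost.d` will record loopback instead of the real client. Add `proxy_protocol on;` to that server block and accept it on the http side (`listen 127.0.0.1:444 ssl http2 proxy_protocol;` together with `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;`) so client addresses survive the hop for logging and incident forensics. `fallthrough_https_upstream` also hard-codes `host.docker.internal:8080` while the HTTP counterpart in `01-copy-default-entry.sh` is parameterized in this same commit; unless swarm-gen templates cannot read the environment, the same `${SWARM_PROXY_FALLTHROUGH_…}` defaults belong here, and since this path passes raw TLS through, the endpoint on 8080 must terminate TLS itself, which is worth confirming and stating in a comment above the upstream. A short comment that unmatched or absent SNI falls through to that upstream would also document the `default` arm of the map.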
diff --git a/swarm-proxy/nginx.conf b/swarm-proxy/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..95e556fa0b319861f404ad7e543470b4bf656767
--- /dev/null
+++ b/swarm-proxy/nginx.conf
@@ -0,0 +1,8 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+include /etc/nginx/serv.d/*;
diff --git a/swarm-proxy/swarm-gen.conf b/swarm-proxy/swarm-gen.conf
index 1397729aeea0722fd045a451e0a942436fa45979..45f1b3d48f603575e3b9bb3d95433fed5ae92926 100644
--- a/swarm-proxy/swarm-gen.conf
+++ b/swarm-proxy/swarm-gen.conf
@@ -2,6 +2,11 @@
 interval=5
 wait=5
+[[directory]]
+dir=/etc/nginx/serv.d
+notifycmd=nginx -s reload
+wait=5
+
 [[directory]]
 dir=/etc/nginx/vhost.d
 notifycmd=nginx -s reload
@@ -23,6 +28,11 @@ notifycmd=nginx -s reload
 wait=5
 [[template]]
-template=/etc/swarm-gen/templates/swarm-proxy.tmpl
+template=/etc/swarm-gen/templates/swarm-proxy.conf.tmpl
 dest=/etc/nginx/conf.d/swarm-proxy.conf
 notifycmd=nginx -s reload
+
+[[template]]
+template=/etc/swarm-gen/templates/https-routing.conf.tmpl
+dest=/etc/nginx/serv.d/https-routing.conf
+notifycmd=nginx -s reload
diff --git a/swarm-proxy/swarm-proxy.tmpl b/swarm-proxy/swarm-proxy.conf.tmpl
similarity index 100%
rename from swarm-proxy/swarm-proxy.tmpl
rename to swarm-proxy/swarm-proxy.conf.tmpl
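Review bot: This replacement `nginx.conf` contains no `events {}` block, which nginx requires, and is only loadable because `01-copy-default-entry.sh` writes `/etc/nginx/serv.d/default.conf` with the `events` and `http` blocks before nginx starts and `include /etc/nginx/serv.d/*;` picks it up. That coupling is invisible from this file, so add a comment above the include such as `# events{} and http{} are supplied by serv.d/default.conf (written by the entrypoint); serv.d/https-routing.conf (rendered by swarm-gen) adds the stream{} block`. A reader who mounts an empty serv.d volume will otherwise get an nginx that refuses to start with no hint why.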
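Review bot: The new `[[directory]]` watcher on `/etc/nginx/serv.d` fires `nginx -s reload` for any write in that directory, and the new `[[template]]` in the second hunk writes its `dest=/etc/nginx/serv.d/https-routing.conf` into the same directory with its own `notifycmd=nginx -s reload`, so a single render presumably triggers two reloads back to back, and the entrypoint's `default.conf` write at boot adds a third. If that is acceptable, a comment on the serv.d watcher saying which writers it is meant to catch (operator-dropped files, not the template output) would stop someone from "fixing" it later; if not, the watcher's `notifycmd` could be omitted and the template left to reload on its own.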