From 36d59e6c97c5e5321e04f1ab745b212d7d997ba6 Mon Sep 17 00:00:00 2001
From: Jeffrey Phillips Freeman <the@jeffreyfreeman.me>
Date: Fri, 16 Oct 2020 10:43:47 -0400
Subject: [PATCH] Feat: Added serv.d directory and some basic framework to allow for improved https routing.
---
 .../99-swarm-proxy-letsencrypt-entry.sh | 10 +++++
 .../app/letsencrypt_service | 2 +-
 swarm-proxy-letsencrypt/swarm-proxy.tmpl | 42 ------------------
 swarm-proxy/01-copy-default-entry.sh | 43 +++++++++++++++----
 swarm-proxy/Dockerfile | 10 +++--
 swarm-proxy/https-routing.conf.tmpl | 24 +++++++++++
 swarm-proxy/nginx.conf | 8 ++++
 swarm-proxy/swarm-gen.conf | 12 +++++-
 ...swarm-proxy.tmpl => swarm-proxy.conf.tmpl} | 0
 9 files changed, 95 insertions(+), 56 deletions(-)
 delete mode 100644 swarm-proxy-letsencrypt/swarm-proxy.tmpl
 create mode 100644 swarm-proxy/https-routing.conf.tmpl
 create mode 100644 swarm-proxy/nginx.conf
 rename swarm-proxy/{swarm-proxy.tmpl => swarm-proxy.conf.tmpl} (100%)
diff --git a/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh b/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
index 025edb2..5599395 100755
--- a/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
+++ b/swarm-proxy-letsencrypt/99-swarm-proxy-letsencrypt-entry.sh
@@ -180,3 +180,13 @@ cat > "/usr/share/nginx/html/.well-known/acme-challenge/active.html" << EOF
 </body>
 </html>
 EOF
+
+
+cat > "/etc/nginx/conf.d/lb.qoto.org-activate.conf" << EOF
+server {
+ server_name lb.qoto.org;
+ listen 80;
+
+ include /etc/nginx/vhost.d/default*;
+}
+EOF
diff --git a/swarm-proxy-letsencrypt/app/letsencrypt_service b/swarm-proxy-letsencrypt/app/letsencrypt_service
index cbc68fa..f3fbc86 100755
--- a/swarm-proxy-letsencrypt/app/letsencrypt_service
+++ b/swarm-proxy-letsencrypt/app/letsencrypt_service
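Review bot: The new `lb.qoto.org-activate.conf` heredoc bakes a deployment-specific hostname into a generic entry script, while the same commit parameterizes the HTTP fallthrough in 01-copy-default-entry.sh through `SWARM_PROXY_FALLTHROUGH_HTTP_*` variables; the server_name should come from the environment the same way, e.g. `server_name ${SWARM_PROXY_LB_HOST:?SWARM_PROXY_LB_HOST must be set};` (the heredoc delimiter is already unquoted, so the expansion happens at container start). The vhost also answers this host on plain port 80 with nothing but the vhost.d include: unlike the deleted swarm-proxy.tmpl it has neither an acme-challenge location nor a `return 301 https://$host$request_uri;`, so unless vhost.d/default* supplies those, the name is served unencrypted with no redirect. A one-line comment above the `cat` stating what this vhost exists for (presumably ACME activation of the proxy's own name) would make that intent checkable. The script continues outside the hunk.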
@@ -331,7 +331,7 @@ function update_certs {
 server {
 server_name ${LE_HOST};
- listen 443 ssl http2 ;
+ listen 444 ssl http2 ;
 ssl_session_timeout 5m;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
diff --git a/swarm-proxy-letsencrypt/swarm-proxy.tmpl b/swarm-proxy-letsencrypt/swarm-proxy.tmpl
deleted file mode 100644
index 1306fad..0000000
--- a/swarm-proxy-letsencrypt/swarm-proxy.tmpl
+++ /dev/null
@@ -1,42 +0,0 @@
-### BEGIN SERVICE ###
-upstream ${HOST}_upstream {
- server ${UPSTREAM}:${PORT};
-}
-
-server {
- server_name ${HOST};
- listen 80 ;
-
- location /.well-known/acme-challenge/ {
- auth_basic off;
- allow all;
- root /usr/share/nginx/html;
- try_files $uri =404;
- break;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- server_name ${HOST};
- listen 443 ssl http2 ;
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- ssl_certificate /etc/nginx/certs/${HOST}.crt;
- ssl_certificate_key /etc/nginx/certs/${HOST}.key;
- ssl_dhparam /etc/nginx/certs/${HOST}.dhparam.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/nginx/certs/${HOST}.chain.pem;
- add_header Strict-Transport-Security "max-age=31536000" always;
- include /etc/nginx/vhost.d/*;
-
- location / {
- proxy_pass http://${HOST}_upstream;
- }
-}
-### END SERVICE ###
diff --git a/swarm-proxy/01-copy-default-entry.sh b/swarm-proxy/01-copy-default-entry.sh
index 6589412..44ed379 100755
--- a/swarm-proxy/01-copy-default-entry.sh
+++ b/swarm-proxy/01-copy-default-entry.sh
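Review bot: `listen 444 ssl http2 ;` binds the per-host TLS vhost on every interface, not only the loopback address the new stream router proxies to (`server 127.0.0.1:444;` in https-routing.conf.tmpl), so port 444 becomes a second entry point that bypasses the SNI map for every certificate-bearing vhost if the container's ports or overlay network ever expose it. Restrict it to loopback: `listen 127.0.0.1:444 ssl http2;`. Note also that once connections arrive through the stream proxy, `$remote_addr` in this vhost — and hence the access log and any allow/deny or rate limit — is 127.0.0.1 rather than the real client, unless the stream server sends PROXY protocol and this listener takes it (`listen 127.0.0.1:444 ssl http2 proxy_protocol;` plus `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`). The update_certs function continues outside the hunk.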
@@ -1,7 +1,36 @@
 #!/bin/bash
 set -e
-echo "Copying default.conf to conf.d directory"
+echo "Copying serv.d/default.conf to serv.d directory"
+cat > "/etc/nginx/serv.d/default.conf" << EOF
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
+ '\$status $body_bytes_sent "\$http_referer" '
+ '"\$http_user_agent" "\$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*;
+}
+EOF
+
+
+echo "Copying conf.d/default.conf to conf.d directory"
 cat > "/etc/nginx/conf.d/default.conf" << EOF
 ############################################################################
 ## General Configuration
@@ -51,7 +80,7 @@ access_log off;
 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 ssl_prefer_server_ciphers off;
-#resolver 10.0.0.2;
+resolver 10.0.0.2;
 # HTTP 1.1 support
 proxy_http_version 1.1;
@@ -73,21 +102,17 @@ proxy_set_header Proxy "";
 ## Catch all Servers
 ############################################################################
-upstream gitlab_pages_upstream {
- server host.docker.internal:8080;
+upstream fallthrough_http_upstream {
+ server ${SWARM_PROXY_FALLTHROUGH_HTTP_HOST:-host.docker.internal}:${SWARM_PROXY_FALLTHROUGH_HTTP_PORT:-8080};
 }
 server {
 listen 80 default_server;
 server_name _;
- include /etc/nginx/vhost.d/git.qoto.org*;
- include /etc/nginx/vhost.d/default*;
-
 location / {
- proxy_pass http://gitlab_pages_upstream;
+ proxy_pass http://fallthrough_http_upstream;
 }
 }
-
 EOF
diff --git a/swarm-proxy/Dockerfile b/swarm-proxy/Dockerfile
index 35f705d..9c1b813 100644
--- a/swarm-proxy/Dockerfile
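Review bot: In the `log_format main` written into serv.d/default.conf, `$body_bytes_sent` is the one variable left unescaped (`'\$status $body_bytes_sent "\$http_referer" '`), and the heredoc delimiter is unquoted, so bash expands it when the entrypoint runs; the script uses `set -e` but not `set -u`, so it silently becomes an empty string and the generated access-log format loses the response-size field without any error. Change that line to `'\$status \$body_bytes_sent "\$http_referer" '`. Separately, `resolver 10.0.0.2;` is now active and hardcoded in the same script whose fallthrough upstream was just parameterized; if that address is deployment-specific it belongs in an environment variable with a default, e.g. `resolver ${SWARM_PROXY_RESOLVER:-10.0.0.2};`. The second heredoc continues outside the hunk.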
+++ b/swarm-proxy/Dockerfile
@@ -6,14 +6,18 @@ LABEL maintainer="Jeffrey Phillips Freeman the@jeffreyfreeman.me"
 RUN sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf && \
 mkdir -p /etc/swarm-proxy && \
 mkdir -p /usr/share/swarm-proxy && \
- rm /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
+ rm /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh && \
+ rm /etc/nginx/nginx.conf && \
+ mkdir -p /etc/nginx/serv.d
+COPY nginx.conf /etc/nginx/
 COPY dhparam.pem.default /etc/swarm-proxy/
 COPY generate-dhparam /usr/bin/
 COPY swarm-gen.conf /etc/swarm-gen/
-COPY swarm-proxy.tmpl /etc/swarm-gen/templates/
+COPY swarm-proxy.conf.tmpl /etc/swarm-gen/templates/
+COPY https-routing.conf.tmpl /etc/swarm-gen/templates/
 COPY 01-copy-default-entry.sh /docker-entrypoint.d/
-VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam", "/etc/nginx/conf.d", "/etc/nginx/vhost.d", "/usr/share/nginx/html"]
+VOLUME ["/etc/nginx/certs", "/etc/nginx/dhparam", "/etc/nginx/conf.d", "/etc/nginx/vhost.d", "/etc/nginx/serv.d", "/usr/share/nginx/html"]
 ENV DOCKER_HOST unix:///var/run/docker.sock
diff --git a/swarm-proxy/https-routing.conf.tmpl b/swarm-proxy/https-routing.conf.tmpl
new file mode 100644
index 0000000..4266bcc
--- /dev/null
+++ b/swarm-proxy/https-routing.conf.tmpl
@@ -0,0 +1,24 @@
+stream {
+
+ map $ssl_preread_server_name $name {
+### BEGIN SERVICE ###
+ ${HOST} local_https;
+### END SERVICE ###
+ default fallthrough_https_upstream;
+ }
+
+ upstream fallthrough_https_upstream {
+ server host.docker.internal:8080;
+ }
+
+ upstream local_https {
+ server 127.0.0.1:444;
+ }
+
+ server {
+ listen 443;
+ proxy_pass $name;
+ ssl_preread on;
+ }
+}
+
diff --git a/swarm-proxy/nginx.conf b/swarm-proxy/nginx.conf
new file mode 100644
index 0000000..95e556f
--- /dev/null
+++ b/swarm-proxy/nginx.conf
@@ -0,0 +1,8 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+include /etc/nginx/serv.d/*;
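Review bot: The RUN still begins with `sed -i 's/worker_processes 1/worker_processes auto/' /etc/nginx/nginx.conf`, editing a file the same RUN now deletes two commands later (`rm /etc/nginx/nginx.conf`), and the replacement nginx.conf copied in by this commit already sets `worker_processes auto;`; drop the sed and start the chain at `mkdir -p /etc/swarm-proxy && \`. The new `/etc/nginx/serv.d` volume deserves a warning comment, since the new nginx.conf includes everything in it at top-level context, where a mounted file can set `user`, `load_module` or replace the whole http block — something like `# serv.d is included at top-level nginx context: whoever can write this volume controls the daemon` above the VOLUME line.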
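Review bot: `fallthrough_https_upstream` hardcodes `host.docker.internal:8080`, the same host and port the HTTP fallthrough in 01-copy-default-entry.sh now reads from `SWARM_PROXY_FALLTHROUGH_HTTP_HOST`/`PORT` and speaks plain HTTP to; unknown-SNI TLS connections are forwarded to it as raw bytes, so unless that backend terminates TLS on 8080 they will simply fail. Presumably a separate `SWARM_PROXY_FALLTHROUGH_HTTPS_HOST`/`PORT` pair is intended, substituted either by swarm-gen if it expands environment variables in templates or by the entrypoint otherwise. The stream server also forwards without `proxy_protocol on;`, so the local vhost on 127.0.0.1:444 sees 127.0.0.1 as every client's address for logging and access control; adding `proxy_protocol on;` here has to be paired with `proxy_protocol` on the port-444 `listen` plus `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` in the http context. Finally, `${HOST}` is an unquoted map key taken from service metadata, so a comment noting that a name beginning with `~` or containing whitespace would change the map's meaning would help whoever maintains the generator.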
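Review bot: `include /etc/nginx/serv.d/*;` has no extension filter, so any stray file in that directory — an editor backup, a partially written file from the entrypoint or swarm-gen, a README — is parsed as top-level nginx configuration and fails startup or the next `nginx -s reload`. Both files the commit places there (`default.conf` from 01-copy-default-entry.sh, `https-routing.conf` from swarm-gen) end in .conf, so `include /etc/nginx/serv.d/*.conf;` preserves the behaviour and closes that gap. A short header comment explaining the split — `events`/`http` live in serv.d/default.conf written at container start, the `stream` block in serv.d/https-routing.conf regenerated by swarm-gen — would save the next reader a search.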
diff --git a/swarm-proxy/swarm-gen.conf b/swarm-proxy/swarm-gen.conf
index 1397729..45f1b3d 100644
--- a/swarm-proxy/swarm-gen.conf
+++ b/swarm-proxy/swarm-gen.conf
@@ -2,6 +2,11 @@ interval=5
 wait=5
+[[directory]]
+dir=/etc/nginx/serv.d
+notifycmd=nginx -s reload
+wait=5
+
 [[directory]]
 dir=/etc/nginx/vhost.d
 notifycmd=nginx -s reload
@@ -23,6 +28,11 @@ notifycmd=nginx -s reload
 wait=5
 [[template]]
-template=/etc/swarm-gen/templates/swarm-proxy.tmpl
+template=/etc/swarm-gen/templates/swarm-proxy.conf.tmpl
 dest=/etc/nginx/conf.d/swarm-proxy.conf
 notifycmd=nginx -s reload
+
+[[template]]
+template=/etc/swarm-gen/templates/https-routing.conf.tmpl
+dest=/etc/nginx/serv.d/https-routing.conf
+notifycmd=nginx -s reload
diff --git a/swarm-proxy/swarm-proxy.tmpl b/swarm-proxy/swarm-proxy.conf.tmpl
similarity index 100%
rename from swarm-proxy/swarm-proxy.tmpl
rename to swarm-proxy/swarm-proxy.conf.tmpl
-- GitLab
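Review bot: The new `[[template]]` renders a stream server that binds 443, while the entry rendering `swarm-proxy.conf.tmpl` into conf.d/swarm-proxy.conf points at a template that was only renamed (100% similarity); if that template still carries `listen 443 ssl http2 ;` as the deleted swarm-proxy-letsencrypt copy of it does, the http and stream contexts both try to bind 443, nginx refuses to start or reload, and the generated per-service vhosts never sit behind the `local_https` upstream on 444. That template needs the same move to `listen 127.0.0.1:444 ssl http2;` that the commit applies in letsencrypt_service. A comment on the new entry, e.g. `# TLS is accepted by the stream block on 443 and routed by SNI to the http vhosts on 127.0.0.1:444`, would document the contract between the two templates.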