Initial commit
This commit is contained in:
commit
d748e19538
|
@ -0,0 +1,23 @@
|
|||
FROM debian:buster-slim
|
||||
|
||||
ARG BUILD_SERIES=dev
|
||||
ARG BUILD_ID=0
|
||||
|
||||
VOLUME ["/snikket"]
|
||||
|
||||
ENTRYPOINT ["/usr/bin/tini"]
|
||||
CMD ["/bin/sh", "/entrypoint.sh"]
|
||||
|
||||
RUN apt-get update \
|
||||
&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||
tini nginx supervisor \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& apt-get autoremove -y \
|
||||
&& rm -rf /var/cache/*
|
||||
|
||||
ADD entrypoint.sh /entrypoint.sh
|
||||
ADD nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
ADD nginx/http.template /etc/nginx/templates/http
|
||||
ADD nginx/https.template /etc/nginx/templates/https
|
||||
ADD supervisord.conf /etc/supervisord/supervisord.conf
|
||||
ADD cert-monitor.sh /usr/local/bin/cert-monitor.sh
|
|
@ -0,0 +1,3 @@
|
|||
# Snikket web proxy
|
||||
|
||||
This component proxies HTTP/HTTPS requests to the right place.
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
|
||||
CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
|
||||
|
||||
while sleep 10; do
|
||||
if test -f "$CERT_PATH"; then
|
||||
for proto in http https; do
|
||||
sed "s/SNIKKET_DOMAIN/$SNIKKET_DOMAIN/g" /etc/nginx/templates/$proto \
|
||||
> /etc/nginx/sites-enabled/$proto;
|
||||
done
|
||||
/usr/sbin/nginx -s reload
|
||||
exit 0;
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
|
||||
CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
|
||||
|
||||
if test -f "$CERT_PATH"; then
|
||||
## Certs already exist - render and deploy configs
|
||||
for proto in http https; do
|
||||
sed "s/SNIKKET_DOMAIN/$SNIKKET_DOMAIN/g" /etc/nginx/templates/$proto \
|
||||
> /etc/nginx/sites-enabled/$proto;
|
||||
done
|
||||
fi
|
||||
|
||||
exec supervisord -c /etc/supervisord/supervisord.conf
|
|
@ -0,0 +1,15 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name SNIKKET_DOMAIN;
|
||||
server_name groups.SNIKKET_DOMAIN;
|
||||
server_name share.SNIKKET_DOMAIN;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5280/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto http;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl ipv6only=on;
|
||||
|
||||
ssl_certificate /snikket/letsencrypt/live/SNIKKET_DOMAIN/fullchain.pem;
|
||||
ssl_certificate_key /snikket/letsencrypt/live/SNIKKET_DOMAIN/privkey.pem;
|
||||
|
||||
ssl_session_cache shared:le_nginx_SSL:1m;
|
||||
ssl_session_timeout 1440m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
||||
|
||||
server_name SNIKKET_DOMAIN;
|
||||
server_name groups.SNIKKET_DOMAIN;
|
||||
server_name share.SNIKKET_DOMAIN;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5280/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,85 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 768;
|
||||
# multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 65;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
# server_names_hash_bucket_size 64;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log /dev/stdout;
|
||||
error_log /dev/stdout;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
##
|
||||
# Virtual Host Configs
|
||||
##
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
|
||||
|
||||
#mail {
|
||||
# # See sample authentication script at:
|
||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
||||
#
|
||||
# # auth_http localhost/auth.php;
|
||||
# # pop3_capabilities "TOP" "USER";
|
||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
||||
#
|
||||
# server {
|
||||
# listen localhost:110;
|
||||
# protocol pop3;
|
||||
# proxy on;
|
||||
# }
|
||||
#
|
||||
# server {
|
||||
# listen localhost:143;
|
||||
# protocol imap;
|
||||
# proxy on;
|
||||
# }
|
||||
#}
|
|
@ -0,0 +1,19 @@
|
|||
[supervisord]
|
||||
nodaemon=true
|
||||
|
||||
[program:nginx]
|
||||
command=/usr/sbin/nginx -g "daemon off;"
|
||||
priority=1000
|
||||
autorestart=true
|
||||
stopwaitsecs=10
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
redirect_stderr=true
|
||||
umask=002
|
||||
|
||||
[program:cert-monitor]
|
||||
command=/bin/bash /usr/local/bin/cert-monitor.sh
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
redirect_stderr=true
|
||||
umask=002
|
Loading…
Reference in New Issue