Initial commit

Dockerfile

@@ -0,0 +1,23 @@
+FROM debian:buster-slim
+
+ARG BUILD_SERIES=dev
+ARG BUILD_ID=0
+
+VOLUME ["/snikket"]
+
+ENTRYPOINT ["/usr/bin/tini"]
+CMD ["/bin/sh", "/entrypoint.sh"]
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        tini nginx supervisor \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get autoremove -y \
+    && rm -rf /var/cache/*
+
+ADD entrypoint.sh /entrypoint.sh
+ADD nginx/nginx.conf /etc/nginx/nginx.conf
+ADD nginx/http.template /etc/nginx/templates/http
+ADD nginx/https.template /etc/nginx/templates/https
+ADD supervisord.conf /etc/supervisord/supervisord.conf
+ADD cert-monitor.sh /usr/local/bin/cert-monitor.sh

README.md

@@ -0,0 +1,3 @@
+# Snikket web proxy
+
+This component proxies HTTP/HTTPS requests to the right place.

cert-monitor.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
+
+while sleep 10; do
+	if test -f "$CERT_PATH"; then
+		for proto in http https; do
+			sed "s/SNIKKET_DOMAIN/$SNIKKET_DOMAIN/g" /etc/nginx/templates/$proto \
+			    > /etc/nginx/sites-enabled/$proto;
+		done
+		/usr/sbin/nginx -s reload
+		exit 0;
+	fi
+done

entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
+
+if test -f "$CERT_PATH"; then
+	## Certs already exist - render and deploy configs
+	for proto in http https; do
+		sed "s/SNIKKET_DOMAIN/$SNIKKET_DOMAIN/g" /etc/nginx/templates/$proto \
+		    > /etc/nginx/sites-enabled/$proto;
+	done
+fi
+
+exec supervisord -c /etc/supervisord/supervisord.conf

nginx/http.template

@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name SNIKKET_DOMAIN;
+    server_name groups.SNIKKET_DOMAIN;
+    server_name share.SNIKKET_DOMAIN;
+
+    location / {
+        proxy_pass http://localhost:5280/;
+        proxy_set_header  Host            $host;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto http;
+    }
+}

nginx/https.template

@@ -0,0 +1,24 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl ipv6only=on;
+
+    ssl_certificate     /snikket/letsencrypt/live/SNIKKET_DOMAIN/fullchain.pem;
+    ssl_certificate_key /snikket/letsencrypt/live/SNIKKET_DOMAIN/privkey.pem;
+
+    ssl_session_cache shared:le_nginx_SSL:1m;
+    ssl_session_timeout 1440m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+    server_name SNIKKET_DOMAIN;
+    server_name groups.SNIKKET_DOMAIN;
+    server_name share.SNIKKET_DOMAIN;
+
+    location / {
+        proxy_pass http://localhost:5280/;
+        proxy_set_header  Host            $host;
+        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto https;
+    }
+}

nginx/nginx.conf

@@ -0,0 +1,85 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /dev/stdout;
+	error_log /dev/stdout;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

supervisord.conf

@@ -0,0 +1,19 @@
+[supervisord]
+nodaemon=true
+
+[program:nginx]
+command=/usr/sbin/nginx -g "daemon off;"
+priority=1000
+autorestart=true
+stopwaitsecs=10
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002
+
+[program:cert-monitor]
+command=/bin/bash /usr/local/bin/cert-monitor.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002