From 857bf699de7e408cde2cefa048f237b554a43145 Mon Sep 17 00:00:00 2001 From: richard Date: Wed, 3 Jun 2020 22:08:52 -0400 Subject: [PATCH] update the host files to point to accessible docker container names for backends added testing for this, including mock backend server. --- .gitignore | 2 +- .idea/sshConfigs.xml | 2 +- .../{localhost.conf => xai-corp.net.conf} | 0 dockerfiles/services/sslproxy/cli/build | 44 ++++++++++++------- dockerfiles/services/sslproxy/cli/create-cert | 4 +- dockerfiles/services/sslproxy/cli/exec | 7 +++ dockerfiles/services/sslproxy/cli/exec.help | 3 ++ dockerfiles/services/sslproxy/cli/exec.usage | 1 + dockerfiles/services/sslproxy/cli/up | 19 ++++++++ dockerfiles/services/sslproxy/cli/up.help | 3 ++ dockerfiles/services/sslproxy/cli/up.usage | 1 + .../sslproxy/docker-compose.build.yml | 16 +++++++ .../services/sslproxy/docker-compose.yml | 7 +-- .../metrics.xai-corp.net.conf | 5 +++ .../sslproxy/hosts/abcapi.xai-corp.net.conf | 2 +- .../sslproxy/hosts/dkui.xai-corp.net.conf | 4 +- .../sslproxy/hosts/git.xai-corp.net.conf | 5 ++- .../sslproxy/hosts/jenkins.xai-corp.net.conf | 4 +- .../services/sslproxy/hosts/letsencrypt.conf | 2 +- .../sslproxy/hosts/xaibox.xai-corp.net.conf | 3 ++ dockerfiles/services/sslproxy/test.conf | 39 ++++++++++++++++ 21 files changed, 138 insertions(+), 35 deletions(-) rename dockerfiles/services/sslproxy/certs/{localhost.conf => xai-corp.net.conf} (100%) create mode 100755 dockerfiles/services/sslproxy/cli/exec create mode 100644 dockerfiles/services/sslproxy/cli/exec.help create mode 100644 dockerfiles/services/sslproxy/cli/exec.usage create mode 100755 dockerfiles/services/sslproxy/cli/up create mode 100644 dockerfiles/services/sslproxy/cli/up.help create mode 100644 dockerfiles/services/sslproxy/cli/up.usage rename dockerfiles/services/sslproxy/{hosts => hosts-disabled}/metrics.xai-corp.net.conf (89%) create mode 100644 dockerfiles/services/sslproxy/test.conf 
diff --git a/.gitignore b/.gitignore index 1049ba3..1d4fbbf 100644 --- a/.gitignore +++ b/.gitignore @@ -14,5 +14,5 @@ roles/vendor/ !.idea/ password.txt -!/dockerfiles/services/sslproxy/letsencrypt/live/ +!/dockerfiles/services/sslproxy/certs/live/ diff --git a/.idea/sshConfigs.xml b/.idea/sshConfigs.xml index 774024a..8978727 100644 --- a/.idea/sshConfigs.xml +++ b/.idea/sshConfigs.xml @@ -5,7 +5,7 @@ - + \ No newline at end of file diff --git a/dockerfiles/services/sslproxy/certs/localhost.conf b/dockerfiles/services/sslproxy/certs/xai-corp.net.conf similarity index 100% rename from dockerfiles/services/sslproxy/certs/localhost.conf rename to dockerfiles/services/sslproxy/certs/xai-corp.net.conf diff --git a/dockerfiles/services/sslproxy/cli/build b/dockerfiles/services/sslproxy/cli/build index f85f281..ca3c422 100755 --- a/dockerfiles/services/sslproxy/cli/build +++ b/dockerfiles/services/sslproxy/cli/build 
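Review bot: The new negation `!/dockerfiles/services/sslproxy/certs/live/` re-includes the directory that `cli/create-cert` writes `privkey.pem` into (its `CERTS_DIR` is now `certs/live/xai-corp.net`), so an unencrypted private key becomes committable next to `fullchain.pem`, in the same ignore block that deliberately keeps `password.txt` out of the tree. If only the public chain is meant to be versioned, follow the negation with an explicit exclusion for the key file, `/dockerfiles/services/sslproxy/certs/live/**/privkey.pem`; it must come after the `!` line, since git cannot re-include a file whose parent directory is still excluded. Whether the directory currently holds a dev self-signed key or a real Let's Encrypt one is not visible here, but the path layout mirrors `letsencrypt/live`, so the rule will apply to both.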
@@ -28,24 +28,25 @@ build() { build_test() { echo -e "\e[33mtesting the image\e[39m" - dc up -d + dc up -d --force-recreate docker ps | grep sslproxy - sleep 2 - assertBadGateway https abcapi.xai-corp.net - assertBadGateway https dkui.xai-corp.net - assertBadGateway https git.xai-corp.net - assertBadGateway https jenkins.xai-corp.net - assertBadGateway https xaibox.xai-corp.net - assertBadGateway https metrics.xai-corp.net + sleep 5 + assertTeapot https abcapi.xai-corp.net + assertTeapot https dkui.xai-corp.net + assertTeapot https git.xai-corp.net + assertTeapot https jenkins.xai-corp.net + assertTeapot https xaibox.xai-corp.net assertMisdirectedRequest https not.xai-corp.net - assertBadGateway http xai-corp.net - assertBadGateway http abcapi.xai-corp.net - assertBadGateway http dkui.xai-corp.net - assertBadGateway http git.xai-corp.net - assertBadGateway http jenkins.xai-corp.net - assertBadGateway http xaibox.xai-corp.net - assertBadGateway http metrics.xai-corp.net + + #cert renewal + assertTeapot http xai-corp.net + assertTeapot http abcapi.xai-corp.net + assertTeapot http dkui.xai-corp.net + assertTeapot http git.xai-corp.net + assertTeapot http jenkins.xai-corp.net + assertTeapot http xaibox.xai-corp.net + assertTeapot http metrics.xai-corp.net } function assertMisdirectedRequest() { @@ -53,7 +54,7 @@ function assertMisdirectedRequest() { domain=$2 set -e echo -e "\033[94m${proto}://${domain}\033[39m testing for mistrected request" - curl --no-progress-meter -skH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "421 Misdirected Request" + curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "421 Misdirected Request" } function assertBadGateway() { 
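Review bot: The `#cert renewal` block asserts that an HTTP request for `/` on every app hostname is answered by a backend (the mock's 418), which pins the proxy to forwarding plain-HTTP traffic wholesale rather than redirecting it to HTTPS; if port 80 is meant only for ACME challenges, point those assertions at `http://…/.well-known/acme-challenge/` and check `/` for a 301 instead. `sleep 5` is a fixed wait that is slow on a warm host and still flaky on a cold one; a retry around the first `assertTeapot` (for example `curl --retry 10 --retry-connrefused`) is more robust. The https check for `metrics.xai-corp.net` was dropped when its host file moved to `hosts-disabled`, but the http check remains — a comment such as `# on port 80 every name is expected to reach the renewal backend` would explain why.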
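Review bot: The progress message on the `echo -e` line still reads "testing for mistrected request"; it is console output only, so correcting it to `testing for misdirected request` is safe. Switching to `-I` makes the grep match the status line instead of a body that may not contain the phrase, which is the right check; anchoring it as `grep "^HTTP/.* 421"` would also survive a missing reason phrase, which is what curl prints if `http2` is ever added to the `listen 443 ssl` directives. The function's first lines are outside this hunk.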
@@ -61,7 +62,16 @@ function assertBadGateway() { domain=$2 set -e echo -e "\033[94m${proto}://${domain}\033[39m" - curl --no-progress-meter -skH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "502 Bad Gateway" + curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "502 Bad Gateway" +} + + +function assertTeapot() { + proto=$1 + domain=$2 + set -e + echo -e "\033[94m${proto}://${domain}\033[39m" + curl --no-progress-meter -IskH "Host: ${domain}" "${proto}://localhost" | tee "$LOG" | grep "418" } build_save() { diff --git a/dockerfiles/services/sslproxy/cli/create-cert b/dockerfiles/services/sslproxy/cli/create-cert index 547a92a..110ce4a 100755 --- a/dockerfiles/services/sslproxy/cli/create-cert +++ b/dockerfiles/services/sslproxy/cli/create-cert @@ -3,7 +3,7 @@ set -e echo -e "\033[36mCreate\033[39m: self-signed certificates" -CERTS_DIR=letsencrypt/live/xai-corp.net +CERTS_DIR=certs/live/xai-corp.net function make_cert() { mkdir -p $CERTS_DIR @@ -11,7 +11,7 @@ mkdir -p $CERTS_DIR openssl req -x509 -nodes -days 365 -newkey rsa:2048 -batch \ -keyout $CERTS_DIR/privkey.pem \ -out $CERTS_DIR/fullchain.pem \ - -config certs/localhost.conf + -config certs/xai-corp.net.conf #tell chrome to trust the cert certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "www.xai-corp.net" -i $CERTS_DIR/fullchain.pem diff --git a/dockerfiles/services/sslproxy/cli/exec b/dockerfiles/services/sslproxy/cli/exec new file mode 100755 index 0000000..2b12d5e --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/exec @@ -0,0 +1,7 @@ +#!/usr/bin/env bash +set -e + +export DOCKER_HOST=${DOCKER_HOST:-'dkhost:2376'} + +docker exec $@ +#docker network inspect ingress diff --git a/dockerfiles/services/sslproxy/cli/exec.help b/dockerfiles/services/sslproxy/cli/exec.help new file mode 100644 index 0000000..7aa5493 --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/exec.help 
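Review bot: `grep "418"` on the full `curl -I` header dump is unanchored, so any header containing the digits 418 (a `Content-Length`, an `ETag`, a `Date`) satisfies the assertion even when the status is 502. Compare the status code itself: `code=$(curl -sk -o /dev/null -w '%{http_code}' -H "Host: ${domain}" "${proto}://localhost")` followed by `[ "$code" = 418 ]`; the same applies to the `502 Bad Gateway` grep in `assertBadGateway`, whose body starts before this hunk. `-k` disables certificate verification, so the test never checks what the proxy serves; verifying against the self-signed chain (`--cacert certs/live/xai-corp.net/fullchain.pem` with `--resolve "${domain}:443:127.0.0.1"` and the real hostname in the URL) would also prove that each name is served the expected certificate. `set -e` inside a function applies to the whole script from the first call onward, which is presumably intended but worth a comment.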
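Review bot: `docker exec $@` passes the arguments unquoted, so a command like `exec sslproxy_app sh -c "nginx -t && nginx -s reload"` is re-split on whitespace and globbed before docker sees it; use `docker exec "$@"` (the `# shellcheck disable=SC2068` in `cli/up` suppresses exactly this warning). The default `DOCKER_HOST=dkhost:2376` aims the CLI at a remote daemon socket, which is root-equivalent on that host, yet nothing here sets `DOCKER_TLS_VERIFY` or `DOCKER_CERT_PATH`, so whether the connection is authenticated depends entirely on the caller's environment and the daemon's configuration; a comment such as `# dkhost:2376 must be the TLS-protected daemon endpoint; export DOCKER_TLS_VERIFY=1 and DOCKER_CERT_PATH before use` records that expectation (the value also omits the `tcp://` scheme the CLI documents, which appears to be tolerated but is easy to trip over). The trailing `#docker network inspect ingress` is leftover scratch and can go.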
@@ -0,0 +1,3 @@ +ARGS - The arguments you wish to provide to this command + +TODO: Fill out the help information for this command. diff --git a/dockerfiles/services/sslproxy/cli/exec.usage b/dockerfiles/services/sslproxy/cli/exec.usage new file mode 100644 index 0000000..5226895 --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/exec.usage @@ -0,0 +1 @@ +ARGS... diff --git a/dockerfiles/services/sslproxy/cli/up b/dockerfiles/services/sslproxy/cli/up new file mode 100755 index 0000000..b6a456c --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/up @@ -0,0 +1,19 @@ +#!/usr/bin/env bash +set -e +#set -x + +LOCAL_IMAGE=sslproxy +TAG=2.2.${BUILD_NUMBER:-dev} +REMOTE_IMAGE=dkregistry.xai-corp.net:5000/${LOCAL_IMAGE}:${TAG} + +LOG=$(mktemp) + +export LOCAL_IMAGE +export REMOTE_IMAGE +export TAG + + # shellcheck disable=SC2068 + docker-compose \ + -f docker-compose.yml \ + -f docker-compose.build.yml \ + up $@ diff --git a/dockerfiles/services/sslproxy/cli/up.help b/dockerfiles/services/sslproxy/cli/up.help new file mode 100644 index 0000000..7aa5493 --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/up.help @@ -0,0 +1,3 @@ +ARGS - The arguments you wish to provide to this command + +TODO: Fill out the help information for this command. diff --git a/dockerfiles/services/sslproxy/cli/up.usage b/dockerfiles/services/sslproxy/cli/up.usage new file mode 100644 index 0000000..5226895 --- /dev/null +++ b/dockerfiles/services/sslproxy/cli/up.usage @@ -0,0 +1 @@ +ARGS... diff --git a/dockerfiles/services/sslproxy/docker-compose.build.yml b/dockerfiles/services/sslproxy/docker-compose.build.yml index 2699cf1..6d4a786 100644 --- a/dockerfiles/services/sslproxy/docker-compose.build.yml +++ b/dockerfiles/services/sslproxy/docker-compose.build.yml 
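Review bot: `LOG=$(mktemp)` creates a temporary file that nothing in this script reads, writes or removes, so every invocation leaves a stray file in `$TMPDIR`; either drop the line or add `trap 'rm -f "$LOG"' EXIT` if a later change will use it. `up $@` is unquoted (the `shellcheck disable=SC2068` above it acknowledges this); `up "$@"` preserves arguments containing spaces. Because the script always layers `docker-compose.build.yml`, it also starts the `mock` service defined there, whose network aliases are the real backend names; if `up` is meant for anything other than the self-test, that override should be opt-in rather than hard-wired.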
@@ -7,3 +7,19 @@ services: build: context: . dockerfile: Dockerfile + + + mock: + image: library/nginx:alpine + volumes: + - ./test.conf:/etc/nginx/nginx.conf + networks: + default: + aliases: + - abc-api_nginx + - dkui_app + - gitea_app + - jenkins_app + - sslproxy_renew + - xaibox_app + diff --git a/dockerfiles/services/sslproxy/docker-compose.yml b/dockerfiles/services/sslproxy/docker-compose.yml index 2913bf0..38a3221 100644 --- a/dockerfiles/services/sslproxy/docker-compose.yml +++ b/dockerfiles/services/sslproxy/docker-compose.yml @@ -14,15 +14,10 @@ services: app: image: ${LOCAL_IMAGE}:${TAG} volumes: - - ./letsencrypt:/etc/letsencrypt + - ./certs:/etc/letsencrypt - ./hosts:/etc/nginx/conf.d:ro - ./nginx.conf:/etc/nginx/nginx.conf - cache:/data/nginx/cache ports: - 443:443 - 80:80 - -# certbot: -# image: "dkregistry.xai-corp.net:5000/sslproxy:latest" -# build: -# context: certbot diff --git a/dockerfiles/services/sslproxy/hosts/metrics.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts-disabled/metrics.xai-corp.net.conf similarity index 89% rename from dockerfiles/services/sslproxy/hosts/metrics.xai-corp.net.conf rename to dockerfiles/services/sslproxy/hosts-disabled/metrics.xai-corp.net.conf index e938e27..b6e02de 100644 --- a/dockerfiles/services/sslproxy/hosts/metrics.xai-corp.net.conf +++ b/dockerfiles/services/sslproxy/hosts-disabled/metrics.xai-corp.net.conf @@ -17,6 +17,11 @@ server { client_max_body_size 200m; + # this is the internal Docker DNS, cache only for 30s + resolver 127.0.0.11 valid=5s; + + set $backend http://metrics_app:3001; + #Strict-Transport-Security: max-age=15768000 add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; diff --git a/dockerfiles/services/sslproxy/hosts/abcapi.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/abcapi.xai-corp.net.conf index 8ab8519..9c381a5 100644 --- a/dockerfiles/services/sslproxy/hosts/abcapi.xai-corp.net.conf 
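Review bot: The `mock` service takes `networks.default.aliases` identical to the real backend service names (`abc-api_nginx`, `dkui_app`, `gitea_app`, `jenkins_app`, `sslproxy_renew`, `xaibox_app`), and this file is loaded by `cli/up`, not only by `build_test`; if the real backends are ever attached to the same network, Docker DNS returns both addresses for each name and the proxy will intermittently hit the mock. Keep the mock in a file that only the test path loads (for example `docker-compose.test.yml`) and add a comment above `mock:`, `# test-only stand-in for every backend; never deploy alongside the real services`. `library/nginx:alpine` is unpinned; a tag or digest pin keeps the self-test reproducible.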
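Review bot: `./certs:/etc/letsencrypt` is mounted read-write while `./hosts` gets `:ro`; the proxy only reads `fullchain.pem` and `privkey.pem` from that tree, and renewal is now routed to the separate `sslproxy_renew` service in this same commit, so `- ./certs:/etc/letsencrypt:ro` would stop a compromised nginx worker from replacing the key material. If the renew container is expected to write into this host directory through some other path, a comment on the mount saying so would explain why it stays writable. The removed commented-out `certbot` service is history and not reviewed.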
+++ b/dockerfiles/services/sslproxy/hosts/abcapi.xai-corp.net.conf @@ -8,7 +8,7 @@ proxy_cache_path /data/nginx/cache/abcapi levels=1:2 keys_zone=abcapi:10m max_si server { # this is the internal Docker DNS, cache only for 30s - resolver 127.0.0.11 valid=30s; + resolver 127.0.0.11 valid=5s; set $backend http://abc-api_nginx; diff --git a/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf index 59f9a7b..23a47e9 100644 --- a/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf +++ b/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf @@ -8,9 +8,9 @@ proxy_cache_path /data/nginx/cache/dkui levels=1:2 keys_zone=dkui:10m max_size=1 # dkui.xai-corp.net server { # this is the internal Docker DNS, cache only for 30s - resolver 127.0.0.11 valid=30s; + resolver 127.0.0.11 valid=5s; - set $backend http://tasks.dkui_app:9000; + set $backend http://dkui_app:9000; # listen 443 ssl ipv6only=off; listen 443 ssl; diff --git a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf index d8a764b..44fbc82 100644 --- a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf +++ b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf @@ -7,9 +7,10 @@ server { server_name git.xai-corp.net; # this is the internal Docker DNS, cache only for 30s - #resolver 127.0.0.11 valid=30s; + resolver 127.0.0.11 valid=5s; - set $backend http://dkhost.xai-corp.net:10080; + set $backend http://gitea_app:10080; + #set $backend http://dkhost.xai-corp.net:10080; ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem; diff --git a/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf index c9cfc2f..508fbd7 100644 --- a/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf 
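Review bot: The comment directly above `resolver 127.0.0.11 valid=5s;` still says "cache only for 30s", and the same stale comment is copied into every host file this commit touches. Replace it with `# internal Docker DNS; re-resolve the backend every 5s so a restarted container's new IP is picked up`, which also records why the TTL was shortened. The `server` block continues beyond this hunk.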
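Review bot: The new `set $backend http://gitea_app:10080;` is immediately followed by the old value as a commented-out line, `#set $backend http://dkhost.xai-corp.net:10080;`; git history already records it, and a dead alternative under the live one invites someone to swap it back and route around the Docker network. Remove the commented line, and fix the "cache only for 30s" comment above `resolver` to match `valid=5s`. The server block begins before this hunk.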
+++ b/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf @@ -4,9 +4,9 @@ proxy_cache_path /data/nginx/cache/jenkins levels=1:2 keys_zone=jenkins:10m max_ # jenkins.xai-corp.net server { # this is the internal Docker DNS, cache only for 30s - #resolver 127.0.0.11 valid=30s; + resolver 127.0.0.11 valid=5s; - set $backend http://dkhost.xai-corp.net:8080; + set $backend http://jenkins_app:8080; listen 443 ssl; server_name jenkins.xai-corp.net; diff --git a/dockerfiles/services/sslproxy/hosts/letsencrypt.conf b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf index ebb41cf..4028159 100644 --- a/dockerfiles/services/sslproxy/hosts/letsencrypt.conf +++ b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf @@ -6,7 +6,7 @@ server { #server_name _ #server_name xai-corp.net - set $backend http://tasks.acme_certbot_app:83; + set $backend http://sslproxy_renew:80; client_max_body_size 200m; diff --git a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf index 3b64805..ed428d7 100644 --- a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf +++ b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf @@ -16,6 +16,9 @@ server { ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem; client_max_body_size 200m; + + # this is the internal Docker DNS, cache only for 30s + resolver 127.0.0.11 valid=5s; set $backend http://xaibox_app; #Strict-Transport-Security: max-age=15768000 diff --git a/dockerfiles/services/sslproxy/test.conf b/dockerfiles/services/sslproxy/test.conf new file mode 100644 index 0000000..8d7a950 --- /dev/null +++ b/dockerfiles/services/sslproxy/test.conf 
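Review bot: This is the only host file in the commit whose `set $backend` is not paired with a `resolver 127.0.0.11 valid=5s;`; a `proxy_pass` that uses a variable needs a resolver in scope, so unless nginx.conf defines one at `http` level, requests here fail at runtime with "no resolver defined to resolve sslproxy_renew". The backend is the ACME renewal container, which only needs to answer `GET /.well-known/acme-challenge/<token>`, yet the server keeps `client_max_body_size 200m` and — judging by the `build_test` assertions that expect a backend reply for `http://…/` on every hostname — appears to proxy all of port 80 to it. The `server` block and its `location`s start outside this hunk; if the catch-all proxying is confirmed, restrict it as below and redirect everything else to HTTPS, which the host files shown here already enforce with HSTS.
```nginx
    resolver 127.0.0.11 valid=5s;
    set $backend http://sslproxy_renew:80;

    # only the HTTP-01 challenge path reaches the renewal container
    location /.well-known/acme-challenge/ {
        proxy_pass $backend;
    }

    # … unchanged: client_max_body_size and remaining directives …

    # everything else on port 80 is sent to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
```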
@@ -0,0 +1,39 @@ + +user nginx; +worker_processes 1; + +error_log /proc/self/fd/2 info; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /proc/self/fd/2 main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + server { + listen 80 default_server; + listen 10080 default_server; + listen 8080 default_server; + listen 9000 default_server; + + return 418; + } +}
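Review bot: Every `listen` port answers with the same bare `return 418;`, so `build_test` cannot tell which backend a virtual host was proxied to — `jenkins.xai-corp.net` mistakenly routed to `gitea_app:10080` still passes, because all six aliases resolve to this one container. Add `add_header X-Mock-Port $server_port always;` before `return 418;` and have `assertTeapot` check the expected port per host (for example `grep -i "x-mock-port: 8080"` for jenkins), which turns the test into a routing check rather than a liveness check. A header comment, `# mock backend for cli/build build_test: answers 418 on every port the proxied services listen on`, would explain the unusual status code to the next reader.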