reworked letsencrypt to use docker containers instead of certbot on the host.

2017-10-02 06:32:53 -04:00
parent de1e0d66c3
commit 92950ffd2d
57 changed files with 632 additions and 198 deletions
--- a/dockerfiles/services/sslproxy/Dockerfile
+++ b/dockerfiles/services/sslproxy/Dockerfile
@@ -0,0 +1,4 @@
+FROM nginx:alpine
+
+COPY ./nginx.conf /etc/nginx/nginx.conf
+COPY ./hosts /etc/nginx/conf.d/
--- a/dockerfiles/services/sslproxy/cetbot/Dockerfile
+++ b/dockerfiles/services/sslproxy/cetbot/Dockerfile
@@ -0,0 +1,4 @@
+FROM nginx:alpine
+
+COPY ./nginx.conf /etc/nginx/nginx.conf
+COPY ./hosts /etc/nginx/conf.d/
--- a/dockerfiles/services/sslproxy/docker-compose-prod.yml
+++ b/dockerfiles/services/sslproxy/docker-compose-prod.yml
@@ -0,0 +1,31 @@
+---
+# DOCKER_HOST=192.168.2.41:2376 docker-compose up -d
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:2.0
+# DOCKER_HOST=dkhost01:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml sslproxy
+# DOCKER_HOST=dkhost01:2376 docker stack ps sslproxy
+
+version: '3'
+services:
+  app:
+    image: "dkregistry.xai-corp.net:5000/sslproxy:2.0"
+    volumes:
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+    ports:
+      - "443:443"
+
+#    logging:
+#      driver: syslog
+#      options:
+#        syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
+#        tag: "{{.Name}}/{{.ID}}"
+
+    deploy:
+      mode: replicated
+      replicas: 2
+      restart_policy:
+        condition: any
+        delay: 5s
+        max_attempts: 10
+      labels:
+        net.xai-corp.sslproxy.description:  proxy ssl calls to non ssl containers
--- a/dockerfiles/services/sslproxy/docker-compose.yml
+++ b/dockerfiles/services/sslproxy/docker-compose.yml
@@ -0,0 +1,25 @@
+---
+# DOCKER_HOST=192.168.2.41:2376 docker-compose up -d
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:2.0
+# DOCKER_HOST=dkhost:2376 docker stack deploy --with-registry-auth -c docker-compose.yml sslproxy
+# DOCKER_HOST=dkhost:2376 docker stack ps sslproxy
+
+version: '3'
+services:
+
+  app:
+    image: "dkregistry.xai-corp.net:5000/sslproxy:2.0"
+    build:
+      context: .
+      dockerfile: Dockerfile
+
+    volumes:
+      - /etc/letsencrypt:/etc/letsencrypt:ro
+    ports:
+      - "443:443"
+
+#  certbot:
+#    image: "dkregistry.xai-corp.net:5000/sslproxy:latest"
+#    build:
+#      context: certbot
--- a/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf
@@ -0,0 +1,57 @@
+# dkregistry.xai-corp.net
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header will be unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+'' 'registry/2.0';
+}
+
+server {
+    listen  443 ssl;
+    server_name dkregistry.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.1 TLSv1.2;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+    # disable any limits to avoid HTTP 413 for large image uploads
+    client_max_body_size 0;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location /v2/ {
+        # Do not allow connections from docker 1.5 and earlier
+        # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
+        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+        return 404;
+        }
+
+        # To add basic authentication to v2 use auth_basic setting.
+        auth_basic "Registry realm";
+        auth_basic_user_file /opt/shared/dkregistry/auth/htpasswd;
+
+        ## If $docker_distribution_api_version is empty, the header will not be added.
+        ## See the map directive above where this variable is defined.
+        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_set_header Connection $http_connection;
+
+        proxy_pass http://dkhost.xai-corp.net:5000;
+        proxy_read_timeout                  900;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf
@@ -0,0 +1,21 @@
+# dkui.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name dkui.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+    location / {
+        proxy_set_header        Connection $http_connection;
+        proxy_set_header        Host $host:$server_port;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_pass http://dkhost.xai-corp.net:9000;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf
@@ -0,0 +1,15 @@
+# fs.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name fs.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://dkhost.xai-corp.net:8081;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
@@ -0,0 +1,15 @@
+# git.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name git.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://dkhost.xai-corp.net:10080;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf
@@ -0,0 +1,21 @@
+# jenkins.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name jenkins.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+    location / {
+        proxy_set_header        Host $host:$server_port;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Host $host;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        proxy_pass http://dkhost.xai-corp.net:8080;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf
@@ -0,0 +1,15 @@
+# logs.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name logs.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+    location / {
+        proxy_set_header Connection $http_connection;
+        proxy_pass http://dkhost.xai-corp.net:10090;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf
@@ -0,0 +1,14 @@
+# tripbuilder.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name tripbuilder.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem;
+    ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
+
+    location / {
+        proxy_pass http://dkhost.xai-corp.net:8080;
+    }
+}
--- a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
@@ -0,0 +1,18 @@
+# xaibox.xai-corp.net
+server {
+    listen  443 ssl;
+    server_name xaibox.xai-corp.net;
+    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
+
+    client_max_body_size 200m;
+
+    #Strict-Transport-Security: max-age=15768000
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+
+    location / {
+        proxy_set_header Connection $http_connection;
+        proxy_pass http://dkhost.xai-corp.net:8083;
+    }
+
+}
--- a/dockerfiles/services/sslproxy/nginx.conf
+++ b/dockerfiles/services/sslproxy/nginx.conf
@@ -0,0 +1,32 @@
+
+user  nginx;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
--- a/dockerfiles/services/sslproxy/readme.md
+++ b/dockerfiles/services/sslproxy/readme.md
@@ -0,0 +1 @@
+DOCKER_HOST=dkhost02:2376 docker-compose up -d --build
--- a/dockerfiles/services/sslproxy/testdata/_first.txt
+++ b/dockerfiles/services/sslproxy/testdata/_first.txt
@@ -0,0 +1 @@
+something elses.
				`@@ -0,0 +1 @@`
				`DOCKER_HOST=dkhost02:2376 docker-compose up -d --build`