Merge pull request #152 from ekimekim/mike/nginx/ssl

Add SSL to nginx if certs are given
pull/155/head
Mike Lang 5 years ago committed by GitHub
commit 0ab15672ae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -56,6 +56,7 @@
sheetsync: 8005, sheetsync: 8005,
segment_coverage: 8006, segment_coverage: 8006,
nginx: 80, nginx: 80,
nginx_ssl: 443,
postgres: 5432, postgres: 5432,
}, },
@ -76,6 +77,8 @@
nginx_serve_segments:: true, // set to false to not have nginx serve segments directly, letting restreamer do it instead. nginx_serve_segments:: true, // set to false to not have nginx serve segments directly, letting restreamer do it instead.
ssl_certificate_path:: null, // set to path to SSL certs (cert chain + priv key in one file) to enable SSL
// Connection args for the database. // Connection args for the database.
// If database is defined in this config, host and port should be postgres:5432. // If database is defined in this config, host and port should be postgres:5432.
db_args:: { db_args:: {
@ -318,7 +321,10 @@
}, },
image: "quay.io/ekimekim/wubloader-nginx:%s" % $.image_tag, image: "quay.io/ekimekim/wubloader-nginx:%s" % $.image_tag,
restart: "on-failure", restart: "on-failure",
[if "nginx" in $.ports then "ports"]: ["%s:80" % $.ports.nginx], ports: std.prune([
if "nginx" in $.ports then "%s:80" % $.ports.nginx,
if "nginx_ssl" in $.ports then "%s:443" % $.ports.nginx_ssl,
]),
environment: $.env + { environment: $.env + {
SERVICES: std.join("\n", [ SERVICES: std.join("\n", [
"%s %s" % [service, forward_ports[service]] "%s %s" % [service, forward_ports[service]]
@ -327,8 +333,12 @@
]), ]),
THRIMBLETRIMMER: if $.thrimbletrimmer then "true" else "", THRIMBLETRIMMER: if $.thrimbletrimmer then "true" else "",
SEGMENTS: if $.nginx_serve_segments then "/mnt" else "", SEGMENTS: if $.nginx_serve_segments then "/mnt" else "",
SSL: if $.ssl_certificate_path != null then "/certs.pem" else "",
}, },
volumes: if $.nginx_serve_segments then ["%s:/mnt" % $.segments_path] else [], volumes: std.prune([
if $.nginx_serve_segments then "%s:/mnt" % $.segments_path,
if $.ssl_certificate_path != null then "%s:/certs.pem" % $.ssl_certificate_path,
]),
}, },
[if $.enabled.postgres then "postgres"]: { [if $.enabled.postgres then "postgres"]: {
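Review bot: The certificate bundle on the new `volumes` line is bind-mounted read-write although nginx only reads it through `ssl_certificate`/`ssl_certificate_key`; mounting it `"%s:/certs.pem:ro" % $.ssl_certificate_path` keeps a misbehaving or compromised container from altering the private key on the host at no runtime cost. The `ssl_certificate_path` comment in the earlier hunk could also spell out what the file holds, e.g. `// set to path to SSL certs (cert chain + priv key in one file) to enable SSL; the file holds the private key, so keep it readable only by the account that runs the compose stack`. Note that port 80 keeps serving plaintext alongside 443, so enabling this setting adds HTTPS rather than requiring it; if that is intended, saying so in the same comment avoids surprises.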

@ -6,6 +6,7 @@
# Other vars: # Other vars:
# THRIMBLETRIMMER: Set non-empty to also serve thrimbletrimmer on /thrimbletrimmer # THRIMBLETRIMMER: Set non-empty to also serve thrimbletrimmer on /thrimbletrimmer
# SEGMENTS: Set to path to segments dir to also serve segments dir on /segments # SEGMENTS: Set to path to segments dir to also serve segments dir on /segments
# SSL: Set to path to file containing SSL cert and key, if any.
generate_location() { generate_location() {
# generate_location PATH URL # generate_location PATH URL
@ -29,8 +30,19 @@ LOCATIONS=$(
echo -e "\t\tlocation /segments/ { alias $SEGMENTS/; }" echo -e "\t\tlocation /segments/ { alias $SEGMENTS/; }"
) )
[ -n "$SSL" ] && SSL_CONF=$(cat <<EOF
server {
listen 443 ssl;
ssl_certificate $SSL;
ssl_certificate_key $SSL;
ssl_session_cache shared:SSL:10m;
$LOCATIONS
}
EOF
)
cat > /etc/nginx/nginx.conf <<EOF cat > /etc/nginx/nginx.conf <<EOF
worker_processes 1; worker_processes auto;
events { events {
worker_connections 1024; worker_connections 1024;
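Review bot: The TLS `server` block in `SSL_CONF` repeats `$LOCATIONS` but not the `gzip on;` directive the port-80 server carries, so the two listeners serve the same locations with different settings; the port-80 server's body continues outside the hunk, so whether further directives are also missing cannot be seen here. If the difference is unintended, putting the shared directives into `$LOCATIONS` or a second variable that both servers expand keeps them in step. The block also sets no `ssl_protocols`/`ssl_ciphers`, so the accepted TLS versions and cipher suites come from the image's compiled-in nginx defaults; if that is deliberate, a line above the heredoc such as `# TLS version/cipher policy is left to nginx's defaults` makes it explicit. The `worker_processes 1` → `auto` change is unrelated to SSL and is worth a mention in the commit message.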
@ -39,6 +51,7 @@ events {
http { http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
resolver 127.0.0.11 valid=10s; resolver 127.0.0.11 valid=10s;
$SSL_CONF
server { server {
listen 80; listen 80;
gzip on; gzip on;
