From 64766bcf3597b79053af9bd1f9d0f84024ab0905 Mon Sep 17 00:00:00 2001
From: Mike Lang
Date: Wed, 6 Nov 2019 14:50:56 -0800
Subject: [PATCH] Add SSL to nginx if certs are given

---
 docker-compose.jsonnet | 14 ++++++++++++--
 nginx/generate-config | 15 ++++++++++++++-
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/docker-compose.jsonnet b/docker-compose.jsonnet
index 6959465..d876c86 100644
--- a/docker-compose.jsonnet
+++ b/docker-compose.jsonnet
@@ -56,6 +56,7 @@
 		sheetsync: 8005,
 		segment_coverage: 8006,
 		nginx: 80,
+		nginx_ssl: 443,
 		postgres: 5432,
 	},
 
@@ -76,6 +77,8 @@
 
 	nginx_serve_segments:: true, // set to false to not have nginx serve segments directly, letting restreamer do it instead.
 
+	ssl_certificate_path:: null, // set to path to SSL certs (cert chain + priv key in one file) to enable SSL
+
 	// Connection args for the database.
 	// If database is defined in this config, host and port should be postgres:5432.
 	db_args:: {
@@ -318,7 +321,10 @@
 		},
 		image: "quay.io/ekimekim/wubloader-nginx:%s" % $.image_tag,
 		restart: "on-failure",
-		[if "nginx" in $.ports then "ports"]: ["%s:80" % $.ports.nginx],
+		ports: std.prune([
+			if "nginx" in $.ports then "%s:80" % $.ports.nginx,
+			if "nginx_ssl" in $.ports then "%s:443" % $.ports.nginx_ssl,
+		]),
 		environment: $.env + {
 			SERVICES: std.join("\n", [
 				"%s %s" % [service, forward_ports[service]]
@@ -327,8 +333,12 @@
 			]),
 			THRIMBLETRIMMER: if $.thrimbletrimmer then "true" else "",
 			SEGMENTS: if $.nginx_serve_segments then "/mnt" else "",
+			SSL: if $.ssl_certificate_path != null then "/certs.pem" else "",
 		},
-		volumes: if $.nginx_serve_segments then ["%s:/mnt" % $.segments_path] else [],
+		volumes: std.prune([
+			if $.nginx_serve_segments then "%s:/mnt" % $.segments_path,
+			if $.ssl_certificate_path != null then "%s:/certs.pem" % $.ssl_certificate_path,
+		]),
 	},
 
 	[if $.enabled.postgres then "postgres"]: {
diff --git a/nginx/generate-config b/nginx/generate-config
index 4336ab2..1273610 100755
--- a/nginx/generate-config
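Review bot: The comment on the new `ssl_certificate_path` option should say what the file contains and where it ends up, because it holds a private key: a later hunk in this file bind-mounts it into the nginx container as /certs.pem, so the value is a path on the docker host and the file's permissions matter. Suggested wording: `ssl_certificate_path:: null, // host path to a PEM file holding the cert chain + private key; bind-mounted into the nginx container as /certs.pem, so keep its file permissions restrictive. null disables SSL.` The config object this option lives in starts and ends outside the hunk.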
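Review bot: The new `ports` list publishes host port 443 whenever `nginx_ssl` is in `$.ports`, and since the earlier hunk adds `nginx_ssl: 443` to the default port map, that is always true — including deployments that leave `ssl_certificate_path` at null and never enable TLS. Docker then binds 443 on the host with nothing behind it (presumably nginx only listens on 443 when SSL is set; the generate-config side of this patch is cut off here), which can collide with another service on that port and reads as an open TLS endpoint to anyone inventorying the host. Gate the entry on the certificate being configured as well: `if "nginx_ssl" in $.ports && $.ssl_certificate_path != null then "%s:443" % $.ports.nginx_ssl,`. The nginx service object begins before this hunk and continues after it.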
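Review bot: The certificate bind mount `"%s:/certs.pem" % $.ssl_certificate_path` is read-write by default, so a compromised nginx process could alter or overwrite the host's private key file; nginx only needs to read it, so mount it read-only: `if $.ssl_certificate_path != null then "%s:/certs.pem:ro" % $.ssl_certificate_path,`. The rewritten segments mount on the line above could take the same `:ro` suffix for the same reason (nginx serves that directory via `alias`), though that mount predates this change. The nginx service object closes inside the hunk but begins before it.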
+++ b/nginx/generate-config
@@ -6,6 +6,7 @@
 # Other vars:
 # THRIMBLETRIMMER: Set non-empty to also serve thrimbletrimmer on /thrimbletrimmer
 # SEGMENTS: Set to path to segments dir to also serve segments dir on /segments
+# SSL: Set to path to file containing SSL cert and key, if any.
 
 generate_location() {
 	# generate_location PATH URL
@@ -29,8 +30,19 @@ LOCATIONS=$( echo -e "\t\tlocation /segments/ { alias $SEGMENTS/; }" ) +[ -n "$SSL" ] && SSL_CONF=$(cat < /etc/nginx/nginx.conf <