From 8bcd9c6eb6a603a090a09ad9e96734c7eea5e86c Mon Sep 17 00:00:00 2001
From: Stanislaw Adaszewski
Date: Thu, 7 May 2020 00:00:43 +0200
Subject: [PATCH] Started working on nginx reverse proxy + Letsencrypt gateway example.

---
 example/gateway/files/cookiecutter.json | 1 +
 example/gateway/focker-compose.yml | 30 ++++++++++++++++
 example/gateway/getmetadata.py | 37 ++++++++++++++++++++
 example/gateway/nginx-http/Fockerfile | 22 ++++++++++++
 example/gateway/nginx-http/files/nginx.conf | 25 +++++++++++++
 example/gateway/nginx-https/Fockerfile | 22 ++++++++++++
 example/gateway/nginx-https/files/nginx.conf | 23 ++++++++++++
 7 files changed, 160 insertions(+)
 create mode 100644 example/gateway/files/cookiecutter.json
 create mode 100644 example/gateway/focker-compose.yml
 create mode 100644 example/gateway/getmetadata.py
 create mode 100644 example/gateway/nginx-http/Fockerfile
 create mode 100644 example/gateway/nginx-http/files/nginx.conf
 create mode 100644 example/gateway/nginx-https/Fockerfile
 create mode 100644 example/gateway/nginx-https/files/nginx.conf

diff --git a/example/gateway/files/cookiecutter.json b/example/gateway/files/cookiecutter.json
new file mode 100644
index 0000000..df14c80
--- /dev/null
+++ b/example/gateway/files/cookiecutter.json
@@ -0,0 +1 @@
+{"directory_name": "nginx_conf", "ips": [["127.0.8.1"]], "domains": [[["xyz.com", "www.xyz.com"]]]}
\ No newline at end of file
diff --git a/example/gateway/focker-compose.yml b/example/gateway/focker-compose.yml
new file mode 100644
index 0000000..1783d90
--- /dev/null
+++ b/example/gateway/focker-compose.yml
@@ -0,0 +1,30 @@
+prebuild:
+ - python3 getmetadata.py
+
+
+volumes:
+ certbot-data: {}
+ certbot-webroot: {}
+
+
+images:
+ nginx-http: ./nginx-http
+ nginx-https: ./nginx-https
+ certbot: ./certbot
+
+
+jails:
+ nginx-http:
+ image: nginx-http
+ mounts:
+ certbot-webroot: /srv/certbot-webroot
+
+ certbot:
+ image: certbot
+ depend: nginx-http
+ mounts:
+ certbot-data: /
+
+ nginx-https:
+ image: nginx-https
+ depend: certbot
diff --git a/example/gateway/getmetadata.py b/example/gateway/getmetadata.py
new file mode 100644
index 0000000..b22ba05
--- /dev/null
+++ b/example/gateway/getmetadata.py
@@ -0,0 +1,37 @@
+import glob
+import yaml
+import json
+
+
+def main():
+ res_ips = []
+ res_domains = []
+ for fname in glob.glob('../**/focker-compose.yml'):
+ print(fname)
+ with open(fname, 'r') as f:
+ spec = yaml.safe_load(f)
+ if 'jails' not in spec:
+ continue
+ for j in spec['jails'].values():
+ if 'ip4.addr' not in j:
+ continue
+ if 'meta' not in j:
+ continue
+ if 'domains' not in j['meta']:
+ continue
+ if not j['meta']['domains']:
+ continue
+ domains = j['meta']['domains']
+ if not isinstance(domains, list):
+ domains = [ domains ]
+ res_ips.append(j['ip4.addr'])
+ res_domains.append(domains)
+ res = { 'directory_name': 'nginx_conf',
+ 'ips': [ res_ips ],
+ 'domains': [ res_domains ] }
+ with open('./files/cookiecutter.json', 'w') as f:
+ json.dump(res, f)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/example/gateway/nginx-http/Fockerfile b/example/gateway/nginx-http/Fockerfile
new file mode 100644
index 0000000..69e65a6
--- /dev/null
+++ b/example/gateway/nginx-http/Fockerfile
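Review bot: The `nginx-https` jail has no `mounts:` entry for the `certbot-data` volume, yet its image creates `/certbot-data` and its nginx.conf reads `ssl_certificate /certbot-data/config/live/...`, so whatever certbot writes will not be visible to it; add `mounts:` / `certbot-data: /certbot-data` under `nginx-https`. The certbot jail's `certbot-data: /` looks like the same path was meant there as well, since mounting a volume over the jail root is unlikely to be intended — worth confirming against focker's mount semantics. `certbot: ./certbot` names an image directory that is not part of this commit, so the compose file cannot build as committed; a `# TODO: certbot image not written yet` next to it would make the work-in-progress state explicit in the file. If focker supports read-only mounts, the `nginx-https` side only needs to read the key material and should get it that way.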
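Review bot: `glob.glob('../**/focker-compose.yml')` only looks one directory level up because `recursive=True` is not passed — without it `**` matches like `*` — so compose files nested deeper than `../<dir>/` are silently skipped; use `for fname in glob.glob('../**/focker-compose.yml', recursive=True):`. The collected `ip4.addr` and `meta.domains` values are rendered verbatim into nginx `server_name` and `proxy_pass` directives by the templates in this commit, so a stray `;`, space or newline in a sibling compose file changes the generated config instead of failing the build; rejecting anything that is not a plain hostname/IP before appending, e.g. (with `import re`) `if not all(re.fullmatch(r'[A-Za-z0-9.-]+', d) for d in domains): raise ValueError(fname)`, keeps the failure at the prebuild step. `'jails' not in spec` raises TypeError for an empty compose file, because `yaml.safe_load` then returns None, so `if not spec or 'jails' not in spec:` is the safer guard. Whether `ip4.addr` can be a list or carry an interface prefix is not visible here; if it can, the same validation should normalise it before it reaches `proxy_pass`.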
@@ -0,0 +1,22 @@
+base: freebsd-latest
+
+steps:
+ - run:
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install python3 nginx py37-cookiecutter
+ - copy:
+ - [ ../files/cookiecutter.json,
+ /root/cookiecutter.json ]
+ - [ files/nginx.conf,
+ /root/nginx.conf ]
+ - run:
+ - mkdir -p /root/nginx_template/\{\{cookiecutter.directory_name\}\}
+ - mv -v /root/nginx.conf /root/nginx_template/\{\{cookiecutter.directory_name\}\}/nginx.conf
+ - mv -v /root/cookiecutter.json /root/nginx_template/cookiecutter.json
+ - run:
+ - cookiecutter --no-input /root/nginx_template
+ - mv -v ./nginx_conf/nginx.conf /usr/local/etc/nginx/nginx.conf
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg remove python3 py37-cookiecutter
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove
+ - rm -rvf /root/nginx_template
+ - rm -rvf ./nginx_conf
+ - mkdir -p /srv/certbot-webroot
diff --git a/example/gateway/nginx-http/files/nginx.conf b/example/gateway/nginx-http/files/nginx.conf
new file mode 100644
index 0000000..26ce672
--- /dev/null
+++ b/example/gateway/nginx-http/files/nginx.conf
@@ -0,0 +1,25 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ {% for i in range(cookiecutter.ips|length) %}
+ server {
+ listen 80;
+ server_name {{ ' '.join(cookiecutter.domains[i]) }};
+
+ location /.well-known/ {
+ root /srv/certbot-webroot;
+ }
+
+ location / {
+ proxy_pass http://{{ cookiecutter.ips[i] }}/;
+ }
+ }
+ {% endfor %}
+}
diff --git a/example/gateway/nginx-https/Fockerfile b/example/gateway/nginx-https/Fockerfile
new file mode 100644
index 0000000..841774f
--- /dev/null
+++ b/example/gateway/nginx-https/Fockerfile
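Review bot: This Fockerfile and `nginx-https/Fockerfile` are identical apart from the final `mkdir`, including the install/render/remove sequence around cookiecutter; a shared base image (or a common step file, if focker supports one) would keep the two from drifting when one of them is fixed. Neither file enables nginx to start — no `sysrc nginx_enable=YES` or equivalent is visible — so unless focker starts the service some other way the jails come up without a listener; worth confirming. The `pkg remove` / `pkg autoremove` pair strips the build-time toolchain and whatever was pulled in only for it, which is the intent, but a comment such as `# drop the build-only toolchain; nginx and its own deps stay` would save the next reader from checking that nginx survives the autoremove.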
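Review bot: The `proxy_pass http://{{ cookiecutter.ips[i] }}/;` block sets no `proxy_set_header`, so the backend jail receives `Host:` set to its own address and loses the client address and scheme, which breaks name-based routing and logging behind the gateway; add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside `location /`. The same omission is in `nginx-https/files/nginx.conf`. There is no default `server` block, so a request whose Host matches none of the generated `server_name`s is answered by the first rendered vhost and proxied to that backend; a catch-all `server { listen 80 default_server; return 444; }` keeps unknown hosts from reaching any backend. Because the file is a Jinja template rather than plain nginx config, a first-line comment such as `# Jinja template: rendered once at image build time from ../files/cookiecutter.json` would explain the `{% %}` syntax to anyone who opens it expecting nginx syntax.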
@@ -0,0 +1,22 @@
+base: freebsd-latest
+
+steps:
+ - run:
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg install python3 nginx py37-cookiecutter
+ - copy:
+ - [ ../files/cookiecutter.json,
+ /root/cookiecutter.json ]
+ - [ files/nginx.conf,
+ /root/nginx.conf ]
+ - run:
+ - mkdir -p /root/nginx_template/\{\{cookiecutter.directory_name\}\}
+ - mv -v /root/nginx.conf /root/nginx_template/\{\{cookiecutter.directory_name\}\}/nginx.conf
+ - mv -v /root/cookiecutter.json /root/nginx_template/cookiecutter.json
+ - run:
+ - cookiecutter --no-input /root/nginx_template
+ - mv -v ./nginx_conf/nginx.conf /usr/local/etc/nginx/nginx.conf
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg remove python3 py37-cookiecutter
+ - ASSUME_ALWAYS_YES=yes IGNORE_OSVERSION=yes pkg autoremove
+ - rm -rvf /root/nginx_template
+ - rm -rvf ./nginx_conf
+ - mkdir /certbot-data
diff --git a/example/gateway/nginx-https/files/nginx.conf b/example/gateway/nginx-https/files/nginx.conf
new file mode 100644
index 0000000..a9bf1a5
--- /dev/null
+++ b/example/gateway/nginx-https/files/nginx.conf
@@ -0,0 +1,23 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ {% for i in range(cookiecutter.ips|length) %}
+ server {
+ listen 443 ssl;
+ server_name {{ ' '.join(cookiecutter.domains[i]) }};
+ ssl_certificate /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.crt;
+ ssl_certificate_key /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/{{ cookiecutter.domains[i][0] }}.key;
+
+ location / {
+ proxy_pass http://{{ cookiecutter.ips[i] }}/;
+ }
+ }
+ {% endfor %}
+}
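Review bot: `ssl_certificate` and `ssl_certificate_key` point at `<domain>.crt` / `<domain>.key` under `/certbot-data/config/live/<domain>/`, but certbot's config-dir layout names those files `fullchain.pem` and `privkey.pem`, so unless the certbot image (not part of this commit) renames them nginx will refuse to start; `ssl_certificate /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/fullchain.pem;` and `ssl_certificate_key /certbot-data/config/live/{{ cookiecutter.domains[i][0] }}/privkey.pem;` match what certbot writes. No `ssl_protocols` is set, so the TLS versions offered depend on the nginx package's build defaults; `ssl_protocols TLSv1.2 TLSv1.3;` in the `http` block makes the gateway's TLS posture explicit. Nothing records that the first name in each domain group is the one the certificate is issued under, which is what the `[0]` index relies on; a comment on the `ssl_certificate` line such as `# cert lives under the first name of the group` would make that contract visible to whoever edits `meta.domains` later.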