From ab6a8f838aec87bbd4bdd4602d0adc0beddb187f Mon Sep 17 00:00:00 2001 From: Jason Pincin Date: Wed, 12 Oct 2016 14:21:26 -0400 Subject: [PATCH 1/2] Combine nginx-ssl.conf.ctml and nginx.conf.ctmpl --- bin/reload.sh | 7 ++- etc/nginx/nginx-ssl.conf.ctmpl | 100 --------------------------------- etc/nginx/nginx.conf.ctmpl | 53 ++++++++++++++++- local-compose.yml | 1 + 4 files changed, 55 insertions(+), 106 deletions(-) delete mode 100644 etc/nginx/nginx-ssl.conf.ctmpl diff --git a/bin/reload.sh b/bin/reload.sh index 2b033c9..f4e221b 100755 --- a/bin/reload.sh +++ b/bin/reload.sh @@ -17,15 +17,16 @@ preStart() { # Render Nginx configuration template using values from Consul, # then gracefully reload Nginx onChange() { - local TEMPLATE="nginx.conf.ctmpl" + local SSL_READY="false" if [ -f ${CERT_DIR}/fullchain.pem -a -f ${CERT_DIR}/privkey.pem ]; then - TEMPLATE="nginx-ssl.conf.ctmpl" + SSL_READY="true" fi + export SSL_READY consul-template \ -once \ -dedup \ -consul ${CONSUL}:8500 \ - -template "/etc/nginx/${TEMPLATE}:/etc/nginx/nginx.conf:nginx -s reload" + -template "/etc/nginx/nginx.conf.ctmpl:/etc/nginx/nginx.conf:nginx -s reload" } help() { diff --git a/etc/nginx/nginx-ssl.conf.ctmpl b/etc/nginx/nginx-ssl.conf.ctmpl deleted file mode 100644 index 4f14528..0000000 --- a/etc/nginx/nginx-ssl.conf.ctmpl +++ /dev/null 
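Review bot: `SSL_READY` becomes `true` on bare existence of the two PEM files (`-f` in the surrounding `if`), so a pair that the ACME client is still writing, or that nginx cannot read, renders the TLS server block and the `nginx -s reload` in the `-template` spec then fails and leaves the previous config in place, and nothing in this hunk acts on consul-template's exit status. Testing for non-empty files narrows that window and also fixes the unquoted expansions and deprecated `-a`: `if [ -s "${CERT_DIR}/fullchain.pem" ] && [ -s "${CERT_DIR}/privkey.pem" ]; then`. Readiness is judged under `${CERT_DIR}`, whose definition is not in this hunk, while the template the flag drives hard-codes `/var/www/ssl/`; a comment on the new `export SSL_READY`, e.g. `# the template's ssl_certificate paths must match CERT_DIR`, records that coupling. Consider `|| return 1` after the consul-template call so a failed render or reload is not silent for the caller.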
@@ -1,100 +0,0 @@ -# This is an example Nginx configuration template file. -# Adjust the values below as required for your application. - -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - map $status $isError { - ~^2 0; - default 1; - } - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - {{ $backend := env "BACKEND" }} - {{ $acme_domain := env "ACME_DOMAIN" }} - {{ if service $backend }} - upstream {{ $backend }} { - # write the address:port pairs for each healthy backend instance - {{range service $backend }} - server {{.Address}}:{{.Port}}; - {{end}} - least_conn; - }{{ end }} - - server { - listen 80; - server_name _; - - location / { - return 301 https://$host$request_uri; - } - - location /nginx-health { - stub_status; - allow 127.0.0.1; - deny all; - access_log /var/log/nginx/access.log main if=$isError; - } - } - - server { - listen 443 ssl; - server_name _; - - location /nginx-health { - stub_status; - allow 127.0.0.1; - deny all; - access_log /var/log/nginx/access.log main if=$isError; - } - - location /.well-known/acme-challenge { - alias /var/www/acme/challenge; - } - - ssl_certificate /var/www/ssl/fullchain.pem; - ssl_certificate_key /var/www/ssl/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_stapling on; - ssl_stapling_verify on; - add_header Strict-Transport-Security max-age=15768000; - - {{ if service $backend }} - location = /{{ $backend }} { - return 301 /{{ $backend }}/; - } - - location /{{ $backend }} { - proxy_pass http://{{ $backend }}; - proxy_redirect off; - }{{ end }} - } -} diff --git a/etc/nginx/nginx.conf.ctmpl b/etc/nginx/nginx.conf.ctmpl index 54add5d..b8e1ea2 100644 --- a/etc/nginx/nginx.conf.ctmpl +++ b/etc/nginx/nginx.conf.ctmpl @@ -11,6 +11,7 @@ events { worker_connections 1024; } + http { include /etc/nginx/mime.types; default_type application/octet-stream; @@ -35,6 +36,7 @@ http { {{ $backend := env "BACKEND" }} {{ $acme_domain := env "ACME_DOMAIN" }} + {{ $ssl_ready := env "SSL_READY" }} {{ if service $backend }} upstream {{ $backend }} { # write the address:port pairs for each healthy backend instance 
@@ -45,7 +47,42 @@ http { }{{ end }} server { - listen 80; + listen 80; + server_name _; + + {{ if eq $ssl_ready "true" }} + location / { + return 301 https://$host$request_uri; + } + {{ end }} + + {{ if ne $ssl_ready "true" }} + location /.well-known/acme-challenge { + alias /var/www/acme/challenge; + } + + {{ if service $backend }} + location = /{{ $backend }} { + return 301 /{{ $backend }}/; + } + location /{{ $backend }} { + proxy_pass http://{{ $backend }}; + proxy_redirect off; + } + {{ end }} + {{ end }} + + location /nginx-health { + stub_status; + allow 127.0.0.1; + deny all; + access_log /var/log/nginx/access.log main if=$isError; + } + } + + {{ if eq $ssl_ready "true" }} + server { + listen 443 ssl; server_name _; location /nginx-health { 
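Review bot: Once `$ssl_ready` is `"true"` the port-80 server loses its `/.well-known/acme-challenge` location and answers every path with the `return 301 https://$host$request_uri;` catch-all, so HTTP-01 renewals then depend on the validator following the redirect into the 443 server (whose challenge location is outside this hunk). Keeping the challenge reachable over plain HTTP is the usual arrangement: move the `location /.well-known/acme-challenge { alias /var/www/acme/challenge; }` block out of the `{{ if ne $ssl_ready "true" }}` guard and place it before the catch-all. The redirect also reflects the client-supplied `Host` header behind a `server_name _;` catch-all; since `$acme_domain` is already bound in this template, `return 301 https://{{ $acme_domain }}$request_uri;` under an `{{ if $acme_domain }}` guard pins the target to the certified name. Both `location` and `alias` lack a trailing slash, which is not the alias-traversal form, but `location /.well-known/acme-challenge/` with `alias /var/www/acme/challenge/;` makes that explicit. The 443 server block opened at the end of the hunk continues outside it.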
@@ -55,11 +92,20 @@ http { access_log /var/log/nginx/access.log main if=$isError; } - {{ if $acme_domain }} location /.well-known/acme-challenge { alias /var/www/acme/challenge; } - {{ end }} + + ssl_certificate /var/www/ssl/fullchain.pem; + ssl_certificate_key /var/www/ssl/privkey.pem; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_stapling on; + ssl_stapling_verify on; + add_header Strict-Transport-Security max-age=15768000; {{ if service $backend }} location = /{{ $backend }} { @@ -71,4 +117,5 @@ http { proxy_redirect off; }{{ end }} } + {{ end }} } diff --git a/local-compose.yml b/local-compose.yml index 211450f..c511382 100644 --- a/local-compose.yml +++ b/local-compose.yml @@ -8,6 +8,7 @@ nginx: - CONSUL=consul - CONSUL_AGENT=1 - ACME_ENV=staging + - ACME_DOMAIN=dev.pincin.com links: - consul:consul ports: From e639447258bd8aa8463aabc4c70ba98674ebd476 Mon Sep 17 00:00:00 2001 From: Jason Pincin Date: Thu, 13 Oct 2016 13:49:43 -0400 Subject: [PATCH 2/2] remove test domain --- local-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/local-compose.yml b/local-compose.yml index c511382..211450f 100644 --- a/local-compose.yml 
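Review bot: The 443 server added here still offers TLS 1.0 and 1.1 (`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`) and keeps `DES-CBC3-SHA` plus the broad `AES:CAMELLIA` groups in `ssl_ciphers`, so 3DES and non-PFS CBC suites remain negotiable on the new endpoint; `ssl_protocols TLSv1.2;` and trimming the list to the ECDHE/DHE AES-GCM entries is the usual fix. `ssl_stapling_verify on;` is set without `ssl_trusted_certificate` or a `resolver`, both of which nginx needs to fetch and verify OCSP responses; without them stapling is skipped at runtime apart from an error-log entry, so either add `resolver` and `ssl_trusted_certificate /var/www/ssl/chain.pem;` (if the ACME client writes that file) or drop the verify directive. The certificate paths are hard-coded to `/var/www/ssl/` while `bin/reload.sh` derives readiness from `${CERT_DIR}`; a comment next to `ssl_certificate`, e.g. `# must match CERT_DIR in bin/reload.sh`, ties the two together. The `{{ if service $backend }}` proxy block at the end of the hunk continues outside it.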
+++ b/local-compose.yml @@ -8,7 +8,6 @@ nginx: - CONSUL=consul - CONSUL_AGENT=1 - ACME_ENV=staging - - ACME_DOMAIN=dev.pincin.com links: - consul:consul ports: