Merge branch 'ssl' into 'master'

Ssl See merge request self/infra!1
2022-08-31 15:33:57 +00:00 · 2022-08-31 15:33:57 +00:00 · 1beecfe48d
commit 1beecfe48d
parent b4e569562e 71ade2d9f1
5 changed files with 27 additions and 3 deletions
--- a/.deploy/deploy-dev.yaml
+++ b/.deploy/deploy-dev.yaml
@ -5,6 +5,7 @@ services:
    image: mathwave/sprint-repo:sprint-infra-nginx-dev
    ports:
      - "80:80"
+      - "443:443"
    networks:
      - battleship-nginx
      - sprint-nginx
--- a/.deploy/deploy-prod.yaml
+++ b/.deploy/deploy-prod.yaml
@ -5,6 +5,7 @@ services:
    image: mathwave/sprint-repo:sprint-infra-nginx-prod
    ports:
      - "80:80"
+      - "443:443"
    networks:
      - battleship-nginx
      - sprint-nginx
--- a/nginx/nginx-dev/nginx-dev.conf
+++ b/nginx/nginx-dev/nginx-dev.conf
@ -31,9 +31,19 @@ http {
    }

    server {
-        listen      80;
+        listen      443 ssl http2;
+        listen      [::]:443 ssl http2;
        server_name battleship.develop.sprinthub.ru;

+        ssl_certificate /etc/nginx/fullchain.pem;
+        ssl_certificate_key /etc/nginx/privkey.pem;
+
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-refferer-when-downgrade" always;
+        add_header Content-Secure-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
        location / {
            proxy_pass http://battleship-nginx:1236/;
        }
--- a/nginx/nginx-prod/Dockerfile
+++ b/nginx/nginx-prod/Dockerfile
@ -1,2 +1,4 @@
 FROM nginx
-COPY ./nginx-prod.conf /etc/nginx/nginx.conf
+COPY ./nginx-prod.conf /etc/nginx/nginx.conf
+COPY ./privkey.pem /etc/nginx/privkey.pem
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
--- a/nginx/nginx-prod/nginx-prod.conf
+++ b/nginx/nginx-prod/nginx-prod.conf
@ -40,9 +40,19 @@ http {
    }

    server {
-        listen      80;
+        listen      443 ssl http2;
+        listen      [::]:443 ssl http2;
        server_name battleship.sprinthub.ru;

+        ssl_certificate /etc/nginx/fullchain.pem;
+        ssl_certificate_key /etc/nginx/privkey.pem;
+
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "no-refferer-when-downgrade" always;
+        add_header Content-Secure-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
        location / {
            proxy_pass http://battleship-nginx:1236/;
        }