self/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Egor Matveev 2025-06-02 01:10:38 +03:00
parent d5cc340e32
commit 2970f41b5e
4 changed files with 39 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nginx/nginx-dev/Dockerfile
View File

@ -2,6 +2,7 @@ FROM nginx
RUN apt-get update
RUN apt-get install certbot --yes
RUN apt-get install python3-certbot-nginx --yes
RUN pip3 install requests
COPY ./config /etc/nginx
COPY ./privkey.pem /etc/nginx/privkey.pem
COPY ./fullchain.pem /etc/nginx/fullchain.pem
COPY run.py run.py
CMD ["python3", "run.py"]

162
nginx/nginx-dev/config/guavo.conf
View File

@ -1,162 +0,0 @@
# server {
# listen 80;
# server_name *.develop.guavo.tech;
# return 301 https://$host$request_uri;
# }
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name swarmpit.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:888/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name portainer.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:8888/;
}
location /api/websocket/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://develop.guavo.tech:8888/api/websocket/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rabbitmq.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:15672/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name minio.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:9001/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grafana.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
proxy_set_header Host $http_host;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:3000/;
}
location /api/live/ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://develop.guavo.tech:3000/api/live/ws;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
resolver 127.0.0.11 ipv6=off;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
location / {
proxy_pass http://$domain-nginx:1238$request_uri;
}
}
server {
listen 80;
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
resolver 127.0.0.11 ipv6=off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
location / {
proxy_pass http://$domain-nginx:1238$request_uri;
}
}

2
nginx/nginx-dev/config/nginx.conf
View File

@ -8,6 +8,6 @@ http {
'' close;
}
# include ./guavo.conf;
include ./hosts.conf;
include ./sprinthub.conf;
}

35
nginx/nginx-dev/run.py Normal file
View File

@ -0,0 +1,35 @@
from requests import get
from subprocess import call
hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
config = ''
for host in hosts:
config += '''
server \{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {0};
ssl_certificate /etc/nginx/{0}/fullchain.pem;
ssl_certificate_key /etc/nginx/{0}/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / \{
proxy_pass http://{1}-nginx:1238$request_uri;
\}
\}\n\n
'''.format(host, host.split('.')[0])
with open('/etc/nginx/hosts.conf', 'w') as fp:
fp.write(config)
call('nginx -g daemon off;', shell=True)