self/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssl

Browse Source
This commit is contained in:
Administrator 2022-09-05 19:18:35 +03:00
parent 02bcf4e558
commit 5793e735b6
12 changed files with 170 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.deploy-infra/deploy-dev.yaml
View File

@ -1,11 +1,26 @@
version: "3.6" version: "3.6"
services: services:
nginx: ssl:
image: mathwave/sprint-repo:sprint-infra-nginx-dev image: mathwave/sprint-repo:sprint-infra-ssl-dev
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
networks:
- net
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
placement:
constraints: [node.role == manager]
update_config:
parallelism: 1
order: start-first
nginx:
image: mathwave/sprint-repo:sprint-infra-nginx-dev
networks: networks:
- net - net
- battleship-nginx - battleship-nginx

18
.deploy-infra/deploy-prod.yaml
View File

@ -1,6 +1,24 @@
version: "3.6" version: "3.6"
services: services:
ssl:
image: mathwave/sprint-repo:sprint-infra-ssl-prod
ports:
- "80:80"
- "443:443"
networks:
- net
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
placement:
constraints: [node.role == manager]
update_config:
parallelism: 1
order: start-first
nginx: nginx:
image: mathwave/sprint-repo:sprint-infra-nginx-prod image: mathwave/sprint-repo:sprint-infra-nginx-prod
ports: ports:

4
.gitlab-ci.yml
View File

@ -19,6 +19,10 @@ build:
- docker push mathwave/sprint-repo:sprint-infra-nginx-dev - docker push mathwave/sprint-repo:sprint-infra-nginx-dev
- docker build -t mathwave/sprint-repo:sprint-infra-nginx-prod nginx/nginx-prod - docker build -t mathwave/sprint-repo:sprint-infra-nginx-prod nginx/nginx-prod
- docker push mathwave/sprint-repo:sprint-infra-nginx-prod - docker push mathwave/sprint-repo:sprint-infra-nginx-prod
- docker build -t mathwave/sprint-repo:sprint-infra-ssl-dev ssl/ssl-dev
- docker push mathwave/sprint-repo:sprint-infra-ssl-dev
- docker build -t mathwave/sprint-repo:sprint-infra-ssl-prod ssl/ssl-prod
- docker push mathwave/sprint-repo:sprint-infra-ssl-prod
deploy-dev: deploy-dev:
stage: deploy-dev stage: deploy-dev

28
nginx/nginx-prod/privkey.pem
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8+Qc4BhJJBxjZ
qKeKD7zz8VmTIL3GurdnieZWcsEAlYo3tnRd0ufk+I4yl3eXrCzBmIbBwTrMC3FQ
IspTi2xhsxoYBLwPYNDyLUg1txj+k6aCbo58ZgqdsesiZeZJ8dA7j/QmHQzbS4Ne
5wkk2XspGMuxsC3maLWo2guEz91l+owWdHU+fOIxKtJ9H6R0+3hK3c8j5Wcz9UcK
rHQ/utgsZo0eU/fQ4GvoDb+5p1g14lsHoLn5bJ5mp1nKAp6zN9Hc8J4xmi4Q9fSV
gbggI2D7fTV/Wap5qUanHnJZ9NciNPa7W8baRxkrPX34sXI4MCZi3gifQbxOm777
AC6KFwKNAgMBAAECggEAaC9Tz4tpYWHMTZQyameq4UNbA0a12m7u1uKsX1T9G3lW
rsik92Vj/FUc8L+Za8G9Gy8gfIowBHb6jhfgPJdNtb+szzktBb129U4J1bOQ0CpP
TvHtFKCdkbuZy2kqwfHTwELpdGnnwK+tShFOdUaCJHJLOzfK1pE8Nk+gsiR4B9Ra
LrRxf+ab2NyrLnb4cee13aPjK/UKrhiSb7NLtMTVSqh1w+ylt19vxPgOCMPRHlMJ
xn+KVZolvC78R65JW9fr43AT0n8lJI1sqpI+rQ6cy+WjX9NE/WhNGCjjR5gG5fKQ
auP13SoD1SMnSPFoKyxph6HyKyUkHIlxE7ElrOAR8QKBgQD42mLKyVGVdf3a45Qg
2Lpg7FVpW5kEt4zFdBdRDEcuDZblcQ0wbdFm+3csqRsWnad94LcFjO/JhrE2faI6
CWxZUocwwdx83r99tmg+Io+VZRJ6CoMyat14lNBs4D7IaXqkJ/hueHztNZn/H38I
crFikcv4Keg/86XtcfaHgxRuUwKBgQDCZmQipb55UIbObVjK0uwLANObi6XsDpgO
zqC7pOxor4ioscP5xrlhVvrSbaImbeNY/T412M09AoDjy/KJt7Nwo2FMixGN6hFi
5DViE3m1dtQNApQPtAMi5DWCw/ff+Vy5slVPs6qX4uJoknQ9hx0R84INpRu1a9cV
/3xAeh3vnwKBgQDCyCUltvhNtYJSr2lFYH5Z2QJtqg2WnJjqAJkzjhm02VwwERIS
wxJxugipA2A5joMISzjWdl9F7VCOZz3wkWmmbKt2pXcQokVef8UORXz/oZIZxlq0
vuLFPC372nYp5i3hiYux5EtcXGVCRQPot+VSUu5FO4AXdn184oPlw9rdEwKBgQC2
/qOsadFPaZo8n3pCEyLXiMOpXF+oQmSpK6Dqgml4ciR2iEAu0/6VvscFZuaIvlCQ
6HKzRY6Nq9mglc+ODDsCAQoKf67apEgRizklRagARgd+57pwvcdmBOTKX6bqU1YS
B+l+yWYA7DassZByism2qD74kT/wG7+wmXthRpL/iQKBgAgtaYcKHGuqHWy2PX4b
YzZliERnkn92Ysl0AtMRYmGgmtt4lMHejVK2v+U93zw5w8oMzAOGcYcZnBW84Y05
HxHm0yA8ndNWTiOk1oDNcKUgTB6pfMux4fBbziByhAOOGZbfcsE/3QnomZeegulk
gIh/LulnrTzQWJ/XcwzI3Jic
-----END PRIVATE KEY-----

4
ssl/ssl-dev/Dockerfile Normal file
View File

@ -0,0 +1,4 @@
FROM nginx
COPY ./nginx-dev.conf /etc/nginx/nginx.conf
COPY ./privkey.pem /etc/nginx/privkey.pem
COPY ./fullchain.pem /etc/nginx/fullchain.pem

54
nginx/nginx-prod/fullchain.pem → ssl/ssl-dev/fullchain.pem
View File

@ -1,32 +1,32 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFIjCCBAqgAwIBAgISBEHkox8LkkM+/1MvLy38wPTNMA0GCSqGSIb3DQEBCwUA MIIFMTCCBBmgAwIBAgISBJgd3mowGlIiuVJYGYl+KutHMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA4MzAxNjM1MTVaFw0yMjExMjgxNjM1MTRaMBkxFzAVBgNVBAMM EwJSMzAeFw0yMjA5MDUxNDUxMjZaFw0yMjEyMDQxNDUxMjVaMCExHzAdBgNVBAMM
Diouc3ByaW50aHViLnJ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA FiouZGV2ZWxvcC5zcHJpbnRodWIucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
vPkHOAYSSQcY2ainig+88/FZkyC9xrq3Z4nmVnLBAJWKN7Z0XdLn5PiOMpd3l6ws ggEKAoIBAQDfxwyifWyZ5MBBGj3V2y6HqeOWvIneDRo+m33hHGB7FvUo/yfGu0Oz
wZiGwcE6zAtxUCLKU4tsYbMaGAS8D2DQ8i1INbcY/pOmgm6OfGYKnbHrImXmSfHQ psEgOwiuKHHre/2Xy1oxki0iVV9ANmHYuk7rgBQxJn0MN1suvq2JUq4X6uy9nr9a
O4/0Jh0M20uDXucJJNl7KRjLsbAt5mi1qNoLhM/dZfqMFnR1PnziMSrSfR+kdPt4 C7/0B9QbqQB9+tiGJbPEoPV+p5Mqk86s+semJfLlDRvFT1mdETErbuAi2ei90NUZ
St3PI+VnM/VHCqx0P7rYLGaNHlP30OBr6A2/uadYNeJbB6C5+WyeZqdZygKeszfR 8Oa8UWYny3AdVswBHYzdULCrzHlr7y+Bju0xJ5isDQwVeslw02yRhOnSiTsFvrhc
3PCeMZouEPX0lYG4ICNg+301f1mqealGpx5yWfTXIjT2u1vG2kcZKz19+LFyODAm aDysBs+8APXgFiRPLNea289mfznm5883h2FnH/P+3K71jGWkIC9K0hL12Umw1wMf
Yt4In0G8Tpu++wAuihcCjQIDAQABo4ICSTCCAkUwDgYDVR0PAQH/BAQDAgWgMB0G Tvw0PDdn6XP3NA0ivkixgIUDu8WIHxBNAgMBAAGjggJQMIICTDAOBgNVHQ8BAf8E
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
DgQWBBRfNprTyB3Sf/URUsJCafiKlpRnAjAfBgNVHSMEGDAWgBQULrMXt1hWy65Q MAAwHQYDVR0OBBYEFIEqTa4VQLAvVMinVGrIKzb4BSsMMB8GA1UdIwQYMBaAFBQu
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y sxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYV
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn aHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5s
LzAZBgNVHREEEjAQgg4qLnNwcmludGh1Yi5ydTBMBgNVHSAERTBDMAgGBmeBDAEC ZW5jci5vcmcvMCEGA1UdEQQaMBiCFiouZGV2ZWxvcC5zcHJpbnRodWIucnUwTAYD
ATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa
bmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ACl5vvCeOTkh8FZz aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQCBIH0BIHx
n2Old+W+V32cYAr4+U1dJlwlXceEAAABgu/SVT4AAAQDAEcwRQIhAObRl/xR4xx7 AO8AdQBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAYMOWXPFAAAE
dJVl+S7jp9bDSQFYF9s2ED4FCmClggKpAiB1Zq9cevxvs0r9xW6+0RIH09aP+ncr AwBGMEQCID3S1Vt0TzBKDoxfS56HkVQjzdpCeuy11rkjuVPQPcc2AiAQvDszF3k7
ukTwiIVtQpc34AB2AN+lXqtogk8fbK3uuF9OPlrqzaISpGpejjsSwCBEXCpzAAAB VdKvu8twSfKSfU2Ppu9MCCBEwcNWhznexAB2ACl5vvCeOTkh8FZzn2Old+W+V32c
gu/SVz4AAAQDAEcwRQIhAPtY74N+QgT0Wdy66Tqg6x6GQKrvYyvRadXS8TBiO9Da YAr4+U1dJlwlXceEAAABgw5Zc6QAAAQDAEcwRQIgQM/VQGeG4G2tgqGWVu32wm3T
AiAFohkEDYv8nwZh5EcxCuKQqM6HUkfXd0TebUs2o1ZVvTANBgkqhkiG9w0BAQsF izo3yLCD8Lm3YOAAxA8CIQDZBI/+87wqZ7IpIfbENJaZ7FIw/qbGnTy4A1wtNNG4
AAOCAQEAuss4/CIzVk51fRH7sRS1SbAHbZZq7bu7fS7I7U+tBj1vyG+4dcTqVIp/ kTANBgkqhkiG9w0BAQsFAAOCAQEAdVXjCzYL1MwbqzP6elltCQPsaK4XTKGa8faI
t/dPQx4SRW4DmjDlmQMsI6Ua05bp0F/44JXqSNUXK3GuWYiCnVJm76Pd24tN6G3b OheXA3bDD0kap4JQgj7bsxuA3nQT1ERbmqHsv/kHFU4HMV5rqsuNauw1gkk57qpM
7U/SCnsTlqTDXbEMHqIucqj4dp1rJNonjkZ4l4oIM8rUyjt8k6eYUBCzKiF7fdQP +L9mwQXvIpq4ABStVQTxsoCLfinDWD9rLYWQRJaqSEU6KtKQ6xji3+8s7uCek86K
usU5XAwOEOyBf0dfp2pc+Yxo5XfuMEH42Ujxp9aQwyD1LCkfQ5tGuHgCw5NXwQuW OqKUl9B/82nq2jEcNfBnNCakQc4asf5wdh8KqF8KZ8r+PI10JoJQjwpEs/PMB/b+
iyZCHtHFihy0cV/Z2RzSvjWVHwc+S9kKgR9znGnfHihIOaXUcYngrQLzIdgRodX2 sMuqOydB832/ACyi/+8cuzc+Q58FkmbFVb2EOF9ohSlYFdFrJIYalwtX1utIvcey
3RONoGlh4DfSMQEzRcoFGXTQwhQP1A== VzME4Csk7I50I5NIpbDT32bYpKRDd2noSB6gwEI7yxvLdxydkg==
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw

34
ssl/ssl-dev/nginx-dev.conf Normal file
View File

@ -0,0 +1,34 @@
events {}
http {
client_max_body_size 50m;
server {
listen 80;
server_name *.develop.sprinthub.ru;
location / {
proxy_pass http://nginx:80/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.develop.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://nginx:80/;
}
}
}

28
ssl/ssl-dev/privkey.pem Executable file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDfxwyifWyZ5MBB
Gj3V2y6HqeOWvIneDRo+m33hHGB7FvUo/yfGu0OzpsEgOwiuKHHre/2Xy1oxki0i
VV9ANmHYuk7rgBQxJn0MN1suvq2JUq4X6uy9nr9aC7/0B9QbqQB9+tiGJbPEoPV+
p5Mqk86s+semJfLlDRvFT1mdETErbuAi2ei90NUZ8Oa8UWYny3AdVswBHYzdULCr
zHlr7y+Bju0xJ5isDQwVeslw02yRhOnSiTsFvrhcaDysBs+8APXgFiRPLNea289m
fznm5883h2FnH/P+3K71jGWkIC9K0hL12Umw1wMfTvw0PDdn6XP3NA0ivkixgIUD
u8WIHxBNAgMBAAECggEAUey0gnR6ouitPehWhQmmQkJ/MLs7mhCf8BXLAvP5mnaw
MF8hd88tHQNKpvsV1XS3KCgPklf/YDCM14n7wi1mqwqiQ/Ny8P+PPj6x4i4qqCCd
3eHC5DTPBy9QCg4nqCy6ImUIiiwZYT4wQjslVKwiOQ/iscAo6ZRf+19uhmM55hUV
Agh+LKiQvvEB2167d3Q1/TF228i8vatG0qM4mOqsu0aEFHAciMusaIzgB7KvZJBF
2Tz0NDPT9WjDOF3l2chXdIDZo22bEVDNuGtZdJiC7o8KcKbQZM44MEn3wsd345Vc
4zYMPEgqJl41rZP2BxquafRE/KeGOUgVZcfThTRrnQKBgQD7RQ8eBEThzSBfMlrk
1QgfLXEqkoU2u0zMFUvH3pXMRSQp37cwWUqk7AXlqxM3+y7Uvoopth+URxrm2G1R
paT2jsIs23nS+uHqhNBoELmXNqoiLttSv23uAGo6yiyggFH33L5zZdVdpOzO/35B
OKYHeE514QuA8ecflMBxYlv0NwKBgQDj/X9VP7jP/7/YFL/FXMvFxwxZxWigU4Bf
Oi04rDl/2lZ51fofZXYXLcvSJooWW2va3nfbAAvM3aw/NIs+/VunQvwLzpI5e9w+
C+nCyDxJXMNqWa7hCSjbKDf8jtKyylD7q2ClCavNrRUbuHQhiQVJxPq0+8NfgbuI
QtliimvlmwKBgE30AtihIm2bIevmx2Qu4zIo+u7mPgXY3d6CzNvZJkgVOz7ydPa+
/PVlc/7osDGx77l404xVQD7UQHhVtLSb2y3S5FLeVFEsHGKRicZ/SdSr1OR9/PUT
BpvL7SkICAhTRxrKlRtgAG3o+L7PbO/3DytKG61egB8k7TtS/tEuXrDJAoGATWyZ
AWpSaNCBZfAl7/BDgzbFivbvQQMaZTxsfwJ9xF1xYI66Ek9yewyiWwubeVwylHFY
YpbxavEcvZoqb4m6xmKJFblhDwRxFuEU0YEOeBt4gXVTXjiuFz7hRHN8OhtaxRy+
BU3zejV9JZzOU1Uk5phuS2f0QUrdVLje+gfn/GECgYAVHT1FClfCSURx47WaBd0H
3WSsB+ewJAjY7GZTmgs/M9MXOqUAtpi0OPWw1+GVdHs05DlHz0/WSR/fjx/opmqa
aGFq/K8yZmwCAKtrbEimDDattFQy86ehZ3Ec6n1h2n6uxeH95sTypZkyFn53TRJu
Z8SSd/sHS820RDRLj8Oh6w==
-----END PRIVATE KEY-----

4
ssl/ssl-prod/Dockerfile Normal file
View File

@ -0,0 +1,4 @@
FROM nginx
COPY ./nginx-prod.conf /etc/nginx/nginx.conf
COPY ./privkey.pem /etc/nginx/privkey.pem
COPY ./fullchain.pem /etc/nginx/fullchain.pem

0
nginx/nginx-dev/fullchain.pem → ssl/ssl-prod/fullchain.pem
View File

34
ssl/ssl-prod/nginx-prod.conf Normal file
View File

@ -0,0 +1,34 @@
events {}
http {
client_max_body_size 50m;
server {
listen 80;
server_name *.sprinthub.ru;
location / {
proxy_pass http://nginx:80/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name *.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://nginx:80/;
}
}
}

0
nginx/nginx-dev/privkey.pem → ssl/ssl-prod/privkey.pem
View File