From 861327a0174b0ee9e054e9246af8b84feb19a720 Mon Sep 17 00:00:00 2001
From: Egor Matveev
Date: Thu, 12 Jun 2025 13:44:20 +0300
Subject: [PATCH] fix
---
nginx copy/nginx-dev/Dockerfile | 15 ++++
nginx copy/nginx-dev/config/nginx.conf | 24 ++++++
{nginx => nginx copy}/nginx-dev/fullchain.pem | 0
nginx copy/nginx-dev/prepare.py | 82 +++++++++++++++++++
{nginx => nginx copy}/nginx-dev/privkey.pem | 0
nginx copy/nginx-dev/refre.sh | 11 +++
nginx copy/nginx-dev/run.sh | 4 +
nginx copy/nginx-prod/Dockerfile | 15 ++++
nginx copy/nginx-prod/config/nginx.conf | 24 ++++++
.../nginx-prod/fullchain.pem | 0
nginx copy/nginx-prod/prepare.py | 82 +++++++++++++++++++
{nginx => nginx copy}/nginx-prod/privkey.pem | 0
nginx copy/nginx-prod/refre.sh | 4 +
nginx copy/nginx-prod/run.sh | 4 +
nginx/nginx-dev/Dockerfile | 2 -
nginx/nginx-prod/Dockerfile | 2 -
16 files changed, 265 insertions(+), 4 deletions(-)
create mode 100644 nginx copy/nginx-dev/Dockerfile
create mode 100644 nginx copy/nginx-dev/config/nginx.conf
rename {nginx => nginx copy}/nginx-dev/fullchain.pem (100%)
create mode 100644 nginx copy/nginx-dev/prepare.py
rename {nginx => nginx copy}/nginx-dev/privkey.pem (100%)
create mode 100644 nginx copy/nginx-dev/refre.sh
create mode 100644 nginx copy/nginx-dev/run.sh
create mode 100644 nginx copy/nginx-prod/Dockerfile
create mode 100644 nginx copy/nginx-prod/config/nginx.conf
rename {nginx => nginx copy}/nginx-prod/fullchain.pem (100%)
create mode 100644 nginx copy/nginx-prod/prepare.py
rename {nginx => nginx copy}/nginx-prod/privkey.pem (100%)
create mode 100644 nginx copy/nginx-prod/refre.sh
create mode 100644 nginx copy/nginx-prod/run.sh
diff --git a/nginx copy/nginx-dev/Dockerfile b/nginx copy/nginx-dev/Dockerfile
new file mode 100644
index 0000000..9982f75
--- /dev/null
+++ b/nginx copy/nginx-dev/Dockerfile
@@ -0,0 +1,15 @@
+FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
+RUN pip3 install --break-system-packages minio
+COPY ./config /etc/nginx
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
+COPY ./privkey.pem /etc/nginx/privkey.pem
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+COPY refre.sh refre.sh
+ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
+RUN chmod 777 refre.sh
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
diff --git a/nginx copy/nginx-dev/config/nginx.conf b/nginx copy/nginx-dev/config/nginx.conf
new file mode 100644
index 0000000..d5e48ab
--- /dev/null
+++ b/nginx copy/nginx-dev/config/nginx.conf
@@ -0,0 +1,24 @@
+events {}
+
+http {
+ client_max_body_size 50m;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ server_name *.develop.sprinthub.ru;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name *.dev.chocomarsh.com;
+ return 301 https://$host$request_uri;
+ }
+
+ include ./hosts.conf;
+}
\ No newline at end of file
diff --git a/nginx/nginx-dev/fullchain.pem b/nginx copy/nginx-dev/fullchain.pem
similarity index 100%
rename from nginx/nginx-dev/fullchain.pem
rename to nginx copy/nginx-dev/fullchain.pem
diff --git a/nginx copy/nginx-dev/prepare.py b/nginx copy/nginx-dev/prepare.py
new file mode 100644
index 0000000..1f4671b
--- /dev/null
+++ b/nginx copy/nginx-dev/prepare.py
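Review bot: `RUN chmod 777 run.sh` and `RUN chmod 777 refre.sh` make both entrypoint scripts world-writable inside the image, although execute permission is all they need; `RUN chmod 755 run.sh refre.sh` (or `COPY --chmod=755`) is sufficient. `COPY ./privkey.pem /etc/nginx/privkey.pem` bakes a TLS private key into an image layer, the same key is being renamed into the repository by this commit, and the sibling hunks for nginx/nginx-dev/Dockerfile and nginx/nginx-prod/Dockerfile remove exactly these two COPY lines, while the new nginx.conf only references the per-host files that prepare.py writes — the copy is presumably stale and should be dropped here as well. `FROM nginx` and `pip3 install --break-system-packages minio` are unpinned, so rebuilds are not reproducible; pin an image tag and a minio version. The two `apt-get install` steps could be merged with `apt-get update` into one RUN ending in `rm -rf /var/lib/apt/lists/*`, which keeps the package index consistent across layers. nginx copy/nginx-prod/Dockerfile (L4) is byte-identical (same blob 9982f75) and has the same issues.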
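Review bot: Neither `listen 80;` server is marked `default_server`, so a request whose Host matches neither wildcard is handled by the first block and answered with `return 301 https://$host$request_uri;`, i.e. a redirect to whatever hostname the client supplied; add a catch-all such as `server { listen 80 default_server; return 444; }` so the redirect only fires for the intended names. The `map $http_upgrade $connection_upgrade` block is defined but nothing in this file, nor in the hosts.conf that prepare.py generates, sets `proxy_http_version 1.1` or the `Upgrade`/`Connection` headers, so it is either dead or the generated location blocks are missing those directives. The http block also sets no `ssl_protocols`/`ssl_ciphers`, leaving the build's defaults in force for every generated 443 server; if that is intended, a comment saying so would help the next reader. nginx copy/nginx-prod/config/nginx.conf (L5) has the same structure with the production names and the same points apply.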
@@ -0,0 +1,82 @@
+import os
+import sys
+from minio import Minio
+from urllib.request import urlopen
+from json import loads
+
+
+minio_client = Minio(
+ "minio.develop.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False,
+)
+
+
+def get(url):
+ with urlopen(url) as response:
+ data = response.read().decode("utf-8")
+ return loads(data)
+
+
+try:
+ response = get(
+ "http://configurator/api/v1/fetch?project=certupdater&stage=development"
+ )
+ hosts = response["configs"]["hosts"]
+except Exception as e:
+ print(f"Error fetching config: {e}", file=sys.stderr)
+ sys.exit(1)
+
+config = ""
+for host, params in hosts.items():
+ config += """
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{target_host}:{port}$request_uri;
+ }}
+ }}\n\n
+ """.format(
+ host=host, target_host=params["host"], port=params["port"]
+ )
+ try:
+ fullchain = minio_client.get_object(
+ "certupdater", f"certificates/{host}/fullchain.pem"
+ )
+ privkey = minio_client.get_object(
+ "certupdater", f"certificates/{host}/privkey.pem"
+ )
+ try:
+ os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
+ except OSError as e:
+ print(f"Error creating directory: {e}", file=sys.stderr)
+ continue
+
+ with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
+ fp.write(privkey.data)
+ except Exception as e:
+ print(f"Error processing 
host {host}: {e}", file=sys.stderr)
+ continue
+
+try:
+ with open("/etc/nginx/hosts.conf", "w") as fp:
+ fp.write(config)
+except Exception as e:
+ print(f"Error writing config file: {e}", file=sys.stderr)
+ sys.exit(1)
diff --git a/nginx/nginx-dev/privkey.pem b/nginx copy/nginx-dev/privkey.pem
similarity index 100%
rename from nginx/nginx-dev/privkey.pem
rename to nginx copy/nginx-dev/privkey.pem
diff --git a/nginx copy/nginx-dev/refre.sh b/nginx copy/nginx-dev/refre.sh
new file mode 100644
index 0000000..8a566b8
--- /dev/null
+++ b/nginx copy/nginx-dev/refre.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if ! python3 prepare.py; then
+ echo "Error running prepare.py" >&2
+ exit 1
+fi
+
+if ! nginx -s reload; then
+ echo "Error reloading nginx" >&2
+ exit 1
+fi
\ No newline at end of file
diff --git a/nginx copy/nginx-dev/run.sh b/nginx copy/nginx-dev/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx copy/nginx-dev/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/Dockerfile b/nginx copy/nginx-prod/Dockerfile
new file mode 100644
index 0000000..9982f75
--- /dev/null
+++ b/nginx copy/nginx-prod/Dockerfile
@@ -0,0 +1,15 @@
+FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
+RUN pip3 install --break-system-packages minio
+COPY ./config /etc/nginx
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
+COPY ./privkey.pem /etc/nginx/privkey.pem
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+COPY refre.sh refre.sh
+ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
+RUN chmod 777 refre.sh
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/config/nginx.conf b/nginx copy/nginx-prod/config/nginx.conf
new file mode 100644
index 0000000..6ca7786
--- /dev/null
+++ b/nginx copy/nginx-prod/config/nginx.conf
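Review bot: In the `for host, params in hosts.items()` loop the server block is appended to `config` before the certificate fetch, so a host whose `get_object` call or file write fails and takes the `except Exception` → `continue` path still lands in hosts.conf with `ssl_certificate` pointing at files that do not exist, and nginx then rejects the whole configuration at startup or keeps the old one on reload; the append belongs after the two `fp.write` calls. `host`, `params["host"]` and `params["port"]` come from the configurator response and are interpolated unvalidated into the `/etc/nginx/{host}/...` paths, the MinIO object key and the generated nginx text, so a value containing `/`, `..`, whitespace or `;` can escape the directory or inject directives — restrict them to hostname characters and a numeric port before use. `secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin")` silently falls back to a default credential and `secure=False` transfers private keys over plaintext HTTP; make the variable mandatory (`os.environ["MINIO_SECRET_KEY"]`) and, unless the MinIO endpoint is only reachable on a trusted internal network, enable TLS. The privkey.pem file is created with the default umask rather than mode 0600, and `Referrer-Policy "no-refferer-when-downgrade"` is misspelled (`no-referrer-when-downgrade`), so browsers ignore that header. nginx copy/nginx-prod/prepare.py (L6–L7) differs only in the MinIO endpoint and the stage query and needs the same changes.
```python
# needs `import re` with the other imports; labels are alnum/hyphen, dot-separated,
# so "", ".", ".." and values with "/" or whitespace never match
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*")

config = ""
for host, params in hosts.items():
    target_host, port = params["host"], params["port"]
    if not (HOSTNAME_RE.fullmatch(host) and HOSTNAME_RE.fullmatch(str(target_host))
            and str(port).isdigit()):
        print(f"Skipping host with unexpected name or port: {host!r}", file=sys.stderr)
        continue
    try:
        # … unchanged: get_object calls, makedirs, fullchain.pem write …
        fd = os.open(f"/etc/nginx/{host}/privkey.pem",
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fp:
            fp.write(privkey.data)
    except Exception as e:
        print(f"Error processing host {host}: {e}", file=sys.stderr)
        continue
    # only hosts whose certificate files were written get a server block
    # (the existing triple-quoted template, hoisted to a module-level constant)
    config += SERVER_TEMPLATE.format(host=host, target_host=target_host, port=port)
```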
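Review bot: `nginx -s reload` only sends the reload signal to the master process and exits 0 regardless of whether the new hosts.conf is valid; on an invalid config nginx logs the error and keeps serving the old configuration, so the `if ! nginx -s reload` branch fires only when the signal itself cannot be delivered. Run the configuration test first, `if ! nginx -t; then echo "Invalid nginx config" >&2; exit 1; fi`, before the reload, so a bad prepare.py output is reported by this script. nginx copy/nginx-prod/refre.sh (L7) goes further and checks nothing at all, ignoring even a failing `python3 prepare.py`; it should get the same structure as this file.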
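Review bot: The exit status of `python3 prepare.py` is discarded, so nginx is started even when the configurator or MinIO fetch failed and hosts.conf was not written; because nginx.conf does `include ./hosts.conf;`, the container then either fails on a missing file or serves stale certificates and routes, with the actual cause buried earlier in the log. If starting on a stale configuration is deliberate, a one-line comment saying so would help; otherwise `python3 prepare.py || exit 1`. nginx copy/nginx-prod/run.sh (L7) is the same blob (55dfbaa) and has the same point.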
@@ -0,0 +1,24 @@
+events {}
+
+http {
+ client_max_body_size 50m;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ server_name *.sprinthub.ru;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name *.chocomarsh.com;
+ return 301 https://$host$request_uri;
+ }
+
+ include ./hosts.conf;
+}
\ No newline at end of file
diff --git a/nginx/nginx-prod/fullchain.pem b/nginx copy/nginx-prod/fullchain.pem
similarity index 100%
rename from nginx/nginx-prod/fullchain.pem
rename to nginx copy/nginx-prod/fullchain.pem
diff --git a/nginx copy/nginx-prod/prepare.py b/nginx copy/nginx-prod/prepare.py
new file mode 100644
index 0000000..d4ea956
--- /dev/null
+++ b/nginx copy/nginx-prod/prepare.py
@@ -0,0 +1,82 @@
+import os
+import sys
+from minio import Minio
+from urllib.request import urlopen
+from json import loads
+
+
+minio_client = Minio(
+ "minio.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False,
+)
+
+
+def get(url):
+ with urlopen(url) as response:
+ data = response.read().decode("utf-8")
+ return loads(data)
+
+
+try:
+ response = get(
+ "http://configurator/api/v1/fetch?project=certupdater&stage=production"
+ )
+ hosts = response["configs"]["hosts"]
+except Exception as e:
+ print(f"Error fetching config: {e}", file=sys.stderr)
+ sys.exit(1)
+
+config = ""
+for host, params in hosts.items():
+ config += """
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{target_host}:{port}$request_uri;
+ }}
+ }}\n\n
+ """.format(
+ host=host, target_host=params["host"], port=params["port"]
+ )
+ try:
+ fullchain = minio_client.get_object(
+ "certupdater", f"certificates/{host}/fullchain.pem"
+ )
+ privkey = minio_client.get_object(
+ "certupdater", f"certificates/{host}/privkey.pem"
+ )
+ try:
+ os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
+ except OSError as e:
+ print(f"Error creating directory: {e}", file=sys.stderr)
+ continue
+
+ with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
+ fp.write(privkey.data)
+ except Exception as e:
+ print(f"Error processing host 
{host}: {e}", file=sys.stderr)
+ continue
+
+try:
+ with open("/etc/nginx/hosts.conf", "w") as fp:
+ fp.write(config)
+except Exception as e:
+ print(f"Error writing config file: {e}", file=sys.stderr)
+ sys.exit(1)
diff --git a/nginx/nginx-prod/privkey.pem b/nginx copy/nginx-prod/privkey.pem
similarity index 100%
rename from nginx/nginx-prod/privkey.pem
rename to nginx copy/nginx-prod/privkey.pem
diff --git a/nginx copy/nginx-prod/refre.sh b/nginx copy/nginx-prod/refre.sh
new file mode 100644
index 0000000..584b723
--- /dev/null
+++ b/nginx copy/nginx-prod/refre.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+nginx -s reload
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/run.sh b/nginx copy/nginx-prod/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx copy/nginx-prod/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 9982f75..3d249f1 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -4,8 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
 RUN pip3 install --break-system-packages minio
 COPY ./config /etc/nginx
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
-COPY ./privkey.pem /etc/nginx/privkey.pem
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 COPY refre.sh refre.sh
diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile
index 9982f75..3d249f1 100644
--- a/nginx/nginx-prod/Dockerfile
+++ b/nginx/nginx-prod/Dockerfile
@@ -4,8 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
 RUN pip3 install --break-system-packages minio
 COPY ./config /etc/nginx
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
-COPY ./privkey.pem /etc/nginx/privkey.pem
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 COPY refre.sh refre.sh