Merge pull request 'master' (#69) from master into prod
Reviewed-on: #69
commit
a1fcd98eba
@ -6,6 +6,9 @@ services:
|
||||
image: mathwave/sprint-repo:sprint-infra-nginx-dev
|
||||
networks:
|
||||
- common-infra-nginx-development
|
||||
- configurator
|
||||
environment:
|
||||
MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
|
||||
ports:
|
||||
- published: 80
|
||||
target: 80
|
||||
@ -164,3 +167,5 @@ volumes:
|
||||
networks:
|
||||
common-infra-nginx-development:
|
||||
external: true
|
||||
configurator:
|
||||
external: true
|
||||
|
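Review bot: `MINIO_SECRET_KEY` reaches the nginx service as a plain `environment:` value, so anyone who can inspect the service or container can read it, and every process in the container inherits it. If this stack is deployed to Swarm (the production file's `driver: overlay` network suggests so), a Docker secret mounted as a file is the safer channel: a service-level `secrets:` entry backed by a top-level `secrets:` block with `external: true`, with prepare.py reading the mounted file instead of `os.getenv`. The same applies to `MINIO_SECRET_KEY_PROD` in the production stack file. The service definition starts and ends outside the hunk, so an existing `secrets:` key may simply be out of view.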
@ -6,6 +6,9 @@ services:
|
||||
image: mathwave/sprint-repo:sprint-infra-nginx-prod
|
||||
networks:
|
||||
- common-infra-nginx
|
||||
- configurator
|
||||
environment:
|
||||
MINIO_SECRET_KEY: $MINIO_SECRET_KEY_PROD
|
||||
ports:
|
||||
- published: 80
|
||||
target: 80
|
||||
@ -228,4 +231,6 @@ networks:
|
||||
net:
|
||||
driver: overlay
|
||||
common-infra-nginx:
|
||||
external: true
|
||||
configurator:
|
||||
external: true
|
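--- a/.deploy-nginx/deploy-dev.yaml
+++ b/.deploy-nginx/deploy-dev.yaml
@@ -0,0 +1,29 @@
+version: "3.6"
+
+services:
+
+nginx:
+image: mathwave/sprint-repo:sprint-infra-nginx-dev
+networks:
+- common-infra-nginx-development
+ports:
+- published: 80
+target: 80
+mode: host
+- published: 443
+target: 443
+mode: host
+deploy:
+mode: replicated
+replicas: 1
+restart_policy:
+condition: any
+placement:
+constraints: [node.labels.stage == development]
+update_config:
+parallelism: 1
+# order: stop-first
+
+networks:
+common-infra-nginx-development:
+external: true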
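Review bot: This stack runs `mathwave/sprint-repo:sprint-infra-nginx-dev`, whose entrypoint in this commit executes prepare.py, yet the service joins only `common-infra-nginx-development` and sets no `MINIO_SECRET_KEY`. prepare.py calls `http://configurator/...` and falls back to the secret `minioadmin` when the variable is unset, so from this stack the lookup depends on `configurator` happening to be reachable on that one network, and the MinIO login would use the default credential. Either add the `configurator` network and the secret here, as the other stack file in this commit does for the same image, or keep only one of the two definitions; both publish port 80. deploy-prod.yaml has the same gap.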
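--- a/.deploy-nginx/deploy-prod.yaml
+++ b/.deploy-nginx/deploy-prod.yaml
@@ -0,0 +1,29 @@
+version: "3.6"
+
+services:
+
+nginx:
+image: mathwave/sprint-repo:sprint-infra-nginx-prod
+networks:
+- common-infra-nginx
+ports:
+- published: 80
+target: 80
+mode: host
+- published: 443
+target: 443
+mode: host
+deploy:
+mode: replicated
+replicas: 1
+restart_policy:
+condition: any
+placement:
+constraints: [node.labels.stage == production]
+update_config:
+parallelism: 1
+# order: start-first
+
+networks:
+common-infra-nginx:
+external: true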
@ -59,6 +59,7 @@ jobs:
|
||||
MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
|
||||
DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
|
||||
MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
|
||||
MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
|
||||
REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
|
||||
RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
|
||||
REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
|
||||
|
@ -63,6 +63,7 @@ jobs:
|
||||
MONGO_PASSWORD_PROD: ${{ secrets.MONGO_PASSWORD_PROD }}
|
||||
DB_PASSWORD_PROD: ${{ secrets.POSTGRES_PASSWORD_PROD }}
|
||||
MINIO_PASSWORD_PROD: ${{ secrets.MINIO_PASSWORD_PROD }}
|
||||
MINIO_SECRET_KEY_PROD: ${{ secrets.MINIO_SECRET_KEY_PROD }}
|
||||
REDIS_PASSWORD_PROD: ${{ secrets.REDIS_PASSWORD_PROD }}
|
||||
RABBITMQ_PASSWORD_PROD: ${{ secrets.RABBITMQ_PASSWORD_PROD }}
|
||||
REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
|
||||
|
@ -1,4 +1,13 @@
|
||||
FROM nginx
|
||||
RUN apt-get update
|
||||
RUN apt-get install certbot --yes
|
||||
RUN apt-get install python3-certbot-nginx python3-pip --yes
|
||||
RUN pip3 install --break-system-packages requests minio
|
||||
COPY ./config /etc/nginx
|
||||
COPY ./fullchain.pem /etc/nginx/fullchain.pem
|
||||
COPY ./privkey.pem /etc/nginx/privkey.pem
|
||||
COPY ./fullchain.pem /etc/nginx/fullchain.pem
|
||||
COPY prepare.py prepare.py
|
||||
COPY run.sh run.sh
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
RUN chmod 777 run.sh
|
||||
ENTRYPOINT ["./run.sh"]
|
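Review bot: `COPY ./privkey.pem /etc/nginx/privkey.pem` bakes the TLS private key into an image layer, so everyone who can pull the image or read the registry obtains the key, and rotating it requires a rebuild. prepare.py already fetches per-host certificates at start-up, so the wildcard pair could be delivered the same way or mounted at run time (Swarm secret or read-only bind mount) and the `COPY` lines for the key dropped. Separately, `RUN chmod 777 run.sh` leaves the entrypoint script world-writable; `COPY --chmod=755 run.sh run.sh` sets the execute bit without the extra layer. The production Dockerfile in this commit carries the same lines.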
@ -8,6 +8,6 @@ http {
|
||||
'' close;
|
||||
}
|
||||
|
||||
# include ./guavo.conf;
|
||||
include ./hosts.conf;
|
||||
include ./sprinthub.conf;
|
||||
}
|
@ -1,24 +1,24 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDjTCCAxOgAwIBAgISBFOrEAaTGvrTDKdeolnTvP2tMAoGCCqGSM49BAMDMDIx
|
||||
MIIDmTCCAx+gAwIBAgISBmM6pAg0qa3+cxLar5nvn27GMAoGCCqGSM49BAMDMDIx
|
||||
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
|
||||
NTAeFw0yNTAyMTMyMDMxMTNaFw0yNTA1MTQyMDMxMTJaMCExHzAdBgNVBAMMFiou
|
||||
ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW
|
||||
CTHej6yeHgUhHJlGrI3/8cFlPdoVWeb4J+5DOaEKhpdeL90JWNMVIrbz4yaa9LTi
|
||||
Yezrr5pXocvdS9fBT/zHo4ICGDCCAhQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
|
||||
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRY
|
||||
7KU/E/kLjq27+Bsr5myR/sry4TAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw
|
||||
i9LXDTBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxl
|
||||
bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAhBgNV
|
||||
HREEGjAYghYqLmRldmVsb3Auc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EM
|
||||
AQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAzPsPaoVxCWX+lZtTzumyfCLp
|
||||
hVwNl422qX5UwP5MDbAAAAGVATe42wAABAMARzBFAiAvPfNaVjzr1bjZLfQuZku5
|
||||
1raR2QS3oPhfFcYfsKzPAgIhAJ6E1t/yKiuc3JScuUl26S4+s2noeAGhmIxB/uk+
|
||||
9KCMAHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVATe4xwAA
|
||||
BAMARzBFAiASyvhckbFMsgtb7FGbF2nl0KAboDqiJK9ekpHLu41YSQIhANJjOl3+
|
||||
HHBPrLR2oMi3vE1jkJxhFYNeoQzxGGeKVstpMAoGCCqGSM49BAMDA2gAMGUCMQC2
|
||||
4UIBvoCAl54QjeXlpadTbL5hE2bsh1bEF3XNtaIsVVlBFQZwly2fp2Qil9m34BcC
|
||||
MEF4eFmSQmAjc++mRA9m4qo4P5KeeakU1ccrWEypfIHnLn/UtQlG8K2+ceAQc/9K
|
||||
pg==
|
||||
NTAeFw0yNTA1MzAyMTEzMjZaFw0yNTA4MjgyMTEzMjVaMCExHzAdBgNVBAMMFiou
|
||||
ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy
|
||||
YXxx4cfN6ga0duaq7STjZxNwtFQ7c0ZAO+D7ulmdf/jpK8Xfkj5d0KMX0jhTmTEg
|
||||
DUwvBMsH/fpyuuEdHNPWo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
|
||||
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT1
|
||||
FLWsp0ksteuVXXd3pZokXOhj2DAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw
|
||||
i9LXDTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxl
|
||||
bmNyLm9yZy8wIQYDVR0RBBowGIIWKi5kZXZlbG9wLnNwcmludGh1Yi5ydTATBgNV
|
||||
HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5s
|
||||
ZW5jci5vcmcvNzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAEvFONL1T
|
||||
ckyEBhnDjz96E/jntWKHiJxtMAWE6+WGJjoAAAGXI0B2OwAABAMARzBFAiBcMmQQ
|
||||
PiKhuqhi3fs4yL6lfnQdZ1VlJTBifu8T6t4H3QIhAL/BdDUOafC+9nrlP7USrlCT
|
||||
Oo1TA5JG/Yvxk5a/Oe1yAHYA7TxL1ugGwqSiAFfbyyTiOAHfUS/txIbFcA8g3bc+
|
||||
P+AAAAGXI0CF1gAABAMARzBFAiAHI0Z170KObyMHOQM6w/GhsazTzUpBilyQnv/b
|
||||
Wr+kdwIhALS4DQNUNfiJoea0wszwoTxcnowGI7Whx8qH4Ut6st88MAoGCCqGSM49
|
||||
BAMDA2gAMGUCMGdO7CfUNB8wcMaHtED7/dy2ojOtofMze0kN0rzt2I/On55Ce84K
|
||||
ZJ0Uj+Bcv/66qwIxAJ9YJTSJ1+owoICDbJekE+ejgzA+GgU2Z+RviZUTNXIdbWbX
|
||||
etMXbXfP7WJPjxZ+ng==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
|
||||
@ -45,4 +45,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
|
||||
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
|
||||
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
|
||||
VQD9F6Na/+zmXCc=
|
||||
-----END CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
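--- a/nginx/nginx-dev/prepare.py
+++ b/nginx/nginx-dev/prepare.py
@@ -0,0 +1,49 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+"minio.develop.sprinthub.ru:9000",
+access_key="serviceminioadmin",
+secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+config += '''
+server {{
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name {host};
+
+ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-refferer-when-downgrade" always;
+add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+location / {{
+resolver 127.0.0.11;
+proxy_pass http://{pre_domain}-nginx:1238$request_uri;
+}}
+}}\n\n
+'''.format(host=host, pre_domain=host.split('.')[0])
+fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+os.mkdir(f'/etc/nginx/{host}')
+with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+fp.write(fullchain.data)
+with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+fp.write(config)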
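Review bot: The MinIO client is built with `secure=False` and `secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin")`, so the private keys pulled from the `certupdater` bucket cross the network unencrypted, and a missing variable silently falls back to a well-known default credential. Prefer `secure=True` (assuming the endpoint offers TLS) and `secret_key=os.environ["MINIO_SECRET_KEY"]`, so start-up fails loudly when the secret is absent. nginx/nginx-prod/prepare.py passes the same two arguments. The `Referrer-Policy` value in the template is misspelled as `no-refferer-when-downgrade`, which is not a valid policy token and gives no protection; the valid token is `no-referrer-when-downgrade`, and the same string recurs in the production script and in the static server blocks changed later in this commit.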
@ -1,5 +1,5 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIPXF013iLs5Jvxsj7K8xdzqyUBQxFILJ3dEyTriIJQaDoAoGCCqGSM49
|
||||
AwEHoUQDQgAEFgkx3o+snh4FIRyZRqyN//HBZT3aFVnm+CfuQzmhCoaXXi/dCVjT
|
||||
FSK28+MmmvS04mHs66+aV6HL3UvXwU/8xw==
|
||||
-----END EC PRIVATE KEY-----
|
||||
MHcCAQEEIPtfut2MheT8iyX6/EXDHHDR9yvtYLxMUg34mLeCpngpoAoGCCqGSM49
|
||||
AwEHoUQDQgAE8mF8ceHHzeoGtHbmqu0k42cTcLRUO3NGQDvg+7pZnX/46SvF35I+
|
||||
XdCjF9I4U5kxIA1MLwTLB/36crrhHRzT1g==
|
||||
-----END EC PRIVATE KEY-----
|
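Review bot: This file is an EC private key checked into the repository, and the hunk replaces one key with another, so both keys are readable by anyone with access to the repository or its history. Committed keys should be treated as disclosed: reissue the certificate with a fresh key, revoke the affected certificates, and keep the key file out of version control (an ignore rule plus delivery through the secret store or the MinIO bucket that prepare.py already reads). The same holds for the other private-key files touched in this commit, including the deleted `PRIVATE KEY` file, which remains in history.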
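--- a/nginx/nginx-dev/run.sh
+++ b/nginx/nginx-dev/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'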
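Review bot: The script has no error handling, so when `python3 prepare.py` fails (configurator or MinIO unreachable) the next line still launches nginx against whatever hosts.conf and certificates happen to be on disk. Add `set -euo pipefail` after the shebang so the container exits and the restart policy retries. Start the server with `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so that nginx replaces the shell and receives the stop signal directly.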
@ -1,10 +1,13 @@
|
||||
FROM nginx
|
||||
RUN apt-get update
|
||||
RUN apt-get install certbot --yes
|
||||
RUN apt-get install python3-certbot-nginx --yes
|
||||
RUN mkdir /etc/allinvest
|
||||
COPY ./nginx-prod.conf /etc/nginx/nginx.conf
|
||||
COPY ./privkey.pem /etc/nginx/privkey.pem
|
||||
RUN apt-get install python3-certbot-nginx python3-pip --yes
|
||||
RUN pip3 install --break-system-packages requests minio
|
||||
COPY ./config /etc/nginx
|
||||
COPY ./fullchain.pem /etc/nginx/fullchain.pem
|
||||
COPY ./allinvest/privkey.pem /etc/allinvest/privkey.pem
|
||||
COPY ./allinvest/fullchain.pem /etc/allinvest/fullchain.pem
|
||||
COPY ./privkey.pem /etc/nginx/privkey.pem
|
||||
COPY prepare.py prepare.py
|
||||
COPY run.sh run.sh
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
RUN chmod 777 run.sh
|
||||
ENTRYPOINT ["./run.sh"]
|
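Review bot: `FROM nginx` carries no tag or digest and `pip3 install --break-system-packages requests minio` pins no versions, so each rebuild can pull a different base and different library code into the image that terminates TLS. Pin the base as `nginx:<version>@sha256:<digest>` (placeholders) and give both Python packages exact versions. `RUN apt-get update` in its own layer can also be served stale from the build cache; combine it with the installs, e.g. `RUN apt-get update && apt-get install --yes --no-install-recommends certbot python3-certbot-nginx python3-pip && rm -rf /var/lib/apt/lists/*`. The development Dockerfile has the same three instructions.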
@ -1,90 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIE5TCCA82gAwIBAgISBLLA45sg/IhDBwA/vxe7YIKrMA0GCSqGSIb3DQEBCwUA
|
||||
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
|
||||
EwJSMzAeFw0yNDAyMDMyMTI1NDdaFw0yNDA1MDMyMTI1NDZaMBcxFTATBgNVBAMT
|
||||
DHlvdXJnb2xzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFC
|
||||
SqAyzSV1BHFSqKxH3GuLEVRgxUABAhveeLWOTJt3xrKTNhdgaP4fD8CZF5vmgFqx
|
||||
M/Zk4mizZ9FEQeKnrmlhAL643OaGRTVwN1FfBEfvr/fT3AQD0HQB55OSsUReSFUn
|
||||
yT9vR2cv+r/f6EU78Uw/svvTD7M0vY/uRfOc2qWv+I6dGsoS32iDQmsYlOK4HKWX
|
||||
mfBTuGSCJKcec1nviehXXrGFP4YJa3gs6RzWTtGXxGgI0lG9O366RszkKZKVJICh
|
||||
BH+YWV9KJ1hzgmRWlRJgs4t14MO2Dxw5Mu1G08WbaEQGvE7RgcBCNY8sV1K1Bx/P
|
||||
NUPRsSPT6rIsX3MhQ4sCAwEAAaOCAg4wggIKMA4GA1UdDwEB/wQEAwIFoDAdBgNV
|
||||
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
|
||||
FgQUcY+9gyWVjqP8S2owFnPbtwbiZ1QwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA
|
||||
5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu
|
||||
by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w
|
||||
FwYDVR0RBBAwDoIMeW91cmdvbHMuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIB
|
||||
BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70A
|
||||
DS1yb+H61BcAAAGNcRPt8gAABAMARjBEAiAMpD5lfh43xD1tAvsSa20OQ4LsQ8Kt
|
||||
YBvl5svUTuGrHAIgPveMh3yZ6z+QLW1k8Lv7z1kyXsxSvCUQrX16k7m1V8kAdwCi
|
||||
4r/WHt4vLweg1k5tN6fcZUOwxrUuotq3iviabfUX2AAAAY1xE+3xAAAEAwBIMEYC
|
||||
IQD+hmWzWe0y9M8xYKvuhySnHN6AWKQpvJgTqBsCFiiy5QIhANM0ce+SEC4BlY8m
|
||||
QAIGNXbAjlKU28q66EcTuSjji227MA0GCSqGSIb3DQEBCwUAA4IBAQAAfH8lbwUk
|
||||
JD6voPBGCTt7XSZPl9dq4LdmOLV3bsfjtqWOeGNCznBYKfRZO/UJ/srekCjapzKy
|
||||
DAmv0dl/tvBGfqhU/emOtKsq9AE0J7RqzF9SQPrVzq/VxWXGCCmtxUHEAlNk/lrg
|
||||
PqxpTUZdLpeBEbNvtloSaUEpe8mkFcFhw7TZVtdkpn+pHRlltqXry/8BekFPQR5Y
|
||||
qgI8akm2rXOV616MnF81DhIUVY4n6t4SVsDjSk69iDnKG97PJJK5yqsEfdZFiDRK
|
||||
PlhHTYwOsypaP/JMuanK8eGjnNR9pA40DEjAJO0kvE3IE7dHD3R1iGkXjr7wIkKw
|
||||
5NjP9yOv01mH
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
|
||||
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
|
||||
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
|
||||
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
|
||||
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
|
||||
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
|
||||
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
|
||||
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
|
||||
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
|
||||
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
|
||||
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
|
||||
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
|
||||
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
|
||||
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
|
||||
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
|
||||
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
|
||||
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
|
||||
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
|
||||
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
|
||||
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
|
||||
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
|
||||
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
|
||||
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
|
||||
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
|
||||
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
|
||||
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
|
||||
nLRbwHOoq7hHwg==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
|
||||
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
|
||||
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
|
||||
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
|
||||
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
|
||||
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
|
||||
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
|
||||
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
|
||||
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
|
||||
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
|
||||
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
|
||||
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
|
||||
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
|
||||
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
|
||||
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
|
||||
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
|
||||
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
|
||||
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
|
||||
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
|
||||
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
|
||||
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
|
||||
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
|
||||
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
|
||||
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
|
||||
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
|
||||
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
|
||||
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
|
||||
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
|
||||
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
|
||||
-----END CERTIFICATE-----
|
@ -1,28 +0,0 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDRQkqgMs0ldQRx
|
||||
UqisR9xrixFUYMVAAQIb3ni1jkybd8aykzYXYGj+Hw/AmReb5oBasTP2ZOJos2fR
|
||||
REHip65pYQC+uNzmhkU1cDdRXwRH76/309wEA9B0AeeTkrFEXkhVJ8k/b0dnL/q/
|
||||
3+hFO/FMP7L70w+zNL2P7kXznNqlr/iOnRrKEt9og0JrGJTiuByll5nwU7hkgiSn
|
||||
HnNZ74noV16xhT+GCWt4LOkc1k7Rl8RoCNJRvTt+ukbM5CmSlSSAoQR/mFlfSidY
|
||||
c4JkVpUSYLOLdeDDtg8cOTLtRtPFm2hEBrxO0YHAQjWPLFdStQcfzzVD0bEj0+qy
|
||||
LF9zIUOLAgMBAAECggEANWFhxAfxiRKWtYnOeVRDiDOLkii1aKRZM17HEBlitW4S
|
||||
g89FxyTS47BsxkbHXP+p0njNtpb5opfRbfKpk/YOaddS51QlFbE+ymj704gXgXpF
|
||||
O0USJPwMGuu5dU3AZp5eeUqS7dmnL01v+65UhATMgxTkxZSLtr1HdgXkVka3B/ir
|
||||
Q/iqR4ftt+qT0a9mzXQOxgdN7qnNwVNO1uJi87C6fQBRB6F724U5SJyOTMl9R6ZS
|
||||
+JZ9Oz5xxoGLA/Nftn078uMjf2ymWfOqicHYeXxfPYllXNuRsIf7NA00F0orwF15
|
||||
TWBZLB5GbkOIP7k7vzabZMCbGmf42XYtt1oFYIssIQKBgQD7aB8cUDVdE47VOX4p
|
||||
+Bf2ilMJA2d+KsCA3uYw5VQjjxBbfN+nChOx6e6eSmy2MMtH2ECG2IgW04FDbHtZ
|
||||
y2tbmRY3XIl+4dos+6ybbiYeYKRcHOQiXbjFK9ml1NpDcuLMHE3a6v0gFB8N0iB4
|
||||
J3u6h9+kHe3LGPzIVDGbITWi4wKBgQDVFQleHfRWM9/hebU8/tshY4sRJ9nA9haI
|
||||
F/NDMHhE+IyX9JHxGXtVE0ihOh0+0PLKLwtOepc4vqZaquKVnzZ82+sc+C4Iqg8K
|
||||
S+1NoRFOZG1AlM53UI51ZXLvXZp8gAdDBXzwBZpWZNdhJHJSnuwVI+UoDkrAQkmn
|
||||
/n4jzV01OQKBgQCH8pr4JYtlxIC1XryRl13l7JDQS+339MhaJ66UfD5OaDtxLYqH
|
||||
elSCHbzyDc7RinsyY4cpJAgbR84blprxSKXKR3MTBtA3M4xWTNXeyuaEAMCAKwNW
|
||||
bhXPUVIFcZ+BX6uysg+LtQyh/x93ysvSDY/Do1vVFHYVIHL5JUYZ3BBz/wKBgQDT
|
||||
oCYCnJtr9e9Xn6oZ30BBg/y9WCfTllVAaxEGXSBF19jCnntHyjgMga9zuSUMmzdX
|
||||
CKwhEG4aRHcxu2B4m3zhOwXiarZFkqiHYGtZ2ys2AVXkeyYnqBEklVI2W2+wUPNl
|
||||
ZBD2zYnAXjzu1OTaG857HIBebPtewTcoKwCajD8TOQKBgQDr07j3sx5nQsg4kHmR
|
||||
kBvHHjq7kQ1pEItrD/CfLsZ7Ntip4L82UzdZm/hhdM/12fB+wLu8HcZzvY5H1J+3
|
||||
IlkKYhAAe8lgzE7hYupVD9QtdFBuNsAnQfT+VV4JnZNDVZHXfnhz19KJ+iIvqton
|
||||
8WCEnmpiIKyt+Lq+Ol3n7PDMIw==
|
||||
-----END PRIVATE KEY-----
|
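--- a/nginx/nginx-prod/config/nginx.conf
+++ b/nginx/nginx-prod/config/nginx.conf
@@ -0,0 +1,13 @@
+events {}
+
+http {
+client_max_body_size 50m;
+
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+include ./hosts.conf;
+include ./sprinthub.conf;
+}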
@ -1,14 +1,14 @@
|
||||
|
||||
# server {
|
||||
# listen 80;
|
||||
# server_name *.develop.guavo.tech;
|
||||
# return 301 https://$host$request_uri;
|
||||
# }
|
||||
server {
|
||||
listen 80;
|
||||
server_name *.sprinthub.ru;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name swarmpit.develop.guavo.tech;
|
||||
server_name swarmpit.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
@ -20,14 +20,14 @@
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://develop.guavo.tech:888/;
|
||||
proxy_pass http://dev.sprinthub.ru:888/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name portainer.develop.guavo.tech;
|
||||
server_name portainer.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
@ -39,7 +39,7 @@
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://develop.guavo.tech:8888/;
|
||||
proxy_pass http://dev.sprinthub.ru:8888/;
|
||||
}
|
||||
|
||||
location /api/websocket/ {
|
||||
@ -47,14 +47,14 @@
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://develop.guavo.tech:8888/api/websocket/;
|
||||
proxy_pass http://dev.sprinthub.ru:8888/api/websocket/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name rabbitmq.develop.guavo.tech;
|
||||
server_name minio.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
@ -66,14 +66,14 @@
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://develop.guavo.tech:15672/;
|
||||
proxy_pass http://dev.sprinthub.ru:9001/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name minio.develop.guavo.tech;
|
||||
server_name gitea.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
@ -85,42 +85,14 @@
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://develop.guavo.tech:9001/;
|
||||
proxy_pass http://dev.sprinthub.ru:3000/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name grafana.develop.guavo.tech;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://develop.guavo.tech:3000/;
|
||||
}
|
||||
|
||||
location /api/live/ws {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://develop.guavo.tech:3000/api/live/ws;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
|
||||
server_name ~^(?<domain>.*)\.sprinthub\.ru$;
|
||||
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
@ -132,30 +104,7 @@
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
location / {
|
||||
proxy_pass http://$domain-nginx:1238$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
|
||||
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
location / {
|
||||
proxy_pass http://$domain-nginx:1238$request_uri;
|
||||
}
|
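Review bot: The catch-all block `server_name ~^(?<domain>.*)\.sprinthub\.ru$;` passes the captured text straight into `proxy_pass http://$domain-nginx:1238$request_uri;`, so the client-supplied Host header chooses which internal name is resolved, and `.*` also accepts dots and other characters. Constrain the capture to a single DNS label with `server_name ~^(?<domain>[a-z0-9-]+)\.sprinthub\.ru$;`, or rely on the explicit per-host blocks that prepare.py now generates and drop the regex block. Several of these server blocks start or end outside the rendered hunks, so this reading is based on the visible lines only.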
@ -1,23 +1,23 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDfDCCAwKgAwIBAgISA7RNvbxsQFQcAVy4rIt/qik2MAoGCCqGSM49BAMDMDIx
|
||||
MIIDhzCCAw6gAwIBAgISBXELtGOqEI5IsXNFUC7cue03MAoGCCqGSM49BAMDMDIx
|
||||
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
|
||||
NTAeFw0yNTAyMTMyMTAzMzdaFw0yNTA1MTQyMTAzMzZaMBkxFzAVBgNVBAMMDiou
|
||||
c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnOOljp3cFclh
|
||||
repAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZL0lQ8Qfvj1fVlVtah9LPuz5c
|
||||
hLMNK2KoLaOCAg8wggILMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
|
||||
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEvxI9gbpB3pH
|
||||
nRkSwmBUDxbqiZMwHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYI
|
||||
KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcw
|
||||
IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIO
|
||||
Ki5zcHJpbnRodWIucnUwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5
|
||||
AgQCBIH0BIHxAO8AdQDehYHXUCR8a83Lr1Y3xeeBxkzkbtYXY5+PNKcmyeK9NwAA
|
||||
AZUBVWFvAAAEAwBGMEQCIG/0w/LD2GbEa6OPYUzrQyQFbHvlCQHI8fZ9poUQ/79o
|
||||
AiAQnczLXxcowqIYF+K5ppeDdVJjs9YfAX0l+7MlNiExOAB2ABNK3xq1mEIJeAxv
|
||||
70x6kaQWtyNJzlhXat+u2qfCq+AiAAABlQFVYjEAAAQDAEcwRQIgSlaJ8jTrR4cb
|
||||
E65bZZcqufKCDTsUIrasTjgB5wPR/CUCIQDKoTiZvY2J+CUOazRAMCLuKknvnlWb
|
||||
15C9fsy1e5ZhXTAKBggqhkjOPQQDAwNoADBlAjEAh8H95ADLd8IXWPk2OG94VQ35
|
||||
ukNHsIreck5DHo/0HxKBuD+mjp8SG/vEJ0UB/65iAjBywTkv3JeaLV1SX+QUUUiF
|
||||
5aNTztnM6d3vHalb+pJJ0LtO32c1iY7pQ47wqXk8fbs=
|
||||
NTAeFw0yNTA1MzAyMTQ3MzZaFw0yNTA4MjgyMTQ3MzVaMBkxFzAVBgNVBAMMDiou
|
||||
c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoS3M+thgeup/
|
||||
F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9azdDRAp+c2OlzJqJQC+ZefswCB
|
||||
2xvjNSoL2aOCAhswggIXMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
|
||||
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUu+3qfzUyaCAb
|
||||
POu7GPUO6ZI2WfswHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wMgYI
|
||||
KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcv
|
||||
MBkGA1UdEQQSMBCCDiouc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EMAQIB
|
||||
MC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9lNS5jLmxlbmNyLm9yZy81Ni5jcmww
|
||||
ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sA
|
||||
OhQSdgosrLvIKgAAAZcjX78RAAAEAwBHMEUCIDNC6e7jNcTXW1bti1nkseruXw84
|
||||
b8dsVzBt96FtE4+aAiEAr7ugvtozhmp6JdkIEfdHKecym9TxcL1h43j6rbKU3d8A
|
||||
dQAaBP9J0FQdQK/2oMO/8djEZy9O7O4jQGiYaxdALtyJfQAAAZcjX8BoAAAEAwBG
|
||||
MEQCIDezeAIFZ25OWXVV9hmtzEE5ujP0IyFaLxebyXAflYZMAiAy09hFLQXapebE
|
||||
5YDtvqfmefapEsr4OaWyfusWjmeaiDAKBggqhkjOPQQDAwNnADBkAjAobO18Vk18
|
||||
BG7lBbXEQ0O8RYy+CEV/ef1ni2CBQp+MtmG/ZCWAbfEXFaj2WKng5Q0CMFRR9icx
|
||||
p6/tLUixnJfAusGudEtD5Leh2foPDT2jzgazaROaVFVTrCJMGcdgVukuPQ==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
|
||||
@ -44,4 +44,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
|
||||
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
|
||||
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
|
||||
VQD9F6Na/+zmXCc=
|
||||
-----END CERTIFICATE-----
|
||||
-----END CERTIFICATE-----
|
@ -1,236 +0,0 @@
|
||||
events {}
|
||||
|
||||
http {
|
||||
client_max_body_size 150m;
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name gitlab.sprinthub.ru;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:1234/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name *.sprinthub.ru;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name gitlab.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:1234/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name swarmpit.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:888/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name portainer.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:8888/;
|
||||
}
|
||||
|
||||
location /api/websocket/ {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://dev.sprinthub.ru:8888/api/websocket/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name rabbitmq.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:15672/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name swarmpit.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:15672/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name minio.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:9001/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name gitea.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:3000/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name keycloak.sprinthub.ru;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
|
||||
location / {
|
||||
proxy_pass http://dev.sprinthub.ru:8443/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name ~^(?<domain>.*)\.sprinthub\.ru$;
|
||||
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
ssl_certificate /etc/nginx/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
location / {
|
||||
proxy_pass http://$domain-nginx:1238$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name yourgols.com;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name yourgols.com;
|
||||
|
||||
resolver 127.0.0.11 ipv6=off;
|
||||
|
||||
ssl_certificate /etc/allinvest/fullchain.pem;
|
||||
ssl_certificate_key /etc/allinvest/privkey.pem;
|
||||
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-refferer-when-downgrade" always;
|
||||
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
location / {
|
||||
proxy_pass http://yourgols-nginx:1238$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
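--- a/nginx/nginx-prod/prepare.py
+++ b/nginx/nginx-prod/prepare.py
@@ -0,0 +1,49 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+"minio.sprinthub.ru:9000",
+access_key="serviceminioadmin",
+secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=production').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+config += '''
+server {{
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name {host};
+
+ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-refferer-when-downgrade" always;
+add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+location / {{
+resolver 127.0.0.11;
+proxy_pass http://{pre_domain}-nginx:1238$request_uri;
+}}
+}}\n\n
+'''.format(host=host, pre_domain=host.split('.')[0])
+fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+os.mkdir(f'/etc/nginx/{host}')
+with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+fp.write(fullchain.data)
+with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+fp.write(config)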
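Review bot: The MinIO client that downloads the TLS private keys is built with `secure=False` and `os.getenv("MINIO_SECRET_KEY", "minioadmin")`, so the secret key and every `privkey.pem` travel over plain HTTP, and a missing variable silently falls back to a widely known default credential. The host names returned by the configurator are also formatted straight into `server_name`, `proxy_pass` and the `/etc/nginx/{host}` paths with no validation, `privkey.pem` is written with default permissions, and `os.mkdir` raises if the container restarts with the directory already present. The sketch below fails fast on a missing secret, validates each host name, and creates the key file with mode 0600; `secure=True` assumes the MinIO endpoint serves TLS, and `re` would need importing. Indentation is lost in this rendering, so the extent of the loop body is inferred.

```python
minio_client = Minio(
    "minio.sprinthub.ru:9000",
    access_key="serviceminioadmin",
    # fail fast instead of falling back to a well-known default credential
    secret_key=os.environ["MINIO_SECRET_KEY"],
    secure=True,  # private keys must not cross the network in clear text
)
# … unchanged: hosts fetched from configurator and de-duplicated …
for host in hosts:
    # the value ends up in nginx directives and filesystem paths
    if not re.fullmatch(r'[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+', host):
        raise ValueError(f'unexpected host name from configurator: {host!r}')
    # … unchanged: server block appended to config, objects fetched from MinIO …
    os.makedirs(f'/etc/nginx/{host}', mode=0o700, exist_ok=True)
    # … unchanged: fullchain.pem written …
    key_fd = os.open(f"/etc/nginx/{host}/privkey.pem",
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as fp:
        fp.write(privkey.data)
```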
@ -1,5 +1,5 @@
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEINNyhRc5/bs0M7kOOl2bh1BkcFyHG6m0+VSVNuMEN+E1oAoGCCqGSM49
|
||||
AwEHoUQDQgAEnOOljp3cFclhrepAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZ
|
||||
L0lQ8Qfvj1fVlVtah9LPuz5chLMNK2KoLQ==
|
||||
-----END EC PRIVATE KEY-----
|
||||
MHcCAQEEIL0TAduonJLmbcDpRxDjSfa8bMIqLOh1KQcGQvAeQTIQoAoGCCqGSM49
|
||||
AwEHoUQDQgAEoS3M+thgeup/F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9az
|
||||
dDRAp+c2OlzJqJQC+ZefswCB2xvjNSoL2Q==
|
||||
-----END EC PRIVATE KEY-----
|
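Review bot: This file is an EC private key stored in the repository in clear text, and the change replaces it with another one, so both the old and the new key are readable by anyone with access to the repository or its history. Both should be treated as exposed: revoke and reissue the certificates they belong to, remove the file from the tree, and deliver the key at deploy time from a secret store. The MinIO download that `prepare.py` in this same commit performs for per-host certificates, or a Docker secret, would fit. The file name is not shown in this rendering, so which certificate the key belongs to needs checking.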
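--- a/nginx/nginx-prod/run.sh
+++ b/nginx/nginx-prod/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'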
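Review bot: Nothing checks the exit status of `python3 prepare.py` before nginx is started, so a failed configurator or MinIO fetch does not stop the container. nginx is launched anyway and will presumably either fail on missing files or serve whatever certificates and `hosts.conf` an earlier run left on disk. Adding `set -euo pipefail` after the shebang makes the failure visible to the orchestrator's restart policy. Starting the server with `exec /docker-entrypoint.sh nginx -g 'daemon off;'` lets nginx replace the shell so it receives stop signals directly.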