From 1b7979e37fa26768e0f875143eef3a40fc6c57fb Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Thu, 12 Jun 2025 01:57:25 +0300 Subject: [PATCH 1/4] fix --- nginx/nginx-dev/config/sprinthub.conf | 6 ++++++ nginx/nginx-prod/config/sprinthub.conf | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/nginx/nginx-dev/config/sprinthub.conf b/nginx/nginx-dev/config/sprinthub.conf index ce960f2..e1092b3 100644 --- a/nginx/nginx-dev/config/sprinthub.conf +++ b/nginx/nginx-dev/config/sprinthub.conf @@ -5,6 +5,12 @@ return 301 https://$host$request_uri; } + server { + listen 80; + server_name *.develop.chocomarsh.com; + return 301 https://$host$request_uri; + } + server { listen 443 ssl http2; listen [::]:443 ssl http2; diff --git a/nginx/nginx-prod/config/sprinthub.conf b/nginx/nginx-prod/config/sprinthub.conf index 93c2dc5..5d30a37 100644 --- a/nginx/nginx-prod/config/sprinthub.conf +++ b/nginx/nginx-prod/config/sprinthub.conf @@ -5,6 +5,12 @@ return 301 https://$host$request_uri; } + server { + listen 80; + server_name *.chocomarsh.com; + return 301 https://$host$request_uri; + } + server { listen 443 ssl http2; listen [::]:443 ssl http2; From 119d0305522e5d87229b009d519c39b49d89a087 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Thu, 12 Jun 2025 12:53:13 +0300 Subject: [PATCH 2/4] fix --- nginx/nginx-dev/config/nginx.conf | 13 ++- nginx/nginx-dev/config/sprinthub.conf | 124 -------------------------- 2 files changed, 12 insertions(+), 125 deletions(-) delete mode 100644 nginx/nginx-dev/config/sprinthub.conf diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf index 97c6f16..06bfb80 100644 --- a/nginx/nginx-dev/config/nginx.conf +++ b/nginx/nginx-dev/config/nginx.conf 
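Review bot: The added `server` block in both the nginx-dev and nginx-prod hunks duplicates the port-80 redirect server whose closing `}` is the hunk's leading context, differing only in `server_name`; the directive accepts several names, so a single `server_name *.develop.sprinthub.ru *.develop.chocomarsh.com;` (and `server_name *.sprinthub.ru *.chocomarsh.com;` in prod) would cover both zones without a second copy of the redirect. The same duplicated pair is carried into nginx.conf by PATCH 2 and PATCH 4, so the simplification applies there as well. No `listen 443` server for any chocomarsh.com name is visible in either file, so those hosts presumably get their TLS vhost from the generated hosts.conf — worth confirming before the wildcard redirect goes live.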
@@ -7,7 +7,18 @@ http { default upgrade; '' close; } + + server { + listen 80; + server_name *.develop.sprinthub.ru; + return 301 https://$host$request_uri; + } + + server { + listen 80; + server_name *.develop.chocomarsh.com; + return 301 https://$host$request_uri; + } include ./hosts.conf; - include ./sprinthub.conf; } \ No newline at end of file diff --git a/nginx/nginx-dev/config/sprinthub.conf b/nginx/nginx-dev/config/sprinthub.conf deleted file mode 100644 index e1092b3..0000000 --- a/nginx/nginx-dev/config/sprinthub.conf +++ /dev/null 
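Review bot: Only the two port-80 redirect servers are moved into `http {}` here, while the sprinthub.conf deleted in the same commit also carried the `listen 443 ssl http2` servers for swarmpit, portainer, rabbitmq, minio and grafana, and nothing in this series re-adds them anywhere visible; unless hosts.conf now generates those blocks, those hostnames stop being served over TLS after this commit. The PATCH 4 hunk on nginx/nginx-prod/config/nginx.conf has the same gap for swarmpit, portainer, minio and gitea. The file also keeps its missing trailing newline (`\ No newline at end of file`), which is worth fixing while the closing `}` is being touched. The enclosing `http {` block starts outside the hunk.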
@@ -1,124 +0,0 @@
-
- server {
- listen 80;
- server_name *.develop.sprinthub.ru;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 80;
- server_name *.develop.chocomarsh.com;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name swarmpit.develop.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://develop.sprinthub.ru:888/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name portainer.develop.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://develop.sprinthub.ru:8888/;
- }
-
- location /api/websocket/ {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_pass http://develop.sprinthub.ru:8888/api/websocket/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name rabbitmq.develop.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://develop.sprinthub.ru:15672/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name minio.develop.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://develop.sprinthub.ru:9001/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name grafana.develop.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- proxy_set_header Host $http_host;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://develop.sprinthub.ru:3000/;
- }
-
- location /api/live/ws {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_pass http://develop.sprinthub.ru:3000/api/live/ws;
- }
- }
From 1f3bdc2bd3746194987fdb68c09b40b911cd6997 Mon Sep 17 00:00:00 2001
From: Egor Matveev Date: Thu, 12 Jun 2025 13:07:39 +0300 Subject: [PATCH 3/4] fix --- nginx/nginx-dev/config/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf index 06bfb80..d5e48ab 100644 --- a/nginx/nginx-dev/config/nginx.conf +++ b/nginx/nginx-dev/config/nginx.conf @@ -16,7 +16,7 @@ http { server { listen 80; - server_name *.develop.chocomarsh.com; + server_name *.dev.chocomarsh.com; return 301 https://$host$request_uri; } From e174ff26c4f1d490c82b24f3cc523315db3acb48 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Thu, 12 Jun 2025 13:26:50 +0300 Subject: [PATCH 4/4] fix --- nginx/nginx-prod/Dockerfile | 2 +- nginx/nginx-prod/config/nginx.conf | 13 +++- nginx/nginx-prod/config/sprinthub.conf | 96 -------------------------- nginx/nginx-prod/prepare.py | 59 +++++++++++----- 4 files changed, 55 insertions(+), 115 deletions(-) delete mode 100644 nginx/nginx-prod/config/sprinthub.conf diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile index 4ca87b1..9982f75 100644 --- a/nginx/nginx-prod/Dockerfile +++ b/nginx/nginx-prod/Dockerfile @@ -2,7 +2,7 @@ FROM nginx RUN apt-get update RUN apt-get install certbot --yes RUN apt-get install python3-certbot-nginx python3-pip --yes -RUN pip3 install --break-system-packages requests minio +RUN pip3 install --break-system-packages minio COPY ./config /etc/nginx COPY ./fullchain.pem /etc/nginx/fullchain.pem COPY ./privkey.pem /etc/nginx/privkey.pem diff --git a/nginx/nginx-prod/config/nginx.conf b/nginx/nginx-prod/config/nginx.conf index 97c6f16..6ca7786 100644 --- a/nginx/nginx-prod/config/nginx.conf +++ b/nginx/nginx-prod/config/nginx.conf 
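Review bot: The rewritten `RUN pip3 install --break-system-packages minio` line in the nginx-prod Dockerfile hunk leaves the package unpinned, so every build pulls whatever minio release is current and the image is not reproducible; pin it to the version prepare.py was tested against, `RUN pip3 install --break-system-packages minio==<PINNED_VERSION>` (placeholder). The context lines above it run `apt-get update` and the two `apt-get install` steps as separate layers, so a cached update layer can be paired with a later install against a stale index; a single `RUN apt-get update && apt-get install --yes --no-install-recommends certbot python3-certbot-nginx python3-pip && rm -rf /var/lib/apt/lists/*` avoids that and keeps the image smaller. Dropping `requests` matches the prepare.py rewrite in the same commit, and nothing else in this diff still imports it.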
@@ -7,7 +7,18 @@ http { default upgrade; '' close; } + + server { + listen 80; + server_name *.sprinthub.ru; + return 301 https://$host$request_uri; + } + + server { + listen 80; + server_name *.chocomarsh.com; + return 301 https://$host$request_uri; + } include ./hosts.conf; - include ./sprinthub.conf; } \ No newline at end of file diff --git a/nginx/nginx-prod/config/sprinthub.conf b/nginx/nginx-prod/config/sprinthub.conf deleted file mode 100644 index 5d30a37..0000000 --- a/nginx/nginx-prod/config/sprinthub.conf +++ /dev/null 
@@ -1,96 +0,0 @@ - - server { - listen 80; - server_name *.sprinthub.ru; - return 301 https://$host$request_uri; - } - - server { - listen 80; - server_name *.chocomarsh.com; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - 
add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitea.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:3000/; - } - } diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py index a1bfa61..d4ea956 100644 --- a/nginx/nginx-prod/prepare.py +++ b/nginx/nginx-prod/prepare.py @@ -1,6 +1,8 @@ -from requests import get import os +import sys from minio import Minio +from urllib.request import urlopen +from json import loads minio_client = Minio( @@ -11,9 +13,20 @@ minio_client = Minio( ) -hosts = get( - "http://configurator/api/v1/fetch?project=certupdater&stage=production" -).json()["configs"]["hosts"] +def get(url): + with urlopen(url) as response: + data = response.read().decode("utf-8") + return loads(data) + + +try: + response = get( + "http://configurator/api/v1/fetch?project=certupdater&stage=production" + ) + hosts = response["configs"]["hosts"] +except Exception as e: + print(f"Error fetching config: {e}", file=sys.stderr) + sys.exit(1) config = "" for host, params in hosts.items(): 
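Review bot: `get()` calls `urlopen(url)` without a timeout, so a configurator that accepts the connection but never answers blocks the container start indefinitely; use `with urlopen(url, timeout=10) as response:` (and since `loads()` accepts bytes, the explicit `.decode("utf-8")` can go). The `hosts` keys obtained here are used further down as a filesystem path component (`/etc/nginx/{host}`) and as a value in the nginx template, and they arrive over plain `http://`, so their integrity rests entirely on the internal network; validating each key before the loop, e.g. `re.fullmatch(r"[A-Za-z0-9.-]+", host)`, keeps an unexpected value from escaping the directory or the config syntax. The broad `except Exception` around the fetch is acceptable as a top-level exit point, but a `KeyError` from `response["configs"]["hosts"]` prints only the missing key, so naming the step in the message would make a changed configurator payload easier to diagnose.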
@@ -40,18 +53,30 @@ for host, params in hosts.items(): """.format( host=host, target_host=params["host"], port=params["port"] ) - fullchain = minio_client.get_object( - "certupdater", f"certificates/{host}/fullchain.pem" - ) - privkey = minio_client.get_object("certupdater", f"certificates/{host}/privkey.pem") try: - os.mkdir(f"/etc/nginx/{host}") - except FileExistsError: - ... - with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp: - fp.write(fullchain.data) - with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp: - fp.write(privkey.data) + fullchain = minio_client.get_object( + "certupdater", f"certificates/{host}/fullchain.pem" + ) + privkey = minio_client.get_object( + "certupdater", f"certificates/{host}/privkey.pem" + ) + try: + os.makedirs(f"/etc/nginx/{host}", exist_ok=True) + except OSError as e: + print(f"Error creating directory: {e}", file=sys.stderr) + continue -with open("/etc/nginx/hosts.conf", "w") as fp: - fp.write(config) + with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp: + fp.write(fullchain.data) + with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp: + fp.write(privkey.data) + except Exception as e: + print(f"Error processing host {host}: {e}", file=sys.stderr) + continue + +try: + with open("/etc/nginx/hosts.conf", "w") as fp: + fp.write(config) +except Exception as e: + print(f"Error writing config file: {e}", file=sys.stderr) + sys.exit(1)
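Review bot: The server block for `host` is appended to `config` by the `.format(...)` call above the new `try`, so when `get_object` or a write fails the `continue` leaves a vhost in hosts.conf whose certificate files under `/etc/nginx/{host}/` were never written, and nginx will presumably refuse to load that configuration; build the block into a local and do `config += block` only after both files are written, or exit non-zero instead of `continue`, since a partial hosts.conf is not a safe state to hand to nginx. `privkey.pem` is created with `open(..., "wb")` and therefore the process umask, typically leaving the private key world-readable inside the container; `with open(os.open(f"/etc/nginx/{host}/privkey.pem", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as fp:` fixes that. The inner `try/except OSError` around `os.makedirs` is redundant under the enclosing `except Exception`, and the two `get_object` responses are never closed (the minio client documents `close()` followed by `release_conn()` for them). The `for host, params in hosts.items()` loop body starts outside the hunk.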