From e174ff26c4f1d490c82b24f3cc523315db3acb48 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Thu, 12 Jun 2025 13:26:50 +0300 Subject: [PATCH 1/2] fix --- nginx/nginx-prod/Dockerfile | 2 +- nginx/nginx-prod/config/nginx.conf | 13 +++- nginx/nginx-prod/config/sprinthub.conf | 96 -------------------------- nginx/nginx-prod/prepare.py | 59 +++++++++++----- 4 files changed, 55 insertions(+), 115 deletions(-) delete mode 100644 nginx/nginx-prod/config/sprinthub.conf
diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile
index 4ca87b1..9982f75 100644
--- a/nginx/nginx-prod/Dockerfile
+++ b/nginx/nginx-prod/Dockerfile
@@ -2,7 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
-RUN pip3 install --break-system-packages requests minio
+RUN pip3 install --break-system-packages minio
 COPY ./config /etc/nginx
 COPY ./fullchain.pem /etc/nginx/fullchain.pem
 COPY ./privkey.pem /etc/nginx/privkey.pem
diff --git a/nginx/nginx-prod/config/nginx.conf b/nginx/nginx-prod/config/nginx.conf
index 97c6f16..6ca7786 100644
--- a/nginx/nginx-prod/config/nginx.conf
+++ b/nginx/nginx-prod/config/nginx.conf
@@ -7,7 +7,18 @@ http {
 default upgrade;
 '' close;
 }
+
+ server {
+ listen 80;
+ server_name *.sprinthub.ru;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name *.chocomarsh.com;
+ return 301 https://$host$request_uri;
+ }
 include ./hosts.conf;
- include ./sprinthub.conf;
 }
\ No newline at end of file
diff --git a/nginx/nginx-prod/config/sprinthub.conf b/nginx/nginx-prod/config/sprinthub.conf
deleted file mode 100644
index 5d30a37..0000000
--- a/nginx/nginx-prod/config/sprinthub.conf
+++ /dev/null
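Review bot: The two new port-80 redirect servers in nginx.conf bind IPv4 only (`listen 80;`), while the 443 servers that prepare.py generates into hosts.conf bind both `listen 443 ssl http2;` and `listen [::]:443 ssl http2;`, so an IPv6 client arriving on port 80 never reaches the redirect. Add `listen [::]:80;` next to each `listen 80;`. No block on port 80 is marked `default_server`, and nginx then treats the first one as the default, so a request whose Host matches neither wildcard is still answered by `return 301 https://$host$request_uri;` and has that arbitrary Host reflected into the Location header; a catch-all `server { listen 80 default_server; return 444; }` keeps the redirect to the two intended domains. The same two blocks are repeated in `nginx copy/nginx-dev/config/nginx.conf` and `nginx copy/nginx-prod/config/nginx.conf` in the second patch.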
@@ -1,96 +0,0 @@
-
- server {
- listen 80;
- server_name *.sprinthub.ru;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 80;
- server_name *.chocomarsh.com;
- return 301 https://$host$request_uri;
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name swarmpit.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://dev.sprinthub.ru:888/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name portainer.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://dev.sprinthub.ru:8888/;
- }
-
- location /api/websocket/ {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Host $host;
- proxy_pass http://dev.sprinthub.ru:8888/api/websocket/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name minio.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://dev.sprinthub.ru:9001/;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name gitea.sprinthub.ru;
-
- ssl_certificate /etc/nginx/fullchain.pem;
- ssl_certificate_key /etc/nginx/privkey.pem;
-
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "no-refferer-when-downgrade" always;
- add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
- location / {
- proxy_pass http://dev.sprinthub.ru:3000/;
- }
- }
diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py
index a1bfa61..d4ea956 100644
--- a/nginx/nginx-prod/prepare.py
+++ b/nginx/nginx-prod/prepare.py
@@ -1,6 +1,8 @@
-from requests import get
 import os
+import sys
 from minio import Minio
+from urllib.request import urlopen
+from json import loads
 minio_client = Minio(
@@ -11,9 +13,20 @@ minio_client = Minio(
 )
-hosts = get(
- "http://configurator/api/v1/fetch?project=certupdater&stage=production"
-).json()["configs"]["hosts"]
+def get(url):
+ with urlopen(url) as response:
+ data = response.read().decode("utf-8")
+ return loads(data)
+
+
+try:
+ response = get(
+ "http://configurator/api/v1/fetch?project=certupdater&stage=production"
+ )
+ hosts = response["configs"]["hosts"]
+except Exception as e:
+ print(f"Error fetching config: {e}", file=sys.stderr)
+ sys.exit(1)
 config = ""
 for host, params in hosts.items():
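Review bot: `urlopen(url)` in the new `get` helper has no timeout, so a configurator that accepts the connection but never answers leaves prepare.py hanging indefinitely instead of reaching the `except Exception` branch and `sys.exit(1)` — and run.sh, which starts nginx only after prepare.py returns, hangs with it. Pass one explicitly, `with urlopen(url, timeout=10) as response:` (value to be chosen for the deployment). The `except Exception` around the fetch could also be narrowed to `except (OSError, ValueError, KeyError, TypeError) as e:` — those cover `urlopen` failures, malformed JSON and a missing `configs`/`hosts` key — so that a plain programming error still surfaces with a traceback rather than as "Error fetching config".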
@@ -40,18 +53,30 @@ for host, params in hosts.items():
 """.format(
 host=host, target_host=params["host"], port=params["port"]
 )
- fullchain = minio_client.get_object(
- "certupdater", f"certificates/{host}/fullchain.pem"
- )
- privkey = minio_client.get_object("certupdater", f"certificates/{host}/privkey.pem")
 try:
- os.mkdir(f"/etc/nginx/{host}")
- except FileExistsError:
- ...
- with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
- fp.write(fullchain.data)
- with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
- fp.write(privkey.data)
+ fullchain = minio_client.get_object(
+ "certupdater", f"certificates/{host}/fullchain.pem"
+ )
+ privkey = minio_client.get_object(
+ "certupdater", f"certificates/{host}/privkey.pem"
+ )
+ try:
+ os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
+ except OSError as e:
+ print(f"Error creating directory: {e}", file=sys.stderr)
+ continue
-with open("/etc/nginx/hosts.conf", "w") as fp:
- fp.write(config)
+ with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
+ fp.write(privkey.data)
+ except Exception as e:
+ print(f"Error processing host {host}: {e}", file=sys.stderr)
+ continue
+
+try:
+ with open("/etc/nginx/hosts.conf", "w") as fp:
+ fp.write(config)
+except Exception as e:
+ print(f"Error writing config file: {e}", file=sys.stderr)
+ sys.exit(1)
From 861327a0174b0ee9e054e9246af8b84feb19a720 Mon Sep 17 00:00:00 2001
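Review bot: The server stanza for `host` is appended to `config` before the `try:` that fetches its certificates (the `config += """` template begins above this hunk), so when `get_object` or one of the file writes fails and the loop takes `continue`, hosts.conf still gets a `server` block whose `ssl_certificate /etc/nginx/{host}/fullchain.pem` was never written, and nginx then rejects the whole config at the next start or reload rather than just skipping that host. Build the stanza into a local first and only do `config += block` after `fp.write(privkey.data)` has succeeded. `privkey.pem` is written with the default umask, which in this image normally leaves it world-readable; open it with `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` (wrapped in `os.fdopen`) or follow the write with `os.chmod(path, 0o600)`. `host` comes straight from the configurator response and is interpolated into the filesystem path, the minio object key and the nginx config, so a value containing `/`, `..` or `;` would escape its directory or the stanza; a check such as `re.fullmatch(r"[A-Za-z0-9.-]+", host)` before use rejects that. The same loop is duplicated in `nginx copy/nginx-dev/prepare.py` and `nginx copy/nginx-prod/prepare.py` in the second patch.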
From: Egor Matveev Date: Thu, 12 Jun 2025 13:44:20 +0300 Subject: [PATCH 2/2] fix --- nginx copy/nginx-dev/Dockerfile | 15 ++++ nginx copy/nginx-dev/config/nginx.conf | 24 ++++++ {nginx => nginx copy}/nginx-dev/fullchain.pem | 0 nginx copy/nginx-dev/prepare.py | 82 +++++++++++++++++++ {nginx => nginx copy}/nginx-dev/privkey.pem | 0 nginx copy/nginx-dev/refre.sh | 11 +++ nginx copy/nginx-dev/run.sh | 4 + nginx copy/nginx-prod/Dockerfile | 15 ++++ nginx copy/nginx-prod/config/nginx.conf | 24 ++++++ .../nginx-prod/fullchain.pem | 0 nginx copy/nginx-prod/prepare.py | 82 +++++++++++++++++++ {nginx => nginx copy}/nginx-prod/privkey.pem | 0 nginx copy/nginx-prod/refre.sh | 4 + nginx copy/nginx-prod/run.sh | 4 + nginx/nginx-dev/Dockerfile | 2 - nginx/nginx-prod/Dockerfile | 2 - 16 files changed, 265 insertions(+), 4 deletions(-) create mode 100644 nginx copy/nginx-dev/Dockerfile create mode 100644 nginx copy/nginx-dev/config/nginx.conf rename {nginx => nginx copy}/nginx-dev/fullchain.pem (100%) create mode 100644 nginx copy/nginx-dev/prepare.py rename {nginx => nginx copy}/nginx-dev/privkey.pem (100%) create mode 100644 nginx copy/nginx-dev/refre.sh create mode 100644 nginx copy/nginx-dev/run.sh create mode 100644 nginx copy/nginx-prod/Dockerfile create mode 100644 nginx copy/nginx-prod/config/nginx.conf rename {nginx => nginx copy}/nginx-prod/fullchain.pem (100%) create mode 100644 nginx copy/nginx-prod/prepare.py rename {nginx => nginx copy}/nginx-prod/privkey.pem (100%) create mode 100644 nginx copy/nginx-prod/refre.sh create mode 100644 nginx copy/nginx-prod/run.sh
diff --git a/nginx copy/nginx-dev/Dockerfile b/nginx copy/nginx-dev/Dockerfile
new file mode 100644
index 0000000..9982f75
--- /dev/null
+++ b/nginx copy/nginx-dev/Dockerfile
@@ -0,0 +1,15 @@
+FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
+RUN pip3 install --break-system-packages minio
+COPY ./config /etc/nginx
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
+COPY ./privkey.pem /etc/nginx/privkey.pem
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+COPY refre.sh refre.sh
+ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
+RUN chmod 777 refre.sh
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
diff --git a/nginx copy/nginx-dev/config/nginx.conf b/nginx copy/nginx-dev/config/nginx.conf
new file mode 100644
index 0000000..d5e48ab
--- /dev/null
+++ b/nginx copy/nginx-dev/config/nginx.conf
@@ -0,0 +1,24 @@
+events {}
+
+http {
+ client_max_body_size 50m;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ server_name *.develop.sprinthub.ru;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name *.dev.chocomarsh.com;
+ return 301 https://$host$request_uri;
+ }
+
+ include ./hosts.conf;
+}
\ No newline at end of file
diff --git a/nginx/nginx-dev/fullchain.pem b/nginx copy/nginx-dev/fullchain.pem
similarity index 100%
rename from nginx/nginx-dev/fullchain.pem
rename to nginx copy/nginx-dev/fullchain.pem
diff --git a/nginx copy/nginx-dev/prepare.py b/nginx copy/nginx-dev/prepare.py
new file mode 100644
index 0000000..1f4671b
--- /dev/null
+++ b/nginx copy/nginx-dev/prepare.py
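Review bot: `RUN chmod 777 run.sh` and `RUN chmod 777 refre.sh` make the container's entrypoint scripts world-writable; `RUN chmod 755 run.sh` gives the same execute bit without letting any other process in the image rewrite what runs at start (same two lines in `nginx copy/nginx-prod/Dockerfile`). The blob ids indicate this whole `nginx copy/` tree is a snapshot of `nginx/` from before this commit — this file's new blob `9982f75` is the old side of the `nginx/nginx-dev/Dockerfile` hunk at the end of the patch, and `d4ea956` for `nginx copy/nginx-prod/prepare.py` is the blob the first patch produced for `nginx/nginx-prod/prepare.py` — and a directory name with a space looks like an editor-made duplicate committed by accident; if so it should be dropped rather than maintained beside `nginx/`. `COPY ./privkey.pem /etc/nginx/privkey.pem` also bakes a TLS private key into an image layer, and nothing in the visible nginx.conf references `/etc/nginx/privkey.pem` anymore since the per-host keys are fetched from minio at runtime, so that line and the renamed .pem files appear to be dead weight.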
@@ -0,0 +1,82 @@
+import os
+import sys
+from minio import Minio
+from urllib.request import urlopen
+from json import loads
+
+
+minio_client = Minio(
+ "minio.develop.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False,
+)
+
+
+def get(url):
+ with urlopen(url) as response:
+ data = response.read().decode("utf-8")
+ return loads(data)
+
+
+try:
+ response = get(
+ "http://configurator/api/v1/fetch?project=certupdater&stage=development"
+ )
+ hosts = response["configs"]["hosts"]
+except Exception as e:
+ print(f"Error fetching config: {e}", file=sys.stderr)
+ sys.exit(1)
+
+config = ""
+for host, params in hosts.items():
+ config += """
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{target_host}:{port}$request_uri;
+ }}
+ }}\n\n
+ """.format(
+ host=host, target_host=params["host"], port=params["port"]
+ )
+ try:
+ fullchain = minio_client.get_object(
+ "certupdater", f"certificates/{host}/fullchain.pem"
+ )
+ privkey = minio_client.get_object(
+ "certupdater", f"certificates/{host}/privkey.pem"
+ )
+ try:
+ os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
+ except OSError as e:
+ print(f"Error creating directory: {e}", file=sys.stderr)
+ continue
+
+ with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
+ fp.write(privkey.data)
+ except Exception as e:
+ print(f"Error processing host {host}: {e}", file=sys.stderr)
+ continue
+
+try:
+ with open("/etc/nginx/hosts.conf", "w") as fp:
+ fp.write(config)
+except Exception as e:
+ print(f"Error writing config file: {e}", file=sys.stderr)
+ sys.exit(1)
diff --git a/nginx/nginx-dev/privkey.pem b/nginx copy/nginx-dev/privkey.pem
similarity index 100%
rename from nginx/nginx-dev/privkey.pem
rename to nginx copy/nginx-dev/privkey.pem
diff --git a/nginx copy/nginx-dev/refre.sh b/nginx copy/nginx-dev/refre.sh
new file mode 100644
index 0000000..8a566b8
--- /dev/null
+++ b/nginx copy/nginx-dev/refre.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if ! python3 prepare.py; then
+ echo "Error running prepare.py" >&2
+ exit 1
+fi
+
+if ! nginx -s reload; then
+ echo "Error reloading nginx" >&2
+ exit 1
+fi
\ No newline at end of file
diff --git a/nginx copy/nginx-dev/run.sh b/nginx copy/nginx-dev/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx copy/nginx-dev/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/Dockerfile b/nginx copy/nginx-prod/Dockerfile
new file mode 100644
index 0000000..9982f75
--- /dev/null
+++ b/nginx copy/nginx-prod/Dockerfile
@@ -0,0 +1,15 @@
+FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
+RUN pip3 install --break-system-packages minio
+COPY ./config /etc/nginx
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
+COPY ./privkey.pem /etc/nginx/privkey.pem
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+COPY refre.sh refre.sh
+ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
+RUN chmod 777 refre.sh
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/config/nginx.conf b/nginx copy/nginx-prod/config/nginx.conf
new file mode 100644
index 0000000..6ca7786
--- /dev/null
+++ b/nginx copy/nginx-prod/config/nginx.conf
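Review bot: `secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin")` in the `Minio(...)` constructor silently falls back to a well-known default credential when the variable is unset, so a deployment that forgot to pass the secret still authenticates — with a guessable one — instead of failing at startup; `secret_key=os.environ["MINIO_SECRET_KEY"]` (or an explicit check followed by `sys.exit(1)` with a message) makes the omission loud. The client is also built with `secure=False` against `minio.develop.sprinthub.ru:9000`, so the private keys fetched by `get_object` travel as plaintext HTTP; unless that name is only reachable inside the overlay network, `secure=True` should be the default. The hard-coded `access_key="serviceminioadmin"` would be better taken from the environment alongside the secret. The identical constructor appears in `nginx copy/nginx-prod/prepare.py` with `minio.sprinthub.ru:9000`.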
@@ -0,0 +1,24 @@
+events {}
+
+http {
+ client_max_body_size 50m;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ server_name *.sprinthub.ru;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 80;
+ server_name *.chocomarsh.com;
+ return 301 https://$host$request_uri;
+ }
+
+ include ./hosts.conf;
+}
\ No newline at end of file
diff --git a/nginx/nginx-prod/fullchain.pem b/nginx copy/nginx-prod/fullchain.pem
similarity index 100%
rename from nginx/nginx-prod/fullchain.pem
rename to nginx copy/nginx-prod/fullchain.pem
diff --git a/nginx copy/nginx-prod/prepare.py b/nginx copy/nginx-prod/prepare.py
new file mode 100644
index 0000000..d4ea956
--- /dev/null
+++ b/nginx copy/nginx-prod/prepare.py
@@ -0,0 +1,82 @@
+import os
+import sys
+from minio import Minio
+from urllib.request import urlopen
+from json import loads
+
+
+minio_client = Minio(
+ "minio.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False,
+)
+
+
+def get(url):
+ with urlopen(url) as response:
+ data = response.read().decode("utf-8")
+ return loads(data)
+
+
+try:
+ response = get(
+ "http://configurator/api/v1/fetch?project=certupdater&stage=production"
+ )
+ hosts = response["configs"]["hosts"]
+except Exception as e:
+ print(f"Error fetching config: {e}", file=sys.stderr)
+ sys.exit(1)
+
+config = ""
+for host, params in hosts.items():
+ config += """
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{target_host}:{port}$request_uri;
+ }}
+ }}\n\n
+ """.format(
+ host=host, target_host=params["host"], port=params["port"]
+ )
+ try:
+ fullchain = minio_client.get_object(
+ "certupdater", f"certificates/{host}/fullchain.pem"
+ )
+ privkey = minio_client.get_object(
+ "certupdater", f"certificates/{host}/privkey.pem"
+ )
+ try:
+ os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
+ except OSError as e:
+ print(f"Error creating directory: {e}", file=sys.stderr)
+ continue
+
+ with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
+ fp.write(privkey.data)
+ except Exception as e:
+ print(f"Error processing host {host}: {e}", file=sys.stderr)
+ continue
+
+try:
+ with open("/etc/nginx/hosts.conf", "w") as fp:
+ fp.write(config)
+except Exception as e:
+ print(f"Error writing config file: {e}", file=sys.stderr)
+ sys.exit(1)
diff --git a/nginx/nginx-prod/privkey.pem b/nginx copy/nginx-prod/privkey.pem
similarity index 100%
rename from nginx/nginx-prod/privkey.pem
rename to nginx copy/nginx-prod/privkey.pem
diff --git a/nginx copy/nginx-prod/refre.sh b/nginx copy/nginx-prod/refre.sh
new file mode 100644
index 0000000..584b723
--- /dev/null
+++ b/nginx copy/nginx-prod/refre.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+nginx -s reload
\ No newline at end of file
diff --git a/nginx copy/nginx-prod/run.sh b/nginx copy/nginx-prod/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx copy/nginx-prod/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 9982f75..3d249f1 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -4,8 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
 RUN pip3 install --break-system-packages minio
 COPY ./config /etc/nginx
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
-COPY ./privkey.pem /etc/nginx/privkey.pem
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 COPY refre.sh refre.sh
diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile
index 9982f75..3d249f1 100644
--- a/nginx/nginx-prod/Dockerfile
+++ b/nginx/nginx-prod/Dockerfile
@@ -4,8 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
 RUN pip3 install --break-system-packages minio
 COPY ./config /etc/nginx
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
-COPY ./privkey.pem /etc/nginx/privkey.pem
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 COPY refre.sh refre.sh
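Review bot: In `nginx copy/nginx-prod/refre.sh`, `nginx -s reload` runs regardless of whether `python3 prepare.py` succeeded — it exits 1 when the configurator fetch or the final hosts.conf write fails — and the script itself then exits 0, so whatever schedules the refresh never learns that the certificates were not renewed. The dev copy `nginx copy/nginx-dev/refre.sh` already guards both steps with `if ! python3 prepare.py; then … exit 1; fi`; the prod script should match it, and running `nginx -t` before the reload would catch a hosts.conf that nginx will refuse. `run.sh` in both trees has the same unconditional `python3 prepare.py` ahead of `/docker-entrypoint.sh nginx -g 'daemon off;'`, so a failed prepare there surfaces only as nginx failing on `include ./hosts.conf`.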