diff --git a/.deploy-infra/deploy-dev.yaml b/.deploy-infra/deploy-dev.yaml index 0b893b7..1db0504 100644 --- a/.deploy-infra/deploy-dev.yaml +++ b/.deploy-infra/deploy-dev.yaml @@ -6,6 +6,9 @@ services: image: mathwave/sprint-repo:sprint-infra-nginx-dev networks: - common-infra-nginx-development + - configurator + environment: + MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV ports: - published: 80 target: 80 @@ -164,3 +167,5 @@ volumes: networks: common-infra-nginx-development: external: true + configurator: + external: true diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml index 6c5ac31..aef066d 100644 --- a/.deploy-infra/deploy-prod.yaml +++ b/.deploy-infra/deploy-prod.yaml @@ -6,6 +6,9 @@ services: image: mathwave/sprint-repo:sprint-infra-nginx-prod networks: - common-infra-nginx + - configurator + environment: + MINIO_SECRET_KEY: $MINIO_SECRET_KEY_PROD ports: - published: 80 target: 80 @@ -228,4 +231,6 @@ networks: net: driver: overlay common-infra-nginx: + external: true + configurator: external: true \ No newline at end of file diff --git a/.deploy-nginx/deploy-dev.yaml b/.deploy-nginx/deploy-dev.yaml new file mode 100644 index 0000000..d481934 --- /dev/null +++ b/.deploy-nginx/deploy-dev.yaml @@ -0,0 +1,29 @@ +version: "3.6" + +services: + + nginx: + image: mathwave/sprint-repo:sprint-infra-nginx-dev + networks: + - common-infra-nginx-development + ports: + - published: 80 + target: 80 + mode: host + - published: 443 + target: 443 + mode: host + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + placement: + constraints: [node.labels.stage == development] + update_config: + parallelism: 1 + # order: stop-first + +networks: + common-infra-nginx-development: + external: true diff --git a/.deploy-nginx/deploy-prod.yaml b/.deploy-nginx/deploy-prod.yaml new file mode 100644 index 0000000..79c382b --- /dev/null +++ b/.deploy-nginx/deploy-prod.yaml 
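Review bot: `MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV` puts the MinIO secret into the service's `environment`, where it is visible to anyone who can run `docker service inspect` and is inherited by every nginx worker long after `prepare.py` has used it. Swarm has a file-based channel for this: add `secrets: [minio_secret_key_dev]` to the service and a top-level `secrets: {minio_secret_key_dev: {external: true}}`, and have `prepare.py` read `/run/secrets/minio_secret_key_dev` instead of the variable. Because `$MINIO_SECRET_KEY_DEV` is substituted from the deploying shell, an unset variable silently becomes an empty string; `${MINIO_SECRET_KEY_DEV:?}` makes `docker stack deploy` fail instead, if its compose parser honours that form. The prod stack in this commit has the same shape.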
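Review bot: The nginx service in `.deploy-nginx/deploy-dev.yaml` lacks the `configurator` network and `MINIO_SECRET_KEY` that `.deploy-infra/deploy-dev.yaml` gives the same `sprint-infra-nginx-dev` image, and the image's new entrypoint runs `prepare.py` first, so here it would fall back to the `minioadmin` default secret and then fail to resolve `http://configurator` — presumably leaving the task crash-looping on `include ./hosts.conf`. If this file is the intended home of the proxy, it needs the same `networks` and secret entries; if it is a transitional copy, note that both stacks publish 80/443 in `mode: host` and will collide if scheduled on the same `stage == development` node. A comment at the top saying which stack owns the proxy would help.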
@@ -0,0 +1,29 @@ +version: "3.6" + +services: + + nginx: + image: mathwave/sprint-repo:sprint-infra-nginx-prod + networks: + - common-infra-nginx + ports: + - published: 80 + target: 80 + mode: host + - published: 443 + target: 443 + mode: host + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + placement: + constraints: [node.labels.stage == production] + update_config: + parallelism: 1 + # order: start-first + +networks: + common-infra-nginx: + external: true \ No newline at end of file diff --git a/.gitea/workflows/deploy-dev.yaml b/.gitea/workflows/deploy-dev.yaml index 641f677..8489c5a 100644 --- a/.gitea/workflows/deploy-dev.yaml +++ b/.gitea/workflows/deploy-dev.yaml @@ -59,6 +59,7 @@ jobs: MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }} DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }} MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }} + MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }} REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }} RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }} REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }} diff --git a/.gitea/workflows/deploy-prod.yaml b/.gitea/workflows/deploy-prod.yaml index d76b613..b055f86 100644 --- a/.gitea/workflows/deploy-prod.yaml +++ b/.gitea/workflows/deploy-prod.yaml @@ -63,6 +63,7 @@ jobs: MONGO_PASSWORD_PROD: ${{ secrets.MONGO_PASSWORD_PROD }} DB_PASSWORD_PROD: ${{ secrets.POSTGRES_PASSWORD_PROD }} MINIO_PASSWORD_PROD: ${{ secrets.MINIO_PASSWORD_PROD }} + MINIO_SECRET_KEY_PROD: ${{ secrets.MINIO_SECRET_KEY_PROD }} REDIS_PASSWORD_PROD: ${{ secrets.REDIS_PASSWORD_PROD }} RABBITMQ_PASSWORD_PROD: ${{ secrets.RABBITMQ_PASSWORD_PROD }} REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }} diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile index e621173..d5818df 100644 --- a/nginx/nginx-dev/Dockerfile +++ b/nginx/nginx-dev/Dockerfile 
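Review bot: The production nginx service here has neither the `configurator` network nor `MINIO_SECRET_KEY`, both of which the image's new `prepare.py` entrypoint needs (without them it uses the `minioadmin` default and cannot resolve `http://configurator`), so this stack as written is unlikely to come up with the `sprint-infra-nginx-prod` image built by this commit. Either add the same `networks` and secret entries as `.deploy-infra/deploy-prod.yaml` or drop one of the two definitions — both publish 80/443 in `mode: host` on `stage == production` nodes and would compete for the ports. `# order: start-first` is commented out; for a single-replica host-mode port binding on one node, `stop-first` is the only order that can bind, so the comment is misleading and should go or say why it is disabled.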
@@ -1,4 +1,13 @@
 FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
+RUN pip3 install --break-system-packages requests minio
 COPY ./config /etc/nginx
+COPY ./fullchain.pem /etc/nginx/fullchain.pem
 COPY ./privkey.pem /etc/nginx/privkey.pem
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
\ No newline at end of file
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf
index 5e77885..97c6f16 100644
--- a/nginx/nginx-dev/config/nginx.conf
+++ b/nginx/nginx-dev/config/nginx.conf
@@ -8,6 +8,6 @@ http {
 '' close;
 }
 
-# include ./guavo.conf;
+include ./hosts.conf;
 include ./sprinthub.conf;
 }
\ No newline at end of file
diff --git a/nginx/nginx-dev/fullchain.pem b/nginx/nginx-dev/fullchain.pem
index a7b2081..b2ae57e 100644
--- a/nginx/nginx-dev/fullchain.pem
+++ b/nginx/nginx-dev/fullchain.pem
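Review bot: `RUN chmod 777 run.sh` makes the entrypoint world-writable; only the execute bit is needed, so `RUN chmod 755 run.sh` (or `COPY --chmod=755 run.sh run.sh`). `COPY ./privkey.pem /etc/nginx/privkey.pem` bakes the `*.develop.sprinthub.ru` private key into a layer of `mathwave/sprint-repo`, so anyone able to pull that tag holds it — since the entrypoint already fetches per-host keys from MinIO at start-up, the wildcard pair could arrive the same way or as a Swarm secret rather than being copied into the image. `pip3 install --break-system-packages requests minio` pins nothing, so every build takes whatever is current on PyPI; pin both (`requests==X.Y.Z minio==X.Y.Z`, ideally with `--require-hashes`) and add `--no-cache-dir`. `ENTRYPOINT ["./run.sh"]` also depends on the working directory being `/`; `COPY run.sh /run.sh` plus `ENTRYPOINT ["/run.sh"]` removes that assumption.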
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDjTCCAxOgAwIBAgISBFOrEAaTGvrTDKdeolnTvP2tMAoGCCqGSM49BAMDMDIx +MIIDmTCCAx+gAwIBAgISBmM6pAg0qa3+cxLar5nvn27GMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNTAyMTMyMDMxMTNaFw0yNTA1MTQyMDMxMTJaMCExHzAdBgNVBAMMFiou -ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW -CTHej6yeHgUhHJlGrI3/8cFlPdoVWeb4J+5DOaEKhpdeL90JWNMVIrbz4yaa9LTi -Yezrr5pXocvdS9fBT/zHo4ICGDCCAhQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW -MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRY -7KU/E/kLjq27+Bsr5myR/sry4TAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw -i9LXDTBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxl -bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAhBgNV -HREEGjAYghYqLmRldmVsb3Auc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EM -AQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAzPsPaoVxCWX+lZtTzumyfCLp -hVwNl422qX5UwP5MDbAAAAGVATe42wAABAMARzBFAiAvPfNaVjzr1bjZLfQuZku5 -1raR2QS3oPhfFcYfsKzPAgIhAJ6E1t/yKiuc3JScuUl26S4+s2noeAGhmIxB/uk+ -9KCMAHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVATe4xwAA -BAMARzBFAiASyvhckbFMsgtb7FGbF2nl0KAboDqiJK9ekpHLu41YSQIhANJjOl3+ -HHBPrLR2oMi3vE1jkJxhFYNeoQzxGGeKVstpMAoGCCqGSM49BAMDA2gAMGUCMQC2 -4UIBvoCAl54QjeXlpadTbL5hE2bsh1bEF3XNtaIsVVlBFQZwly2fp2Qil9m34BcC -MEF4eFmSQmAjc++mRA9m4qo4P5KeeakU1ccrWEypfIHnLn/UtQlG8K2+ceAQc/9K -pg== +NTAeFw0yNTA1MzAyMTEzMjZaFw0yNTA4MjgyMTEzMjVaMCExHzAdBgNVBAMMFiou +ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy +YXxx4cfN6ga0duaq7STjZxNwtFQ7c0ZAO+D7ulmdf/jpK8Xfkj5d0KMX0jhTmTEg +DUwvBMsH/fpyuuEdHNPWo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT1 +FLWsp0ksteuVXXd3pZokXOhj2DAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw +i9LXDTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxl +bmNyLm9yZy8wIQYDVR0RBBowGIIWKi5kZXZlbG9wLnNwcmludGh1Yi5ydTATBgNV +HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5s 
+ZW5jci5vcmcvNzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAEvFONL1T +ckyEBhnDjz96E/jntWKHiJxtMAWE6+WGJjoAAAGXI0B2OwAABAMARzBFAiBcMmQQ +PiKhuqhi3fs4yL6lfnQdZ1VlJTBifu8T6t4H3QIhAL/BdDUOafC+9nrlP7USrlCT +Oo1TA5JG/Yvxk5a/Oe1yAHYA7TxL1ugGwqSiAFfbyyTiOAHfUS/txIbFcA8g3bc+ +P+AAAAGXI0CF1gAABAMARzBFAiAHI0Z170KObyMHOQM6w/GhsazTzUpBilyQnv/b +Wr+kdwIhALS4DQNUNfiJoea0wszwoTxcnowGI7Whx8qH4Ut6st88MAoGCCqGSM49 +BAMDA2gAMGUCMGdO7CfUNB8wcMaHtED7/dy2ojOtofMze0kN0rzt2I/On55Ce84K +ZJ0Uj+Bcv/66qwIxAJ9YJTSJ1+owoICDbJekE+ejgzA+GgU2Z+RviZUTNXIdbWbX +etMXbXfP7WJPjxZ+ng== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw @@ -45,4 +45,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd VQD9F6Na/+zmXCc= ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py new file mode 100644 index 0000000..976240a --- /dev/null +++ b/nginx/nginx-dev/prepare.py 
@@ -0,0 +1,49 @@ +from requests import get +import os +from minio import Minio + + +minio_client = Minio( + "minio.develop.sprinthub.ru:9000", + access_key="serviceminioadmin", + secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"), + secure=False +) + + +hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts'] +hosts = list(set(hosts + ['platform.develop.sprinthub.ru'])) + +config = '' +for host in hosts: + config += ''' + server {{ + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {host}; + + ssl_certificate /etc/nginx/{host}/fullchain.pem; + ssl_certificate_key /etc/nginx/{host}/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / {{ + resolver 127.0.0.11; + proxy_pass http://{pre_domain}-nginx:1238$request_uri; + }} + }}\n\n + '''.format(host=host, pre_domain=host.split('.')[0]) + fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') + privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') + os.mkdir(f'/etc/nginx/{host}') + with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp: + fp.write(fullchain.data) + with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp: + fp.write(privkey.data) + +with open('/etc/nginx/hosts.conf', 'w') as fp: + fp.write(config) diff --git a/nginx/nginx-dev/privkey.pem b/nginx/nginx-dev/privkey.pem index dcc7b5c..3d54748 100644 --- a/nginx/nginx-dev/privkey.pem +++ b/nginx/nginx-dev/privkey.pem 
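Review bot: `Minio(..., secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"), secure=False)` falls back to a well-known default credential when the variable is missing and talks plain HTTP to `minio.develop.sprinthub.ru:9000`, so the TLS private keys this script downloads cross the network in cleartext. The script should refuse to start without the secret and use `secure=True` (if port 9000 is not TLS-terminated, that is the thing to fix rather than the flag). `get(...)` to the configurator has no `timeout` and no status check, so a hung configurator blocks container start-up indefinitely and a 5xx with a JSON error body surfaces as a confusing `KeyError` instead of a clear failure. In the generated server block, `Referrer-Policy "no-refferer-when-downgrade"` is misspelled, so browsers discard the header — `no-referrer-when-downgrade`. The sketch below covers the first three points; the template and the download loop are unchanged.
```python
secret_key = os.environ.get("MINIO_SECRET_KEY")
if not secret_key:
    raise SystemExit("MINIO_SECRET_KEY is not set; refusing to fall back to a default credential")

minio_client = Minio(
    "minio.develop.sprinthub.ru:9000",
    access_key="serviceminioadmin",
    secret_key=secret_key,
    secure=True,  # private keys are fetched over this connection
)

resp = get('http://configurator/api/v1/fetch?project=certupdater&stage=development', timeout=15)
resp.raise_for_status()
hosts = resp.json()['configs']['hosts']
# … unchanged: hosts merge, server-block template, key download, hosts.conf write …
```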
@@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIPXF013iLs5Jvxsj7K8xdzqyUBQxFILJ3dEyTriIJQaDoAoGCCqGSM49 -AwEHoUQDQgAEFgkx3o+snh4FIRyZRqyN//HBZT3aFVnm+CfuQzmhCoaXXi/dCVjT -FSK28+MmmvS04mHs66+aV6HL3UvXwU/8xw== ------END EC PRIVATE KEY----- +MHcCAQEEIPtfut2MheT8iyX6/EXDHHDR9yvtYLxMUg34mLeCpngpoAoGCCqGSM49 +AwEHoUQDQgAE8mF8ceHHzeoGtHbmqu0k42cTcLRUO3NGQDvg+7pZnX/46SvF35I+ +XdCjF9I4U5kxIA1MLwTLB/36crrhHRzT1g== +-----END EC PRIVATE KEY----- \ No newline at end of file diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh new file mode 100644 index 0000000..55dfbaa --- /dev/null +++ b/nginx/nginx-dev/run.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +python3 prepare.py +/docker-entrypoint.sh nginx -g 'daemon off;' \ No newline at end of file diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile index 19ac378..d5818df 100644 --- a/nginx/nginx-prod/Dockerfile +++ b/nginx/nginx-prod/Dockerfile @@ -1,10 +1,13 @@ FROM nginx RUN apt-get update RUN apt-get install certbot --yes -RUN apt-get install python3-certbot-nginx --yes -RUN mkdir /etc/allinvest -COPY ./nginx-prod.conf /etc/nginx/nginx.conf -COPY ./privkey.pem /etc/nginx/privkey.pem +RUN apt-get install python3-certbot-nginx python3-pip --yes +RUN pip3 install --break-system-packages requests minio +COPY ./config /etc/nginx COPY ./fullchain.pem /etc/nginx/fullchain.pem -COPY ./allinvest/privkey.pem /etc/allinvest/privkey.pem -COPY ./allinvest/fullchain.pem /etc/allinvest/fullchain.pem \ No newline at end of file +COPY ./privkey.pem /etc/nginx/privkey.pem +COPY prepare.py prepare.py +COPY run.sh run.sh +ENV PYTHONUNBUFFERED=1 +RUN chmod 777 run.sh +ENTRYPOINT ["./run.sh"] \ No newline at end of file diff --git a/nginx/nginx-prod/allinvest/fullchain.pem b/nginx/nginx-prod/allinvest/fullchain.pem deleted file mode 100644 index de29c73..0000000 --- a/nginx/nginx-prod/allinvest/fullchain.pem +++ /dev/null 
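Review bot: A live EC private key for `*.develop.sprinthub.ru` is committed here in cleartext, and the key it replaces stays recoverable from history, so both should be treated as exposed and the certificate re-issued from a key that never touches the repository. The commit already introduces a path for this — `prepare.py` pulls per-host keys from the `certupdater` bucket at start-up — so the wildcard pair can be delivered the same way, or as a Swarm secret under `/run/secrets/`, leaving at most the public `fullchain.pem` in git. The same applies to the prod key later in this commit and to the deleted `allinvest/privkey.pem`, which git history still holds.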
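Review bot: `python3 prepare.py` can fail (configurator unreachable, bucket object missing, MinIO auth rejected) and the script carries on to start nginx anyway, because nothing here checks its exit status; the failure then shows up only indirectly, as nginx dying on `include ./hosts.conf` or serving whatever `prepare.py` managed to write. Add `set -euo pipefail` after the shebang so a failed prepare stops the container with a clear exit code, and start nginx with `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so nginx is PID 1 and receives Swarm's SIGTERM directly instead of bash holding it until the child exits.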
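Review bot: Five separate `RUN` layers leave `/var/lib/apt/lists` and the pip cache in the image and pull unpinned `requests`/`minio` from PyPI on every build, so image contents are neither reproducible nor reviewable. Collapse them into one `RUN apt-get update && apt-get install -y --no-install-recommends python3-pip && pip3 install --no-cache-dir --break-system-packages 'requests==X.Y.Z' 'minio==X.Y.Z' && rm -rf /var/lib/apt/lists/*` with the versions pinned to what was tested. `certbot` and `python3-certbot-nginx` are installed, but nothing in `run.sh` or `prepare.py` invokes them, so they look like leftovers from the previous layout; if something outside this diff still uses them, a comment should say what. `chmod 777 run.sh` should be `755`, as in the dev Dockerfile.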
@@ -1,90 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgISBLLA45sg/IhDBwA/vxe7YIKrMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yNDAyMDMyMTI1NDdaFw0yNDA1MDMyMTI1NDZaMBcxFTATBgNVBAMT -DHlvdXJnb2xzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFC -SqAyzSV1BHFSqKxH3GuLEVRgxUABAhveeLWOTJt3xrKTNhdgaP4fD8CZF5vmgFqx -M/Zk4mizZ9FEQeKnrmlhAL643OaGRTVwN1FfBEfvr/fT3AQD0HQB55OSsUReSFUn -yT9vR2cv+r/f6EU78Uw/svvTD7M0vY/uRfOc2qWv+I6dGsoS32iDQmsYlOK4HKWX -mfBTuGSCJKcec1nviehXXrGFP4YJa3gs6RzWTtGXxGgI0lG9O366RszkKZKVJICh -BH+YWV9KJ1hzgmRWlRJgs4t14MO2Dxw5Mu1G08WbaEQGvE7RgcBCNY8sV1K1Bx/P -NUPRsSPT6rIsX3MhQ4sCAwEAAaOCAg4wggIKMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUcY+9gyWVjqP8S2owFnPbtwbiZ1QwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA -5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu -by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w -FwYDVR0RBBAwDoIMeW91cmdvbHMuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIB -BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70A -DS1yb+H61BcAAAGNcRPt8gAABAMARjBEAiAMpD5lfh43xD1tAvsSa20OQ4LsQ8Kt -YBvl5svUTuGrHAIgPveMh3yZ6z+QLW1k8Lv7z1kyXsxSvCUQrX16k7m1V8kAdwCi -4r/WHt4vLweg1k5tN6fcZUOwxrUuotq3iviabfUX2AAAAY1xE+3xAAAEAwBIMEYC -IQD+hmWzWe0y9M8xYKvuhySnHN6AWKQpvJgTqBsCFiiy5QIhANM0ce+SEC4BlY8m -QAIGNXbAjlKU28q66EcTuSjji227MA0GCSqGSIb3DQEBCwUAA4IBAQAAfH8lbwUk -JD6voPBGCTt7XSZPl9dq4LdmOLV3bsfjtqWOeGNCznBYKfRZO/UJ/srekCjapzKy -DAmv0dl/tvBGfqhU/emOtKsq9AE0J7RqzF9SQPrVzq/VxWXGCCmtxUHEAlNk/lrg -PqxpTUZdLpeBEbNvtloSaUEpe8mkFcFhw7TZVtdkpn+pHRlltqXry/8BekFPQR5Y -qgI8akm2rXOV616MnF81DhIUVY4n6t4SVsDjSk69iDnKG97PJJK5yqsEfdZFiDRK -PlhHTYwOsypaP/JMuanK8eGjnNR9pA40DEjAJO0kvE3IE7dHD3R1iGkXjr7wIkKw -5NjP9yOv01mH ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ------END CERTIFICATE----- diff --git a/nginx/nginx-prod/allinvest/privkey.pem b/nginx/nginx-prod/allinvest/privkey.pem deleted file mode 100755 index 1efe87d..0000000 --- a/nginx/nginx-prod/allinvest/privkey.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDRQkqgMs0ldQRx -UqisR9xrixFUYMVAAQIb3ni1jkybd8aykzYXYGj+Hw/AmReb5oBasTP2ZOJos2fR -REHip65pYQC+uNzmhkU1cDdRXwRH76/309wEA9B0AeeTkrFEXkhVJ8k/b0dnL/q/ -3+hFO/FMP7L70w+zNL2P7kXznNqlr/iOnRrKEt9og0JrGJTiuByll5nwU7hkgiSn -HnNZ74noV16xhT+GCWt4LOkc1k7Rl8RoCNJRvTt+ukbM5CmSlSSAoQR/mFlfSidY -c4JkVpUSYLOLdeDDtg8cOTLtRtPFm2hEBrxO0YHAQjWPLFdStQcfzzVD0bEj0+qy -LF9zIUOLAgMBAAECggEANWFhxAfxiRKWtYnOeVRDiDOLkii1aKRZM17HEBlitW4S -g89FxyTS47BsxkbHXP+p0njNtpb5opfRbfKpk/YOaddS51QlFbE+ymj704gXgXpF -O0USJPwMGuu5dU3AZp5eeUqS7dmnL01v+65UhATMgxTkxZSLtr1HdgXkVka3B/ir -Q/iqR4ftt+qT0a9mzXQOxgdN7qnNwVNO1uJi87C6fQBRB6F724U5SJyOTMl9R6ZS -+JZ9Oz5xxoGLA/Nftn078uMjf2ymWfOqicHYeXxfPYllXNuRsIf7NA00F0orwF15 -TWBZLB5GbkOIP7k7vzabZMCbGmf42XYtt1oFYIssIQKBgQD7aB8cUDVdE47VOX4p -+Bf2ilMJA2d+KsCA3uYw5VQjjxBbfN+nChOx6e6eSmy2MMtH2ECG2IgW04FDbHtZ -y2tbmRY3XIl+4dos+6ybbiYeYKRcHOQiXbjFK9ml1NpDcuLMHE3a6v0gFB8N0iB4 -J3u6h9+kHe3LGPzIVDGbITWi4wKBgQDVFQleHfRWM9/hebU8/tshY4sRJ9nA9haI -F/NDMHhE+IyX9JHxGXtVE0ihOh0+0PLKLwtOepc4vqZaquKVnzZ82+sc+C4Iqg8K -S+1NoRFOZG1AlM53UI51ZXLvXZp8gAdDBXzwBZpWZNdhJHJSnuwVI+UoDkrAQkmn -/n4jzV01OQKBgQCH8pr4JYtlxIC1XryRl13l7JDQS+339MhaJ66UfD5OaDtxLYqH -elSCHbzyDc7RinsyY4cpJAgbR84blprxSKXKR3MTBtA3M4xWTNXeyuaEAMCAKwNW -bhXPUVIFcZ+BX6uysg+LtQyh/x93ysvSDY/Do1vVFHYVIHL5JUYZ3BBz/wKBgQDT -oCYCnJtr9e9Xn6oZ30BBg/y9WCfTllVAaxEGXSBF19jCnntHyjgMga9zuSUMmzdX -CKwhEG4aRHcxu2B4m3zhOwXiarZFkqiHYGtZ2ys2AVXkeyYnqBEklVI2W2+wUPNl -ZBD2zYnAXjzu1OTaG857HIBebPtewTcoKwCajD8TOQKBgQDr07j3sx5nQsg4kHmR -kBvHHjq7kQ1pEItrD/CfLsZ7Ntip4L82UzdZm/hhdM/12fB+wLu8HcZzvY5H1J+3 -IlkKYhAAe8lgzE7hYupVD9QtdFBuNsAnQfT+VV4JnZNDVZHXfnhz19KJ+iIvqton -8WCEnmpiIKyt+Lq+Ol3n7PDMIw== ------END PRIVATE KEY----- diff --git a/nginx/nginx-prod/config/nginx.conf b/nginx/nginx-prod/config/nginx.conf new file mode 100644 index 0000000..97c6f16 --- /dev/null +++ b/nginx/nginx-prod/config/nginx.conf 
@@ -0,0 +1,13 @@ +events {} + +http { + client_max_body_size 50m; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include ./hosts.conf; + include ./sprinthub.conf; +} \ No newline at end of file diff --git a/nginx/nginx-dev/config/guavo.conf b/nginx/nginx-prod/config/sprinthub.conf similarity index 56% rename from nginx/nginx-dev/config/guavo.conf rename to nginx/nginx-prod/config/sprinthub.conf index dc6696b..5e428d9 100644 --- a/nginx/nginx-dev/config/guavo.conf +++ b/nginx/nginx-prod/config/sprinthub.conf @@ -1,14 +1,14 @@ - # server { - # listen 80; - # server_name *.develop.guavo.tech; - # return 301 https://$host$request_uri; - # } + server { + listen 80; + server_name *.sprinthub.ru; + return 301 https://$host$request_uri; + } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name swarmpit.develop.guavo.tech; + server_name swarmpit.sprinthub.ru; ssl_certificate /etc/nginx/fullchain.pem; ssl_certificate_key /etc/nginx/privkey.pem; @@ -20,14 +20,14 @@ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / { - proxy_pass http://develop.guavo.tech:888/; + proxy_pass http://dev.sprinthub.ru:888/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name portainer.develop.guavo.tech; + server_name portainer.sprinthub.ru; ssl_certificate /etc/nginx/fullchain.pem; ssl_certificate_key /etc/nginx/privkey.pem; @@ -39,7 +39,7 @@ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / { - proxy_pass http://develop.guavo.tech:8888/; + proxy_pass http://dev.sprinthub.ru:8888/; } location /api/websocket/ { 
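Review bot: No `listen 443` server is marked `default_server`, so a TLS request whose SNI/Host matches nothing (a raw IP, a scanner, a stale DNS record) is served by whichever 443 block nginx sees first — a generated one from `hosts.conf`, which is included ahead of this file, or `swarmpit.sprinthub.ru` here if that file is empty — and is proxied to that backend with the wildcard certificate. Put an explicit sink in front: `server { listen 443 ssl default_server; listen [::]:443 ssl default_server; ssl_reject_handshake on; }` (nginx 1.19.4+; on older builds use the wildcard cert with `return 444;`). Unmatched names landing on an admin console is the kind of thing that shows up in external scans first.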
@@ -47,14 +47,14 @@ proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:8888/api/websocket/; + proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name rabbitmq.develop.guavo.tech; + server_name minio.sprinthub.ru; ssl_certificate /etc/nginx/fullchain.pem; ssl_certificate_key /etc/nginx/privkey.pem; @@ -66,14 +66,14 @@ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / { - proxy_pass http://develop.guavo.tech:15672/; + proxy_pass http://dev.sprinthub.ru:9001/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name minio.develop.guavo.tech; + server_name gitea.sprinthub.ru; ssl_certificate /etc/nginx/fullchain.pem; ssl_certificate_key /etc/nginx/privkey.pem; 
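Review bot: The upstreams `http://dev.sprinthub.ru:888/` and `http://dev.sprinthub.ru:8888/` (and `:9001`, `:3000` in the following hunks) are a public DNS name over plaintext HTTP, so TLS termination at this proxy only protects the admin consoles if those ports are firewalled to this host; if they answer from the internet, Swarmpit, Portainer, MinIO and Gitea are also reachable directly, minus the redirect and headers set here. Prefer the pattern the catch-all block already uses — a service name on the overlay network through `resolver 127.0.0.11`, e.g. `proxy_pass http://<swarmpit-service>:888/;` — and keep the published ports bound to a private interface. I cannot see port bindings or firewall rules from this diff, so this is a question to confirm rather than a finding.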
@@ -85,42 +85,14 @@ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / { - proxy_pass http://develop.guavo.tech:9001/; + proxy_pass http://dev.sprinthub.ru:3000/; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name grafana.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - proxy_set_header Host $http_host; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:3000/; - } - - location /api/live/ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:3000/api/live/ws; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.develop\.guavo\.tech$; + server_name ~^(?.*)\.sprinthub\.ru$; resolver 127.0.0.11 ipv6=off; 
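Review bot: The catch-all `server_name ~^(?.*)\.sprinthub\.ru$;` (the group is presumably `(?<domain>.*)` with the name lost in rendering) lets the client pick the upstream, because `$domain` becomes the host in `proxy_pass http://$domain-nginx:1238` in the next hunk and `resolver 127.0.0.11` resolves any container name on the networks this service joins — which this commit extends with `configurator`. A request with `Host: anything.sprinthub.ru` is forwarded to whatever `anything-nginx` resolves to, and with `.*` the capture is not even limited to one label. Restrict it to a single label, `server_name ~^(?<domain>[a-z0-9-]+)\.sprinthub\.ru$;`, and preferably gate it through an allow-list such as `map $domain $upstream { default ""; platform platform-nginx; }` with a `return 444;` when `$upstream` is empty. The exact-match `server_name`s generated into `hosts.conf` are not affected.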
@@ -132,30 +104,7 @@ add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-refferer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } - - server { - listen 80; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - location / { proxy_pass http://$domain-nginx:1238$request_uri; } diff --git a/nginx/nginx-prod/fullchain.pem b/nginx/nginx-prod/fullchain.pem index 2895b8d..f0ffc03 100644 --- a/nginx/nginx-prod/fullchain.pem +++ b/nginx/nginx-prod/fullchain.pem 
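Review bot: The new side of the catch-all forwards only `X-Real-IP`; `proxy_set_header Host $host;` and `X-Forwarded-For` are gone, so the `$domain-nginx` upstream now sees `Host: <domain>-nginx` (nginx's default `$proxy_host`) and no client chain beyond one hop. That matches the catch-all in the deleted `nginx-prod.conf`, so it may be deliberate, but backends that build absolute URLs, check `Host`, or rate-limit by address will behave differently from the dev proxy this file was renamed from. If intended, a one-line comment above `proxy_set_header X-Real-IP` saying why would save the next reader a bisect; otherwise add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The server block edited here begins in the previous hunk.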
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDfDCCAwKgAwIBAgISA7RNvbxsQFQcAVy4rIt/qik2MAoGCCqGSM49BAMDMDIx +MIIDhzCCAw6gAwIBAgISBXELtGOqEI5IsXNFUC7cue03MAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNTAyMTMyMTAzMzdaFw0yNTA1MTQyMTAzMzZaMBkxFzAVBgNVBAMMDiou -c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnOOljp3cFclh -repAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZL0lQ8Qfvj1fVlVtah9LPuz5c -hLMNK2KoLaOCAg8wggILMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEvxI9gbpB3pH -nRkSwmBUDxbqiZMwHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYI -KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcw -IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIO -Ki5zcHJpbnRodWIucnUwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5 -AgQCBIH0BIHxAO8AdQDehYHXUCR8a83Lr1Y3xeeBxkzkbtYXY5+PNKcmyeK9NwAA -AZUBVWFvAAAEAwBGMEQCIG/0w/LD2GbEa6OPYUzrQyQFbHvlCQHI8fZ9poUQ/79o -AiAQnczLXxcowqIYF+K5ppeDdVJjs9YfAX0l+7MlNiExOAB2ABNK3xq1mEIJeAxv -70x6kaQWtyNJzlhXat+u2qfCq+AiAAABlQFVYjEAAAQDAEcwRQIgSlaJ8jTrR4cb -E65bZZcqufKCDTsUIrasTjgB5wPR/CUCIQDKoTiZvY2J+CUOazRAMCLuKknvnlWb -15C9fsy1e5ZhXTAKBggqhkjOPQQDAwNoADBlAjEAh8H95ADLd8IXWPk2OG94VQ35 -ukNHsIreck5DHo/0HxKBuD+mjp8SG/vEJ0UB/65iAjBywTkv3JeaLV1SX+QUUUiF -5aNTztnM6d3vHalb+pJJ0LtO32c1iY7pQ47wqXk8fbs= +NTAeFw0yNTA1MzAyMTQ3MzZaFw0yNTA4MjgyMTQ3MzVaMBkxFzAVBgNVBAMMDiou +c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoS3M+thgeup/ +F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9azdDRAp+c2OlzJqJQC+ZefswCB +2xvjNSoL2aOCAhswggIXMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUu+3qfzUyaCAb +POu7GPUO6ZI2WfswHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcv +MBkGA1UdEQQSMBCCDiouc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EMAQIB +MC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9lNS5jLmxlbmNyLm9yZy81Ni5jcmww 
+ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sA +OhQSdgosrLvIKgAAAZcjX78RAAAEAwBHMEUCIDNC6e7jNcTXW1bti1nkseruXw84 +b8dsVzBt96FtE4+aAiEAr7ugvtozhmp6JdkIEfdHKecym9TxcL1h43j6rbKU3d8A +dQAaBP9J0FQdQK/2oMO/8djEZy9O7O4jQGiYaxdALtyJfQAAAZcjX8BoAAAEAwBG +MEQCIDezeAIFZ25OWXVV9hmtzEE5ujP0IyFaLxebyXAflYZMAiAy09hFLQXapebE +5YDtvqfmefapEsr4OaWyfusWjmeaiDAKBggqhkjOPQQDAwNnADBkAjAobO18Vk18 +BG7lBbXEQ0O8RYy+CEV/ef1ni2CBQp+MtmG/ZCWAbfEXFaj2WKng5Q0CMFRR9icx +p6/tLUixnJfAusGudEtD5Leh2foPDT2jzgazaROaVFVTrCJMGcdgVukuPQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw @@ -44,4 +44,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd VQD9F6Na/+zmXCc= ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/nginx/nginx-prod/nginx-prod.conf b/nginx/nginx-prod/nginx-prod.conf deleted file mode 100644 index 91852d0..0000000 --- a/nginx/nginx-prod/nginx-prod.conf +++ /dev/null 
@@ -1,236 +0,0 @@ -events {} - -http { - client_max_body_size 150m; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - server { - listen 80; - server_name gitlab.sprinthub.ru; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 80; - server_name *.sprinthub.ru; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitlab.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header 
Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - 
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitea.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:3000/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name keycloak.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8443/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.sprinthub\.ru$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - location / { - proxy_pass http://$domain-nginx:1238$request_uri; 
- } - } - - server { - listen 80; - server_name yourgols.com; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name yourgols.com; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/allinvest/fullchain.pem; - ssl_certificate_key /etc/allinvest/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - location / { - proxy_pass http://yourgols-nginx:1238$request_uri; - } - } - -} diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py new file mode 100644 index 0000000..cbc95d7 --- /dev/null +++ b/nginx/nginx-prod/prepare.py 
@@ -0,0 +1,49 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+ "minio.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=production').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+ config += '''
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{pre_domain}-nginx:1238$request_uri;
+ }}
+ }}\n\n
+ '''.format(host=host, pre_domain=host.split('.')[0])
+ fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+ privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+ os.mkdir(f'/etc/nginx/{host}')
+ with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+ fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+ fp.write(config)
diff --git a/nginx/nginx-prod/privkey.pem b/nginx/nginx-prod/privkey.pem
index b33033f..925be0a 100644
--- a/nginx/nginx-prod/privkey.pem
+++ b/nginx/nginx-prod/privkey.pem
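Review bot: `secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin")` falls back to a well-known default credential whenever the variable is absent from the environment, so a mis-wired deployment would silently try that default against `minio.sprinthub.ru:9000`, over plaintext since the client is built with `secure=False`; read it as `secret_key=os.environ["MINIO_SECRET_KEY"]` so the container fails fast instead. The private keys fetched from MinIO are then written with plain `open(..., 'wb')` under the process umask, which typically leaves `privkey.pem` world-readable in the container filesystem, so the directory and the key file should be created with restricted modes as sketched below. `os.mkdir(f'/etc/nginx/{host}')` also raises `FileExistsError` on a container restart once the directory exists, which nothing here catches, so `os.makedirs(..., exist_ok=True)` is the safer form. Because `host` is taken from the configurator response and interpolated into both filesystem paths and the generated nginx config, it is worth validating it as a plain hostname (letters, digits, `-`, `.`) before use. The hunk is the whole new file.
```python
# … unchanged: imports, Minio client, host fetch, config template …
    os.makedirs(f'/etc/nginx/{host}', mode=0o700, exist_ok=True)
    with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
        fp.write(fullchain.data)
    key_fd = os.open(f"/etc/nginx/{host}/privkey.pem",
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as fp:
        fp.write(privkey.data)
# … unchanged: writing /etc/nginx/hosts.conf …
```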
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEINNyhRc5/bs0M7kOOl2bh1BkcFyHG6m0+VSVNuMEN+E1oAoGCCqGSM49
-AwEHoUQDQgAEnOOljp3cFclhrepAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZ
-L0lQ8Qfvj1fVlVtah9LPuz5chLMNK2KoLQ==
------END EC PRIVATE KEY-----
+MHcCAQEEIL0TAduonJLmbcDpRxDjSfa8bMIqLOh1KQcGQvAeQTIQoAoGCCqGSM49
+AwEHoUQDQgAEoS3M+thgeup/F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9az
+dDRAp+c2OlzJqJQC+ZefswCB2xvjNSoL2Q==
+-----END EC PRIVATE KEY-----
\ No newline at end of file
diff --git a/nginx/nginx-prod/run.sh b/nginx/nginx-prod/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx/nginx-prod/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
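Review bot: `nginx/nginx-prod/privkey.pem` is a private key committed to the repository, and this hunk rotates it in place, so both the previous and the new key material now sit in version-control history for anyone with read access to the repo, its CI artifacts, or any image layer that may copy this directory. The same commit adds `prepare.py`, which fetches `fullchain.pem`/`privkey.pem` per host from the `certupdater` bucket at container start, so the checked-in key appears redundant; remove the file from the tree and ignore the pattern so it is not re-added. The replaced key should be treated as exposed — rotating it is the right response, but the successor should be delivered through the secret store rather than committed.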
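Review bot: `python3 prepare.py` and the `/docker-entrypoint.sh nginx -g 'daemon off;'` line that follows it are not linked by any error handling, so when `prepare.py` fails (configurator unreachable, MinIO credentials rejected, a missing certificate object) nginx is still started against whatever `/etc/nginx/hosts.conf` and certificate directories happen to exist, possibly none. Add `set -euo pipefail` after the shebang so a failed prepare step stops the container and the failure is visible rather than masked by a running nginx. Start nginx with `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so it becomes PID 1 and receives stop signals directly instead of through the bash wrapper.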
