From 3a528cc7de749bd2dc2e0cf8c368cc99a0550d62 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Sat, 31 May 2025 12:19:35 +0300 Subject: [PATCH 01/30] fix --- nginx/nginx-dev/fullchain.pem | 40 +++++++++++++++++----------------- nginx/nginx-dev/privkey.pem | 8 +++---- nginx/nginx-prod/fullchain.pem | 38 ++++++++++++++++---------------- nginx/nginx-prod/privkey.pem | 8 +++---- 4 files changed, 47 insertions(+), 47 deletions(-) diff --git a/nginx/nginx-dev/fullchain.pem b/nginx/nginx-dev/fullchain.pem index a7b2081..b2ae57e 100644 --- a/nginx/nginx-dev/fullchain.pem +++ b/nginx/nginx-dev/fullchain.pem 
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIDjTCCAxOgAwIBAgISBFOrEAaTGvrTDKdeolnTvP2tMAoGCCqGSM49BAMDMDIx +MIIDmTCCAx+gAwIBAgISBmM6pAg0qa3+cxLar5nvn27GMAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNTAyMTMyMDMxMTNaFw0yNTA1MTQyMDMxMTJaMCExHzAdBgNVBAMMFiou -ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW -CTHej6yeHgUhHJlGrI3/8cFlPdoVWeb4J+5DOaEKhpdeL90JWNMVIrbz4yaa9LTi -Yezrr5pXocvdS9fBT/zHo4ICGDCCAhQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW -MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRY -7KU/E/kLjq27+Bsr5myR/sry4TAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw -i9LXDTBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxl -bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAhBgNV -HREEGjAYghYqLmRldmVsb3Auc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EM -AQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAzPsPaoVxCWX+lZtTzumyfCLp -hVwNl422qX5UwP5MDbAAAAGVATe42wAABAMARzBFAiAvPfNaVjzr1bjZLfQuZku5 -1raR2QS3oPhfFcYfsKzPAgIhAJ6E1t/yKiuc3JScuUl26S4+s2noeAGhmIxB/uk+ -9KCMAHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVATe4xwAA -BAMARzBFAiASyvhckbFMsgtb7FGbF2nl0KAboDqiJK9ekpHLu41YSQIhANJjOl3+ -HHBPrLR2oMi3vE1jkJxhFYNeoQzxGGeKVstpMAoGCCqGSM49BAMDA2gAMGUCMQC2 -4UIBvoCAl54QjeXlpadTbL5hE2bsh1bEF3XNtaIsVVlBFQZwly2fp2Qil9m34BcC -MEF4eFmSQmAjc++mRA9m4qo4P5KeeakU1ccrWEypfIHnLn/UtQlG8K2+ceAQc/9K -pg== +NTAeFw0yNTA1MzAyMTEzMjZaFw0yNTA4MjgyMTEzMjVaMCExHzAdBgNVBAMMFiou +ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy +YXxx4cfN6ga0duaq7STjZxNwtFQ7c0ZAO+D7ulmdf/jpK8Xfkj5d0KMX0jhTmTEg +DUwvBMsH/fpyuuEdHNPWo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW +MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT1 +FLWsp0ksteuVXXd3pZokXOhj2DAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw +i9LXDTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxl +bmNyLm9yZy8wIQYDVR0RBBowGIIWKi5kZXZlbG9wLnNwcmludGh1Yi5ydTATBgNV +HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5s 
+ZW5jci5vcmcvNzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAEvFONL1T +ckyEBhnDjz96E/jntWKHiJxtMAWE6+WGJjoAAAGXI0B2OwAABAMARzBFAiBcMmQQ +PiKhuqhi3fs4yL6lfnQdZ1VlJTBifu8T6t4H3QIhAL/BdDUOafC+9nrlP7USrlCT +Oo1TA5JG/Yvxk5a/Oe1yAHYA7TxL1ugGwqSiAFfbyyTiOAHfUS/txIbFcA8g3bc+ +P+AAAAGXI0CF1gAABAMARzBFAiAHI0Z170KObyMHOQM6w/GhsazTzUpBilyQnv/b +Wr+kdwIhALS4DQNUNfiJoea0wszwoTxcnowGI7Whx8qH4Ut6st88MAoGCCqGSM49 +BAMDA2gAMGUCMGdO7CfUNB8wcMaHtED7/dy2ojOtofMze0kN0rzt2I/On55Ce84K +ZJ0Uj+Bcv/66qwIxAJ9YJTSJ1+owoICDbJekE+ejgzA+GgU2Z+RviZUTNXIdbWbX +etMXbXfP7WJPjxZ+ng== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw @@ -45,4 +45,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd VQD9F6Na/+zmXCc= ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/nginx/nginx-dev/privkey.pem b/nginx/nginx-dev/privkey.pem index dcc7b5c..3d54748 100644 --- a/nginx/nginx-dev/privkey.pem +++ b/nginx/nginx-dev/privkey.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEIPXF013iLs5Jvxsj7K8xdzqyUBQxFILJ3dEyTriIJQaDoAoGCCqGSM49 -AwEHoUQDQgAEFgkx3o+snh4FIRyZRqyN//HBZT3aFVnm+CfuQzmhCoaXXi/dCVjT -FSK28+MmmvS04mHs66+aV6HL3UvXwU/8xw== ------END EC PRIVATE KEY----- +MHcCAQEEIPtfut2MheT8iyX6/EXDHHDR9yvtYLxMUg34mLeCpngpoAoGCCqGSM49 +AwEHoUQDQgAE8mF8ceHHzeoGtHbmqu0k42cTcLRUO3NGQDvg+7pZnX/46SvF35I+ +XdCjF9I4U5kxIA1MLwTLB/36crrhHRzT1g== +-----END EC PRIVATE KEY----- \ No newline at end of file diff --git a/nginx/nginx-prod/fullchain.pem b/nginx/nginx-prod/fullchain.pem index 2895b8d..f0ffc03 100644 --- a/nginx/nginx-prod/fullchain.pem +++ b/nginx/nginx-prod/fullchain.pem 
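Review bot: The rotated EC private key is committed in plaintext to `nginx/nginx-dev/privkey.pem`, and the prod hunk on the next line does the same for `nginx/nginx-prod/privkey.pem`; both the replaced key and the new one now sit in git history, so the rotation alone does not retire the old material. A repository that every clone and CI runner can read is not a key store — the later commits in this series that fetch `privkey.pem` from object storage at container start are the right direction, and once that lands both files should be deleted from the tree and listed in `.gitignore`. Until the history is rewritten or the certificates are re-issued, treat the keys in these hunks as disclosed and plan a revocation.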
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIIDfDCCAwKgAwIBAgISA7RNvbxsQFQcAVy4rIt/qik2MAoGCCqGSM49BAMDMDIx +MIIDhzCCAw6gAwIBAgISBXELtGOqEI5IsXNFUC7cue03MAoGCCqGSM49BAMDMDIx CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF -NTAeFw0yNTAyMTMyMTAzMzdaFw0yNTA1MTQyMTAzMzZaMBkxFzAVBgNVBAMMDiou -c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnOOljp3cFclh -repAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZL0lQ8Qfvj1fVlVtah9LPuz5c -hLMNK2KoLaOCAg8wggILMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF -BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEvxI9gbpB3pH -nRkSwmBUDxbqiZMwHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYI -KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcw -IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIO -Ki5zcHJpbnRodWIucnUwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5 -AgQCBIH0BIHxAO8AdQDehYHXUCR8a83Lr1Y3xeeBxkzkbtYXY5+PNKcmyeK9NwAA -AZUBVWFvAAAEAwBGMEQCIG/0w/LD2GbEa6OPYUzrQyQFbHvlCQHI8fZ9poUQ/79o -AiAQnczLXxcowqIYF+K5ppeDdVJjs9YfAX0l+7MlNiExOAB2ABNK3xq1mEIJeAxv -70x6kaQWtyNJzlhXat+u2qfCq+AiAAABlQFVYjEAAAQDAEcwRQIgSlaJ8jTrR4cb -E65bZZcqufKCDTsUIrasTjgB5wPR/CUCIQDKoTiZvY2J+CUOazRAMCLuKknvnlWb -15C9fsy1e5ZhXTAKBggqhkjOPQQDAwNoADBlAjEAh8H95ADLd8IXWPk2OG94VQ35 -ukNHsIreck5DHo/0HxKBuD+mjp8SG/vEJ0UB/65iAjBywTkv3JeaLV1SX+QUUUiF -5aNTztnM6d3vHalb+pJJ0LtO32c1iY7pQ47wqXk8fbs= +NTAeFw0yNTA1MzAyMTQ3MzZaFw0yNTA4MjgyMTQ3MzVaMBkxFzAVBgNVBAMMDiou +c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoS3M+thgeup/ +F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9azdDRAp+c2OlzJqJQC+ZefswCB +2xvjNSoL2aOCAhswggIXMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF +BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUu+3qfzUyaCAb +POu7GPUO6ZI2WfswHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wMgYI +KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcv +MBkGA1UdEQQSMBCCDiouc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EMAQIB +MC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9lNS5jLmxlbmNyLm9yZy81Ni5jcmww 
+ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sA +OhQSdgosrLvIKgAAAZcjX78RAAAEAwBHMEUCIDNC6e7jNcTXW1bti1nkseruXw84 +b8dsVzBt96FtE4+aAiEAr7ugvtozhmp6JdkIEfdHKecym9TxcL1h43j6rbKU3d8A +dQAaBP9J0FQdQK/2oMO/8djEZy9O7O4jQGiYaxdALtyJfQAAAZcjX8BoAAAEAwBG +MEQCIDezeAIFZ25OWXVV9hmtzEE5ujP0IyFaLxebyXAflYZMAiAy09hFLQXapebE +5YDtvqfmefapEsr4OaWyfusWjmeaiDAKBggqhkjOPQQDAwNnADBkAjAobO18Vk18 +BG7lBbXEQ0O8RYy+CEV/ef1ni2CBQp+MtmG/ZCWAbfEXFaj2WKng5Q0CMFRR9icx +p6/tLUixnJfAusGudEtD5Leh2foPDT2jzgazaROaVFVTrCJMGcdgVukuPQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw @@ -44,4 +44,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd VQD9F6Na/+zmXCc= ------END CERTIFICATE----- +-----END CERTIFICATE----- \ No newline at end of file diff --git a/nginx/nginx-prod/privkey.pem b/nginx/nginx-prod/privkey.pem index b33033f..925be0a 100644 --- a/nginx/nginx-prod/privkey.pem +++ b/nginx/nginx-prod/privkey.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEINNyhRc5/bs0M7kOOl2bh1BkcFyHG6m0+VSVNuMEN+E1oAoGCCqGSM49 -AwEHoUQDQgAEnOOljp3cFclhrepAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZ -L0lQ8Qfvj1fVlVtah9LPuz5chLMNK2KoLQ== ------END EC PRIVATE KEY----- +MHcCAQEEIL0TAduonJLmbcDpRxDjSfa8bMIqLOh1KQcGQvAeQTIQoAoGCCqGSM49 +AwEHoUQDQgAEoS3M+thgeup/F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9az +dDRAp+c2OlzJqJQC+ZefswCB2xvjNSoL2Q== +-----END EC PRIVATE KEY----- \ No newline at end of file -- 2.45.2 From 31cb8ad545e89ea555980be215b1bfb8ab87eded Mon Sep 17 00:00:00 2001 
From: Egor Matveev Date: Sat, 31 May 2025 12:54:54 +0300 Subject: [PATCH 02/30] fix --- .deploy-nginx/deploy-dev.yaml | 29 +++++++++++++++++++++++++++++ .deploy-nginx/deploy-prod.yaml | 29 +++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 .deploy-nginx/deploy-dev.yaml create mode 100644 .deploy-nginx/deploy-prod.yaml diff --git a/.deploy-nginx/deploy-dev.yaml b/.deploy-nginx/deploy-dev.yaml new file mode 100644 index 0000000..d481934 --- /dev/null +++ b/.deploy-nginx/deploy-dev.yaml @@ -0,0 +1,29 @@ +version: "3.6" + +services: + + nginx: + image: mathwave/sprint-repo:sprint-infra-nginx-dev + networks: + - common-infra-nginx-development + ports: + - published: 80 + target: 80 + mode: host + - published: 443 + target: 443 + mode: host + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + placement: + constraints: [node.labels.stage == development] + update_config: + parallelism: 1 + # order: stop-first + +networks: + common-infra-nginx-development: + external: true diff --git a/.deploy-nginx/deploy-prod.yaml b/.deploy-nginx/deploy-prod.yaml new file mode 100644 index 0000000..79c382b --- /dev/null +++ b/.deploy-nginx/deploy-prod.yaml @@ -0,0 +1,29 @@ +version: "3.6" + +services: + + nginx: + image: mathwave/sprint-repo:sprint-infra-nginx-prod + networks: + - common-infra-nginx + ports: + - published: 80 + target: 80 + mode: host + - published: 443 + target: 443 + mode: host + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + placement: + constraints: [node.labels.stage == production] + update_config: + parallelism: 1 + # order: start-first + +networks: + common-infra-nginx: + external: true \ No newline at end of file -- 2.45.2 From d5cc340e323998a92a540d365fe809f7078876f9 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Sun, 1 Jun 2025 19:38:57 +0300 Subject: [PATCH 03/30] fix --- nginx/nginx-dev/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index e621173..aa5750c 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -1,4 +1,7 @@
 FROM nginx
+RUN apt-get update
+RUN apt-get install certbot --yes
+RUN apt-get install python3-certbot-nginx --yes
 COPY ./config /etc/nginx
 COPY ./privkey.pem /etc/nginx/privkey.pem
 COPY ./fullchain.pem /etc/nginx/fullchain.pem
\ No newline at end of file
-- 2.45.2 From 2970f41b5e24b4a60c766fadc1fb5cafb09dcaa9 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 01:10:38 +0300 Subject: [PATCH 04/30] fix --- nginx/nginx-dev/Dockerfile | 5 +- nginx/nginx-dev/config/guavo.conf | 162 ------------------------------ nginx/nginx-dev/config/nginx.conf | 2 +- nginx/nginx-dev/run.py | 35 +++++++ 4 files changed, 39 insertions(+), 165 deletions(-) delete mode 100644 nginx/nginx-dev/config/guavo.conf create mode 100644 nginx/nginx-dev/run.py
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index aa5750c..c143730 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,6 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
+RUN pip3 install requests
 COPY ./config /etc/nginx
-COPY ./privkey.pem /etc/nginx/privkey.pem
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
\ No newline at end of file
+COPY run.py run.py
+CMD ["python3", "run.py"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/config/guavo.conf b/nginx/nginx-dev/config/guavo.conf
deleted file mode 100644
index dc6696b..0000000
--- a/nginx/nginx-dev/config/guavo.conf
+++ /dev/null
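Review bot: The three new `RUN` lines put `apt-get update` in its own layer, separate from the installs, so a later rebuild can reuse a cached, stale package index and install outdated packages, and the downloaded lists are never removed from the image. Fold them into one layer: `RUN apt-get update && apt-get install --yes --no-install-recommends certbot python3-certbot-nginx && rm -rf /var/lib/apt/lists/*`. In the part of this series I can see nothing invokes certbot — certificates are later fetched from object storage by `prepare.py` — so if that stays true both packages can be dropped, which shrinks the edge proxy's attack surface.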
@@ -1,162 +0,0 @@ - - # server { - # listen 80; - # server_name *.develop.guavo.tech; - # return 301 https://$host$request_uri; - # } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - 
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name grafana.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - proxy_set_header Host $http_host; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:3000/; - } - - location /api/live/ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:3000/api/live/ws; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header 
X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } - - server { - listen 80; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf index 5e77885..97c6f16 100644 --- a/nginx/nginx-dev/config/nginx.conf +++ b/nginx/nginx-dev/config/nginx.conf @@ -8,6 +8,6 @@ http { '' close; } - # include ./guavo.conf; + include ./hosts.conf; include ./sprinthub.conf; } \ No newline at end of file diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/run.py new file mode 100644 index 0000000..84798f8 --- /dev/null +++ b/nginx/nginx-dev/run.py 
@@ -0,0 +1,35 @@
+from requests import get
+from subprocess import call
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+ config += '''
+ server \{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {0};
+
+ ssl_certificate /etc/nginx/{0}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{0}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / \{
+ proxy_pass http://{1}-nginx:1238$request_uri;
+ \}
+ \}\n\n
+ '''.format(host, host.split('.')[0])
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+ fp.write(config)
+
+
+call('nginx -g daemon off;', shell=True)
-- 2.45.2 From 3f2af3e0a4da3cc74b4a0e576e13cd105af5aec6 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 01:23:47 +0300 Subject: [PATCH 05/30] fix --- nginx/nginx-dev/Dockerfile | 2 +- nginx/nginx-dev/run.py | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index c143730..383c079 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,7 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
-RUN pip3 install requests
+RUN pip3 install requests minio
 COPY ./config /etc/nginx
 COPY run.py run.py
 CMD ["python3", "run.py"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/run.py
index 84798f8..738e460 100644
--- a/nginx/nginx-dev/run.py
+++ b/nginx/nginx-dev/run.py
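Review bot: The host names returned by the configurator are written straight into `server_name` and `proxy_pass` of the generated nginx config, so anything that can alter that HTTP response (it is fetched over plain `http://`, with no timeout and no status check) can inject arbitrary nginx directives into the edge proxy; validate each entry as a DNS name before templating and fail closed otherwise, as sketched below (with `re` imported at the top). `get()` without `timeout=` can hang container start indefinitely, and `.json()` on an error page raises an unrelated decode error, so call `raise_for_status()` first. Separately, the template's `Referrer-Policy "no-refferer-when-downgrade"` is a typo for `no-referrer-when-downgrade` that browsers silently ignore, and the CSP `default-src * data: 'unsafe-eval' 'unsafe-inline'` permits everything, so neither header currently adds protection.
```python
resp = get('http://configurator/api/v1/fetch?project=certupdater&stage=development', timeout=10)
resp.raise_for_status()
hosts = resp.json()['configs']['hosts']
hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
# A host reaches server_name, proxy_pass and (later) a filesystem path: accept DNS names only.
not_hostnames = [h for h in hosts if not re.fullmatch(r'(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}', h)]
if not_hostnames:
    raise SystemExit(f'refusing to template non-hostname entries: {not_hostnames}')
# … unchanged: per-host nginx server block template and the hosts.conf write …
```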
@@ -1,5 +1,15 @@
 from requests import get
 from subprocess import call
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+ "minio.develop.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False
+)
 hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
@@ -27,6 +37,12 @@ for host in hosts:
 \}
 \}\n\n
 '''.format(host, host.split('.')[0])
+ fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+ privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+ with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+ fp.write(privkey.data)
 with open('/etc/nginx/hosts.conf', 'w') as fp:
 fp.write(config)
-- 2.45.2 From a4b4bfbaeb385614c3dc379e4de83d3dbeca953a Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 01:35:47 +0300 Subject: [PATCH 06/30] fix --- .deploy-infra/deploy-dev.yaml | 5 +++++ .gitea/workflows/deploy-dev.yaml | 1 + nginx/nginx-dev/Dockerfile | 5 +++-- nginx/nginx-dev/{run.py => prepare.py} | 4 ---- nginx/nginx-dev/run.sh | 2 ++ 5 files changed, 11 insertions(+), 6 deletions(-) rename nginx/nginx-dev/{run.py => prepare.py} (95%) create mode 100644 nginx/nginx-dev/run.sh
diff --git a/.deploy-infra/deploy-dev.yaml b/.deploy-infra/deploy-dev.yaml
index 0b893b7..1db0504 100644
--- a/.deploy-infra/deploy-dev.yaml
+++ b/.deploy-infra/deploy-dev.yaml
@@ -6,6 +6,9 @@ services:
 image: mathwave/sprint-repo:sprint-infra-nginx-dev
 networks:
 - common-infra-nginx-development
+ - configurator
+ environment:
+ MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
 ports:
 - published: 80
 target: 80
@@ -164,3 +167,5 @@ volumes:
 networks:
 common-infra-nginx-development:
 external: true
+ configurator:
+ external: true
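Review bot: The object-store credentials are the weakest part of this hunk: `access_key` is hard-coded, `secret_key` falls back to `"minioadmin"` — the MinIO default — whenever `MINIO_SECRET_KEY` is unset, and `secure=False` fetches TLS private keys over plaintext HTTP from `minio.develop.sprinthub.ru:9000`. Make the secret mandatory with `secret_key=os.environ["MINIO_SECRET_KEY"]` so a misconfigured deployment fails to start instead of silently using a guessable credential, and use `secure=True` unless the endpoint is demonstrably reachable only over a trusted internal network, which the diff does not show. The `deploy-dev.yaml` hunk on the same line hands the secret over as a plain `environment:` entry, where it is visible to `docker inspect` and to every process in the container; a swarm secret mounted under `/run/secrets` would scope it more tightly.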
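Review bot: The private key is written with a plain `open(..., 'wb')`, i.e. with the process umask (typically 022), which leaves `/etc/nginx/{host}/privkey.pem` world-readable inside the container; nginx loads the key in its master process, which runs as root in the stock image, so the file can be `0600` — `with open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'wb') as fp:`, or an `os.chmod(path, 0o600)` right after each write. The two `get_object` responses are also never closed or returned to the pool; the minio client documentation pairs each `get_object` with `response.close()` and `response.release_conn()`, which a `try/finally` around the writes would cover. The enclosing `for host in hosts:` loop starts before this hunk.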
diff --git a/.gitea/workflows/deploy-dev.yaml b/.gitea/workflows/deploy-dev.yaml
index 641f677..8489c5a 100644
--- a/.gitea/workflows/deploy-dev.yaml
+++ b/.gitea/workflows/deploy-dev.yaml
@@ -59,6 +59,7 @@ jobs:
 MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
 DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
 MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
+ MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
 REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
 RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
 REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 383c079..57b46a1 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -4,5 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
 RUN pip3 install requests minio
 COPY ./config /etc/nginx
-COPY run.py run.py
-CMD ["python3", "run.py"]
\ No newline at end of file
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+CMD ["run.sh"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/prepare.py
similarity index 95%
rename from nginx/nginx-dev/run.py
rename to nginx/nginx-dev/prepare.py
index 738e460..d6be531 100644
--- a/nginx/nginx-dev/run.py
+++ b/nginx/nginx-dev/prepare.py
@@ -1,5 +1,4 @@
 from requests import get
-from subprocess import call
 import os
 from minio import Minio
@@ -46,6 +45,3 @@ for host in hosts:
 with open('/etc/nginx/hosts.conf', 'w') as fp:
 fp.write(config)
-
-
-call('nginx -g daemon off;', shell=True)
diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh
new file mode 100644
index 0000000..ede1e71
--- /dev/null
+++ b/nginx/nginx-dev/run.sh
@@ -0,0 +1,2 @@
+python3 prepare.py
+nginx -g daemon off;
\ No newline at end of file
-- 2.45.2 From 1633a2f8d78aaa36e50fe2c8570759b1a1b8536b Mon Sep 17 00:00:00 2001
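Review bot: `nginx -g daemon off;` on the last line of the new `run.sh` is not what nginx expects: `-g` takes one quoted directive, so as written nginx receives `-g daemon` plus a stray argument `off` while the shell treats `;` as a command separator, and the later revisions of this line in the series (`daemon;`, `daemon on;`, bare `nginx;`) all work around the quoting rather than add it. The script also runs `python3 prepare.py` without `set -e`, so a failed config or certificate fetch still starts the proxy against whatever is on disk, and nginx is not `exec`ed, so bash stays PID 1 and the container's stop signal never reaches nginx directly. Suggested body: `set -euo pipefail`, `python3 prepare.py`, `exec nginx -g 'daemon off;'`.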
From: Egor Matveev Date: Mon, 2 Jun 2025 01:37:25 +0300 Subject: [PATCH 07/30] fix --- nginx/nginx-dev/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 57b46a1..1accd65 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -1,7 +1,7 @@
 FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
-RUN apt-get install python3-certbot-nginx --yes
+RUN apt-get install python3-certbot-nginx python3-pip --yes
 RUN pip3 install requests minio
 COPY ./config /etc/nginx
 COPY prepare.py prepare.py
-- 2.45.2 From 6a470e13d75ebf8f9b7788f29895f097aa19d14a Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 01:40:03 +0300 Subject: [PATCH 08/30] fix --- nginx/nginx-dev/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 1accd65..61c50df 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,7 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx python3-pip --yes
-RUN pip3 install requests minio
+RUN pip3 install --break-system-packages requests minio
 COPY ./config /etc/nginx
 COPY prepare.py prepare.py
 COPY run.sh run.sh
-- 2.45.2 From 168b5fcbe509fac89e7b506d8d7331884861e86a Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 01:43:46 +0300 Subject: [PATCH 09/30] fix --- nginx/nginx-dev/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 61c50df..a4efe83 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
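Review bot: `RUN pip3 install --break-system-packages requests minio` pulls unpinned packages from PyPI at every image build, so two builds of the same commit can ship different code and a compromised or yanked release lands in the edge proxy without any diff in this repository. Pin both (`requests==<pinned version>`, `minio==<pinned version>`, ideally via a requirements file installed with `--require-hashes`), and prefer the apt-packaged `python3-requests` where it suffices, which also removes the need to override Debian's externally-managed-environment guard. The patch 07 hunk on the same line carries the same unpinned install before the flag was added, so one fix covers both.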
@@ -6,4 +6,5 @@ RUN pip3 install --break-system-packages requests minio COPY ./config /etc/nginx COPY prepare.py prepare.py COPY run.sh run.sh -CMD ["run.sh"] \ No newline at end of file +ENTRYPOINT [""] +CMD ["/docker-entrypoint.sh", "run.sh"] \ No newline at end of file -- 2.45.2 From a42dad8c642aa3212b01dfe3a0a3e40e5ff6e143 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:31:55 +0300 Subject: [PATCH 10/30] fix --- nginx/nginx-dev/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile index a4efe83..7a25084 100644 --- a/nginx/nginx-dev/Dockerfile +++ b/nginx/nginx-dev/Dockerfile @@ -6,5 +6,5 @@ RUN pip3 install --break-system-packages requests minio COPY ./config /etc/nginx COPY prepare.py prepare.py COPY run.sh run.sh -ENTRYPOINT [""] +ENTRYPOINT [] CMD ["/docker-entrypoint.sh", "run.sh"] \ No newline at end of file -- 2.45.2 From 7d530881d744a3fd81ec5cf25ab9e6ba396736e2 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:37:08 +0300 Subject: [PATCH 11/30] fix --- nginx/nginx-dev/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile index 7a25084..bd60a14 100644 --- a/nginx/nginx-dev/Dockerfile +++ b/nginx/nginx-dev/Dockerfile @@ -6,5 +6,4 @@ RUN pip3 install --break-system-packages requests minio COPY ./config /etc/nginx COPY prepare.py prepare.py COPY run.sh run.sh -ENTRYPOINT [] -CMD ["/docker-entrypoint.sh", "run.sh"] \ No newline at end of file +ENTRYPOINT ["run.sh"] \ No newline at end of file -- 2.45.2 From 1bd251e4d80a8f7abace24d19f44d869e74d3332 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:39:18 +0300 Subject: [PATCH 12/30] fix --- nginx/nginx-dev/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile index bd60a14..f9feeb4 100644 --- a/nginx/nginx-dev/Dockerfile 
+++ b/nginx/nginx-dev/Dockerfile
@@ -6,4 +6,5 @@ RUN pip3 install --break-system-packages requests minio
 COPY ./config /etc/nginx
 COPY prepare.py prepare.py
 COPY run.sh run.sh
+ENV PYTHONUNBUFFERED=1
 ENTRYPOINT ["run.sh"]
\ No newline at end of file
-- 2.45.2 From a496de9c7e50f8272d82364b496bbb0c6532e11e Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:41:10 +0300 Subject: [PATCH 13/30] fix --- nginx/nginx-dev/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index f9feeb4..02e3187 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -7,4 +7,4 @@ COPY ./config /etc/nginx
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 ENV PYTHONUNBUFFERED=1
-ENTRYPOINT ["run.sh"]
\ No newline at end of file
+ENTRYPOINT ["./run.sh"]
\ No newline at end of file
-- 2.45.2 From fb0ea5b13d7ee3e3b30a0ccb3838116d18c42794 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:42:33 +0300 Subject: [PATCH 14/30] fix --- nginx/nginx-dev/Dockerfile | 1 + 1 file changed, 1 insertion(+)
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 02e3187..f3a1b1e 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -7,4 +7,5 @@ COPY ./config /etc/nginx
 COPY prepare.py prepare.py
 COPY run.sh run.sh
 ENV PYTHONUNBUFFERED=1
+RUN chmod 777 run.sh
 ENTRYPOINT ["./run.sh"]
\ No newline at end of file
-- 2.45.2 From f54f0bf32e75863caeea592a205469f05434d5c6 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:44:31 +0300 Subject: [PATCH 15/30] fix --- nginx/nginx-dev/run.sh | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh
index ede1e71..154f920 100644
--- a/nginx/nginx-dev/run.sh
+++ b/nginx/nginx-dev/run.sh
@@ -1,2 +1,4 @@
+#!/bin/bash
+
 python3 prepare.py
 nginx -g daemon off;
\ No newline at end of file
-- 2.45.2
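Review bot: `RUN chmod 777 run.sh` in the patch 14 hunk makes the container's entrypoint script world-writable, so any unprivileged process in the container (nginx worker processes typically run as the `nginx` user) could rewrite what executes as root on the next start; execute permission is all that is needed. Use `RUN chmod 755 run.sh`, or set it at copy time with `COPY --chmod=755 run.sh run.sh` where the builder supports it (BuildKit). The script is also left at the image root because no `WORKDIR` is set, which is what the `./run.sh` entrypoint in the preceding hunk relies on.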
From c54c8897ac6fbf1783b0d6659366f1d2d7ac590e Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 02:50:22 +0300 Subject: [PATCH 16/30] fix --- nginx/nginx-dev/prepare.py | 10 +++++----- nginx/nginx-dev/run.sh | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index d6be531..88104e1 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -20,10 +20,10 @@ for host in hosts: server \{ listen 443 ssl http2; listen [::]:443 ssl http2; - server_name {0}; + server_name {host}; - ssl_certificate /etc/nginx/{0}/fullchain.pem; - ssl_certificate_key /etc/nginx/{0}/privkey.pem; + ssl_certificate /etc/nginx/{host}/fullchain.pem; + ssl_certificate_key /etc/nginx/{host}/privkey.pem; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; @@ -32,10 +32,10 @@ for host in hosts: add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / \{ - proxy_pass http://{1}-nginx:1238$request_uri; + proxy_pass http://{pre_domain}-nginx:1238$request_uri; \} \}\n\n - '''.format(host, host.split('.')[0]) + '''.format(host=host, pre_domain=host.split('.')[0]) fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp: diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index 154f920..f4b12dc 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -nginx -g daemon off; \ No newline at end of file +/docker-entrypoint.sh nginx -g daemon off; \ No newline at end of file -- 2.45.2 From b3e1195975c5e038d52bddca7873e194d4889d60 Mon Sep 17 00:00:00 2001 
From: Egor Matveev Date: Mon, 2 Jun 2025 02:54:38 +0300 Subject: [PATCH 17/30] fix --- nginx/nginx-dev/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index f4b12dc..c5f03dd 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx -g daemon off; \ No newline at end of file +/docker-entrypoint.sh nginx -g daemon; \ No newline at end of file -- 2.45.2 From 81afaa3f16c41a0e308b7052bfe49ef9432c06d9 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:01:52 +0300 Subject: [PATCH 18/30] fix --- nginx/nginx-dev/prepare.py | 8 ++++---- nginx/nginx-dev/run.sh | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 88104e1..85e16cb 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -17,7 +17,7 @@ hosts = list(set(hosts + ['platform.develop.sprinthub.ru'])) config = '' for host in hosts: config += ''' - server \{ + server {{ listen 443 ssl http2; listen [::]:443 ssl http2; server_name {host}; @@ -31,10 +31,10 @@ for host in hosts: add_header Referrer-Policy "no-refferer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - location / \{ + location / {{ proxy_pass http://{pre_domain}-nginx:1238$request_uri; - \} - \}\n\n + }} + }}\n\n '''.format(host=host, pre_domain=host.split('.')[0]) fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index c5f03dd..f4b12dc 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh 
@@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx -g daemon; \ No newline at end of file +/docker-entrypoint.sh nginx -g daemon off; \ No newline at end of file -- 2.45.2 From b9252cf38d5ed16a9949978c01d2aa77fd87fb72 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:04:32 +0300 Subject: [PATCH 19/30] fix --- nginx/nginx-dev/prepare.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 85e16cb..99e98d0 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -38,6 +38,7 @@ for host in hosts: '''.format(host=host, pre_domain=host.split('.')[0]) fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') + os.mkdir(f'/etc/ngionx/{host}') with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp: fp.write(fullchain.data) with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp: -- 2.45.2 From 5c2bbb6751c8bebe1bf032092007dbf379c42712 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:06:26 +0300 Subject: [PATCH 20/30] fix --- nginx/nginx-dev/prepare.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 99e98d0..20b905a 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -38,7 +38,7 @@ for host in hosts: '''.format(host=host, pre_domain=host.split('.')[0]) fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') - os.mkdir(f'/etc/ngionx/{host}') + os.mkdir(f'/etc/nginx/{host}') with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp: fp.write(fullchain.data) with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp: -- 2.45.2 From 125e7cbcb168a4e3a737525710d69eacfce0e192 Mon Sep 17 00:00:00 2001 
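Review bot: The corrected `os.mkdir(f'/etc/nginx/{host}')` creates the directory with the process umask, and the `privkey.pem` written two lines below inherits the same default mode, so the TLS private key ends up readable by any user inside the container. Create both with restrictive modes: `os.makedirs(f'/etc/nginx/{host}', mode=0o700, exist_ok=True)`, and for the key `fd = os.open(f"/etc/nginx/{host}/privkey.pem", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'wb') as fp:`. `exist_ok=True` additionally keeps a re-run from dying on an already-present directory. The enclosing `for host in hosts:` loop starts before this hunk.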
From: Egor Matveev Date: Mon, 2 Jun 2025 03:08:57 +0300 Subject: [PATCH 21/30] fix --- nginx/nginx-dev/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index f4b12dc..f236d92 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx -g daemon off; \ No newline at end of file +/docker-entrypoint.sh nginx -g daemon on; \ No newline at end of file -- 2.45.2 From 97e70d55ce70be8572bed10893c8864df33a2b91 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:10:50 +0300 Subject: [PATCH 22/30] fix --- nginx/nginx-dev/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index f236d92..c5f03dd 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx -g daemon on; \ No newline at end of file +/docker-entrypoint.sh nginx -g daemon; \ No newline at end of file -- 2.45.2 From 32f4530d32f67bbab3a4e41a11fdba321e866e76 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:14:14 +0300 Subject: [PATCH 23/30] fix --- nginx/nginx-dev/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index c5f03dd..68b872a 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx -g daemon; \ No newline at end of file +/docker-entrypoint.sh nginx; \ No newline at end of file -- 2.45.2 From d16e897dd909e1ad9c015b600ce5e793970d2d70 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:19:08 +0300 Subject: [PATCH 24/30] fix --- nginx/nginx-dev/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile index f3a1b1e..d5818df 100644 
--- a/nginx/nginx-dev/Dockerfile +++ b/nginx/nginx-dev/Dockerfile @@ -4,6 +4,8 @@ RUN apt-get install certbot --yes RUN apt-get install python3-certbot-nginx python3-pip --yes RUN pip3 install --break-system-packages requests minio COPY ./config /etc/nginx +COPY ./fullchain.pem /etc/nginx/fullchain.pem +COPY ./privkey.pem /etc/nginx/privkey.pem COPY prepare.py prepare.py COPY run.sh run.sh ENV PYTHONUNBUFFERED=1 -- 2.45.2 From 01f490f10f7d1c1662c9447d66db08770167afb3 Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Mon, 2 Jun 2025 03:23:19 +0300 Subject: [PATCH 25/30] fix --- nginx/nginx-dev/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh index 68b872a..55dfbaa 100644 --- a/nginx/nginx-dev/run.sh +++ b/nginx/nginx-dev/run.sh @@ -1,4 +1,4 @@ #!/bin/bash python3 prepare.py -/docker-entrypoint.sh nginx; \ No newline at end of file +/docker-entrypoint.sh nginx -g 'daemon off;' \ No newline at end of file -- 2.45.2 From 8f350225a4ef74cd747a53fe4c43c2fd762a2f8b Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Tue, 3 Jun 2025 21:54:25 +0300 Subject: [PATCH 26/30] fix --- nginx/nginx-dev/prepare.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 20b905a..3541a6f 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -31,8 +31,10 @@ for host in hosts: add_header Referrer-Policy "no-refferer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + set $pre_domain {pre_domain}; + location / {{ - proxy_pass http://{pre_domain}-nginx:1238$request_uri; + proxy_pass http://$pre_domain-nginx:1238$request_uri; }} }}\n\n '''.format(host=host, pre_domain=host.split('.')[0]) -- 2.45.2 From d2fa346a86924fece6bd3339da92365931543bb6 Mon Sep 17 00:00:00 2001 
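Review bot: `COPY ./privkey.pem /etc/nginx/privkey.pem` bakes a TLS private key into an image layer, so anyone who can pull the image (the deploy manifest later in this series pushes it under a registry tag) or read the build context gets the key, and since the build context is the repository checkout the key is presumably committed as well. Mount it at runtime instead (a Swarm/compose `secrets:` entry or a bind-mounted volume) and drop both `COPY` lines; prepare.py already fetches per-host certificates from MinIO at start-up, so a runtime path for key material exists. Any key that has been committed or pushed inside an image should be treated as exposed and reissued.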
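Review bot: `python3 prepare.py` is still not error-checked, so if the configurator or MinIO fetch fails the script continues to `/docker-entrypoint.sh nginx -g 'daemon off;'` and nginx either starts with a stale `hosts.conf` or fails for a less obvious reason. Add `set -euo pipefail` after the shebang and start nginx with `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so the failure is surfaced and nginx becomes PID 1 and receives the container's stop signal directly.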
From: Egor Matveev Date: Tue, 3 Jun 2025 21:59:42 +0300 Subject: [PATCH 27/30] fix --- nginx/nginx-dev/prepare.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 3541a6f..8bb4f61 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -31,10 +31,9 @@ for host in hosts: add_header Referrer-Policy "no-refferer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - set $pre_domain {pre_domain}; - location / {{ - proxy_pass http://$pre_domain-nginx:1238$request_uri; + resolver 1.1.1.1 8.8.8.8; + proxy_pass http://{pre_domain}-nginx:1238$request_uri; }} }}\n\n '''.format(host=host, pre_domain=host.split('.')[0]) -- 2.45.2 From 394cc647229d704742f6bd1c94b79f030327981c Mon Sep 17 00:00:00 2001 From: Egor Matveev Date: Tue, 3 Jun 2025 22:08:28 +0300 Subject: [PATCH 28/30] fix --- nginx/nginx-dev/prepare.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 8bb4f61..976240a 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py @@ -32,7 +32,7 @@ for host in hosts: add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; location / {{ - resolver 1.1.1.1 8.8.8.8; + resolver 127.0.0.11; proxy_pass http://{pre_domain}-nginx:1238$request_uri; }} }}\n\n -- 2.45.2 From 8db60c72d0c1fe20a9f55b2fa01256584ff58e39 Mon Sep 17 00:00:00 2001 
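Review bot: `resolver 127.0.0.11;` differs from the equivalent directive in the prod `sprinthub.conf` added later in this series (`resolver 127.0.0.11 ipv6=off;`), so the generated dev vhosts will also issue AAAA lookups for `{pre_domain}-nginx` that the overlay-network DNS cannot answer usefully; use the same form, `resolver 127.0.0.11 ipv6=off;`. It is also emitted once per generated `location /`; if the dev nginx.conf mirrors the prod one, hoisting the directive into its `http` block would keep the per-host template down to the lines that really vary.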
From: Egor Matveev Date: Wed, 4 Jun 2025 02:45:28 +0300 Subject: [PATCH 29/30] fix --- .deploy-infra/deploy-prod.yaml | 3 + .gitea/workflows/deploy-prod.yaml | 1 + nginx/nginx-prod/Dockerfile | 15 +- nginx/nginx-prod/allinvest/fullchain.pem | 90 --------- nginx/nginx-prod/allinvest/privkey.pem | 28 --- nginx/nginx-prod/config/nginx.conf | 13 ++ nginx/nginx-prod/config/sprinthub.conf | 111 +++++++++++ nginx/nginx-prod/nginx-prod.conf | 236 ----------------------- nginx/nginx-prod/prepare.py | 49 +++++ nginx/nginx-prod/run.sh | 4 + 10 files changed, 190 insertions(+), 360 deletions(-) delete mode 100644 nginx/nginx-prod/allinvest/fullchain.pem delete mode 100755 nginx/nginx-prod/allinvest/privkey.pem create mode 100644 nginx/nginx-prod/config/nginx.conf create mode 100644 nginx/nginx-prod/config/sprinthub.conf delete mode 100644 nginx/nginx-prod/nginx-prod.conf create mode 100644 nginx/nginx-prod/prepare.py create mode 100644 nginx/nginx-prod/run.sh diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml index 6c5ac31..5776cc3 100644 --- a/.deploy-infra/deploy-prod.yaml +++ b/.deploy-infra/deploy-prod.yaml @@ -6,6 +6,9 @@ services: image: mathwave/sprint-repo:sprint-infra-nginx-prod networks: - common-infra-nginx + - configurator + environment: + MINIO_SECRET_KEY: $MINIO_SECRET_KEY_PROD ports: - published: 80 target: 80 diff --git a/.gitea/workflows/deploy-prod.yaml b/.gitea/workflows/deploy-prod.yaml index d76b613..b055f86 100644 --- a/.gitea/workflows/deploy-prod.yaml +++ b/.gitea/workflows/deploy-prod.yaml @@ -63,6 +63,7 @@ jobs: MONGO_PASSWORD_PROD: ${{ secrets.MONGO_PASSWORD_PROD }} DB_PASSWORD_PROD: ${{ secrets.POSTGRES_PASSWORD_PROD }} MINIO_PASSWORD_PROD: ${{ secrets.MINIO_PASSWORD_PROD }} + MINIO_SECRET_KEY_PROD: ${{ secrets.MINIO_SECRET_KEY_PROD }} REDIS_PASSWORD_PROD: ${{ secrets.REDIS_PASSWORD_PROD }} RABBITMQ_PASSWORD_PROD: ${{ secrets.RABBITMQ_PASSWORD_PROD }} REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }} 
diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile index 19ac378..d5818df 100644 --- a/nginx/nginx-prod/Dockerfile +++ b/nginx/nginx-prod/Dockerfile @@ -1,10 +1,13 @@ FROM nginx RUN apt-get update RUN apt-get install certbot --yes -RUN apt-get install python3-certbot-nginx --yes -RUN mkdir /etc/allinvest -COPY ./nginx-prod.conf /etc/nginx/nginx.conf -COPY ./privkey.pem /etc/nginx/privkey.pem +RUN apt-get install python3-certbot-nginx python3-pip --yes +RUN pip3 install --break-system-packages requests minio +COPY ./config /etc/nginx COPY ./fullchain.pem /etc/nginx/fullchain.pem -COPY ./allinvest/privkey.pem /etc/allinvest/privkey.pem -COPY ./allinvest/fullchain.pem /etc/allinvest/fullchain.pem \ No newline at end of file +COPY ./privkey.pem /etc/nginx/privkey.pem +COPY prepare.py prepare.py +COPY run.sh run.sh +ENV PYTHONUNBUFFERED=1 +RUN chmod 777 run.sh +ENTRYPOINT ["./run.sh"] \ No newline at end of file diff --git a/nginx/nginx-prod/allinvest/fullchain.pem b/nginx/nginx-prod/allinvest/fullchain.pem deleted file mode 100644 index de29c73..0000000 --- a/nginx/nginx-prod/allinvest/fullchain.pem +++ /dev/null 
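Review bot: `RUN chmod 777 run.sh` makes the container entrypoint world-writable, so any process that gains a foothold as an unprivileged user can rewrite the script root executes on the next start; `RUN chmod 755 run.sh` is all `ENTRYPOINT ["./run.sh"]` needs. The hunk also keeps `COPY ./privkey.pem /etc/nginx/privkey.pem`, so the key used by every server in `sprinthub.conf` still ships inside a pushed image layer instead of being mounted as a secret at runtime. The `allinvest` key whose `COPY` lines are removed here is deleted from the tree but remains in git history, so it should be reissued rather than merely removed.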
@@ -1,90 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgISBLLA45sg/IhDBwA/vxe7YIKrMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yNDAyMDMyMTI1NDdaFw0yNDA1MDMyMTI1NDZaMBcxFTATBgNVBAMT -DHlvdXJnb2xzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFC -SqAyzSV1BHFSqKxH3GuLEVRgxUABAhveeLWOTJt3xrKTNhdgaP4fD8CZF5vmgFqx -M/Zk4mizZ9FEQeKnrmlhAL643OaGRTVwN1FfBEfvr/fT3AQD0HQB55OSsUReSFUn -yT9vR2cv+r/f6EU78Uw/svvTD7M0vY/uRfOc2qWv+I6dGsoS32iDQmsYlOK4HKWX -mfBTuGSCJKcec1nviehXXrGFP4YJa3gs6RzWTtGXxGgI0lG9O366RszkKZKVJICh -BH+YWV9KJ1hzgmRWlRJgs4t14MO2Dxw5Mu1G08WbaEQGvE7RgcBCNY8sV1K1Bx/P -NUPRsSPT6rIsX3MhQ4sCAwEAAaOCAg4wggIKMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUcY+9gyWVjqP8S2owFnPbtwbiZ1QwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA -5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu -by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w -FwYDVR0RBBAwDoIMeW91cmdvbHMuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIB -BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70A -DS1yb+H61BcAAAGNcRPt8gAABAMARjBEAiAMpD5lfh43xD1tAvsSa20OQ4LsQ8Kt -YBvl5svUTuGrHAIgPveMh3yZ6z+QLW1k8Lv7z1kyXsxSvCUQrX16k7m1V8kAdwCi -4r/WHt4vLweg1k5tN6fcZUOwxrUuotq3iviabfUX2AAAAY1xE+3xAAAEAwBIMEYC -IQD+hmWzWe0y9M8xYKvuhySnHN6AWKQpvJgTqBsCFiiy5QIhANM0ce+SEC4BlY8m -QAIGNXbAjlKU28q66EcTuSjji227MA0GCSqGSIb3DQEBCwUAA4IBAQAAfH8lbwUk -JD6voPBGCTt7XSZPl9dq4LdmOLV3bsfjtqWOeGNCznBYKfRZO/UJ/srekCjapzKy -DAmv0dl/tvBGfqhU/emOtKsq9AE0J7RqzF9SQPrVzq/VxWXGCCmtxUHEAlNk/lrg -PqxpTUZdLpeBEbNvtloSaUEpe8mkFcFhw7TZVtdkpn+pHRlltqXry/8BekFPQR5Y -qgI8akm2rXOV616MnF81DhIUVY4n6t4SVsDjSk69iDnKG97PJJK5yqsEfdZFiDRK -PlhHTYwOsypaP/JMuanK8eGjnNR9pA40DEjAJO0kvE3IE7dHD3R1iGkXjr7wIkKw -5NjP9yOv01mH ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh 
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ------END CERTIFICATE----- diff --git a/nginx/nginx-prod/allinvest/privkey.pem b/nginx/nginx-prod/allinvest/privkey.pem deleted file mode 100755 index 1efe87d..0000000 --- a/nginx/nginx-prod/allinvest/privkey.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDRQkqgMs0ldQRx -UqisR9xrixFUYMVAAQIb3ni1jkybd8aykzYXYGj+Hw/AmReb5oBasTP2ZOJos2fR -REHip65pYQC+uNzmhkU1cDdRXwRH76/309wEA9B0AeeTkrFEXkhVJ8k/b0dnL/q/ -3+hFO/FMP7L70w+zNL2P7kXznNqlr/iOnRrKEt9og0JrGJTiuByll5nwU7hkgiSn -HnNZ74noV16xhT+GCWt4LOkc1k7Rl8RoCNJRvTt+ukbM5CmSlSSAoQR/mFlfSidY -c4JkVpUSYLOLdeDDtg8cOTLtRtPFm2hEBrxO0YHAQjWPLFdStQcfzzVD0bEj0+qy -LF9zIUOLAgMBAAECggEANWFhxAfxiRKWtYnOeVRDiDOLkii1aKRZM17HEBlitW4S -g89FxyTS47BsxkbHXP+p0njNtpb5opfRbfKpk/YOaddS51QlFbE+ymj704gXgXpF -O0USJPwMGuu5dU3AZp5eeUqS7dmnL01v+65UhATMgxTkxZSLtr1HdgXkVka3B/ir -Q/iqR4ftt+qT0a9mzXQOxgdN7qnNwVNO1uJi87C6fQBRB6F724U5SJyOTMl9R6ZS -+JZ9Oz5xxoGLA/Nftn078uMjf2ymWfOqicHYeXxfPYllXNuRsIf7NA00F0orwF15 -TWBZLB5GbkOIP7k7vzabZMCbGmf42XYtt1oFYIssIQKBgQD7aB8cUDVdE47VOX4p -+Bf2ilMJA2d+KsCA3uYw5VQjjxBbfN+nChOx6e6eSmy2MMtH2ECG2IgW04FDbHtZ -y2tbmRY3XIl+4dos+6ybbiYeYKRcHOQiXbjFK9ml1NpDcuLMHE3a6v0gFB8N0iB4 -J3u6h9+kHe3LGPzIVDGbITWi4wKBgQDVFQleHfRWM9/hebU8/tshY4sRJ9nA9haI -F/NDMHhE+IyX9JHxGXtVE0ihOh0+0PLKLwtOepc4vqZaquKVnzZ82+sc+C4Iqg8K -S+1NoRFOZG1AlM53UI51ZXLvXZp8gAdDBXzwBZpWZNdhJHJSnuwVI+UoDkrAQkmn -/n4jzV01OQKBgQCH8pr4JYtlxIC1XryRl13l7JDQS+339MhaJ66UfD5OaDtxLYqH -elSCHbzyDc7RinsyY4cpJAgbR84blprxSKXKR3MTBtA3M4xWTNXeyuaEAMCAKwNW -bhXPUVIFcZ+BX6uysg+LtQyh/x93ysvSDY/Do1vVFHYVIHL5JUYZ3BBz/wKBgQDT -oCYCnJtr9e9Xn6oZ30BBg/y9WCfTllVAaxEGXSBF19jCnntHyjgMga9zuSUMmzdX -CKwhEG4aRHcxu2B4m3zhOwXiarZFkqiHYGtZ2ys2AVXkeyYnqBEklVI2W2+wUPNl -ZBD2zYnAXjzu1OTaG857HIBebPtewTcoKwCajD8TOQKBgQDr07j3sx5nQsg4kHmR -kBvHHjq7kQ1pEItrD/CfLsZ7Ntip4L82UzdZm/hhdM/12fB+wLu8HcZzvY5H1J+3 -IlkKYhAAe8lgzE7hYupVD9QtdFBuNsAnQfT+VV4JnZNDVZHXfnhz19KJ+iIvqton -8WCEnmpiIKyt+Lq+Ol3n7PDMIw== ------END PRIVATE KEY----- diff --git a/nginx/nginx-prod/config/nginx.conf b/nginx/nginx-prod/config/nginx.conf new file mode 100644 index 0000000..97c6f16 --- /dev/null +++ b/nginx/nginx-prod/config/nginx.conf 
@@ -0,0 +1,13 @@
+events {}
+
+http {
+ client_max_body_size 50m;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ include ./hosts.conf;
+ include ./sprinthub.conf;
+}
\ No newline at end of file
diff --git a/nginx/nginx-prod/config/sprinthub.conf b/nginx/nginx-prod/config/sprinthub.conf
new file mode 100644
index 0000000..5e428d9
--- /dev/null
+++ b/nginx/nginx-prod/config/sprinthub.conf
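Review bot: The new `http` block sets no `ssl_protocols`, `ssl_ciphers` or `server_tokens`, so every server pulled in by `include ./hosts.conf;` and `include ./sprinthub.conf;` runs on whatever the base image's nginx build defaults to, which on older releases still admits TLS 1.0/1.1 and in any case advertises the exact nginx version in error pages and the `Server` header. Add `server_tokens off;`, `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` once here, next to `client_max_body_size 50m;`, so the generated per-host blocks inherit them instead of each needing the directives.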
@@ -0,0 +1,111 @@ + + server { + listen 80; + server_name *.sprinthub.ru; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name swarmpit.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:888/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name portainer.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:8888/; + } + + location /api/websocket/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name minio.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy 
"default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:9001/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name gitea.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:3000/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ~^(?.*)\.sprinthub\.ru$; + + resolver 127.0.0.11 ipv6=off; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + proxy_set_header X-Real-IP $remote_addr; + location / { + proxy_pass http://$domain-nginx:1238$request_uri; + } + } diff --git a/nginx/nginx-prod/nginx-prod.conf b/nginx/nginx-prod/nginx-prod.conf deleted file mode 100644 index 91852d0..0000000 --- a/nginx/nginx-prod/nginx-prod.conf +++ /dev/null 
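Review bot: `server_name ~^(?.*)\.sprinthub\.ru$;` as shown has a capture group with no name, yet the catch-all block reads `$domain` in `proxy_pass http://$domain-nginx:1238$request_uri;`; even if a `<domain>` label was lost in rendering, `.*` also matches `foo.bar` and would turn that into an upstream named `foo.bar-nginx`. Use `server_name ~^(?<domain>[a-z0-9-]+)\.sprinthub\.ru$;` so only a single DNS label can become an upstream host name. Separately, `Referrer-Policy "no-refferer-when-downgrade"` is misspelled (`no-referrer-when-downgrade`) and browsers ignore the unknown value, and `default-src * data: 'unsafe-eval' 'unsafe-inline'` permits everything a CSP exists to restrict, so both headers give a false sense of coverage in every server block of this file.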
@@ -1,236 +0,0 @@ -events {} - -http { - client_max_body_size 150m; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - server { - listen 80; - server_name gitlab.sprinthub.ru; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 80; - server_name *.sprinthub.ru; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitlab.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header 
Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - 
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitea.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:3000/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name keycloak.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8443/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.sprinthub\.ru$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - location / { - proxy_pass http://$domain-nginx:1238$request_uri; 
- } - } - - server { - listen 80; - server_name yourgols.com; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name yourgols.com; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/allinvest/fullchain.pem; - ssl_certificate_key /etc/allinvest/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - location / { - proxy_pass http://yourgols-nginx:1238$request_uri; - } - } - -} diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py new file mode 100644 index 0000000..cbc95d7 --- /dev/null +++ b/nginx/nginx-prod/prepare.py 
@@ -0,0 +1,49 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+ "minio.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=production').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+ config += '''
+ server {{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {host};
+
+ ssl_certificate /etc/nginx/{host}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{host}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / {{
+ resolver 127.0.0.11;
+ proxy_pass http://{pre_domain}-nginx:1238$request_uri;
+ }}
+ }}\n\n
+ '''.format(host=host, pre_domain=host.split('.')[0])
+ fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+ privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+ os.mkdir(f'/etc/nginx/{host}')
+ with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+ fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+ fp.write(config)
diff --git a/nginx/nginx-prod/run.sh b/nginx/nginx-prod/run.sh
new file mode 100644
index 0000000..55dfbaa
--- /dev/null
+++ b/nginx/nginx-prod/run.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+python3 prepare.py
+/docker-entrypoint.sh nginx -g 'daemon off;'
\ No newline at end of file
-- 2.45.2
From 78550c3e6c0d12386511b6da723f706169e40e1e Mon Sep 17 00:00:00 2001
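Review bot: The MinIO client is built with `secure=False` against the public name `minio.sprinthub.ru:9000` and with `secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin")`, so every production TLS private key in the `certupdater` bucket is pulled over plaintext HTTP, and a missing environment variable silently falls back to a well-known default credential instead of failing. The `host` strings from the configurator response are then interpolated into nginx directives and `/etc/nginx/{host}` paths unvalidated, and `privkey.pem` is written with the default umask. The script should refuse to run without the secret, talk to MinIO over TLS or at least via its internal overlay-network service name (whichever the MinIO deployment actually supports), validate each host against a hostname pattern, and write the key with mode 0600; the changed lines are sketched below, with `re` added to the imports.

```python
HOST_RE = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$')

secret_key = os.environ.get("MINIO_SECRET_KEY")
if not secret_key:
    raise SystemExit("MINIO_SECRET_KEY is not set; refusing to fall back to a default credential")

minio_client = Minio(
    "minio.sprinthub.ru:9000",
    access_key="serviceminioadmin",
    secret_key=secret_key,
    secure=True,  # private keys must not cross the network in plaintext
)

# … unchanged: configurator fetch, hosts list, config = '' …

for host in hosts:
    if not HOST_RE.match(host):
        raise ValueError(f"refusing to render nginx config for invalid host {host!r}")
    # … unchanged: config += template, get_object calls …
    host_dir = f'/etc/nginx/{host}'
    os.makedirs(host_dir, mode=0o700, exist_ok=True)
    with open(f"{host_dir}/fullchain.pem", 'wb') as fp:
        fp.write(fullchain.data)
    fd = os.open(f"{host_dir}/privkey.pem", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'wb') as fp:
        fp.write(privkey.data)
```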
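Review bot: The new prod `run.sh` has the same gap as the dev one: `python3 prepare.py` is unchecked, so when the MinIO or configurator fetch fails the script still runs `/docker-entrypoint.sh nginx -g 'daemon off;'` and nginx starts with a missing or stale `hosts.conf`. Add `set -euo pipefail` after the shebang and use `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so a failed prepare step stops the container and nginx runs as PID 1.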
From: Egor Matveev Date: Wed, 4 Jun 2025 02:46:56 +0300 Subject: [PATCH 30/30] fix --- .deploy-infra/deploy-prod.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml index 5776cc3..aef066d 100644 --- a/.deploy-infra/deploy-prod.yaml +++ b/.deploy-infra/deploy-prod.yaml @@ -231,4 +231,6 @@ networks: net: driver: overlay common-infra-nginx: + external: true + configurator: external: true \ No newline at end of file -- 2.45.2