nginx: forward to keycloak for login

2 years ago · 28aa60d712
parent 8af6b06330
commit 28aa60d712
7 changed files with 185 additions and 0 deletions
--- a/nginx/data/certbot/conf/options-ssl-nginx.conf
+++ b/nginx/data/certbot/conf/options-ssl-nginx.conf
@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
--- a/nginx/data/certbot/conf/ssl-dhparams.pem
+++ b/nginx/data/certbot/conf/ssl-dhparams.pem
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
--- a/nginx/data/nginx/nginx.conf
+++ b/nginx/data/nginx/nginx.conf
@ -0,0 +1,88 @@
+#user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+env DOMAIN_NAME;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	#access_log syslog:server=localhost;
+	#error_log syslog:server=localhost;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+	include /tmp/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}
--- a/nginx/data/nginx/templates/login.conf.template
+++ b/nginx/data/nginx/templates/login.conf.template
@ -0,0 +1,26 @@
+server {
+	listen 80;
+	server_name login.${DOMAIN_NAME};
+	location / {
+		return 301 https://$host$request_uri;
+	}
+}
+
+server {
+	server_name login.${DOMAIN_NAME};
+	client_max_body_size 128m;
+
+	location / {
+		proxy_pass http://spacestation:8080;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+	}
+
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+
--- a/nginx/docker-compose.yaml
+++ b/nginx/docker-compose.yaml
@ -0,0 +1,22 @@
+version: '3'
+services:
+  nginx:
+    image: nginx:1.21-alpine
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./data/nginx/nginx.conf:/etc/nginx/nginx.conf
+        #- ./data/nginx/sites-enabled:/etc/nginx/sites-enabled
+      - ./data/nginx/templates:/etc/nginx/templates
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    env_file:
+      -  env.production
+        #environment:
+            #- NGINX_ENVSUBST_OUTPUT_DIR=/tmp/sites-enabled
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
--- a/nginx/env.production
+++ b/nginx/env.production
@ -0,0 +1 @@
+DOMAIN_NAME=example.com
--- a/nginx/setup
+++ b/nginx/setup
@ -0,0 +1,26 @@
+#!/bin/bash
+ENV=env.production
+if [ ! -r "$ENV" ]; then
+	echo >&2 "$ENV: not found?"
+	exit 1
+fi
+
+source env.production
+
+if [ -z "${DOMAIN_NAME}" ]; then
+	echo >&2 "DOMAIN_NAME not set"
+	exit 1
+fi
+
+certdir="data/certbot/conf/live/${DOMAIN_NAME}"
+mkdir -p "$certdir"
+
+openssl req \
+	-x509 \
+	-newkey rsa:2048 \
+	-keyout "$certdir/privkey.pem" \
+	-out "$certdir/fullchain.pem" \
+	-sha256 \
+	-nodes \
+	-days 365 \
+	-subj "/CN=${DOMAIN_NAME}'" \