
HTTPS support

This commit is contained in:
Maksym Pavlenko
2017-10-24 16:57:59 -07:00
parent 69019d6c01
commit 2c3116ad3c
7 changed files with 167 additions and 16 deletions


@@ -1,3 +1,15 @@
FROM nginx
FROM nginx:stable-alpine
COPY nginx.conf /etc/nginx/conf.d/default.conf
ADD nginx.conf /etc/nginx/nginx.conf
ADD podsync.conf /etc/nginx/conf.d/podsync.conf
ADD entrypoint.sh /entrypoint.sh
ADD le.sh /le.sh
RUN rm /etc/nginx/conf.d/default.conf && \
chmod +x /entrypoint.sh && \
chmod +x /le.sh && \
apk add --update certbot tzdata openssl && \
rm -rf /var/cache/apk/*
CMD ["/entrypoint.sh"]
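Review bot: `ADD` is used for four plain local files on L20–L23 where `COPY` is the right instruction; `ADD` also auto-extracts archives and fetches URLs, so a differently named input would silently be unpacked rather than copied — e.g. `COPY nginx.conf /etc/nginx/nginx.conf` and `COPY podsync.conf /etc/nginx/conf.d/podsync.conf`. The package step can drop the separate cache removal by using `RUN apk add --no-cache certbot tzdata openssl`, which never writes the index into the layer in the first place. Neither `nginx:stable-alpine` on L18 nor `certbot` is pinned, so every rebuild of this image pulls whatever those resolve to that day; pinning the base by digest and `certbot` to a release (`certbot=<version>-r<n>`) is what makes the image reproducible. Everything here still runs as root, which the bundled certbot and the port 80/443 binds rely on; a one-line comment stating that is deliberate would stop a reviewer flagging the missing `USER`.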

5
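--- /dev/null
+++ b/cmd/nginx/build.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+docker build -t nginx .
+docker tag nginx gcr.io/pod-sync/nginx
+gcloud docker -- push gcr.io/pod-sync/nginx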
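Review bot: Without `set -e` a failed `docker build` on L37 does not stop the script, so L38–L39 tag and push whatever local image happens to be named `nginx` — possibly a previously pulled Docker Hub image — under the project's registry path. Add `set -euo pipefail` after the shebang, and use a project-specific local name such as `docker build -t podsync-nginx .` so the build output cannot be confused with the upstream `nginx` image on the same host. The push is an implicit `:latest`, which leaves deployments unable to pin what they run; tagging with `$(git rev-parse --short HEAD)` as well is cheap here.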

50
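--- /dev/null
+++ b/cmd/nginx/entrypoint.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+echo "start nginx"
+#set TZ
+cp /usr/share/zoneinfo/$TZ /etc/localtime && \
+echo $TZ > /etc/timezone && \
+#setup ssl keys
+echo "ssl_key=${SSL_KEY:=le-key.pem}, ssl_cert=${SSL_CERT:=le-crt.pem}"
+SSL_KEY=/etc/nginx/ssl/${SSL_KEY}
+SSL_CERT=/etc/nginx/ssl/${SSL_CERT}
+mkdir -p /etc/nginx/conf.d
+mkdir -p /etc/nginx/ssl
+#copy /etc/nginx/service.conf if mounted
+if [ -f /etc/nginx/service.conf ]; then
+cp -fv /etc/nginx/service.conf /etc/nginx/conf.d/service.conf
+fi
+#replace SSL_KEY and SSL_CERT by actual keys
+sed -i "s|SSL_KEY|${SSL_KEY}|g" /etc/nginx/conf.d/*.conf
+sed -i "s|SSL_CERT|${SSL_CERT}|g" /etc/nginx/conf.d/*.conf
+#generate dhparams.pem
+if [ ! -f /etc/nginx/ssl/dhparams.pem ]; then
+echo "make dhparams"
+cd /etc/nginx/ssl
+openssl dhparam -out dhparams.pem 2048
+chmod 600 dhparams.pem
+fi
+#disable ssl configuration and let it run without SSL
+mv -v /etc/nginx/conf.d /etc/nginx/conf.d.disabled
+(
+sleep 5 #give nginx time to start
+echo "start letsencrypt updater"
+while :
+do
+echo "trying to update letsencrypt ..."
+/le.sh
+rm -f /etc/nginx/conf.d/default.conf 2>/dev/null #remove default config, conflicting on 80
+mv -v /etc/nginx/conf.d.disabled /etc/nginx/conf.d #enable
+echo "reload nginx with ssl"
+nginx -s reload
+sleep 60d
+done
+) &
+nginx -g "daemon off;"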
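Review bot: The trailing `&& \` on L49–L50 splices the comment on L51 and the `echo` on L52 onto the timezone command, so the `${SSL_KEY:=le-key.pem}` / `${SSL_CERT:=le-crt.pem}` defaults are only assigned when `cp /usr/share/zoneinfo/$TZ` succeeds; with `TZ` unset or misspelt the variables stay empty, L53–L54 become `/etc/nginx/ssl/`, and the `sed` on L62–L63 writes that bare directory into `ssl_certificate`/`ssl_certificate_key`. Give the defaults their own unconditional line, `: "${SSL_KEY:=le-key.pem}" "${SSL_CERT:=le-crt.pem}"`, and guard the timezone step instead of chaining it. The loop on L79–L84 also re-enables the TLS vhost and reloads whether or not `/le.sh` produced any files, then sleeps 60 days, so one transient ACME failure leaves the site HTTP-only until the next restart; check that both files exist and that `nginx -t` passes before reloading, and retry sooner when they do not. Finally, `nginx -g "daemon off;"` on L87 should be `exec`ed so nginx is PID 1 and receives the `docker stop` signal rather than the wrapper shell.
```sh
#set TZ
if [ -n "$TZ" ] && [ -f "/usr/share/zoneinfo/$TZ" ]; then
  cp "/usr/share/zoneinfo/$TZ" /etc/localtime
  echo "$TZ" > /etc/timezone
fi
#setup ssl keys - defaults are assigned unconditionally, not behind the TZ step
: "${SSL_KEY:=le-key.pem}" "${SSL_CERT:=le-crt.pem}"
echo "ssl_key=${SSL_KEY}, ssl_cert=${SSL_CERT}"
# … unchanged: path prefixing, service.conf copy, sed substitution, dhparams, conf.d disable …
(
  sleep 5 #give nginx time to start
  echo "start letsencrypt updater"
  while :
  do
    echo "trying to update letsencrypt ..."
    /le.sh
    rm -f /etc/nginx/conf.d/default.conf 2>/dev/null
    if [ -f "$SSL_KEY" ] && [ -f "$SSL_CERT" ]; then
      [ -d /etc/nginx/conf.d.disabled ] && mv -v /etc/nginx/conf.d.disabled /etc/nginx/conf.d
      echo "reload nginx with ssl"
      nginx -t && nginx -s reload
      sleep 60d
    else
      echo "no certificate/key at ${SSL_CERT} / ${SSL_KEY}; staying on plain HTTP, retrying in 1h"
      sleep 1h
    fi
  done
) &
exec nginx -g "daemon off;"
```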

10
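--- /dev/null
+++ b/cmd/nginx/le.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+if [ "$LETSENCRYPT" = "true" ]; then
+certbot certonly -t -n --agree-tos --renew-by-default --email "${LE_EMAIL}" --webroot -w /usr/share/nginx/html -d $LE_FQDN
+FIRST_FQDN=$(echo "$LE_FQDN" | cut -d"," -f1)
+cp -fv /etc/letsencrypt/live/$FIRST_FQDN/privkey.pem /etc/nginx/ssl/le-key.pem
+cp -fv /etc/letsencrypt/live/$FIRST_FQDN/fullchain.pem /etc/nginx/ssl/le-crt.pem
+else
+echo "letsencrypt disabled"
+fi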
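Review bot: certbot's exit status on L96 is discarded — the two `cp -fv` lines run whether or not issuance succeeded, and the script's own exit code is that of the last `cp`, so the caller cannot tell a fresh certificate from a stale one or none at all; guard the copies with `certbot certonly … -d "$LE_FQDN" || exit 1`. The private key is copied into `/etc/nginx/ssl`, which the compose change in this commit bind-mounts from the host; `cp` without `-p` gives the new file certbot's mode masked by the umask, so add an explicit `chmod 600 /etc/nginx/ssl/le-key.pem` rather than depending on what certbot happened to set. `--renew-by-default` forces a re-issue on every invocation, which counts against Let's Encrypt's duplicate-certificate limit each time the container starts; `certbot renew`, which only acts when the certificate is due, is the usual shape for a periodic job once the first `certonly` has run.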


@@ -1,16 +1,60 @@
server {
listen 80;
user nginx;
worker_processes 1;
gzip on;
server_tokens off;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
location /download {
proxy_pass http://ytdl:5002;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
gzip on;
server_tokens off;
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
client_body_buffer_size 4K;
client_header_buffer_size 4k;
client_max_body_size 4k;
large_client_header_buffers 2 4k;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE (CVE-2014-3566)
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_session_cache shared:SSL:50m;
ssl_stapling_verify on;
ssl_ecdh_curve secp384r1;
server {
listen 80;
server_name _;
root /usr/share/nginx/html;
# do not redirect requests letsencrypt
location /.well-known/ {}
# the default location redirects to https
location / {
return 301 https://$host$request_uri;
}
}
location / {
proxy_pass http://app:5001;
proxy_buffers 8 16k;
proxy_buffer_size 16k;
}
}
include /etc/nginx/conf.d/*.conf;
}
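Review bot: The cipher list on L139 ends with `DES-CBC3-SHA`, and L137 keeps TLSv1 and TLSv1.1 enabled; 3DES is subject to SWEET32 (CVE-2016-2183) and the older protocol versions buy nothing here, so use `ssl_protocols TLSv1.2;` and drop the trailing `:DES-CBC3-SHA` (every remaining suite is ECDHE/DHE, so forward secrecy is unchanged). `ssl_stapling on` on L141 has no `resolver` directive, and nginx needs one to look up the OCSP responder's hostname, so stapling will not actually happen and `ssl_stapling_verify` verifies nothing; add `resolver <ip> valid=300s;` with a resolver the container can reach. The two `limit_conn_zone` declarations on L131–L132 are never applied with a `limit_conn` directive anywhere on the new side, so they currently limit nothing — either add `limit_conn perip 10;` in the server blocks or remove the zones to avoid a false sense of protection.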

22
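--- /dev/null
+++ b/cmd/nginx/podsync.conf
@@ -0,0 +1,22 @@
+server {
+listen 443;
+server_name _;
+ssl on;
+ssl_certificate SSL_CERT;
+ssl_certificate_key SSL_KEY;
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+access_log off;
+location /download {
+proxy_pass http://ytdl:5002;
+}
+location / {
+proxy_pass http://app:5001;
+proxy_buffers 8 16k;
+proxy_buffer_size 16k;
+}
+}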
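Review bot: The HSTS header on L176 commits the host and every subdomain for two years and signals eligibility for browser preload lists on the very first HTTPS response, so if the Let's Encrypt loop ever breaks no browser that has seen it can fall back; start with a short `max-age` without `preload` (e.g. `add_header Strict-Transport-Security "max-age=300; includeSubDomains";`) and lengthen it once renewal has proven itself. `access_log off;` on L177 switches off logging for the vhost where all real traffic lands after the port-80 redirect, leaving nothing to look at during an incident; drop that line so the `http`-level `access_log` applies. `listen 443;` with `ssl on;` on L171/L173 is the deprecated spelling; `listen 443 ssl;` is the supported form. Neither location forwards the client address or scheme, so the backend cannot tell the request arrived over HTTPS; `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in both locations would fix that.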


@@ -13,7 +13,7 @@ services:
- VIMEO_API_KEY={VIMEO_API_KEY}
- PATREON_CLIENT_ID={PATREON_CLIENT_ID}
- PATREON_SECRET={PATREON_SECRET}
- PATREON_REDIRECT_URL=http://podsync.net/patreon
- PATREON_REDIRECT_URL=https://podsync.net/patreon
- COOKIE_SECRET={COOKIE_SECRET}
ytdl:
image: gcr.io/pod-sync/ytdl:latest
@@ -35,4 +35,12 @@ services:
container_name: nginx
restart: always
ports:
- 80:80
- 80:80
- 443:443
environment:
- TZ=America/Los_Angeles
- LETSENCRYPT=true
- LE_EMAIL=name@example.com
- LE_FQDN=podsync.net,www.podsync.net
volumes:
- /data/ssl:/etc/nginx/ssl
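Review bot: Only `/etc/nginx/ssl` is persisted on L212; `/etc/letsencrypt` is not, so every container recreation under `restart: always` makes the `le.sh` in this commit register a fresh ACME account and, with `--renew-by-default`, issue a new certificate — that burns through Let's Encrypt's duplicate-certificate limit and loses the account key each time. Add `- /data/letsencrypt:/etc/letsencrypt` under `volumes`. The `/data/ssl` bind mount now holds the TLS private key on the host, so that directory needs root-only permissions there, which nothing in this change enforces. `LE_EMAIL=name@example.com` on L209 reads like a placeholder; the expiry warnings for a real deployment would go nowhere, so either template it like the `{PATREON_SECRET}` values above or put a monitored address in.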