Commit 30b12a44 authored by Pedro Eduardo Trujillo's avatar Pedro Eduardo Trujillo

Merge branch 'dev' into 'master'

Dev

See merge request redmic-project/gateway/nginx-proxy-https!10
parents 2db42aec 71d5ba6c
+12 −125
include:
  - project: 'redmic-project/gitlab-ci-templates'
    ref: master
    file: '/packaging.yml'
  - project: 'redmic-project/gitlab-ci-templates'
    ref: master
    file: '/deployment.yml'

stages:
  - package
  - test-package
  - deploy

variables:
  DOCKER_DRIVER: overlay2
  STACK: ${CI_PROJECT_NAME}
  SERVICES_TO_CHECK: ${CI_PROJECT_NAME}_${CI_PROJECT_NAME}
  IMAGE_NAME: ${CI_REGISTRY_IMAGE}
  IMAGE_TAG: ${CI_COMMIT_SHA}

services:
  - docker:dind

docker-build-development:
  stage: package
  image: docker:stable
  only:
    - branches
  except:
    - master
  script:
    - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
    - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-latest .
    - docker push ${CI_REGISTRY_IMAGE}

docker-build-stable:
  stage: package
  image: docker:stable
  only:
    - master
  script:
    - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
    - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} -t ${CI_REGISTRY_IMAGE}:latest .
    - docker push ${CI_REGISTRY_IMAGE}

container-scanning:
  stage: test-package
  image: docker:stable
  allow_failure: true
  only:
    - branches
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
    - apk add -U wget ca-certificates
    - docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
    - docker pull ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA}
    - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - mv clair-scanner_linux_amd64 clair-scanner
    - chmod +x clair-scanner
    - touch clair-whitelist.yml
    - >
      ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log
      -w clair-whitelist.yml ${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHA} || true
  artifacts:
    paths: [gl-sast-container-report.json]

deploy-supporting-branch-develop:
  stage: deploy
  image: ${DOCKER_DEPLOY_IMAGE_NAME}:${DOCKER_DEPLOY_IMAGE_TAG}
  variables:
    SSH_REMOTE: ${DEV_SSH_REMOTE}
    COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml
    PUBLIC_HOSTNAME: ${DEV_PUBLIC_HOSTNAME}
  script:
    - >
      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}
      PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}
  environment:
    name: dev
    url: https://${DEV_PUBLIC_HOSTNAME}
  only:
    - branches
  except:
    - master
  when: manual

deploy-stable-branch-develop:
  stage: deploy
  image: ${DOCKER_DEPLOY_IMAGE_NAME}:${DOCKER_DEPLOY_IMAGE_TAG}
  variables:
    SSH_REMOTE: ${DEV_SSH_REMOTE}
    COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.dev.yml
    PUBLIC_HOSTNAME: ${DEV_PUBLIC_HOSTNAME}
  script:
    - >
      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}
      PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}
  environment:
    name: dev
    url: https://${DEV_PUBLIC_HOSTNAME}
  only:
    - master
  when: manual

deploy-supporting-branch-production:
  stage: deploy
  image: ${DOCKER_DEPLOY_IMAGE_NAME}:${DOCKER_DEPLOY_IMAGE_TAG}
  variables:
    SSH_REMOTE: ${PRO_SSH_REMOTE}
    COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.prod.yml
    PUBLIC_HOSTNAME: ${PRO_PUBLIC_HOSTNAME}
  script:
    - >
      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}
      PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}
  environment:
    name: pro
    url: https://${PRO_PUBLIC_HOSTNAME}
  only:
    - branches
  except:
    - master
  when: manual
  STACK: gateway

deploy-stable-branch-production:
  stage: deploy
  image: ${DOCKER_DEPLOY_IMAGE_NAME}:${DOCKER_DEPLOY_IMAGE_TAG}
.deploy:
  variables:
    SSH_REMOTE: ${PRO_SSH_REMOTE}
    COMPOSE_FILE: docker-compose.tmpl.yml:docker-compose.prod.yml
    PUBLIC_HOSTNAME: ${PRO_PUBLIC_HOSTNAME}
  script:
    - >
      deploy.sh IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} COMPOSE_FILE=${COMPOSE_FILE}
      PUBLIC_HOSTNAME=${PUBLIC_HOSTNAME}
    SERVICES_TO_CHECK: ${STACK}_${CI_PROJECT_NAME}
  environment:
    name: pro
    url: https://${PRO_PUBLIC_HOSTNAME}
  only:
    - master
  when: manual
    url: https://${PUBLIC_HOSTNAME}
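Review bot: The `include:` entries at the top pull `/packaging.yml` and `/deployment.yml` from `redmic-project/gitlab-ci-templates` with `ref: master`, a mutable branch, so any push to that project's master silently changes the packaging and deployment logic this pipeline executes (the manual deploy jobs that presumably still consume the SSH_REMOTE and registry variables included) without a change or review in this repository. Pinning the ref to a tag or commit SHA, e.g. `ref: '<TEMPLATES_TAG_OR_SHA>'`, and bumping it deliberately keeps pipeline changes reviewable here like any other dependency update. The rendered page lost the +/- markers, and with 12 additions against 125 deletions most of the job bodies shown are presumably the removed inline definitions, so I am reading the `include:` block and the `.deploy:` fragment as the new side — worth confirming against the raw diff.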
+13 −3
FROM nginx:1.15-alpine
ARG NGINX_IMAGE_TAG=1.17-alpine

FROM nginx:${NGINX_IMAGE_TAG}

LABEL maintainer="info@redmic.es"

COPY nginx /etc/nginx

COPY scripts/entrypoint.sh /entrypoint.sh

RUN apk add --no-cache openssl
ARG OPENSSL_VERSION=1.1.1d-r0
RUN apk add --no-cache \
	openssl=${OPENSSL_VERSION}

EXPOSE 443

HEALTHCHECK --interval=30s --timeout=15s --start-period=1m --retries=10 \
	CMD wget --spider -q http://localhost/nginx-health \
		|| (count=$(ps aux | grep openssl | wc -l); [ ${count} -gt 1 ]) \
		|| exit 1

CMD ["sh", "-c", "/entrypoint.sh"]
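Review bot: The fallback in the HEALTHCHECK (`ps aux | grep openssl | wc -l` compared with `-gt 1`) appears to always succeed, because the `sh -c` process that runs the health command itself carries the string `openssl` in its command line and is listed by `ps aux` alongside the `grep` process, so the count is at least 2 whenever the wget fails and `exit 1` is never reached; I am inferring this from BusyBox `ps` printing full command lines, so please confirm in a running container. If the intent is to stay healthy only while a real `openssl` process (presumably the Diffie-Hellman parameter generation the README describes) is running, `|| [ "$(ps aux | grep -c '[o]penssl')" -gt 0 ] \` counts genuine matches only, since the bracket pattern matches neither the grep nor the shell whose command line contains it. Separately, `openssl=${OPENSSL_VERSION}` is an exact pin: once Alpine replaces 1.1.1d-r0 with a patched build the old package leaves the index and `apk add` fails, and until the ARG (duplicated in the .env file in this commit) is bumped the image does not pick up OpenSSL security fixes, so a comment stating that the pin is deliberate and must be tracked against Alpine security advisories would help the next maintainer. The rendered page lost the +/- markers, so I cannot tell from here whether the HEALTHCHECK lines are new or context.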

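--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 REDMIC Project / Gateway
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.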
+8 −8
# Nginx proxy
# Nginx proxy HTTPS

Nginx service configured to act as a proxy to Traefik service. Add caching and bot protection capabilities

Este servicio sirve de proxy inverso al frente de *Traefik*, para aportar funciones de las que este último carece.


## Funciones

* Sustituye a Traefik (que actúa a nivel interno) como punto de entrada a los servicios web. Recibe peticiones para cualquier dominio, y las propaga para que sean resueltas por Traefik hacia los contenedores apropiados.

* Sirve a través de HTTPS todos los servicios, que funcionan sobre HTTP localmente. Carga los certificados con la ayuda de [certificates-manager](https://gitlab.com/redmic-project/certificates-manager) y genera sus propios parámetros Diffie-Hellman cuando no los tiene disponibles (normalmente sólo la primera vez, hay que tener paciencia porque es un proceso pesado).

* Expone ruta `/.well-known/acme-challenge/` para que *certificates-manager* pueda validar los certificados antes de ser aplicados (con validación a través de registros DNS no será necesaria).
* Sirve a través de HTTPS todos los servicios, que funcionan sobre HTTP localmente. Carga los certificados con la ayuda de [certificates-manager](https://gitlab.com/redmic-project/gateway/certificates-manager) y genera sus propios parámetros Diffie-Hellman cuando no los tiene disponibles (normalmente solo la primera vez, hay que tener paciencia porque es un proceso pesado).

* Comprime las respuestas a las peticiones con gzip, disminuyendo el tráfico de red.

@@ -16,15 +17,16 @@ Este servicio sirve de proxy inverso al frente de *Traefik*, para aportar funcio

* Protege frente al acceso malicioso, por parte de bots o desde orígenes sospechosos. Toma la información de [mariusv/nginx-badbot-blocker](https://github.com/mariusv/nginx-badbot-blocker) para ello.


## Variables

Se pueden definir algunos valores variables al servicio web.

| Variable | Descripción | Valor por defecto |
|:-:|:-:|:-:|
| PUBLIC_HOSTNAME | Dominio en el que será accesible el servidor web. Se usa para comprobar su salud solamente. | `localhost` |
| PERSISTENT_PATH | Ruta interna al contenedor sobre la que se montará el volumen `persistent-vol`. | `/var/nginx/persistent` |


## Volúmenes

Se definen diferentes volúmenes para lograr persistencia del servicio, al mismo tiempo que se mantienen separados ficheros de distinta índole.
@@ -37,9 +39,6 @@ Almacena aquellos ficheros que no son secretos y que interesa conservar entre re

Conserva los ficheros de caché generados durante el funcionamiento del servidor web. Para limpiar la caché, es posible reiniciar el servicio tras borrar este volumen, y se volverá a regenerar de nuevo sin inconvenientes.

### acme-vol

Permite al servicio *certificates-manager* exponer los ficheros generados para la validación del certificado, para que el servidor web sea capaz de responder a los *challenges* con ellos. No será necesario si se realiza validación a través de registros DNS.

## Configuraciones

@@ -53,6 +52,7 @@ Contiene un listado de IP que deben bloquearse siempre. Procede originalmente de

Define aquellos agentes (para identificar bots), dominios y URL que deben ser bloqueados. Procede originalmente de https://github.com/mariusv/nginx-badbot-blocker/blob/master/blacklist.conf, pero ha sido ampliado y es posible editarlo. Por ejemplo, para bloquear bots de rastreo o para conceder acceso a un agente concreto.


## Secretos

Del mismo modo que con las configs, se usan secrets de Docker para almacenar aquellas configuraciones que además no deben ser públicas.
+7 −0
NGINX_IMAGE_TAG=1.17-alpine
OPENSSL_VERSION=1.1.1d-r0

PERSISTENT_PATH=/var/nginx/persistent
HTTPS_INTERNAL_PORT=443
HTTPS_PORT=443
PORT_MODE=host
BLACKLIST_CONFIG_NAME=nginx-blacklist