Merge pull request #36 from cerc-io/dboreham/tls-proxy
Initial version of automated TLS proxy
This commit is contained in:
commit
4d8da3f145
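--- a/tls-proxy/README.md
+++ b/tls-proxy/README.md
@@ -0,0 +1,2 @@
+# tls-proxy
+Automated deployment of TLS reverse proxy provisioned with Let's Encrypt certificate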
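--- a/tls-proxy/docker-compose.yml
+++ b/tls-proxy/docker-compose.yml
@@ -0,0 +1,27 @@
+services:
+
+  proxy:
+    image: nginx:stable-bullseye
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./certbot/challenge:/data/certbot-challenge:ro
+      - ./certbot/certificates:/data/certificates:ro
+
+  certbot:
+    image: certbot/certbot:v2.5.0
+    volumes:
+      - ./certbot/certificates:/etc/letsencrypt
+      - ./certbot/challenge:/data-www-challenge
+    entrypoint: "/bin/sh -c 'sleep 300; trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+
+  # Hello-world http container useful for test/debugging the proxy
+  # an actual service would be used for production
+  example-webservice:
+    image: crccheck/hello-world
+    ports:
+      - 8000
+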
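Review bot: `example-webservice` publishes container port 8000 to the host (`ports:` / `- 8000` at the end of the file), so the backend is reachable over plain HTTP on an ephemeral host port and the TLS proxy can be bypassed entirely; nginx reaches the service over the compose network without any published port, so the `ports:` stanza can be dropped, or replaced with `expose:` / `- "8000"` if documenting the listener is wanted. The same consideration applies when a real service is substituted, as the comment above it suggests. On a smaller note, the proxy's `- 80:80` and `- 443:443` mappings are conventionally quoted in compose files (`- "80:80"`) so that colon-separated numbers are never read as YAML 1.1 sexagesimal integers, even though these particular values happen not to trigger that.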
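--- a/tls-proxy/initialize-tls-proxy.sh
+++ b/tls-proxy/initialize-tls-proxy.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+  set -x
+fi
+# TODO: get from the caller
+LACONIC_TLS_DOMAIN=example.com
+# When we're called nginx and certbot container are up and running and certbot is sleeping before executing renew
+# So we can now ask certbot to issue our initial cert
+tls_certificate_directory=./certbot/certificates/live/${LACONIC_TLS_DOMAIN}
+rm -rf ${tls_certificate_directory}
+# TODO: pass in email from caller
+# TODO: allow staging/dry-run mode
+docker compose exec certbot \
+  certbot certonly --webroot -w /data-www-challenge \
+  --staging \
+  --email ${EMAIL} \
+  -d ${LACONIC_TLS_DOMAIN} \
+  --rsa-key-size 4096 \
+  --agree-tos \
+  --force-renewal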
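Review bot: `--email ${EMAIL}` reads a variable that nothing in this script sets; when `EMAIL` is empty the unquoted expansion disappears and certbot takes the following `-d` as the email address, so the request fails in a confusing way. A fail-fast guard next to the `LACONIC_TLS_DOMAIN=` line, `: "${EMAIL:?EMAIL must be set}"`, plus quoting the expansions (`--email "${EMAIL}"`, `-d "${LACONIC_TLS_DOMAIN}"`) makes the precondition explicit. `--staging` is also hard-coded, which contradicts the `# TODO: allow staging/dry-run mode` comment just above: every run obtains a certificate from the Let's Encrypt staging CA, which browsers do not trust, so as written the script never yields a production certificate. Finally, `rm -rf ${tls_certificate_directory}` runs before certbot is invoked, so a failed issuance leaves nginx pointing at a certificate directory that no longer exists; `set -e` (as `run-this-first.sh` already uses) and a check of the `docker compose exec` exit status would at least make that failure visible.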
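--- a/tls-proxy/nginx-config-template
+++ b/tls-proxy/nginx-config-template
@@ -0,0 +1,39 @@
+events {
+  worker_connections 1024;
+}
+
+http {
+  server_tokens off;
+  charset utf-8;
+
+  server {
+    listen 80 default_server;
+
+    server_name _;
+
+    location ~ /.well-known/acme-challenge/ {
+      root /data/certbot-challenge;
+    }
+
+    location / {
+      proxy_pass http://webservice:8000/;
+    }
+  }
+
+  server {
+    listen 443 ssl http2;
+    ssl_certificate /data/certificates/live/${LACONIC_TLS_DOMAIN}/fullchain.pem;
+    ssl_certificate_key /data/certificates/live/${LACONIC_TLS_DOMAIN}/privkey.pem;
+    server_name ${LACONIC_TLS_DOMAIN};
+    root /var/www/html;
+    index index.php index.html index.htm;
+
+    location / {
+      proxy_pass ${LACONIC_ORIGIN_SERVICE_URL};
+    }
+
+    location ~ /.well-known/acme-challenge/ {
+      root /data/certbot-challenge;
+    }
+  }
+}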
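Review bot: The port-80 `location /` proxies to `http://webservice:8000/`, but no service named `webservice` exists in the accompanying compose file (the test backend is `example-webservice`), and nginx resolves a static `proxy_pass` host when it loads the configuration, so the proxy will most likely refuse to start with a "host not found in upstream" error unless that name resolves some other way. Since the 443 block already serves the application through `${LACONIC_ORIGIN_SERVICE_URL}`, the cleaner fix is to keep port 80 for the ACME challenge only and redirect everything else: `location / { return 301 https://$host$request_uri; }`. That also stops the application from being served unencrypted alongside the TLS listener. In the 443 server, `root /var/www/html;` and `index index.php index.html index.htm;` are unused because `location /` is proxied, and can be dropped. An explicit `ssl_protocols TLSv1.2 TLSv1.3;` is also worth adding so the accepted protocol set does not depend on whichever nginx default ships in the `stable-bullseye` image.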
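--- a/tls-proxy/run-this-first.sh
+++ b/tls-proxy/run-this-first.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+if [[ -n "$CERC_SCRIPT_DEBUG" ]]; then
+  set -x
+fi
+set -e
+mkdir -p ./nginx
+mkdir -p ./certbot/certificates
+mkdir -p ./certbot/challenge
+# TODO: get from the caller
+LACONIC_TLS_DOMAIN=example.com
+LACONIC_ORIGIN_SERVICE_URL=http://example-webservice:8000/
+# Expand the config template into the nginx config file
+cat ./nginx-config-template | sed 's/${LACONIC_TLS_DOMAIN}/'${LACONIC_TLS_DOMAIN}'/' | \
+  sed 's/${LACONIC_ORIGIN_SERVICE_URL}/'${LACONIC_ORIGIN_SERVICE_URL}'/' > ./nginx/nginx.conf
+# Create a self-signed cert so nginx will start without us changing its config between pre and post certbot invocation.
+# Check if we have a cert already
+tls_certificate_directory=./certbot/certificates/live/${LACONIC_TLS_DOMAIN}
+tls_certificate_directory_in_container=/etc/letsencrypt/live/${LACONIC_TLS_DOMAIN}
+tls_certificate_file_name=${tls_certificate_directory}/fullchain.pem
+# TODO: this won't work if there's a delay of more than one day between generating the
+# self signed cert and starting the certbot enrollment process
+if [[ ! -f ${tls_certificate_file_name} ]] ; then
+  echo "Generating self-signed certificate for ${LACONIC_TLS_DOMAIN}:"
+  mkdir -p ${tls_certificate_directory}
+  docker compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:4096 -days 1 -keyout '${tls_certificate_directory_in_container}/privkey.pem' \
+  -out '${tls_certificate_directory_in_container}/fullchain.pem' -subj '/CN=${LACONIC_TLS_DOMAIN}'" certbot
+  echo
+fi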
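Review bot: The second `sed` in the template-expansion pipeline cannot work with the default `LACONIC_ORIGIN_SERVICE_URL=http://example-webservice:8000/`: the URL is spliced unquoted into an `s/.../.../` expression whose delimiter is `/`, so sed sees `s/${LACONIC_ORIGIN_SERVICE_URL}/http:/` followed by stray text, rejects the expression, and under `set -e` the script aborts having written an empty `./nginx/nginx.conf`. A delimiter that cannot appear in a URL fixes it, e.g. `sed "s#\${LACONIC_ORIGIN_SERVICE_URL}#${LACONIC_ORIGIN_SERVICE_URL}#"`, and the `cat ... |` prefix can go since sed accepts the template path as an argument. Separately, the bootstrap writes an unencrypted (`-nodes`) private key into the host-mounted `./certbot/certificates` tree that the real Let's Encrypt key will later share; the directory is created with `mkdir -p` and default umask here, so it is worth confirming the resulting permissions on the host are not world-readable.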