diff --git a/.env b/.env
new file mode 100644
index 00000000..953b7a63
--- /dev/null
+++ b/.env
@@ -0,0 +1,6 @@
+# Domain name for service. Should be equal with name in generated ssl-certificate
+NGINX_DEBUG=True
+# Domain name for service. Should be equal with name in generated ssl-certificate
+NGINX_VHOSTNAME=demo.kqueen.net
+# Directory path for certificates in container.Finally it look like $NGINX_SSL_CERTIFICATE_DIR/$NGINX_VHOSTNAME
+NGINX_SSL_CERTIFICATE_DIR=/mnt/letsencrypt
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index 1db07c83..ef4b2716 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -25,13 +25,24 @@ services:
     depends_on:
       - etcd
   proxy:
-    build: ./prod/nginx/
+    env_file:
+      - .env
+    build:
+      context: ./prod/nginx/
+      # TODO: check that NGINX_VHOSTNAME from .env file is equal with generated ssl-cert
+      args:
+        - DEBUG=${NGINX_DEBUG}
+        - VHOSTNAME=${NGINX_VHOSTNAME}
+        - SSL_CERTIFICATE_DIR=${NGINX_SSL_CERTIFICATE_DIR}/${NGINX_VHOSTNAME}
+        - SSL_CERTIFICATE_PATH=${NGINX_SSL_CERTIFICATE_DIR}/${NGINX_VHOSTNAME}/fullchain.cer
+        - SSL_CERTIFICATE_KEY_PATH=${NGINX_SSL_CERTIFICATE_DIR}/${NGINX_VHOSTNAME}/${NGINX_VHOSTNAME}.key
+        - SSL_TRUSTED_CERTIFICATE_PATH=${NGINX_SSL_CERTIFICATE_DIR}/${NGINX_VHOSTNAME}/ca.cer
     restart: always
     ports:
       - 443:443
       - 80:80
     volumes:
-      - /mnt/storage/kqueen/certs/:/mnt/letsencrypt/demo.kqueen.net/:ro
+      - /mnt/storage/kqueen/certs/:${NGINX_SSL_CERTIFICATE_DIR}/${NGINX_VHOSTNAME}/:ro
     volumes_from:
       - ui:ro
     depends_on:
diff --git a/prod/nginx/Dockerfile b/prod/nginx/Dockerfile
index 086a5629..e0938a67 100644
--- a/prod/nginx/Dockerfile
+++ b/prod/nginx/Dockerfile
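Review bot: The comment above `NGINX_DEBUG=True` is a copy of the `NGINX_VHOSTNAME` comment and does not describe the flag; what it does, per the Dockerfile change in this commit, is make the image build print the rendered vhost.conf and the full build environment to the build log. Suggested replacement: `# Build-time debug: print the rendered vhost.conf and the build environment to the build log; keep False for production builds`. Because this file is committed with `True`, every build from this checkout emits that dump, so committing `False` and overriding locally looks like the safer default. The third comment could read `# Directory for certificates inside the container; the final path is $NGINX_SSL_CERTIFICATE_DIR/$NGINX_VHOSTNAME`.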
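Review bot: `env_file: - .env` does not feed the `${NGINX_*}` substitutions in `build.args` and `volumes`; Compose resolves those from the shell environment and the project-directory `.env` it loads on its own, while `env_file` only injects the variables into the running proxy container, where nothing visible in this hunk reads them. If substitution is the only intent, the two `env_file` lines can be dropped; if a runtime consumer exists, a comment above them naming it would help. Note also that with `.env` absent the variables expand to empty strings, so the volume target becomes `//` and `SSL_CERTIFICATE_DIR` is passed as `/`, which bypasses the Dockerfile defaults; a required-variable form such as `${NGINX_VHOSTNAME:?NGINX_VHOSTNAME is not set}` fails early instead, if the Compose file format in use supports it.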
@@ -4,7 +4,18 @@ LABEL maintainer="tkukral@mirantis.com"
 # environment
 ENV DIR_CONF /etc/nginx/conf.d/
 ENV DIR_APP /var/www/app/
-ENV VHOSTNAME demo.kqueen.net
+ARG DEBUG
+ENV DEBUG ${DEBUG:-False}
+ARG VHOSTNAME
+ENV VHOSTNAME ${VHOSTNAME:-demo.kqueen.net}
+ARG SSL_CERTIFICATE_DIR
+ENV SSL_CERTIFICATE_DIR ${SSL_CERTIFICATE_DIR:-/mnt/letsencrypt/$VHOSTNAME}
+ARG SSL_CERTIFICATE_PATH
+ENV SSL_CERTIFICATE_PATH ${SSL_CERTIFICATE_PATH:-$SSL_CERTIFICATE_DIR/fullchain.cer}
+ARG SSL_CERTIFICATE_KEY_PATH
+ENV SSL_CERTIFICATE_KEY_PATH ${SSL_CERTIFICATE_KEY_PATH:-$SSL_CERTIFICATE_DIR/$VHOSTNAME.key}
+ARG SSL_TRUSTED_CERTIFICATE_PATH
+ENV SSL_TRUSTED_CERTIFICATE_PATH ${SSL_TRUSTED_CERTIFICATE_PATH:-$SSL_CERTIFICATE_DIR/ca.cer}
 
 # flush nginx config
 RUN rm -v /etc/nginx/conf.d/*
@@ -13,4 +24,10 @@ RUN rm -v /etc/nginx/conf.d/*
 COPY vhost.conf $DIR_CONF
 
 # edit vhost.conf
-RUN sed -i "s/vhostname/$VHOSTNAME/g" "$DIR_CONF/vhost.conf"
+RUN sed -i "s@vhostname@$VHOSTNAME@g" "$DIR_CONF/vhost.conf" && \
+    sed -i "s@ssl_certificate_path@$SSL_CERTIFICATE_PATH@g" "$DIR_CONF/vhost.conf" && \
+    sed -i "s@ssl_certificate_key_path@$SSL_CERTIFICATE_KEY_PATH@g" "$DIR_CONF/vhost.conf" && \
+    sed -i "s@ssl_trusted_certificate_path@$SSL_TRUSTED_CERTIFICATE_PATH@g" "$DIR_CONF/vhost.conf"
+
+#debug mode
+RUN if [ "$DEBUG" = True ]; then (echo 'Check nginx configuration: '; cat "$DIR_CONF/vhost.conf"; echo 'Check defined environment variables: '; env); fi
diff --git a/prod/nginx/vhost.conf b/prod/nginx/vhost.conf
index 2f363115..b6e8b674 100644
--- a/prod/nginx/vhost.conf
+++ b/prod/nginx/vhost.conf
@@ -27,8 +27,9 @@ server { # https://vhostname
 
     access_log /dev/stdout main;
     error_log /dev/stdout info;
-    ssl_certificate /mnt/letsencrypt/vhostname/fullchain.cer;
-    ssl_certificate_key /mnt/letsencrypt/vhostname/vhostname.key;
+    ssl_certificate ssl_certificate_path;
+    ssl_certificate_key ssl_certificate_key_path;
+
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
 
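Review bot: `ENV DEBUG ${DEBUG:-False}` promotes a build-only switch into the runtime environment of the image; the only consumer visible in this commit is the `RUN if [ "$DEBUG" = True ]` in the next hunk, so `ARG DEBUG` plus `[ "${DEBUG:-False}" = True ]` at the point of use keeps it out of `docker inspect` and the container environment. The same may apply to the certificate-path variables if nothing in the image reads them at run time, which cannot be confirmed from the hunk; a one-line comment above the block, `# build args, persisted as ENV because <reason>`, would settle it either way. The `${VAR:-default}` form itself is the right choice here, since Compose appears to pass empty strings for unset `NGINX_*` variables and a plain `ARG` default would not apply to an empty value.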
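Review bot: The debug `RUN` dumps the entire build environment with `env` into the build log whenever `DEBUG` is `True`, and the `.env` added in this commit ships with `NGINX_DEBUG=True`, so anything passed as a build arg or ENV in a CI build lands in the log; limiting the dump to the variables this Dockerfile defines, e.g. `echo "VHOSTNAME=$VHOSTNAME SSL_CERTIFICATE_DIR=$SSL_CERTIFICATE_DIR"`, is safer. The comparison `[ "$DEBUG" = True ]` is case-sensitive, so `true` from a shell `--build-arg` silently disables the output; a comment stating the exact literal expected, or a `case` accepting both spellings, avoids the surprise. A placeholder that survives the sed chain is currently only noticed when nginx fails to start, so a fail-fast check after it, `RUN ! grep -Eq 'vhostname|ssl_(trusted_)?certificate(_key)?_path' "$DIR_CONF/vhost.conf"`, catches it at build time (`nginx -t` is not an option here because the certificates are only mounted at run time). The `#debug mode` comment should read `# debug mode` to match the file's other comments.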
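Review bot: The placeholders `ssl_certificate_path` and `ssl_certificate_key_path` are syntactically valid nginx arguments, so a reader of vhost.conf alone cannot tell they are rewritten at build time, and a missed substitution only surfaces when nginx fails to load the certificate at startup. A comment above `ssl_certificate`, `# *_path placeholders are replaced by sed in prod/nginx/Dockerfile at build time`, documents the contract. The enclosing `server` block starts and ends outside the hunk.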
@@ -49,7 +50,7 @@ server { # https://vhostname
 
     #ssl_stapling_verify on;
     ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-    ssl_trusted_certificate /mnt/letsencrypt/vhostname/ca.cer;
+    ssl_trusted_certificate ssl_trusted_certificate_path;
 
     client_max_body_size 64M;
 
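Review bot: `ssl_trusted_certificate` now points at the build-time `ca.cer` path, but the `#ssl_stapling_verify on;` line just above it is still commented out, and nginx consults `ssl_trusted_certificate` only for OCSP-stapling verification (and client-certificate verification); unless `ssl_stapling_verify` is enabled elsewhere in the `server` block, which lies outside this hunk, the directive has no effect and the `## verify chain of trust` comment overstates what is configured. Either enable `ssl_stapling_verify on;` together with `ssl_stapling on;`, or change the comment to say the chain file is mounted but not yet used for verification. The `server` block starts and ends outside the hunk.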