From 0a01e10832f10478a8e42d42a717c1f45dcf837d Mon Sep 17 00:00:00 2001 From: Matt Fellows Date: Fri, 19 Jan 2018 12:20:58 +1100 Subject: [PATCH] feat(ssl): create nginx SSL reverse proxy example (#58) --- README.md | 7 ++++--- docker-compose.yml | 10 ++++++++++ ssl/nginx-selfsigned.crt | 22 ++++++++++++++++++++++ ssl/nginx-selfsigned.key | 27 +++++++++++++++++++++++++++ ssl/nginx.conf | 21 +++++++++++++++++++++ 5 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 ssl/nginx-selfsigned.crt create mode 100644 ssl/nginx-selfsigned.key create mode 100644 ssl/nginx.conf diff --git a/README.md b/README.md index b322c3c..11d74a6 100644 --- a/README.md +++ b/README.md @@ -55,9 +55,10 @@ For a quick start with the Pact Broker and Postgres, we have an example Now you can access your local broker: ```sh -# Get IP of your running Docker instance -DOCKER_HOST=$(docker-machine ip $(docker-machine active)) -curl -v http://$DOCKER_HOST # you can visit in your browser too! +curl -v http://localhost # you can visit in your browser too! + +# SSL endpoint, note that URLs in response contain https:// protocol +curl -v -k https://localhost:8443 ``` _NOTE: this image should be modified before using in Production, in particular, the use of hard-coded credentials_ diff --git a/docker-compose.yml b/docker-compose.yml index 0413d9b..6233f7b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -24,3 +24,13 @@ services: PACT_BROKER_DATABASE_PASSWORD: password PACT_BROKER_DATABASE_HOST: postgres PACT_BROKER_DATABASE_NAME: postgres + + nginx: + image: nginx:alpine + links: + - broker_app:broker + volumes: + - ./ssl/nginx.conf:/etc/nginx/conf.d/default.conf:ro + - ./ssl:/etc/nginx/ssl + ports: + - "8443:443" \ No newline at end of file diff --git a/ssl/nginx-selfsigned.crt b/ssl/nginx-selfsigned.crt new file mode 100644 index 0000000..d4a4d6d --- /dev/null +++ b/ssl/nginx-selfsigned.crt 
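Review bot: The new `./ssl:/etc/nginx/ssl` volume lacks the `:ro` suffix that the `nginx.conf` mount directly above it carries, so the directory holding the private key is writable from inside the nginx container; make it `- ./ssl:/etc/nginx/ssl:ro`. That mount also ships `ssl/nginx-selfsigned.key` as a committed repository file, meaning every clone holds the private key for the HTTPS endpoint — acceptable for a localhost demo, but the README NOTE in this commit only warns about hard-coded credentials and should also say the committed key pair must be regenerated (e.g. `openssl req -x509 -newkey rsa:2048 -nodes -keyout ssl/nginx-selfsigned.key -out ssl/nginx-selfsigned.crt -days 365 -subj /CN=localhost`) before any non-local use. Decoding the committed certificate, it appears to carry a one-year validity starting 2018-01-18 and a SHA-1 signature, so the example will stop working without that regeneration in any case. `links` is a legacy compose feature; if this file is on compose format v2 or later, the service is already reachable as `broker_app` on the default network, and `depends_on: [broker_app]` would make the start-up order explicit instead.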
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIJAPVSxq8aUpd1MA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTgwMTE4MjMzMjMzWhcNMTkwMTE4MjMzMjMzWjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA5vwTFJLlWmMC456Kv7uHxSqARkj5dwsb0lFoc5bGjOYvlJUu2S8F8QMc +PlW2vXM7UsmBzbNgQsQh1FgRXgfNfHF80F21dILpzM/aA8a/GkJsKUZCHccQb5mq +i25OrI4+XE6kSt/fwTbWRJGZgEADoIJ3wewcfzkJoeGonU+g8rYwPLq9xaHwFVFV +x30KIZv5CToanHVy+aQUKg9m4VGuij22U7HzphS4IGZoaj2Uo0vpXqhWoKYrLFv2 +h0spP93Pr4VzoRGwlHgl2s+7qfwzRf9DhxePq9lGnqJ8TMQv1+jRITWB8jT8qW3Q +t/+fWaGtkqbtgS8vGaAoXtXUZIWarQIDAQABo4GnMIGkMB0GA1UdDgQWBBSQCcqt +DxAYpPkMWvMmU+DMT21RuDB1BgNVHSMEbjBsgBSQCcqtDxAYpPkMWvMmU+DMT21R +uKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV +BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAPVSxq8aUpd1MAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAE+ryTcny4NfIhdAwFbGjfZSsOHf0Ivt +5lW0hHA7SZVcPysgAlM8sk+aZDQdNEP6eoUfpuwLvAio/kpvr9pFI0THvBm9W9MS +zWmKkGrsuk8MXM0SsPi+BSz49YwAtsLFku7fsr/GNAD6+Vw+fyF+ySvUYJ2FwOEF +4lYfzy1X0BA6l4RVmnO1Rv8Mn6LkzrBMe4kW0VARaBsS3hO/FW2nHMSDSkRCFjKi +4qeX6RcJhHzfsZnQi2gqbVQXUvYiSjZL561UZdaybNJdSU+uOKgK2NTU1Pv6Prkh +HS9Gm+yEtgSvTx/JoLkiKx31Q4GH2hoommCT0viCcnKz1eHKGYUhMP0= +-----END CERTIFICATE----- diff --git a/ssl/nginx-selfsigned.key b/ssl/nginx-selfsigned.key new file mode 100644 index 0000000..e8a6b54 --- /dev/null +++ b/ssl/nginx-selfsigned.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA5vwTFJLlWmMC456Kv7uHxSqARkj5dwsb0lFoc5bGjOYvlJUu +2S8F8QMcPlW2vXM7UsmBzbNgQsQh1FgRXgfNfHF80F21dILpzM/aA8a/GkJsKUZC +HccQb5mqi25OrI4+XE6kSt/fwTbWRJGZgEADoIJ3wewcfzkJoeGonU+g8rYwPLq9 +xaHwFVFVx30KIZv5CToanHVy+aQUKg9m4VGuij22U7HzphS4IGZoaj2Uo0vpXqhW +oKYrLFv2h0spP93Pr4VzoRGwlHgl2s+7qfwzRf9DhxePq9lGnqJ8TMQv1+jRITWB +8jT8qW3Qt/+fWaGtkqbtgS8vGaAoXtXUZIWarQIDAQABAoIBAQC3r5woz0yO3ZAN +nSWvpZ0pwUuzGRMxhOcCEPUkfrG0mNUbrqtL0WZDLHsIYzdoXzu88TxFbbFORxSz +/bkJ8uCJZuKf/PVxCy6MTnqMaD/OzSWgiRvI/GXoqeYC7ZypApE67NsgI/qXd1lb +vAG7CK0ZtscvsulSjvRHBOIG/6z5dUAKnLJjr7uKydMHSIKNafKAEA6HGDCvIu4d +J9EQzLfmpjLTkeB1DNZrv1mtNjf/kG/M/UX5a1RtOJTGvHQn/oZSUKng3DVUNBtq +dEO6Pi5n88xWuxH6YAWqqDjCfqyey1Jc1rQxfnx6vRPL7+IaXRugAKFMFm8Xbp9/ +/9eEDCyNAoGBAPZEjYH9u2856KYUTyky8gD1TOE9gf4x4zFjK6SzBT8v1y1RdSwQ +tf7ozj94OV/b9bAE3k/z2a09xYty5VBXs6MCluQTS67KgRaO9sSFtRmnupyBNk2z +r3QEYuVDmJ6Dk/3ovItXqFaW8IbOZMf6Acu5aEDx4UKmb2tzGGJ7DxF/AoGBAPAc +57p1yRWIG+hJMdkudXhBz+L3t2NbESWom33hi1mDMIKp3dwJmhA4kq+Uyqfl32uF +Iy3z+3xr2V1BdGg1RnicfcyjHaQ4/89YB+nkOHB8muV2R57tYahOgWn6rXXxTOBs +X2Vjd7ByAEFimrVfDH33inrYuIiI/cku4Xyj71HTAoGBAJeyrsBuPfFL6KW1SPYF +7dDtSchNjS+6J0sa3Z18sTS1EYVW8iiMuq8lVTb/pcgIxJUCyrbRbTssG+3EfsE4 +5Oz7AVvJDwvCrjXpJtTz0BTXnzoc1giTMPb0ZL75HqA2SQlVPh9PheCg5dUEekw9 +ErIdqbynwqy9vVCg+1pel2+dAoGAR1C+fsIHFG8VottCg/fpies6HHZosIjWwfGf +JTc9FTwCx3w+WeE8Mf8rihzOSCndPukPNtHVavH5YFpVgbH5GU+ZiZMU9ba8O9Aw +oYZYQQixVN/Zi9mDfOK8S0baCELAC5QEjW+KmAx0CPeJbb8qTaudJLmDrYHKpttW +u5dROGMCgYEAlgTZNiEeBAPQZD30CSvFUlZVCOOyu5crP9hCPA9um5FsvD9minSz +yJqeMj7zapZsatAzYwHrGG6nHnTKWEBNaimR7kjTpKdKzXQaA9XeVLmeFAZ3Exad +JDKTPI+asF+097sHUcVuloMOZXbD1uAZnvLWIwfsaHxs41AkF+0lmM4= +-----END RSA PRIVATE KEY----- diff --git a/ssl/nginx.conf b/ssl/nginx.conf new file mode 100644 index 0000000..83eea6c --- /dev/null +++ b/ssl/nginx.conf 
@@ -0,0 +1,21 @@
+server {
+ listen 443 ssl default_server;
+ server_name localhost;
+ ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ proxy_pass http://broker:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Scheme "https";
+ proxy_set_header X-Forwarded-Port "443";
+ proxy_set_header X-Forwarded-Ssl "on";
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+}
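Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables the deprecated TLS 1.0 and 1.1 handshakes, and `ssl_prefer_server_ciphers on;` is set with no `ssl_ciphers` directive, so the server ordering it enforces is nginx's built-in default list, which still admits non-forward-secret RSA key exchange and CBC suites; pin `ssl_protocols TLSv1.2;` and add an explicit ECDHE/AEAD cipher list. `ssl_stapling on;` and `ssl_stapling_verify on;` cannot do anything for a self-signed certificate that has no OCSP responder URL — nginx will presumably log that stapling is ignored at start-up — so either drop the two lines or add a comment that they are placeholders for a CA-issued certificate. The `location` block forwards `X-Real-IP` but not `X-Forwarded-For`, and sets the non-standard `X-Forwarded-Scheme` without the conventional `X-Forwarded-Proto`; adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto "https";` keeps the broker's client addressing and scheme detection working behind other proxies too. Note also that `Host $host` drops the client's port while `X-Forwarded-Port` is hard-coded to `443` although the compose file publishes `8443`, so the `https://` URLs the README says appear in responses will presumably be built for port 443 — worth confirming against the broker before documenting them.
```nginx
server {
    listen 443 ssl default_server;
    # … unchanged: server_name, ssl_certificate, ssl_certificate_key …
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    # … unchanged: ssl_ecdh_curve, ssl_session_cache …
    # ssl_stapling / ssl_stapling_verify removed: a self-signed certificate has no OCSP responder to staple from

    location / {
        proxy_pass http://broker:80;
        # … unchanged: Host, X-Forwarded-Scheme, X-Forwarded-Port, X-Forwarded-Ssl, X-Real-IP …
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```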