diff --git a/Dockerfile b/Dockerfile
index 89ac5b0..d30716e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -88,5 +88,11 @@ RUN luarocks install --tree lua_modules luaposix && \
 #USER www-data
 RUN mkdir -p /etc/resty-auto-ssl/storage/ \
 && chown -R www-data /etc/resty-auto-ssl
+
+RUN openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ -subj '/CN=sni-support-required-for-valid-ssl' \
+ -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ -out /etc/ssl/resty-auto-ssl-fallback.crt
 copy ./conf/* /etc/nginx/conf.d/
+copy ./snippets/* /usr/local/openresty/nginx/conf/
 CMD ["/usr/local/openresty/bin/openresty", "-g" ,"daemon off;"];
\ No newline at end of file
diff --git a/conf/default.conf b/conf/default.conf
index fcc8d38..f6a7c06 100644
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -1,5 +1,28 @@
 server {
 listen 80;
-
+ include get_auto_ssl.conf;
+}
+server {
+ listen 443 ssl;
+ include auto_ssl.conf;
+ include ldap.conf;
+ resolver 127.0.0.11 valid=30s;
+ set $theia theia;
+ location / {
+ #rewrite_log on;
+ #rewrite /dev/(.*) /$1 break;
+ #rewrite ^/dev$ /dev/ permanent;
+ proxy_set_header Host $host;
+ proxy_set_header Proxy "";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarde-Proto $scheme;
+
+
+ proxy_buffering off;
+ proxy_pass http://$theiaconf:3000;
+ }
 }
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..d88893a
--- /dev/null
+++ b/docker-compose.yml
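Review bot: The `RUN openssl req ... -keyout /etc/ssl/resty-auto-ssl-fallback.key` line bakes the fallback private key into an image layer, so every container started from this image shares one key that anyone able to pull the image can read; that is tolerable only as long as this certificate is never served for a real hostname. Generating the pair in an entrypoint at first start keeps it per instance, and `RUN ... && chmod 600 /etc/ssl/resty-auto-ssl-fallback.key` at least hides it from non-root processes in the container (the `#USER www-data` context line shows the image currently runs as root). The new `copy` instruction works because Dockerfile instructions are case-insensitive, but `COPY` would match the surrounding `RUN`/`CMD`. The unchanged `CMD [...]` line ends in `;`, which is not valid JSON-array syntax and is most likely parsed as shell form, so it is worth confirming the container actually starts the way this hunk assumes.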
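Review bot: `proxy_pass http://$theiaconf:3000;` uses `$theiaconf`, but the only variable set in this server block is `$theia` (`set $theia theia;`), so nginx should refuse the configuration with an unknown-variable error; presumably the intended upstream is the `theiaconf` service from docker-compose.yml, i.e. `set $theiaconf theiaconf;`. The WebSocket headers (`Upgrade` / `Connection "Upgrade"`) are sent without `proxy_http_version 1.1;`, which nginx needs for an upgrade to reach the upstream, and the unconditional `Connection "Upgrade"` is also applied to plain HTTP requests where a `map $http_upgrade $connection_upgrade` in the http block is the usual guard. `X-Forwarde-Proto` is misspelled; it should read `proxy_set_header X-Forwarded-Proto $scheme;`, otherwise the upstream never learns that the request arrived over TLS.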
@@ -0,0 +1,28 @@
+version: '2'
+services:
+ openresty:
+ image: docker.triton2.fet.at/openrestyfet:latest
+ ports:
+ - "8080:80"
+ - "4443:443"
+ volumes:
+ - nginxconf:/etc/nginx/conf.d/
+ theiaconf:
+ image: docker.triton2.fet.at/dev_theia
+ volumes:
+ - nginxconf:/home/project
+ devnginx:
+ image: docker.triton2.fet.at/dev_nginx
+ ports:
+ - "8081:80"
+ theia:
+ image: docker.triton2.fet.at/dev_theia
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - data_dev:/home
+
+volumes:
+ data_dev:
+ driver: local
+ nginxconf:
+ driver: local
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
index b70c402..22f5edb 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -108,6 +108,12 @@ http {
 init_worker_by_lua_block {
 auto_ssl:init_worker()
 }
+ auth_ldap_cache_enabled on;
+
+ldap_server fet {
+ url ldap://gagarin:389/ou=user,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at?uid?sub?(objectClass=person);
+ require valid_user;
+}
 include /etc/nginx/conf.d/*.conf;
 # Don't reveal OpenResty version to clients.
diff --git a/snippets/auto_ssl.conf b/snippets/auto_ssl.conf
new file mode 100644
index 0000000..5f765d1
--- /dev/null
+++ b/snippets/auto_ssl.conf
@@ -0,0 +1,14 @@
+ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+}
+
+ # You must still define a static ssl_certificate file for nginx to start.
+ #
+ # You may generate a self-signed fallback with:
+ #
+ # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
+ # -subj '/CN=sni-support-required-for-valid-ssl' \
+ # -keyout /etc/ssl/resty-auto-ssl-fallback.key \
+ # -out /etc/ssl/resty-auto-ssl-fallback.crt
+ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
\ No newline at end of file
diff --git a/snippets/get_auto_ssl.conf b/snippets/get_auto_ssl.conf
new file mode 100644
index 0000000..5f7753c
--- /dev/null
+++ b/snippets/get_auto_ssl.conf
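Review bot: The `theia` service mounts `/var/run/docker.sock`, which gives that container, and anyone who reaches its IDE, root-equivalent control of the Docker host; if that instance is ever the one behind the proxy in conf/default.conf, the only gate in front of it is the LDAP `require valid_user` check. A socket proxy that exposes only the API endpoints the IDE needs, or a separate host for that instance, would bound the blast radius. All images are pulled as `:latest` or untagged (`dev_theia`, `dev_nginx`), so a redeploy can silently change what runs; pinning to a versioned tag or digest keeps deployments reproducible. Port 443 is published as `4443:443` and port 80 as `8080:80`, so the HTTP-01 challenge served by snippets/get_auto_ssl.conf will only succeed if something in front forwards public port 80 to 8080.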
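Review bot: The `url ldap://gagarin:389/...` definition binds over plaintext LDAP, so every HTTP Basic login forwarded by the `auth_ldap` snippet carries the user's directory password unencrypted between the container and `gagarin`; use `ldaps://` with certificate verification if the module build supports it, or keep that hop on an isolated network. `require valid_user;` admits any account that can bind, which is broad for a server fronting a web IDE; a `require group` rule for the intended team would narrow it, and the choice deserves a comment such as `# any bindable account is accepted; tighten with require group once groups exist`. The enclosing `http {` block starts outside the hunk.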
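Review bot: The snippet sets the certificate and key but no `ssl_protocols` or `ssl_ciphers`, so every `listen 443 ssl` server that includes it inherits this OpenResty build's defaults, which on older builds still allow TLSv1 and TLSv1.1; unless the http block in nginx.conf (outside this diff) sets them, add `ssl_protocols TLSv1.2 TLSv1.3;` (dropping TLSv1.3 if the bundled OpenSSL lacks it). The eight comment lines repeat the `openssl req` command that the Dockerfile now runs at build time, so the two will drift; a one-line pointer such as `# fallback pair is generated by the Dockerfile (RUN openssl req ...); nginx needs it to start before auto-ssl has a real certificate` keeps one source of truth.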
@@ -0,0 +1,5 @@
+location /.well-known/acme-challenge/ {
+ content_by_lua_block {
+ auto_ssl:challenge_server()
+ }
+ }
\ No newline at end of file
diff --git a/snippets/ldap.conf b/snippets/ldap.conf
new file mode 100644
index 0000000..95e7143
--- /dev/null
+++ b/snippets/ldap.conf
@@ -0,0 +1,2 @@
+auth_ldap "FET Login";
+auth_ldap_servers fet;
\ No newline at end of file
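Review bot: `auth_ldap "FET Login";` switches the including server to HTTP Basic authentication, which resends the LDAP password on every request, so this snippet must only ever be included from `listen 443 ssl` servers (conf/default.conf does so) and never from the port-80 one; a leading comment `# HTTP Basic against ldap_server "fet" -- include only inside TLS server blocks` would make that constraint visible to the next editor. Because the include sits at server level it also covers the `/` proxy and any location added to that server later, which is probably intended but worth a word in the same comment.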