From f4715f3a6e28c8d4c23b612f09a069fe3ae95d80 Mon Sep 17 00:00:00 2001
From: Wojciech Galanciak
Date: Mon, 12 May 2025 12:23:18 +0200
Subject: [PATCH 1/2] nginx auto config

---
 compose/.env-template | 47 +++++++++++++++----
 compose/compose.yaml | 6 ++-
 .../nginx/{nginx.conf => nginx.conf.template} | 19 ++++----
 3 files changed, 52 insertions(+), 20 deletions(-)
 rename compose/nginx/{nginx.conf => nginx.conf.template} (88%)

diff --git a/compose/.env-template b/compose/.env-template
index 64d7d60..c5a4cf4 100644
--- a/compose/.env-template
+++ b/compose/.env-template
@@ -3,20 +3,47 @@
 # -----------------------------------------------------------------------------
 # 1. Copy this file to `.env` in the same directory as `compose.yaml`.
 # 2. Replace the placeholders on the right‑hand side with your real values.
+# 3. Place all SSL certificates and Diffie‑Hellman parameters in the
+# `nginx/ssl` directory.
+# 4. Run `docker‑compose up -d` to start the containers.
 #
-# Variables
-# ---------
-# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab
-# service (e.g. collab.example.com).
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the
+# Collab service (e.g. collab.example.com).
 #
-# INTEL_FQDN Public hostname (FQDN) for the Intel service
-# (e.g. intel.example.com).
+# INTEL_FQDN Public hostname (FQDN) for the Intel service
+# (e.g. intel.example.com).
 #
-# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating
-# communication with the intel service.
-# Use a strong, private value.
+# INTEL_SECRET Shared secret Collab uses to authenticate when
+# communicating with the Intel service. Use a strong,
+# private value.
+#
+# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab
+# virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY Private key filename for the Collab certificate
+# (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT Certificate filename for the Intel virtual host
+# (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY Private key filename for the Intel certificate
+# (e.g. ssl-intel.key).
+#
+# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem).
+# This file must exist in `nginx/ssl` or Nginx will fail
+# to start.
 ###############################################################################
 COLLAB_FQDN=collab.example.com
 INTEL_FQDN=intel.example.com
 
-INTEL_SECRET=super-secret-string
\ No newline at end of file
+INTEL_SECRET=super-secret-string
+
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PATH=dhparam.pem
\ No newline at end of file
diff --git a/compose/compose.yaml b/compose/compose.yaml
index 27c3e94..e5e96d2 100644
--- a/compose/compose.yaml
+++ b/compose/compose.yaml
@@ -18,10 +18,14 @@ services:
   nginx:
     image: nginx:latest
     container_name: codetogether-nginx
+    env_file:
+      - .env
+    environment:
+      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
     ports:
       - "443:443"
     volumes:
-      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
       - ./nginx/ssl:/etc/nginx/ssl
       - ./nginx/log:/var/log/nginx
     networks:
diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf.template
similarity index 88%
rename from compose/nginx/nginx.conf
rename to compose/nginx/nginx.conf.template
index b5a33eb..4418cd7 100644
--- a/compose/nginx/nginx.conf
+++ b/compose/nginx/nginx.conf.template
@@ -1,6 +1,7 @@
 events {
     worker_connections 1024;
 }
+
 http {
     include mime.types;
     default_type application/octet-stream;
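Review bot: Every value this hunk documents under `SSL_*` and `DHPARAM_PATH` is spliced into the template as `/etc/nginx/ssl/${VAR}`, so they must be bare file names, yet the name `DHPARAM_PATH` and the wording "Diffie‑Hellman parameters file" invite an absolute path that would expand to `/etc/nginx/ssl//srv/dhparam.pem` and stop nginx from starting. I would add one line under the variable list: `# NOTE: SSL_* and DHPARAM_PATH are file names inside nginx/ssl, not paths.` Because the nginx config enables `DHE-RSA-*` suites, the setup steps should also say how to create the file, e.g. `openssl dhparam -out nginx/ssl/dhparam.pem 2048` (at least 2048 bits; weaker groups are rejected by many current TLS clients). Step 4's `docker‑compose` appears to use the same non-ASCII hyphen as `right‑hand` and `Diffie‑Hellman`, which is "command not found" when pasted into a shell; the ASCII form is `docker compose up -d` (or `docker-compose up -d` for v1). Since step 3 puts private keys next to `.env`, which itself holds `INTEL_SECRET`, the header should state that neither `.env` nor `nginx/ssl/*.key` may be committed — I cannot see whether a `.gitignore` already covers them.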
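Review bot: `env_file: - .env` injects the whole `.env` into the nginx container, including `INTEL_SECRET`, which nginx never references; the secret then sits in the container environment (`docker inspect`, `/proc/1/environ`, any `docker exec` shell) and is handed to the entrypoint's envsubst pass for no reason. Only `COLLAB_FQDN`, `INTEL_FQDN`, the `SSL_*` names and `DHPARAM_PATH` appear in `nginx.conf.template`, so drop `env_file` and pass just those under `environment:` — compose already reads `.env` for `${VAR}` interpolation — as in the excerpt below. The official image's entrypoint substitutes every `${NAME}`/`$NAME` whose NAME exists in the environment, so `NGINX_ENVSUBST_FILTER` (written with `$$` so compose passes the literal `$`) keeps any nginx `$variable` in the parts of the template outside these hunks from being rewritten by a same-named environment variable; if the image in use predates that knob, the explicit allow-list under `environment:` is still the right shape. The new template mount is `:ro` but `./nginx/ssl`, which holds the private keys, is still mounted read-write; `- ./nginx/ssl:/etc/nginx/ssl:ro` costs nothing. The rendering now depends on the entrypoint of `nginx:latest`, so pinning the tag or digest would make deployments reproducible.
```yaml
  nginx:
    # … unchanged: image, container_name …
    environment:
      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
      # only substitute the names the template uses; $$ is a literal $ for compose
      - NGINX_ENVSUBST_FILTER=^(COLLAB_FQDN|INTEL_FQDN|SSL_.*|DHPARAM_PATH)$$
      - COLLAB_FQDN=${COLLAB_FQDN}
      - INTEL_FQDN=${INTEL_FQDN}
      - SSL_COLLAB_CERT=${SSL_COLLAB_CERT}
      - SSL_COLLAB_KEY=${SSL_COLLAB_KEY}
      - SSL_INTEL_CERT=${SSL_INTEL_CERT}
      - SSL_INTEL_KEY=${SSL_INTEL_KEY}
      - DHPARAM_PATH=${DHPARAM_PATH}
    # … unchanged: ports …
    volumes:
      - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
    # … unchanged: log volume, networks …
```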
@@ -8,12 +9,12 @@ http {
     keepalive_timeout 65;
     server {
         listen 443 ssl http2;
-        server_name ;
+        server_name ${COLLAB_FQDN};
         proxy_buffer_size 128k;
         proxy_buffers 4 256k;
-        ssl_certificate ;
-        ssl_certificate_key ;
-        ssl_dhparam ;
+        ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH};
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2;
         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -47,7 +48,7 @@ http {
         }
     }
     server {
-        server_name ;
+        server_name ${INTEL_FQDN};
         listen 443 ssl http2;
 
         # configure proxy buffer sizes
@@ -55,9 +56,9 @@ http {
         proxy_buffers 4 256k;
 
         # setup the SSL certificate
-        ssl_certificate ;
-        ssl_certificate_key ;
-        ssl_dhparam ;
+        ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH};
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2;
         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -91,4 +92,4 @@ http {
             proxy_send_timeout 360;
         }
     }
-}
+}
\ No newline at end of file
From e77c2f0b049d20760f14731ef208bc7ce6889bc2 Mon Sep 17 00:00:00 2001
From: Wojciech Galanciak
Date: Mon, 12 May 2025 12:24:52 +0200
Subject: [PATCH 2/2] remove redundant comment

---
 compose/.env-template | 2 --
 1 file changed, 2 deletions(-)

diff --git a/compose/.env-template b/compose/.env-template
index c5a4cf4..9acc048 100644
--- a/compose/.env-template
+++ b/compose/.env-template
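Review bot: The TLS policy lines in this hunk (`ssl_dhparam`, `ssl_prefer_server_ciphers`, `ssl_protocols`, `ssl_ciphers`) are repeated verbatim in the `@@ -55,9` hunk for the Intel server, so the two virtual hosts can silently diverge the next time someone tunes one of them; now that the file is generated from a template, hoist those four directives to `http {}` and leave only `server_name`, `ssl_certificate` and `ssl_certificate_key` per server, as in the excerpt. While moving them, `ssl_protocols TLSv1.2 TLSv1.3;` is the better default for `nginx:latest`, whose OpenSSL supports 1.3; `ssl_ciphers` keeps governing the 1.2 suites. Both `server {}` blocks begin or end outside these hunks, as does the `http {}` block that would receive the shared lines.
```nginx
http {
    # … unchanged: include mime.types, default_type, keepalive_timeout …

    # TLS policy shared by both virtual hosts; each server {} keeps only
    # server_name, ssl_certificate and ssl_certificate_key
    ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH};
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    server {
        listen 443 ssl http2;
        server_name ${COLLAB_FQDN};
        # … unchanged: proxy_buffer_size, proxy_buffers …
        ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
        ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
        # … unchanged: remainder of the Collab server; the Intel server drops the same four lines …
```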
@@ -32,8 +32,6 @@
 # (e.g. ssl-intel.key).
 #
 # DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem).
-# This file must exist in `nginx/ssl` or Nginx will fail
-# to start.
 ###############################################################################
 COLLAB_FQDN=collab.example.com