author | Matt Arnold <matt@thegnuguru.org> | 2023-06-05 19:15:38 -0400 |
---|---|---|
committer | Matt Arnold <matt@thegnuguru.org> | 2023-06-05 19:15:38 -0400 |
commit | eaa5346068abc28cfd463d6b03e8118d9054bfd1 (patch) | |
tree | c299a48560eeb7de7cd22a8df233b0a5bfec73c5 | |
parent | 4f213893a7d082c1125ef745258c682a4a653b78 (diff) | |
parent | c3b15d728bfd9c7c0428c8c2016b9ebf892211da (diff) |
Join the devops repo to the main one
-rw-r--r-- | Dockerfile | 16 | ||||
-rw-r--r-- | Makefile | 20 | ||||
-rwxr-xr-x | appbuild.sh | 14 | ||||
-rw-r--r-- | entrypoint.sh | 6 | ||||
-rw-r--r-- | fly.toml | 37 | ||||
-rw-r--r-- | nginx-config | 54 | ||||
-rwxr-xr-x | sign.sh | 10 |
7 files changed, 157 insertions, 0 deletions
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d6f1cca
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM alpine:edge
+
+RUN echo -e "\nhttps://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
+RUN apk add --update --no-cache go git make musl-dev curl openssl
+RUN mkdir -p /app/src
+WORKDIR /app/src
+ARG appRoot=/app
+COPY appbuild.sh /app/src
+RUN chmod +x appbuild.sh
+RUN ./appbuild.sh
+COPY sign.sh /app/src
+WORKDIR /
+COPY entrypoint.sh /
+RUN chmod +x entrypoint.sh
+EXPOSE 3000
+ENTRYPOINT ./entrypoint.sh
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c6be5c8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,20 @@
+build: sign
+ docker build --no-cache . -t deepblue
+sign:
+ ./sign.sh
+up: sign
+ docker run --net customnetwork --ip 172.42.0.2 -d deepblue --name blueproxy
+clean:
+ rm -fv intercept*
+ rm -rfv app
+nodocker:
+ mkdir -pv app/src
+ cp appbuild.sh app/src
+ cp intercept.* app
+ cd app/src
+ export appRoot=` realpath ../app`
+ ./appbuild.sh
+
+all: sign build up
+
+
diff --git a/appbuild.sh b/appbuild.sh
new file mode 100755
index 0000000..95ea5dd
--- /dev/null
+++ b/appbuild.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+if [ ! -n $appRoot ]
+then
+ export appRoot="/app"
+fi
+mkdir -pv $appRoot/src
+cd $appRoot/src
+echo $appRoot
+git clone https://git.piusbird.space/poseidon.git/
+cd poseidon
+go build
+cp *.html $appRoot
+cp -r assets $appRoot
+cp poseidon $appRoot
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..72e80d7
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+cd /app
+#./miniwebproxy >> /stackmsg 2>&1 &
+./poseidon >> /stackmsg 2>&1
+tail -f /stackmsg
+
diff --git a/fly.toml b/fly.toml
new file mode 100644
index 0000000..307041d
--- /dev/null
+++ b/fly.toml
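Review bot: `ENTRYPOINT ./entrypoint.sh` on the last line is shell form, so PID 1 is `/bin/sh -c` and the SIGINT that fly.toml configures as kill_signal (or the SIGTERM from `docker stop`) is delivered to that shell rather than to poseidon; use exec form, `ENTRYPOINT ["/entrypoint.sh"]`, and have the script `exec` the server. The image also runs as root to the end — no `USER` is set after the package install — and is built from `alpine:edge` plus the edge community repository, so each rebuild picks up a moving base; pin a release tag (or digest) and add a non-root user before ENTRYPOINT. `RUN ./appbuild.sh` clones and compiles inside the same stage, so go, git, make and the source tree stay in the runtime image; a build stage with `COPY --from=` for the binary and the html/assets would drop them. `COPY sign.sh /app/src` ships the certificate-generation script into the image although nothing in the Dockerfile runs it; it can be removed.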
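Review bot: The `nodocker` target cannot work as written: make runs each recipe line in its own shell, so `cd app/src` and `export appRoot=...` are gone by the time `./appbuild.sh` runs and the script is started without `appRoot`. Join the lines into one command, `cd app/src && appRoot=$$(realpath ../app) ./appbuild.sh` (with `$$` so make passes the `$` through), or set `.ONESHELL:` at the top of the file. In `up`, `--name blueproxy` comes after the image name, so docker hands it to the container as an argument instead of naming the container — and because the Dockerfile's ENTRYPOINT is shell form those arguments are dropped silently; move `--name blueproxy` before `deepblue`.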
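Review bot: The default on line 2 never applies: with `appRoot` unset, `[ ! -n $appRoot ]` expands to `[ ! -n ]`, which sh evaluates as the negation of "the string `-n` is non-empty", i.e. false, so the script carries on with an empty `$appRoot` and operates on `/src`. Write the test as `if [ -z "${appRoot:-}" ]` and quote the other uses (`"$appRoot/src"`). There is no `set -e`, so a failed `git clone` or `go build` is only caught indirectly by a later `cp` failing; add `set -eu` after the shebang. `git clone https://git.piusbird.space/poseidon.git/` fetches whatever the remote's default branch points at when the image is built, so the artefact is not reproducible and any change on that remote lands in the next build unreviewed; clone a tag or record a commit and check it out (`git checkout <PINNED-COMMIT>`, placeholder) so a rebuild yields the same binary.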
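Review bot: `./poseidon >> /stackmsg 2>&1` runs the server in the foreground, so `tail -f /stackmsg` is only reached after poseidon exits; the container then stays "running" while tailing the log of a dead process, so `docker ps` and the Makefile's `up` target see a live container after a crash. Because the shell never `exec`s, a stop signal also lands on `sh` rather than on poseidon. Replace the last two lines with `exec ./poseidon` so the server is PID 1, receives signals, and its stdout/stderr go to the container log instead of `/stackmsg`, which otherwise grows without bound inside the container filesystem.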
@@ -0,0 +1,37 @@
+# fly.toml app configuration file generated for blueproxy on 2023-05-12T12:32:08-04:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+
+app = "blueproxy"
+primary_region = "ams"
+kill_signal = "SIGINT"
+kill_timeout = "5s"
+
+[experimental]
+ auto_rollback = true
+
+[[services]]
+ protocol = "tcp"
+ internal_port = 3000
+ min_machines_running = 0
+ processes = ["app"]
+
+ [[services.ports]]
+ port = 80
+ handlers = ["http"]
+ force_https = true
+
+ [[services.ports]]
+ port = 443
+ handlers = ["tls", "http"]
+ [services.concurrency]
+ type = "connections"
+ hard_limit = 25
+ soft_limit = 20
+
+ [[services.tcp_checks]]
+ interval = "15s"
+ timeout = "2s"
+ grace_period = "1s"
+ restart_limit = 0
diff --git a/nginx-config b/nginx-config
new file mode 100644
index 0000000..26aa92f
--- /dev/null
+++ b/nginx-config
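Review bot: Port 443 is terminated by Fly's `tls` handler and forwarded straight to `internal_port = 3000`, so on this deployment path nothing checks a client certificate before poseidon, whereas nginx-config in the same commit gates every request on `$ssl_client_verify`; if the mTLS gate is meant to hold for the Fly deployment as well, it has to be enforced by the application or by a proxy inside the machine, and a comment saying which of the two deployments is authoritative would help the next reader. `kill_signal = "SIGINT"` also only reaches the server if the container's PID 1 is poseidon, which the shell-form ENTRYPOINT in the Dockerfile does not provide.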
@@ -0,0 +1,54 @@
+server {
+ listen 80;
+ server_name blue.piusbird.space;
+ return 302 https://$server_name$request_uri;
+}
+
+server {
+ access_log /var/log/nginx/blueproxy.access.log;
+ error_log /var/log/nginx/blueproxy.error.log;
+ listen 443 ssl;
+ ssl_certificate /etc/letsencrypt/live/blue.piusbird.space/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/blue.piusbird.space/privkey.pem;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+ ssl_dhparam /etc/dhparms.global;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # client side verification options
+ ssl_client_certificate /etc/nginx/client-full.crt;
+ # make verification optional, so we can display a 403 message to those
+ # who fail authentication
+ ssl_verify_client optional;
+
+ server_name blue.piusbird.space;
+
+ location / {
+ if ($ssl_client_verify != SUCCESS) {
+ return 403;
+ }
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://172.42.0.2:3000;
+ }
+
+
+
+}
+
+
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000..3492df2
--- /dev/null
+++ b/sign.sh
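Review bot: The `$ssl_client_verify != SUCCESS` check inside `location /` is the only thing between an unauthenticated client and the upstream, and it is scoped to that one location; any `location` added later (a `/static/` block, say) proxies without it, because `ssl_verify_client optional` accepts the handshake either way. Move the three lines `if ($ssl_client_verify != SUCCESS) { return 403; }` up to server context, next to `ssl_verify_client optional`, so they cover every location, and add a comment there stating that this 403 is what enforces the client-certificate requirement. The proxied request also carries no scheme, so poseidon cannot tell it was reached over TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` beside the other headers.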
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+[ -f intercept.key ] ||
+ openssl genrsa -out intercept.key 2048
+
+[ -f intercept.csr ] ||
+ openssl req -new -key intercept.key -out intercept.csr -subj /CN=intercept.miniweb
+
+openssl x509 -sha256 -req -days 365 -in intercept.csr -out intercept.crt -signkey intercept.key |
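Review bot: The final `openssl x509 ... -signkey intercept.key` line is not guarded the way the key and CSR are, so every `make sign` (and therefore every `make build` and `make up`) issues a new certificate with a fresh serial and validity window even when nothing changed; guard it the same way, `[ -f intercept.crt ] || openssl x509 -sha256 -req -days 365 -in intercept.csr -out intercept.crt -signkey intercept.key`, so a rebuild does not silently rotate a certificate that something else has been configured to trust. The generated `intercept.key` lives in the repository checkout, which is also the docker build context, so it is sent to the daemon on every `docker build` although the Dockerfile never COPYs it; list `intercept.*` in `.dockerignore` (and `.gitignore`) unless that is already the case. The certificate is issued without an extensions file, so it carries no SAN, key usage or basicConstraints; a one-line comment on what the `intercept.miniweb` certificate is for (the Makefile copies it into `app`) would let the next reader judge whether that is acceptable.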