authorMatt Arnold <matt@thegnuguru.org>2023-06-05 19:15:38 -0400
committerMatt Arnold <matt@thegnuguru.org>2023-06-05 19:15:38 -0400
commiteaa5346068abc28cfd463d6b03e8118d9054bfd1 (patch)
treec299a48560eeb7de7cd22a8df233b0a5bfec73c5
parent4f213893a7d082c1125ef745258c682a4a653b78 (diff)
parentc3b15d728bfd9c7c0428c8c2016b9ebf892211da (diff)
Join the devops repo to the main one
-rw-r--r--Dockerfile16
-rw-r--r--Makefile20
-rwxr-xr-xappbuild.sh14
-rw-r--r--entrypoint.sh6
-rw-r--r--fly.toml37
-rw-r--r--nginx-config54
-rwxr-xr-xsign.sh10
7 files changed, 157 insertions, 0 deletions
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d6f1cca
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM alpine:edge
+
+RUN echo -e  "\nhttps://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories
+RUN apk add --update --no-cache go git make musl-dev curl openssl
+RUN mkdir -p /app/src
+WORKDIR /app/src
+ARG appRoot=/app
+COPY appbuild.sh /app/src
+RUN chmod +x appbuild.sh
+RUN ./appbuild.sh
+COPY sign.sh /app/src
+WORKDIR /
+COPY entrypoint.sh /
+RUN chmod +x entrypoint.sh
+EXPOSE 3000
+ENTRYPOINT ./entrypoint.sh
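Review bot: `ENTRYPOINT ./entrypoint.sh` on the last line is the shell form, so PID 1 is a `/bin/sh -c` wrapper and the SIGINT that fly.toml's `kill_signal` sends is not guaranteed to reach the script or the server; the container then lives until `kill_timeout` expires. Use the exec form, `ENTRYPOINT ["/entrypoint.sh"]`, and have the script `exec` the server so the signal lands on the process that should handle it. `FROM alpine:edge` with `--no-cache` builds and the unpinned clone inside appbuild.sh also mean two consecutive builds can differ; pinning the base image by digest (`alpine:edge@sha256:<digest placeholder>`) would make the `--no-cache` build reproducible and the resulting image reviewable.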
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c6be5c8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,20 @@
+build: sign
+	docker build --no-cache . -t deepblue
+sign:
+	./sign.sh
+up: sign 
+	docker run --net customnetwork --ip 172.42.0.2 -d deepblue --name blueproxy
+clean:
+	rm -fv intercept*
+	rm -rfv app
+nodocker:
+	mkdir -pv app/src
+	cp appbuild.sh app/src
+	cp intercept.* app
+	cd app/src
+	export appRoot=` realpath ../app`
+	./appbuild.sh
+
+all: sign build up
+
+
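Review bot: In the `nodocker` recipe the `cd app/src` and `export appRoot=...` lines have no effect on `./appbuild.sh`, because each recipe line runs in its own shell; the script runs from the top directory with appRoot unset and falls back to its own default. Collapse the three lines into one, `cd app/src && appRoot=$$(realpath ..) ./appbuild.sh` — note that from app/src the original `../app` would resolve to app/app, which this target never creates, so confirm which directory was meant to be the root. In `up`, `--name blueproxy` comes after the image name, so docker passes it to the container's entrypoint as an argument instead of naming the container; move it before `deepblue`. None of these targets produce a file of their own name, so add `.PHONY: all build sign up clean nodocker`, and drop the trailing space after `up: sign`.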
diff --git a/appbuild.sh b/appbuild.sh
new file mode 100755
index 0000000..95ea5dd
--- /dev/null
+++ b/appbuild.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+if [ ! -n $appRoot ]
+then
+	export appRoot="/app"
+fi
+mkdir -pv $appRoot/src
+cd $appRoot/src
+echo $appRoot
+git clone https://git.piusbird.space/poseidon.git/
+cd poseidon 
+go build
+cp *.html $appRoot
+cp -r assets $appRoot
+cp poseidon $appRoot
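Review bot: The guard `[ ! -n $appRoot ]` on line 2 does not apply the default when appRoot is empty: the unquoted word expands to nothing, `[ ! -n ]` tests the literal string `-n` for non-emptiness, and the branch is skipped, after which `mkdir -pv $appRoot/src` creates `/src`. Write it as `[ -z "$appRoot" ]` and quote every later use of `"$appRoot"`. There is no `set -e`, so a failed `git clone` or `cd poseidon` still continues into `go build` and the `cp` lines against whatever the current directory holds; `set -eu` after the shebang stops at the first failure. The clone of git.piusbird.space is unpinned, so the image content depends on that repository's HEAD at build time; checking out a fixed tag or commit after the clone makes builds reproducible and lets a reviewer know exactly which code was shipped.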
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..72e80d7
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+cd /app
+#./miniwebproxy >> /stackmsg 2>&1 &
+./poseidon >> /stackmsg 2>&1
+tail -f /stackmsg
+
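Review bot: `./poseidon >> /stackmsg 2>&1` on line 4 runs in the foreground, so `tail -f /stackmsg` is only reached after the server has exited; from then on tail keeps the container alive with no service behind port 3000, hiding the failure from anything that watches the container's exit status. Replacing the last two lines with `exec ./poseidon` (letting its output go to stdout/stderr so `docker logs` shows it) makes the container exit when the server does and delivers the stop signal directly to the server process. The commented-out `#./miniwebproxy` line is dead code and should be removed rather than kept as a hint.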
diff --git a/fly.toml b/fly.toml
new file mode 100644
index 0000000..307041d
--- /dev/null
+++ b/fly.toml
@@ -0,0 +1,37 @@
+# fly.toml app configuration file generated for blueproxy on 2023-05-12T12:32:08-04:00
+#
+# See https://fly.io/docs/reference/configuration/ for information about how to use this file.
+#
+
+app = "blueproxy"
+primary_region = "ams"
+kill_signal = "SIGINT"
+kill_timeout = "5s"
+
+[experimental]
+  auto_rollback = true
+
+[[services]]
+  protocol = "tcp"
+  internal_port = 3000
+  min_machines_running = 0
+  processes = ["app"]
+
+  [[services.ports]]
+    port = 80
+    handlers = ["http"]
+    force_https = true
+
+  [[services.ports]]
+    port = 443
+    handlers = ["tls", "http"]
+  [services.concurrency]
+    type = "connections"
+    hard_limit = 25
+    soft_limit = 20
+
+  [[services.tcp_checks]]
+    interval = "15s"
+    timeout = "2s"
+    grace_period = "1s"
+    restart_limit = 0
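Review bot: This service publishes `internal_port = 3000` on public ports 80 and 443 through Fly's proxy, while the nginx-config added in the same commit only reaches port 3000 on 172.42.0.2 after a client certificate has been verified. If both deployments are live, the Fly path reaches the application without that gate; that may be intended, but it is not stated anywhere. A comment at the top of this file saying whether the Fly deployment is meant to be publicly reachable (or that the application enforces its own access control) would settle it for the next reader.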
diff --git a/nginx-config b/nginx-config
new file mode 100644
index 0000000..26aa92f
--- /dev/null
+++ b/nginx-config
@@ -0,0 +1,54 @@
+server {
+    listen 80;
+    server_name blue.piusbird.space;
+    return 302 https://$server_name$request_uri;
+}
+
+server {
+        access_log  /var/log/nginx/blueproxy.access.log;
+	error_log  /var/log/nginx/blueproxy.error.log;
+	listen 443 ssl;
+	ssl_certificate /etc/letsencrypt/live/blue.piusbird.space/fullchain.pem; 
+	ssl_certificate_key /etc/letsencrypt/live/blue.piusbird.space/privkey.pem;
+	
+	ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+        ssl_session_tickets off;
+	ssl_dhparam /etc/dhparms.global;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    # OCSP stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    
+	# client side verification options
+	 ssl_client_certificate /etc/nginx/client-full.crt;
+    # make verification optional, so we can display a 403 message to those
+    # who fail authentication
+    ssl_verify_client optional;
+
+	server_name blue.piusbird.space;
+	
+	location / {
+	if ($ssl_client_verify != SUCCESS) {
+        return 403;
+      }
+
+      proxy_set_header        Host $host;
+      proxy_set_header        X-Real-IP $remote_addr;
+      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass http://172.42.0.2:3000;
+    }
+
+
+
+}
+
+
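Review bot: The client-certificate gate `if ($ssl_client_verify != SUCCESS) { return 403; }` sits inside `location /`, so any location block added to this server later is unauthenticated by default; hoisting the `if` to server level, above `location /`, makes the check apply to every request in the virtual host. The upstream `proxy_pass http://172.42.0.2:3000` is the same fixed address the Makefile's `docker run --ip` assigns, so the two files must change together; a comment here naming that coupling would help. `ssl_stapling_verify on` needs the issuer chain configured as trusted; if nginx logs a stapling warning at startup, add `ssl_trusted_certificate` pointing at the Let's Encrypt chain file. The block mixes tabs and four-space indentation; pick one.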
diff --git a/sign.sh b/sign.sh
new file mode 100755
index 0000000..3492df2
--- /dev/null
+++ b/sign.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+[ -f intercept.key ] ||
+	openssl genrsa -out intercept.key 2048
+
+[ -f intercept.csr ] ||
+	openssl req -new -key intercept.key -out intercept.csr -subj /CN=intercept.miniweb
+
+openssl x509 -sha256 -req -days 365 -in intercept.csr -out intercept.crt -signkey intercept.key
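Review bot: The private key written by `openssl genrsa -out intercept.key` on line 5 is created with the caller's umask on some OpenSSL builds, so it may end up group- or world-readable; adding `umask 077` right after `set -e` (or `chmod 600 intercept.key` after generation) pins the mode regardless of the build. The final `openssl x509` line is unconditional, so every `make build` or `make up` issues a new certificate even when intercept.crt already exists, while the key and CSR are guarded; if that is not intended, guard it the same way with `[ -f intercept.crt ] ||`. Since `make clean` removes `intercept*`, a new key is generated on the next run, and the Dockerfile does not copy intercept.* into the image, so where the certificate is actually consumed is not visible in this commit — a one-line comment at the top stating what the certificate is for would help.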