Add configmap for nginx settings and config
This commit is contained in:
parent
ea853a7b28
commit
9262c0f346
73
deploy/kubernetes/atst-nginx-configmap.yml
Normal file
73
deploy/kubernetes/atst-nginx-configmap.yml
Normal file
@ -0,0 +1,73 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: atst-nginx
|
||||
namespace: atat
|
||||
data:
|
||||
htpasswd: |
|
||||
atat:$apr1$D9ZQ6.AS$BwgIHxTMbRQsv4LbbAGAT/
|
||||
nginx-config: |-
|
||||
server {
|
||||
server_name www.atat.codes atat.codes;
|
||||
listen 80 http2;
|
||||
#if ($http_x_forwarded_proto != 'https') {
|
||||
# return 301 https://$host$request_uri;
|
||||
#}
|
||||
location /login-dev {
|
||||
auth_basic "Developer Access";
|
||||
auth_basic_user_file /etc/nginx/.htpasswd;
|
||||
try_files $uri @app;
|
||||
}
|
||||
location / {
|
||||
try_files $uri @app;
|
||||
}
|
||||
location @app {
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:///var/run/atst_uwsgi.sock;
|
||||
}
|
||||
}
|
||||
server {
|
||||
server_name auth.atat.codes;
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2 ipv6only=on;
|
||||
# SSL server certificate and private key
|
||||
ssl_certificate /etc/ssl/private/auth.atat.crt
|
||||
ssl_certificate_key /etc/ssl/private/auth.atat.key
|
||||
# Set SSL protocols, ciphers, and related options
|
||||
ssl_protocols TLSv1.3 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ecdh_curve secp384r1;
|
||||
ssl_dhparam /etc/ssl/dhparam.pem;
|
||||
# SSL session options
|
||||
ssl_session_timeout 4h;
|
||||
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
|
||||
ssl_session_tickets off;
|
||||
# OCSP Stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 8.8.8.8 8.8.4.4;
|
||||
# Request and validate client certificate
|
||||
#ssl_verify_client on;
|
||||
#ssl_verify_depth 10;
|
||||
#ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem;
|
||||
# Guard against HTTPS -> HTTP downgrade
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
|
||||
location / {
|
||||
return 301 https://www.atat.codes$request_uri;
|
||||
}
|
||||
location /login-redirect {
|
||||
try_files $uri @app;
|
||||
}
|
||||
location @app {
|
||||
include uwsgi_params;
|
||||
uwsgi_pass unix:///var/run/atst_uwsgi.sock;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
|
||||
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
|
||||
}
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user