Add configmap for nginx settings and config

2018-08-07 10:51:55 -04:00 · 2018-08-07 10:51:55 -04:00 · 9262c0f346
commit 9262c0f346
parent ea853a7b28
1 changed files with 73 additions and 0 deletions
--- a/deploy/kubernetes/atst-nginx-configmap.yml
+++ b/deploy/kubernetes/atst-nginx-configmap.yml
@ -0,0 +1,73 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: atst-nginx
+  namespace: atat
+data:
+  htpasswd: |
+    atat:$apr1$D9ZQ6.AS$BwgIHxTMbRQsv4LbbAGAT/
+  nginx-config: |-
+    server {
+        server_name www.atat.codes atat.codes;
+        listen 80 http2;
+        #if ($http_x_forwarded_proto != 'https') {
+        #    return 301 https://$host$request_uri;
+        #}
+        location /login-dev {
+            auth_basic "Developer Access";
+            auth_basic_user_file /etc/nginx/.htpasswd;
+            try_files $uri @app;
+        }
+        location / {
+            try_files $uri @app;
+        }
+        location @app {
+            include uwsgi_params;
+            uwsgi_pass unix:///var/run/atst_uwsgi.sock;
+        }
+    }
+    server {
+        server_name auth.atat.codes;
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2 ipv6only=on;
+        # SSL server certificate and private key
+        ssl_certificate /etc/ssl/private/auth.atat.crt
+        ssl_certificate_key /etc/ssl/private/auth.atat.key
+        # Set SSL protocols, ciphers, and related options
+        ssl_protocols TLSv1.3 TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+        ssl_prefer_server_ciphers on;
+        ssl_ecdh_curve secp384r1;
+        ssl_dhparam /etc/ssl/dhparam.pem;
+        # SSL session options
+        ssl_session_timeout 4h;
+        ssl_session_cache shared:SSL:10m;   # 1mb = ~4000 sessions
+        ssl_session_tickets off;
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        resolver 8.8.8.8 8.8.4.4;
+        # Request and validate client certificate
+        #ssl_verify_client on;
+        #ssl_verify_depth 10;
+        #ssl_client_certificate /etc/nginx/ssl/ca/client-ca.pem;
+        # Guard against HTTPS -> HTTP downgrade
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
+        location / {
+            return 301 https://www.atat.codes$request_uri;
+        }
+        location /login-redirect {
+            try_files $uri @app;
+        }
+        location @app {
+            include uwsgi_params;
+            uwsgi_pass unix:///var/run/atst_uwsgi.sock;
+            uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+            uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+            uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+            uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
+            uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
+            uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
+        }
+    }