Add SSL/TLS config for staging sites.

This presumes that TLS Kubernetes secrets already exist in both
clusters. It adds NGINX config for SSL termination and the necessary k8s
config to write the certificate and private key to the NGINX container.
dandds 2019-08-02 07:42:20 -04:00
parent 1577312fb8
commit e5c360452c
4 changed files with 66 additions and 70 deletions


@ -9,11 +9,10 @@ data:
server { server {
server_name aws.atat.code.mil; server_name aws.atat.code.mil;
# access_log /var/log/nginx/access.log json; # access_log /var/log/nginx/access.log json;
listen 8442; listen 8442 ssl;
listen [::]:8442 ipv6only=on; listen [::]:8442 ssl ipv6only=on;
# if ($http_x_forwarded_proto != 'https') { ssl_certificate /etc/ssl/private/atat.crt;
# return 301 https://$host$request_uri; ssl_certificate_key /etc/ssl/private/atat.key;
# }
location /login-redirect { location /login-redirect {
return 301 https://auth-aws.atat.code.mil$request_uri; return 301 https://auth-aws.atat.code.mil$request_uri;
} }
@ -39,29 +38,14 @@ data:
server { server {
# access_log /var/log/nginx/access.log json; # access_log /var/log/nginx/access.log json;
server_name auth-aws.atat.code.mil; server_name auth-aws.atat.code.mil;
listen 8443; listen 8443 ssl;
listen [::]:8443 ipv6only=on; listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key ssl_certificate /etc/ssl/private/atat.crt;
# ssl_certificate /etc/ssl/private/auth.atat.crt; ssl_certificate_key /etc/ssl/private/atat.key;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate # Request and validate client certificate
# ssl_verify_client on; ssl_verify_client on;
# ssl_verify_depth 10; ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem; ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade # Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / { location / {
@ -73,12 +57,12 @@ data:
location @app { location @app {
include uwsgi_params; include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id; uwsgi_param HTTP_X_REQUEST_ID $request_id;
} }
} }
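Review bot: The 8443 server block now terminates TLS (`listen 8443 ssl;`, `ssl_certificate ...`) but the protocol and cipher directives that were commented out here (`ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_session_tickets off`) are deleted rather than enabled, so the listener falls back to the NGINX build's defaults, which depending on the NGINX version may still include TLS 1.0/1.1. Keep at least `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` next to the new `ssl_certificate_key` line, and consider `ssl_session_tickets off;` unless ticket keys are rotated. The same gap exists in the 8442 block of the first hunk and in both hunks of the Azure copy of this file. The server block opens at `server {` inside the hunk but its body continues past `location / {`, outside the hunk.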


@ -60,6 +60,10 @@ spec:
- name: nginx-htpasswd - name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd" mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd subPath: .htpasswd
- name: tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@ -91,6 +95,16 @@ spec:
- key: htpasswd - key: htpasswd
path: .htpasswd path: .htpasswd
mode: 0640 mode: 0640
- name: tls
secret:
secretName: aws-atat-code-mil-tls
items:
- key: tls.crt
path: atat.crt
mode: 0644
- key: tls.key
path: atat.key
mode: 0640
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@ -155,7 +169,7 @@ metadata:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec: spec:
ports: ports:
- port: 80 - port: 443
targetPort: 8442 targetPort: 8442
selector: selector:
role: web role: web
@ -172,7 +186,7 @@ metadata:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb" service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec: spec:
ports: ports:
- port: 80 - port: 443
targetPort: 8443 targetPort: 8443
selector: selector:
role: web role: web
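Review bot: Mounting `nginx-client-ca-bundle` at `/etc/ssl/` replaces the container's whole /etc/ssl tree (system CA certificates, openssl.cnf) with the volume's contents instead of adding one file to it, which differs from the `subPath` approach used for `.htpasswd` just above it. Since the nginx config only reads `/etc/ssl/client-ca-bundle.pem`, mount the single file: `mountPath: "/etc/ssl/client-ca-bundle.pem"` with `subPath: <item path inside the nginx-client-ca-bundle volume>`. The nested `tls` mount at `/etc/ssl/private` presumably still works because kubelet orders mounts by path, but it only has to coexist with the directory mount as long as that mount exists. The `nginx-client-ca-bundle` volume definition is not in this hunk, so its item path needs to be checked there; the same mounts appear in the Azure deployment file.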


@ -9,11 +9,10 @@ data:
server { server {
server_name azure.atat.code.mil; server_name azure.atat.code.mil;
# access_log /var/log/nginx/access.log json; # access_log /var/log/nginx/access.log json;
listen 8442; listen 8442 ssl;
listen [::]:8442 ipv6only=on; listen [::]:8442 ssl ipv6only=on;
# if ($http_x_forwarded_proto != 'https') { ssl_certificate /etc/ssl/private/atat.crt;
# return 301 https://$host$request_uri; ssl_certificate_key /etc/ssl/private/atat.key;
# }
location /login-redirect { location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri; return 301 https://auth-azure.atat.code.mil$request_uri;
} }
@ -39,29 +38,14 @@ data:
server { server {
# access_log /var/log/nginx/access.log json; # access_log /var/log/nginx/access.log json;
server_name auth-azure.atat.code.mil; server_name auth-azure.atat.code.mil;
listen 8443; listen 8443 ssl;
listen [::]:8443 ipv6only=on; listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key ssl_certificate /etc/ssl/private/atat.crt;
# ssl_certificate /etc/ssl/private/auth.atat.crt; ssl_certificate_key /etc/ssl/private/atat.key;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate # Request and validate client certificate
# ssl_verify_client on; ssl_verify_client on;
# ssl_verify_depth 10; ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem; ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade # Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / { location / {
@ -73,12 +57,12 @@ data:
location @app { location @app {
include uwsgi_params; include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket; uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify; uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert; uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn; uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy; uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn; uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy; uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id; uwsgi_param HTTP_X_REQUEST_ID $request_id;
} }
} }
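Review bot: The newly enabled `uwsgi_param HTTP_X_SSL_CLIENT_*` lines hand the client-certificate identity (verify result, raw cert, subject and issuer DNs) to the app under names shaped like ordinary request headers, and nginx's uwsgi module also forwards the client's own request headers as `HTTP_*` variables, so it is worth confirming with a test that a request carrying its own `X-SSL-Client-S-DN` header still results in the app seeing only the nginx-computed value. If precedence inside the uwsgi packet cannot be guaranteed, a short comment here stating that these params are the authoritative source of certificate identity and that the app must never read the equivalent plain header would keep a later refactor from trusting the wrong one. The same lines are enabled in the AWS copy of this file.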


@ -60,6 +60,10 @@ spec:
- name: nginx-htpasswd - name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd" mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd subPath: .htpasswd
- name: tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@ -91,6 +95,16 @@ spec:
- key: htpasswd - key: htpasswd
path: .htpasswd path: .htpasswd
mode: 0640 mode: 0640
- name: tls
secret:
secretName: azure-atat-code-mil-tls
items:
- key: tls.crt
path: atat.crt
mode: 0644
- key: tls.key
path: atat.key
mode: 0640
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@ -154,7 +168,7 @@ metadata:
spec: spec:
loadBalancerIP: 13.92.235.6 loadBalancerIP: 13.92.235.6
ports: ports:
- port: 80 - port: 443
targetPort: 8442 targetPort: 8442
selector: selector:
role: web role: web
@ -170,7 +184,7 @@ metadata:
spec: spec:
loadBalancerIP: 23.100.24.41 loadBalancerIP: 23.100.24.41
ports: ports:
- port: 80 - port: 443
targetPort: 8443 targetPort: 8443
selector: selector:
role: web role: web
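Review bot: The new `tls` volume references a Secret named `azure-atat-code-mil-tls` that this commit does not create, and nothing in the manifest records that expectation, so a pod scheduled in a cluster without it fails to start with a volume error and the reason is only in the commit message. Add a comment above `- name: tls` along the lines of `# Expects a pre-created Secret (kubernetes.io/tls style) with keys tls.crt and tls.key` so the dependency is visible where the secret name is used. The `mode: 0640` on `tls.key` is the right direction, but whether the nginx master process can read a root-owned 0640 file depends on the container's user and fsGroup, which are not visible here. The same volume definition appears in the AWS deployment file.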