pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
atst/deploy/azure/atst-nginx-configmap.yml
tomdds 728bb5713f Fix flexVol serving of nginx certificates 
FlexVol requires that you specify certificates as secrets in order to get both the certificate and private key in the appropriate format for nginx to consume. Additionally, flexvol shouldn't interfer with other secrets mounted in it's host directory.
2019-12-02 15:45:16 -05:00

117 lines
3.7 KiB
YAML
Raw Blame History

---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
atst.conf: |-
server {
access_log /var/log/nginx/access.log json;
listen ${PORT_PREFIX}342;
server_name ${MAIN_DOMAIN};
root /usr/share/nginx/html;
location /.well-known/acme-challenge/ {
try_files $uri =404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
access_log /var/log/nginx/access.log json;
listen ${PORT_PREFIX}343;
server_name ${AUTH_DOMAIN};
root /usr/share/nginx/html;
location /.well-known/acme-challenge/ {
try_files $uri =404;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
access_log /var/log/nginx/access.log json;
server_name ${MAIN_DOMAIN};
# access_log /var/log/nginx/access.log json;
listen ${PORT_PREFIX}442 ssl;
listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
ssl_certificate /etc/ssl/atat.crt;
ssl_certificate_key /etc/ssl/atat.key;
# additional SSL/TLS settings
include /etc/nginx/snippets/ssl.conf;
location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
access_log /var/log/nginx/access.log json;
server_name ${AUTH_DOMAIN};
listen ${PORT_PREFIX}443 ssl;
listen [::]:${PORT_PREFIX}443 ssl ipv6only=on;
ssl_certificate /etc/ssl/atat.crt;
ssl_certificate_key /etc/ssl/atat.key;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# additional SSL/TLS settings
include /etc/nginx/snippets/ssl.conf;
location / {
return 301 https://azure.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
00json_log.conf: |-
log_format json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"msec":"$msec",'
'"request_id":"$request_id",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"referer":"$http_referer",'
'"user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';
Reference in New Issue View Git Blame Copy Permalink