Фронтальный nginx с secret и config
docker-compose.yml для деплоя стека:
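---
# Swarm stack for the front-facing nginx.
# TLS material and the htpasswd file come in as Docker secrets (mounted under
# /run/secrets/), the nginx configuration files as Docker configs. All of them
# are declared `external: true`, so they must be created on the swarm before
# `docker stack deploy` (via `docker secret create` / `docker config create`).
version: "3.3"

services:
  nginx:
    # NOTE(review): `latest` is a moving target — each redeploy may pull a
    # different nginx build. Pinning a specific tag or digest makes rollouts
    # reproducible and auditable.
    image: nginx:latest
    ports:
      # Quoted so that no YAML parser can read "host:container" as a number.
      - "80:80"
      - "443:443"
    deploy:
      replicas: 1
    secrets:
      - openproject.sitefactory.cf.crt
      - openproject.sitefactory.cf.key
      - openproject.sitefactory.cf.htpasswd
    # The config names carry a version suffix because Docker configs are
    # immutable: a changed file is registered under a new name and the
    # `source` below is bumped to roll it out.
    configs:
      - source: outside-nginx.conf_v0.02
        target: /etc/nginx/nginx.conf
      - source: openproject.sitefactory.cf.conf_v0.03
        target: /etc/nginx/conf.d/openproject.sitefactory.cf.conf
      - source: proxy-pass.rules_v0.01
        target: /etc/nginx/conf.d/proxy-pass.rules
      - source: ssl-settings.rules_v0.01
        target: /etc/nginx/conf.d/ssl-settings.rules

secrets:
  openproject.sitefactory.cf.crt:
    external: true
  openproject.sitefactory.cf.key:
    external: true
  openproject.sitefactory.cf.htpasswd:
    external: true

configs:
  outside-nginx.conf_v0.02:
    external: true
  ssl-settings.rules_v0.01:
    external: true
  openproject.sitefactory.cf.conf_v0.03:
    external: true
  proxy-pass.rules_v0.01:
    external: true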
Конфиг nginx.conf:
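# Main nginx.conf for the front proxy (delivered as the outside-nginx.conf
# Docker config). Virtual hosts live in /etc/nginx/conf.d/*.conf.
user nginx;
worker_processes auto;
# Log at `error` rather than `crit`: upstream failures ("upstream timed out",
# "no live upstreams") and auth_basic password mismatches are emitted at the
# error level, and `crit` silently discards them — which leaves the operator
# blind to exactly the events worth alerting on.
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;

events {
    worker_connections 4000;
    # Accept as many connections as possible, after nginx gets notification
    # about a new connection.
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Same as `main` plus upstream timings; useful when debugging slow
    # backends (not referenced by any access_log in this file).
    log_format additional '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          'rt=$request_time uct="$upstream_connect_time" '
                          'uht="$upstream_header_time" urt="$upstream_response_time"';
    # Buffered: lines reach stdout in 16k batches, so expect a short delay
    # between a request and its log line.
    access_log /dev/stdout main buffer=16k;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames.
    tcp_nopush on;
    # Don't buffer data-sends (disable Nagle algorithm).
    tcp_nodelay on;

    # Timeout for keep-alive connections. Server will close connections
    # after this time.
    keepalive_timeout 30;
    # Number of requests a client can make over the keep-alive connection.
    keepalive_requests 1000;
    # Allow the server to close the connection after a client stops
    # responding.
    reset_timedout_connection on;
    # Send the client a "request timed out" if the body is not loaded
    # by this time.
    client_body_timeout 10;
    # If the client stops reading data, free up the stale client connection
    # after this much time.
    # NOTE(review): 2 seconds is aggressive — clients on slow links fetching
    # large responses may be cut off; verify against real traffic.
    send_timeout 2;

    # Compression.
    # NOTE(review): compressing authenticated dynamic HTML over TLS exposes a
    # compression side channel (BREACH-class); text/html is always in the
    # gzip set. Acceptable only if the backend does not reflect request data
    # next to secrets in its responses — confirm before relying on it.
    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied any;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;
    gzip_disable "msie6";

    include /etc/nginx/conf.d/*.conf;
}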
Конфиг хоста на примере openproject.sitefactory.cf:
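# Virtual host for openproject.sitefactory.cf (delivered as the
# openproject.sitefactory.cf.conf Docker config).

# Backend pool: four app nodes, equal weight. A node is marked unavailable
# after 15 failed attempts within 2 seconds and is retried after 2 seconds.
upstream openproject-cluster {
    server 11.100.250.9:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.10:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.11:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.12:3456 weight=100 max_fails=15 fail_timeout=2;
}

server {
    # One server block answers both plain HTTP and HTTPS; the `if` below
    # turns every plain-HTTP request into a redirect, so only TLS traffic
    # reaches the proxied location.
    listen 80;
    listen 443 ssl;
    # Protocol/cipher settings are kept in a shared snippet (contents not
    # shown here).
    include /etc/nginx/conf.d/ssl-settings.rules;
    # Certificate and key are Docker secrets mounted by the stack file.
    ssl_certificate /run/secrets/openproject.sitefactory.cf.crt;
    ssl_certificate_key /run/secrets/openproject.sitefactory.cf.key;
    server_name openproject.sitefactory.cf;

    # Redirect to a fixed host rather than $host so that a forged Host
    # header cannot steer the redirect elsewhere.
    set $host_header "openproject.sitefactory.cf";
    if ($scheme = http) {
        return 301 https://$host_header$request_uri;
    }

    charset utf-8;
    # Use the `main` format declared in nginx.conf; a bare `access_log`
    # falls back to the built-in `combined` format and silently drops
    # $http_x_forwarded_for, making this host's log lines differ from the
    # rest of the proxy.
    access_log /dev/stdout main;

    location / {
        # Basic auth is evaluated only after the http->https redirect above
        # (rewrite phase runs before access phase), so credentials are not
        # solicited over plain HTTP.
        auth_basic "Enter password";
        auth_basic_user_file /run/secrets/openproject.sitefactory.cf.htpasswd;
        # Header forwarding etc. lives in the shared snippet (not shown).
        include /etc/nginx/conf.d/proxy-pass.rules;
        # NOTE(review): traffic to the backend is plain HTTP; acceptable only
        # if the 11.100.250.0/24 path is a trusted network — confirm.
        proxy_pass http://openproject-cluster;
    }

    # Refuse requests for backup/config/VCS leftovers and editor swap files
    # before they reach the backend. Regex locations win over `location /`,
    # so this applies regardless of authentication. Dots in `.docker.config`
    # are escaped so the pattern matches that literal name rather than any
    # two characters.
    location ~* (\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|git|\.docker\.config)|~)$ {return 418;}
}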