From f1df9c3217656763ac983788a5067f38ba43b8b2 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:03:33 -0500
Subject: [PATCH 1/2] initial nginx dynamic docker image config
---
docker-compose.yml | 4 ++++
nginx-ingress/Dockerfile | 8 ++++++++
nginx-ingress/entrypoint.sh | 7 +++++++
nginx-ingress/nginx.conf | 28 ++++++++++++++++++++++++++++
4 files changed, 47 insertions(+)
create mode 100644 nginx-ingress/Dockerfile
create mode 100644 nginx-ingress/entrypoint.sh
create mode 100644 nginx-ingress/nginx.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index f70207f..ca96d70 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,3 +3,7 @@
 # Using version 2 as 3 does not support resource constraint options (cpu_*, mem_* limits) for non swarm mode in Compose
 version: "2"
+services:
+ proxy:
+ build: ./nginx-ingress
+ image: local/nginx-ingress:base
diff --git a/nginx-ingress/Dockerfile b/nginx-ingress/Dockerfile
new file mode 100644
index 0000000..c00e373
--- /dev/null
+++ b/nginx-ingress/Dockerfile
@@ -0,0 +1,8 @@
+FROM nginx:stable-alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
new file mode 100644
index 0000000..8bcdeb5
--- /dev/null
+++ b/nginx-ingress/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [[ $ACCESS_LOG ]]; then
+ sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
+fi
+
+nginx -g "daemon off;"
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
new file mode 100644
index 0000000..c8aac96
--- /dev/null
+++ b/nginx-ingress/nginx.conf
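Review bot: `FROM nginx:stable-alpine` is a floating tag, so the `proxy` image is not reproducible: two builds of the same commit can pull different nginx and Alpine releases, and a regression or a CVE fix lands silently. Pin it, e.g. `FROM nginx:stable-alpine@sha256:<digest>` (or at least an exact version tag), and bump it deliberately. `RUN chmod +x /entrypoint.sh` can be folded into the copy as `COPY --chmod=755 entrypoint.sh /` under BuildKit, which drops a layer. The stage also ends without a `USER`; since entrypoint.sh rewrites `/etc/nginx/nginx.conf` in place at start-up, running unprivileged would need that file made writable for the unprivileged user or the substitution moved to build time, so note it as a follow-up rather than a one-liner.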
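Review bot: The final `nginx -g "daemon off;"` starts nginx as a child of the shell instead of replacing it, so `sh` stays PID 1 and the stop signal Docker sends goes to the shell rather than to nginx, which then only exits on the kill timeout; make it `exec nginx -g "daemon off;"`. The script is `#!/bin/sh` but uses the `[[ … ]]` test, which is not POSIX; BusyBox ash in the Alpine base appears to accept it, but `[ -n "$ACCESS_LOG" ]` works everywhere. The `sed` line pastes `$ACCESS_LOG` into nginx.conf verbatim, so a value containing `%` breaks the expression and one containing `;` or a newline becomes additional nginx directives; if this variable can be set by anything other than a trusted operator, validate it (for instance accept only a path or `off`) before substituting.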
@@ -0,0 +1,28 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ server {
+ listen *:8080;
+
+ client_max_body_size 0;
+
+ set $allowOriginSite *;
+ proxy_pass_request_headers on;
+ proxy_pass_header Set-Cookie;
+
+ # External settings, do not remove
+ #ENV_ACCESS_LOG
+
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_header Set-Cookie;
+ }
+}
From 010149e6b643fb95bfa85d5fdfe45b4c7b47f79a Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:07:17 -0500
Subject: [PATCH 2/2] added platform config
---
nginx-ingress/entrypoint.sh | 4 ++++
nginx-ingress/nginx.conf | 23 +++++++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
index 8bcdeb5..5adaad5 100644
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
+if [[ $ACS_PLATFORM_URL ]]; then
+ sed -i s%http:\/\/platform:8080%"$REPO_URL"%g /etc/nginx/nginx.conf
+fi
+
 if [[ $ACCESS_LOG ]]; then
 sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
 fi
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
index c8aac96..0bbab22 100644
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
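Review bot: `client_max_body_size 0;` disables nginx's request-body limit on the ingress, and with `proxy_buffering off` every byte of an arbitrarily large upload is streamed straight to the upstream, so the proxy gives no protection against oversized requests; if unlimited uploads are intended, say so in a comment, otherwise set an explicit ceiling that matches what the upstream accepts, e.g. `client_max_body_size 2g;`. `set $allowOriginSite *;` is assigned but never referenced in this file, and `proxy_pass_header Set-Cookie;` appears twice in the same block; dropping the dead variable and the duplicate keeps the intent clear. `proxy_set_header Host $host:$server_port;` forwards the container's own listening port (8080) rather than the port the client used, which matters if an external load balancer sits in front; `$http_host` preserves what the client sent, though whether the upstream depends on the port is not visible here.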
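Review bot: The new branch tests `$ACS_PLATFORM_URL` but substitutes `$REPO_URL`, so when only `ACS_PLATFORM_URL` is set the replacement is empty and `proxy_pass http://platform:8080;` in nginx.conf becomes `proxy_pass ;`, which nginx rejects at start-up; the line should read `sed -i s%http:\/\/platform:8080%"$ACS_PLATFORM_URL"%g /etc/nginx/nginx.conf`. The value is still pasted unescaped, so a URL containing `%` breaks the expression and `&` expands to the matched text; if it can hold anything other than a plain `scheme://host:port`, escape those characters first. `[[ … ]]` is also not POSIX sh; `[ -n "$ACS_PLATFORM_URL" ]` is the portable form. The enclosing script continues past this hunk with the `nginx -g` start line.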
@@ -24,5 +24,28 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass_header Set-Cookie;
+
+ # Protect access to SOLR APIs
+ location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}
+
+ location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;}
+ location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;}
+
+ # Protect access to Prometheus endpoint
+ location ~ ^(/.*/s/prometheus)$ {return 403;}
+
+ location / {
+ proxy_pass http://platform:8080;
+ }
+
+ location /alfresco/ {
+ proxy_pass http://platform:8080;
+
+ # If using external proxy / load balancer (for initial redirect if no trailing slash)
+ absolute_redirect off;
+ }
 }
 }
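Review bot: The Solr deny rules match nginx's normalized `$uri`, so they cover `..`, `//` and percent-encoding, but not URL forms that only the upstream canonicalizes: if the platform is a servlet container that strips `;`-delimited path parameters (Tomcat does), a request for `/alfresco/s;x/api/solr/...` misses `^(/.*/s/api/solr/.*)$` here, falls through to `location /alfresco/`, and reaches the Solr API upstream. Either reject any `;` in these paths or let each literal segment tolerate a parameter, e.g. the four `service|s|wcservice|wcs` rules collapse to `location ~ "^/.*/(service|s|wcservice|wcs)(;[^/]*)?/api(;[^/]*)?/solr(;[^/]*)?/" { return 403; }`, with the same treatment for the two `proxy/alfresco` rules. Separately, the Prometheus rule is anchored with `$` and has no trailing `/.*`, so `/alfresco/s/prometheus/` or any sub-path is not blocked even though the Solr rules do block sub-paths; if that endpoint answers with a trailing slash, drop the `$` or use `^/.*/s/prometheus(/.*)?$`. A comment above the block noting that regex locations take precedence over the `location /` and `location /alfresco/` prefixes below (which is what makes these 403s effective) would help the next reader.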