From 6c8e63cb529b4485e7621b70d6ad00e0aeb72b1d Mon Sep 17 00:00:00 2001
From: erik
Date: Fri, 9 Sep 2022 16:53:51 +0200
Subject: [PATCH] [skip ci] WIP nginx-conf
---
 .../resources/website/nginx-configmap.yaml | 14 +-
 .../resources/website/nginx-deployment.yaml | 6 +-
 ...server-service.yaml => nginx-service.yaml} | 4 +-
 src/main/resources/website/testconfig.yaml | 215 ++++++++++++++++++
 4 files changed, 234 insertions(+), 5 deletions(-)
 rename src/main/resources/website/{website-server-service.yaml => nginx-service.yaml} (81%)
 create mode 100644 src/main/resources/website/testconfig.yaml
diff --git a/src/main/resources/website/nginx-configmap.yaml b/src/main/resources/website/nginx-configmap.yaml
index 52cfbfb..a5fb9dd 100644
--- a/src/main/resources/website/nginx-configmap.yaml
+++ b/src/main/resources/website/nginx-configmap.yaml
@@ -10,7 +10,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: nginx-env
+ name: nginx-conf
 namespace: default
 data:
 nginx.conf: |
@@ -49,7 +49,7 @@ data:
 server_names_hash_bucket_size 128; # this seems to be required for some vhosts
- # it might be a good idea to set a common reverse proxy "$http_referer"
+ # it might be a good idea to set a common reverse proxy
 # which points to the ingress?
 include /etc/nginx/conf.d/FQDN.conf # should be replaced by c4k
@@ -113,6 +113,16 @@ data:
 server_name FQDN www.FQDN;
+ # security headers
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+ add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy "strict-origin";
+ # maybe need to add:
+ # add_header Permissions-Policy "permissions here";
+
 root WEBSITECONTENTPATH;
 index index.html;
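Review bot: The Content-Security-Policy added in the third hunk (`script-src *; style-src *`) allows script and style loads from any origin, so for a static site served from `root WEBSITECONTENTPATH` it gives almost no protection against injected script; `script-src 'self'; style-src 'self'` (plus `object-src 'none'`) would match what a static site actually needs, widened only for documented third-party assets. None of the `add_header` lines carry `always`, so nginx emits these headers only on 2xx/3xx responses and not on 404 or 5xx pages; `add_header X-Content-Type-Options nosniff always;` (and likewise for the others) keeps the policy on error responses too. `X-XSS-Protection` is a legacy header that current browsers ignore and some older ones mishandle; if it is kept, the value generally recommended today is `0`. The enclosing `server { … }` block starts and ends outside the hunk, and any `add_header` placed in a nested `location` would replace this whole set rather than extend it; the same header block is duplicated in testconfig.yaml, where these points apply as well.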
diff --git a/src/main/resources/website/nginx-deployment.yaml b/src/main/resources/website/nginx-deployment.yaml
index 35c516d..9ffd062 100644
--- a/src/main/resources/website/nginx-deployment.yaml
+++ b/src/main/resources/website/nginx-deployment.yaml
@@ -4,6 +4,9 @@ metadata:
 name: nginx
 spec:
 replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
 template:
 metadata:
 labels:
@@ -11,7 +14,8 @@ spec:
 spec:
 containers:
 - name: nginx
- image: nginx
+ image: nginx:latest
+ imagePullPolicy: IfNotPresent
 ports:
 - containerPort: 80
 volumeMounts:
diff --git a/src/main/resources/website/website-server-service.yaml b/src/main/resources/website/nginx-service.yaml
similarity index 81%
rename from src/main/resources/website/website-server-service.yaml
rename to src/main/resources/website/nginx-service.yaml
index 0425f79..1422aea 100644
--- a/src/main/resources/website/website-server-service.yaml
+++ b/src/main/resources/website/nginx-service.yaml
@@ -1,14 +1,14 @@
 kind: Service
 apiVersion: v1
 metadata:
- name: website-server-service
+ name: nginx-service
 namespace: default
 annotations:
 metallb.universe.tf/allow-shared-ip: "shared-ip-service-group"
 spec:
 type: LoadBalancer
 selector:
- app: website-server
+ app: nginx
 ports:
 - port: 80
 targetPort: 80
diff --git a/src/main/resources/website/testconfig.yaml b/src/main/resources/website/testconfig.yaml
new file mode 100644
index 0000000..0a92778
--- /dev/null
+++ b/src/main/resources/website/testconfig.yaml
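Review bot: `image: nginx:latest` combined with `imagePullPolicy: IfNotPresent` in the second deployment hunk means the image that actually runs depends on whatever each node already has cached, and a new rollout will not pick up a newer upstream image, so the deployment is neither reproducible nor reliably patched. Pin a versioned tag or digest, e.g. `image: nginx:<pinned-version>` (placeholder), and keep `IfNotPresent`; if a floating tag is really intended, `imagePullPolicy: Always` is the policy that matches it. The container list and the pod `spec` continue past the hunk (`volumeMounts:` and the `volumes` section are outside it).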
@@ -0,0 +1,215 @@
+# ToDo:
+# Roadmap aufsetzen
+# Minigoal: run nginx server, serving a simple static site
+# get correct config for static website
+# security
+# paths to rootfolder correctly defined
+# volumes correctly defined
+# nginx can access volumes
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-env
+ namespace: default
+data:
+ nginx.conf: |
+ user nginx;
+
+ worker_processes 3;
+
+ error_log /var/log/nginx/error.log;
+
+ pid logs/nginx.pid;
+
+ worker_rlimit_nofile 8192;
+
+ events {
+ worker_connections 4096; ## Default: 1024
+ }
+
+ daemon off; # run in foreground
+
+ http {
+ include conf/mime.types;
+
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] $status '
+ '"$request" $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log logs/access.log main;
+
+ sendfile on;
+
+ tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ server_names_hash_bucket_size 128; # this seems to be required for some vhosts
+
+ # it might be a good idea to set a common reverse proxy
+ # which points to the ingress?
+
+ include /etc/nginx/conf.d/repo.test.meissa.de.conf # should be replaced by c4k
+ }
+
+ mime.types: |
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml rss;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/x-javascript js;
+ text/plain txt;
+ text/x-component htc;
+ text/mathml mml;
+ image/png png;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/vnd.wap.wbmp wbmp;
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/pdf pdf;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/zip zip;
+ application/octet-stream deb;
+ application/octet-stream bin exe dll;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+ audio/mpeg mp3;
+ audio/x-realaudio ra;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/x-flv flv;
+ video/x-msvideo avi;
+ video/x-ms-wmv wmv;
+ video/x-ms-asf asx asf;
+ video/x-mng mng;
+ }
+ repo.test.meissa.de.conf: |
+ server {
+
+ listen 80 default_server;
+
+ listen [::]:80 default_server;
+
+ server_name repo.test.meissa.de www.repo.test.meissa.de;
+
+ # security headers
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
+ add_header Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-Content-Type-Options nosniff;
+ add_header Referrer-Policy "strict-origin";
+ # maybe need to add:
+ # 
add_header Permissions-Policy "permissions here";
+
+ root /var/www/html/repo.test.meissa.de;
+
+ index index.html;
+
+ try_files $uri /index.html;
+
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - mountPath: /etc/nginx # mount nginx volume to /etc/nginx
+ readOnly: true
+ name: nginx-conf
+ - mountPath: /var/log/nginx
+ name: log
+ - mountPath: /var/www/html/repo.test.meissa.de
+ name: website-content-volume
+ volumes:
+ - name: nginx-conf
+ configMap:
+ name: nginx-conf # place ConfigMap `nginx-conf` on /etc/nginx
+ items:
+ - key: nginx.conf
+ path: conf.d/nginx.conf
+ - key: repo.test.meissa.de.conf
+ path: conf.d/repo.test.meissa.de.conf
+ - key: mime.types
+ path: mime.d/mime.types # dig directory
+ - name: log
+ emptyDir: {}
+ - name: website-content-volume
+ persistentVolumeClaim:
+ claimName: website-content-pvc
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx-ingress
+ namespace: default
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "true"
+ traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+spec:
+ tls:
+ - hosts:
+ - repo.test.meissa.de
+ secretName: website-cert
+ rules:
+ - host: repo.test.meissa.de
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: nginx-service
+ port:
+ number: 3000
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: nginx-service
+ namespace: default
+spec:
+ type: LoadBalancer
+ selector:
+ app: nginx
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
\ No newline at end of file
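Review bot: The Ingress backend points at `nginx-service` with port `number: 3000`, but the Service defined further down in the same file only exposes `port: 80`, so requests routed through the ingress cannot reach nginx; `number: 80` is the value that matches the Service. Several nginx paths also do not line up with the mounts: the main config is placed at `/etc/nginx/conf.d/nginx.conf` while the official image reads `/etc/nginx/nginx.conf` by default, `include conf/mime.types;` does not match the item mounted at `mime.d/mime.types`, and `pid logs/nginx.pid` / `access_log logs/access.log` resolve relative to the `/etc/nginx` prefix, which is mounted `readOnly: true`. The `include /etc/nginx/conf.d/repo.test.meissa.de.conf` directive lacks its terminating `;` (the same line appears as context in nginx-configmap.yaml), which nginx rejects at config load. The Service is `type: LoadBalancer` next to the Ingress, so port 80 is presumably reachable on the load-balancer address directly and bypasses the `ssl-redirect` middleware; if the ingress is the intended entry point, `type: ClusterIP` is sufficient, and the `nginx-env` ConfigMap name on the first document does not match the `nginx-conf` name the Deployment's volume references.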