Created overrides file for mutual TLS

Changes command line options to environmental parameters Added nginx reverse proxy to overrides
2021-02-02 10:57:43 +00:00 · 2021-02-02 10:57:43 +00:00 · 4022cff35d
parent 9bbd2a8d77
commit 4022cff35d
2 changed files with 102 additions and 0 deletions
--- a/hack/nginx/conf.d/concourse_proxy.conf
+++ b/hack/nginx/conf.d/concourse_proxy.conf
@ -0,0 +1,65 @@
+server {
+    server_name localhost;
+
+    listen 443 ssl;
+
+    # Lock down TLS according to our guidelines:
+    #   https://lampkicking.atlassian.net/wiki/x/HICvBQ
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2;
+    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 5m;
+
+    ssl_certificate     /etc/nginx/mtls_certs/frontend/localhost.cert.pem;
+    ssl_certificate_key /etc/nginx/mtls_certs/frontend/localhost.key.pem;
+
+    # HSTS for one month
+    add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
+
+    location / {
+        proxy_pass https://web:8443/;
+
+        proxy_ssl_certificate         /etc/nginx/mtls_certs/backend/web.cert.pem;
+        proxy_ssl_certificate_key     /etc/nginx/mtls_certs/backend/web.key.pem;
+        proxy_ssl_trusted_certificate /etc/nginx/mtls_certs/backend/ca-chain.cert.pem;
+
+        proxy_ssl_verify        on;
+        #proxy_ssl_verify        off;
+        proxy_ssl_verify_depth  2;
+        proxy_ssl_session_reuse on;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto "https";
+
+        # Fix `websocket: bad handshake` when using `fly intercept`
+        proxy_set_header  Upgrade $http_upgrade;
+        proxy_set_header  Connection "upgrade";
+
+        # Fix appears that your reverse proxy set up is broken" error.
+        proxy_read_timeout  90;
+    }
+
+   error_page 502 /custom_502.html;
+    error_page 504 /custom_504.html;
+
+    location = /custom_502.html {
+        root /etc/nginx/error_pages;
+        internal;
+    }
+    location = /custom_504.html {
+        root /etc/nginx/error_pages;
+        internal;
+    }
+}
+
+server {
+    server_name localhost;
+
+    listen 80;
+
+    return 301 https://$host$request_uri;
+}
+
--- a/hack/overrides/mutual-tls.yml
+++ b/hack/overrides/mutual-tls.yml
@ -0,0 +1,37 @@
+version: '3'
+
+services:
+  web:
+    build: .
+    image: concourse/concourse:local
+    volumes:
+    - .:/src
+    command: web
+    depends_on: [db]
+    #ports:
+    #- 8443:8443
+    environment:
+      CONCOURSE_LOG_LEVEL: debug
+      CONCOURSE_POSTGRES_HOST: db
+      CONCOURSE_POSTGRES_USER: dev
+      CONCOURSE_POSTGRES_PASSWORD: dev
+      CONCOURSE_POSTGRES_DATABASE: concourse
+      CONCOURSE_EXTERNAL_URL: https://localhost:443
+      CONCOURSE_ADD_LOCAL_USER: test:test,guest:guest
+      CONCOURSE_MAIN_TEAM_LOCAL_USER: test
+      CONCOURSE_CLUSTER_NAME: dev
+      CONCOURSE_ENABLE_PIPELINE_INSTANCES: "true"
+      CONCOURSE_ENABLE_ACROSS_STEP: "true"
+      CONCOURSE_TLS_BIND_PORT: 8443
+      CONCOURSE_TLS_CERT: /src/certs/web.cert.pem 
+      CONCOURSE_TLS_CA_CERT: /src/certs/ca-chain.cert.pem
+      CONCOURSE_TLS_KEY: /src/certs/web.key.pem
+
+  nginx_mtls_rp:
+    image: nginx:latest
+    depends_on: [web]
+    volumes:
+    - ./hack/nginx/conf.d:/etc/nginx/conf.d
+    - ./hack/mtls_certs:/etc/nginx/mtls_certs
+    ports:
+      - "443:443"