Created overrides file for mutual TLS
Changes command line options to environment variables. Added nginx reverse proxy to overrides.
parent
9bbd2a8d77
commit
4022cff35d
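--- /dev/null
+++ b/<nginx-conf-path-not-shown-on-page>
@@ -0,0 +1,65 @@
+server {
+server_name localhost;
+
+listen 443 ssl;
+
+# Lock down TLS according to our guidelines:
+# https://lampkicking.atlassian.net/wiki/x/HICvBQ
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384';
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+
+ssl_certificate /etc/nginx/mtls_certs/frontend/localhost.cert.pem;
+ssl_certificate_key /etc/nginx/mtls_certs/frontend/localhost.key.pem;
+
+# HSTS for one month
+add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
+
+location / {
+proxy_pass https://web:8443/;
+
+proxy_ssl_certificate /etc/nginx/mtls_certs/backend/web.cert.pem;
+proxy_ssl_certificate_key /etc/nginx/mtls_certs/backend/web.key.pem;
+proxy_ssl_trusted_certificate /etc/nginx/mtls_certs/backend/ca-chain.cert.pem;
+
+proxy_ssl_verify on;
+#proxy_ssl_verify off;
+proxy_ssl_verify_depth 2;
+proxy_ssl_session_reuse on;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto "https";
+
+# Fix `websocket: bad handshake` when using `fly intercept`
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+
+# Fix appears that your reverse proxy set up is broken" error.
+proxy_read_timeout 90;
+}
+
+error_page 502 /custom_502.html;
+error_page 504 /custom_504.html;
+
+location = /custom_502.html {
+root /etc/nginx/error_pages;
+internal;
+}
+location = /custom_504.html {
+root /etc/nginx/error_pages;
+internal;
+}
+}
+
+server {
+server_name localhost;
+
+listen 80;
+
+return 301 https://$host$request_uri;
+}
+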
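Review bot: The WebSocket passthrough at `proxy_set_header Upgrade $http_upgrade;` / `proxy_set_header Connection "upgrade";` cannot complete an upgrade because the `location /` block never sets `proxy_http_version 1.1;` — nginx proxies upstream with HTTP/1.0 by default and an Upgrade needs 1.1 — so add `proxy_http_version 1.1;` next to those two lines, and consider the usual `map $http_upgrade $connection_upgrade` in the http context so ordinary requests are not all sent with `Connection: upgrade`. The leftover `#proxy_ssl_verify off;` is a one-keystroke switch to disable backend certificate checking in a file whose whole purpose is mutual TLS; drop it rather than keep it as a commented toggle. With `proxy_ssl_verify on` the backend certificate is also checked against `proxy_ssl_name`, which defaults to the `web` host taken from `proxy_pass`, so the server certificate the web node presents must carry `web` as its name — presumably it does, but worth confirming. The redirect server on `listen 80` is only reachable if port 80 is published; the compose section on this page publishes only `"443:443"`.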
@ -0,0 +1,37 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
web:
|
||||
build: .
|
||||
image: concourse/concourse:local
|
||||
volumes:
|
||||
- .:/src
|
||||
command: web
|
||||
depends_on: [db]
|
||||
#ports:
|
||||
#- 8443:8443
|
||||
environment:
|
||||
CONCOURSE_LOG_LEVEL: debug
|
||||
CONCOURSE_POSTGRES_HOST: db
|
||||
CONCOURSE_POSTGRES_USER: dev
|
||||
CONCOURSE_POSTGRES_PASSWORD: dev
|
||||
CONCOURSE_POSTGRES_DATABASE: concourse
|
||||
CONCOURSE_EXTERNAL_URL: https://localhost:443
|
||||
CONCOURSE_ADD_LOCAL_USER: test:test,guest:guest
|
||||
CONCOURSE_MAIN_TEAM_LOCAL_USER: test
|
||||
CONCOURSE_CLUSTER_NAME: dev
|
||||
CONCOURSE_ENABLE_PIPELINE_INSTANCES: "true"
|
||||
CONCOURSE_ENABLE_ACROSS_STEP: "true"
|
||||
CONCOURSE_TLS_BIND_PORT: 8443
|
||||
CONCOURSE_TLS_CERT: /src/certs/web.cert.pem
|
||||
CONCOURSE_TLS_CA_CERT: /src/certs/ca-chain.cert.pem
|
||||
CONCOURSE_TLS_KEY: /src/certs/web.key.pem
|
||||
|
||||
nginx_mtls_rp:
|
||||
image: nginx:latest
|
||||
depends_on: [web]
|
||||
volumes:
|
||||
- ./hack/nginx/conf.d:/etc/nginx/conf.d
|
||||
- ./hack/mtls_certs:/etc/nginx/mtls_certs
|
||||
ports:
|
||||
- "443:443"
|
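Review bot: `image: nginx:latest` on the `nginx_mtls_rp` service is an unpinned tag, so the TLS front door of this stack can silently change on every pull; pin it to a specific release tag or digest, e.g. `image: nginx:<pinned version>`. The web node is given `CONCOURSE_TLS_CA_CERT`, which — if it behaves like the `--tls-ca-cert` flag this commit replaces — is what makes the web node require a client certificate, so the two halves of the mTLS hop live in this file and in the nginx config; a one-line comment above that key saying it enables client-certificate verification on the web listener would save the next reader a trip to the docs. The `#ports:` / `#- 8443:8443` stub under `web` is doing useful work (documenting that 8443 is deliberately not published and only reachable through the proxy), so replace the commented-out config with an explicit comment such as `# 8443 is intentionally not published; clients go through nginx_mtls_rp`.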