-
Notifications
You must be signed in to change notification settings - Fork 324
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding experimental, optional auto-ssl integration.
- Loading branch information
Showing
20 changed files
with
289 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
config = require "api-umbrella.proxy.models.file_config" | ||
|
||
auto_ssl = (require "resty.auto-ssl").new({ | ||
hook_server_port = config["auto_ssl"]["hook_server"]["port"] | ||
}) | ||
|
||
auto_ssl:init() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
auto_ssl:init_worker() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
auto_ssl:ssl_certificate() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
#!/usr/bin/env bash | ||
|
||
lua_resty_auto_ssl_version="0.12.0-1" | ||
|
||
set -e -u -x | ||
source ./tasks/helpers.sh | ||
|
||
luarocks_install "lua-resty-auto-ssl" "$lua_resty_auto_ssl_version" | ||
|
||
stamp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# Dynamic handler for issuing or returning certs. | ||
ssl_certificate_by_lua_file "{{_src_root_dir}}/src/api-umbrella/auto-ssl/hooks/ssl_certificate.lua"; | ||
|
||
# Fallback certificate (must be present for nginx to start). | ||
ssl_certificate {{etc_dir}}/ssl/auto_ssl_fallback.crt; | ||
ssl_certificate_key {{etc_dir}}/ssl/auto_ssl_fallback.key; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto http; | ||
proxy_set_header X-Forwarded-Port 80; | ||
|
||
location / { | ||
proxy_pass http://api_umbrella_backend; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto https; | ||
proxy_set_header X-Forwarded-Port 443; | ||
|
||
location / { | ||
proxy_pass http://api_umbrella_backend; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
server_name _; | ||
|
||
proxy_buffering off; | ||
proxy_connect_timeout {{nginx._initial_proxy_connect_timeout}}s; | ||
proxy_read_timeout {{nginx._initial_proxy_read_timeout}}s; | ||
proxy_send_timeout {{nginx._initial_proxy_send_timeout}}s; | ||
proxy_http_version 1.1; | ||
proxy_set_header Connection ""; | ||
proxy_set_header Host $host; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,136 @@ | ||
worker_processes {{auto_ssl.workers}}; | ||
|
||
daemon off; | ||
|
||
{{#auto_ssl.user}} | ||
user {{auto_ssl.user}} {{auto_ssl.group}}; | ||
{{/auto_ssl.user}} | ||
{{^auto_ssl.user}} | ||
{{#_effective_user_name}} | ||
# Even if user switching isn't enabled, make sure nginx uses the current | ||
# effective user and group for launching the child workers (so nginx's default | ||
# usage of the "nobody" user isn't used). | ||
user {{_effective_user_name}} {{_effective_group_name}}; | ||
{{/_effective_user_name}} | ||
{{/auto_ssl.user}} | ||
|
||
pid {{run_dir}}/nginx-auto-ssl.pid; | ||
|
||
events { | ||
worker_connections {{auto_ssl.worker_connections}}; | ||
} | ||
|
||
error_log stderr; | ||
|
||
pcre_jit on; | ||
|
||
http { | ||
access_log {{log_dir}}/nginx-auto-ssl/{{nginx.access_log_filename}} combined {{nginx.access_log_options}}; | ||
|
||
client_body_temp_path {{tmp_dir}}/nginx-auto-ssl-client_body_temp; | ||
proxy_temp_path {{tmp_dir}}/nginx-auto-ssl-proxy_temp; | ||
fastcgi_temp_path {{tmp_dir}}/nginx-auto-ssl-fastcgi_temp; | ||
uwsgi_temp_path {{tmp_dir}}/nginx-auto-ssl-uwsgi_temp; | ||
scgi_temp_path {{tmp_dir}}/nginx-auto-ssl-scgi_temp; | ||
server_tokens off; | ||
|
||
lua_package_path '{{_package_path}}'; | ||
lua_package_cpath '{{_package_cpath}}'; | ||
|
||
# Quiet the raw socket errors from the logs, since we should be handling any | ||
# connection errors as appropriate in the Lua code. | ||
lua_socket_log_errors off; | ||
|
||
# The "auto_ssl" shared dict must be defined with enough storage space to | ||
# hold your certificate data. | ||
lua_shared_dict auto_ssl 5m; | ||
|
||
# The "auto_ssl" shared dict is used to temporarily store various settings | ||
# like the secret used by the hook server. Do not change or omit it. | ||
lua_shared_dict auto_ssl_settings 64k; | ||
|
||
{{#dns_resolver._nameservers_nginx}} | ||
resolver {{dns_resolver._nameservers_nginx}}; | ||
resolver_timeout 12s; | ||
{{/dns_resolver._nameservers_nginx}} | ||
|
||
init_by_lua_file "{{_src_root_dir}}/src/api-umbrella/auto-ssl/hooks/init.lua"; | ||
init_worker_by_lua_file "{{_src_root_dir}}/src/api-umbrella/auto-ssl/hooks/init.lua"; | ||
|
||
lua_check_client_abort on; | ||
if_modified_since off; | ||
|
||
include ./mime.conf; | ||
include ./realip.conf; | ||
|
||
# Allow any sized uploads to backends. | ||
client_max_body_size 0; | ||
|
||
keepalive_timeout {{nginx.keepalive_timeout}}s; | ||
|
||
ssl_protocols {{nginx.ssl_protocols}}; | ||
ssl_ciphers {{nginx.ssl_ciphers}}; | ||
ssl_session_cache {{nginx.ssl_session_cache}}; | ||
ssl_session_timeout {{nginx.ssl_session_timeout}}; | ||
ssl_session_tickets {{nginx.ssl_session_tickets}}; | ||
ssl_buffer_size {{nginx.ssl_buffer_size}}; | ||
ssl_prefer_server_ciphers {{nginx.ssl_prefer_server_ciphers}}; | ||
ssl_ecdh_curve {{nginx.ssl_ecdh_curve}}; | ||
|
||
{{#nginx.dhparam}} | ||
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | ||
ssl_dhparam {{nginx.dhparam}}; | ||
{{/nginx.dhparam}} | ||
|
||
{{#nginx.server_names_hash_bucket_size}} | ||
server_names_hash_bucket_size {{nginx.server_names_hash_bucket_size}}; | ||
{{/nginx.server_names_hash_bucket_size}} | ||
|
||
upstream api_umbrella_backend { | ||
server 127.0.0.1:{{http_port}}; | ||
keepalive 10; | ||
} | ||
|
||
server { | ||
{{#listen.addresses}} | ||
listen {{.}}:{{auto_ssl.https.port}} ssl default_server so_keepalive=on; | ||
{{/listen.addresses}} | ||
|
||
include ./auto-ssl-cert.conf; | ||
include ./auto-ssl-proxy.conf; | ||
include ./auto-ssl-proxy-https.conf; | ||
} | ||
|
||
# HTTP server | ||
server { | ||
{{#listen.addresses}} | ||
listen {{.}}:{{auto_ssl.http.port}} default_server so_keepalive=on; | ||
{{/listen.addresses}} | ||
|
||
# Endpoint used for performing domain verification with Let's Encrypt. | ||
location /.well-known/acme-challenge/ { | ||
content_by_lua_block { | ||
auto_ssl:challenge_server() | ||
} | ||
} | ||
|
||
include ./auto-ssl-proxy.conf; | ||
include ./auto-ssl-proxy-http.conf; | ||
} | ||
|
||
# Internal server for handling certificate tasks. | ||
server { | ||
listen 127.0.0.1:{{auto_ssl.hook_server.port}} so_keepalive=on; | ||
|
||
# Increase the body buffer size, to ensure the internal POSTs can always | ||
# parse the full POST contents into memory. | ||
client_body_buffer_size 128k; | ||
client_max_body_size 128k; | ||
|
||
location / { | ||
content_by_lua_block { | ||
auto_ssl:hook_server() | ||
} | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
API_UMBRELLA_RUNTIME_CONFIG={{_api_umbrella_config_runtime_file}} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/usr/bin/env bash | ||
set -e -u | ||
exec ../rc.log "$@" |
Oops, something went wrong.