simplificando rol - usar imagen custom e incluis certificados ssl
This commit is contained in:
Mauro Torrez
19
files/Dockerfile
Normal file
19
files/Dockerfile
Normal file
@@ -0,0 +1,19 @@
|
||||
# nginx container with self-signed SSL certificates
|
||||
FROM nginx
|
||||
MAINTAINER Mauro Torrez <in@mau.ro>
|
||||
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y -q ssl-cert \
|
||||
&& apt-get clean \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/nginx/ssl/cert.pem \
|
||||
&& cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/nginx/ssl/cert.key
|
||||
|
||||
ADD nginx.conf /etc/nginx/
|
||||
ADD dhparams.pem /etc/nginx/ssl/
|
||||
ADD default_ssl.conf /etc/nginx/conf.d/
|
||||
|
||||
VOLUME /etc/nginx/ssl/
|
||||
VOLUME /etc/nginx/conf.d/
|
||||
VOLUME /etc/nginx/locations/
|
||||
VOLUME /usr/share/nginx/html/
|
||||
16
files/default_ssl.conf
Normal file
16
files/default_ssl.conf
Normal file
@@ -0,0 +1,16 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name _;
|
||||
root /usr/share/nginx/html;
|
||||
include locations/*.conf;
|
||||
}
|
||||
25
files/dhparams.pem
Normal file
25
files/dhparams.pem
Normal file
@@ -0,0 +1,25 @@
|
||||
-----BEGIN X9.42 DH PARAMETERS-----
|
||||
MIIELAKCAgEAiv8Jwz/DveMn0fonZXPf5Bh2d+CBwE4tHeMUCArtm4D06EftfEhh
|
||||
6vgFiWIVxH7LAdQ4aXV18UDOL78wOYOV4jNAdOzXG/SqWVVKftXgE2+igyQcPile
|
||||
TQk/tXAPOgHNoT1Sk94ziKFFfBOyzw6wWjfyLBBSZ0FUj31y6u9b1jGAdbFYTF3J
|
||||
IR5sHtxbjnGL3EDFp8a/m0zIwxyEC+nJokiW2EwURQggJEReYNrjONJ0yqnIuEWx
|
||||
5zK2lxm55LEfBSOK1bkRKXe9yT9F+uBMUmVoWC4buURJaPxTwLUrFp8oi6LMM6Ep
|
||||
RZNNF2fOBxuGawqi7Xt8DZdcUS4vszYyx2S6Fha1wH2BnJqfZZZdhw2B2A+dQM7n
|
||||
O21GbEVGJwr1RBO1H6up/sJwy4TH9vSR/f33rWaC1ZE3phG/dYPhBB91oKuQJ9eb
|
||||
IullFJJbhaNjzk0pzBQyaI/v7QtZX++/wpyL7TWW24ldXCgvCbkNxFpIqIaOalIw
|
||||
MSLOsC6LLQ/DhxjJ6nvIC+oNuFyD6KHIWkYm43VDFJlbFIMiZrOs8xZOFRPg9uh4
|
||||
9jDLC+dHp8tqhdOwbvtqxC6PemxgfOQ1fij+JQGaRTrab/0XFH26nxVjSZcDb1Ah
|
||||
5XIdBrOHxeu2Is61O10AhqHbapF0YctLpNz4/gxNVB1tRrPxHGCQu5ECggIAGwOV
|
||||
2KzUNUDy2OO74wZ6AO9XZku/w2Nccj2FcHvyrYIQVsdaTs8fNNmKaTKJ5EQP9kJO
|
||||
dL5odyw+B+RnedaRQWYKU6byva1EatutQ98z5PkfjruXmj3fUA1nse1F6nrR+mYU
|
||||
hLdpWPM9YkvdIqV3ZpZToy/FHIWNfg/5n3gjhCE27hXuSkiDn/0g+ccuPkolvfhU
|
||||
PP4ZKn/IGU+hAuBI0UEhixXnAQBSS4zueEF9PXptCC8TlBHEO06SkETkdpMrbv3a
|
||||
1vhziiBjKwvzuNOZoF2NbNhiV9bg04KDQgIKX3xVhFduBXQfGbHKMlpT2p/7SxM+
|
||||
L055KK70+yPQ+PBxPpuH97A3ru3CBJYs/XA9UhQp2ixCrUqycpxKso6nHMxATVx+
|
||||
EgqBggO1sjpvGH1vPhZJXjXR1qLz+DXK0u1AefjrkKBbjy9qJWSmLjxnFvp8HUH5
|
||||
BVcazGnP6Su0IuW4gg+8kx2Pjdb3wyE6LDOfsFgAz4qayNzE51i2uFK7k0ChFHbW
|
||||
ng2o+Bp7eaYUguHveXZ3Ik2PBFe8YHFyxarSn5EncwlHY/yv8VMeyrV3fZEhPY5r
|
||||
UEFIM25t4r8ywzKmEGO6WQOhVPhHfssehWOF9EjAYyQM8IkwrYNH2G6REG+vxahu
|
||||
bsLiqdakirWzAZnw5SLWwHfvq2I6h8gpThEIwTsCIQC8dydvhEwDnjNGgmfu8QaX
|
||||
WBn6CTGhx2hPVqxuKi64rQ==
|
||||
-----END X9.42 DH PARAMETERS-----
|
||||
64
files/nginx.conf
Normal file
64
files/nginx.conf
Normal file
@@ -0,0 +1,64 @@
|
||||
|
||||
user nginx;
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
# gzip on;
|
||||
# gzip_disable "msie6";
|
||||
# gzip_vary on;
|
||||
# gzip_proxied any;
|
||||
# gzip_comp_level 6;
|
||||
# gzip_buffers 16 8k;
|
||||
# gzip_http_version 1.1;
|
||||
# gzip_types text/plain text/css application/json application/x-javascript
|
||||
# text/xml application/xml application/xml+rss text/javascript;
|
||||
|
||||
# ver https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||
ssl_certificate ssl/cert.pem;
|
||||
ssl_certificate_key ssl/cert.key;
|
||||
ssl_dhparam ssl/dhparams.pem;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
ssl_session_tickets off;
|
||||
|
||||
# modern configuration
|
||||
ssl_protocols TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
# add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# OCSP stapling
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user