Loading deploy/ansible/host_vars/esgf.data.example.org +18 −0 Original line number Diff line number Diff line Loading @@ -18,3 +18,21 @@ ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-and-disabling-components ## OPTIONAL: Enabling SSL for the server #nginx_config_template: ssl.proxy.conf.j2 #published_port: 443 #ssl_certificate: | # -----BEGIN CERTIFICATE----- # ... #ssl_private_key: | # -----BEGIN RSA PRIVATE KEY----- # ... ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl deploy/ansible/host_vars/esgf.index.example.org +17 −0 Original line number Diff line number Diff line Loading @@ -18,3 +18,20 @@ ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-and-disabling-components ## OPTIONAL: Enabling SSL for the server #nginx_config_template: ssl.proxy.conf.j2 #published_port: 443 #ssl_certificate: | # -----BEGIN CERTIFICATE----- # ... #ssl_private_key: | # -----BEGIN RSA PRIVATE KEY----- # ... ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl deploy/ansible/roles/proxy/defaults/main.yml +7 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,13 @@ image_pull: true # Proxy configuration ### # Default Nginx config using only HTTP nginx_config_template: proxy.conf.j2 published_port: 80 # Generates a Diffie-Helmet file for the server if enabled generate_dhparam: false # Settings for the proxy image proxy_image_prefix: "{{ image_prefix }}" proxy_image_tag: "{{ image_tag }}" Loading deploy/ansible/roles/proxy/tasks/main.yml +44 −5 Original line number Diff line number Diff line Loading 
@@ -6,17 +6,54 @@ - name: Make proxy config directory file: path: /esg/config/proxy path: "{{ item }}" state: directory with_items: - /esg/config/proxy/conf.d - /esg/config/proxy/ssl - name: Create Docker network docker_network: name: esgf - name: Set paths for the SSL certificate and key set_fact: ssl_certificate_path: /esg/config/proxy/ssl/proxy.crt ssl_private_key_path: /esg/config/proxy/ssl/proxy.key - name: Install a provided certificate block: - name: Install SSL certificate copy: content: "{{ ssl_certificate }}" dest: "{{ ssl_certificate_path }}" - name: Install SSL private key copy: content: "{{ ssl_private_key }}" dest: "{{ ssl_private_key_path }}" when: ssl_certificate is defined and ssl_private_key is defined - name: Make SSL cert files readable by the container user only file: path: "{{ item }}" owner: 1000 group: 1000 mode: "u=r,g=,o=" with_items: - "{{ ssl_certificate_path }}" - "{{ ssl_private_key_path }}" - name: Create Ephemeral Diffie-Helman parameters file command: openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096 args: creates: /esg/config/proxy/ssl/dhparam.pem when: generate_dhparam - name: Write proxy configuration template: src: proxy.conf.j2 dest: /esg/config/proxy/proxy.conf src: "{{ nginx_config_template }}" dest: /esg/config/proxy/conf.d/proxy.conf - name: Start proxy container docker_container: Loading 
@@ -28,12 +65,14 @@ exposed_ports: - "8080" published_ports: - "80:8080" - "{{ published_port }}:8080" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the Nginx configuration for the proxy - "/esg/config/proxy:/etc/nginx/conf.d:ro" - "/esg/config/proxy/conf.d:/etc/nginx/conf.d:ro" # Mount any SSL files for the proxy - "/esg/config/proxy/ssl:/etc/nginx/ssl:ro" state: started recreate: yes deploy/ansible/roles/proxy/templates/ssl.proxy.conf.j2 0 → 100644 +79 −0 Original line number Diff line number Diff line # HTTP and HTTPS server blocks that proxy to the other containers running on this host server { listen 8080 ssl http2 default_server; server_name _; # Use the Docker embedded DNS server to allow us to resolve container names resolver 127.0.0.11 ipv6=off; ssl_certificate /etc/nginx/ssl/proxy.crt; ssl_certificate_key /etc/nginx/ssl/proxy.key; # SSL configuration from Mozilla SSL config generator # https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; {% if generate_dhparam %} # Diffie-Hellman parameter for DHE ciphersuites ssl_dhparam /etc/nginx/ssl/dhparam.pem; {% endif %} # Enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # Disable SSLv3 since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES'; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/proxy.crt; # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping # 15768000 seconds = 6 months add_header Strict-Transport-Security max-age=15768000; # By default, return 404 location / { return 404; } {% if 'data' in group_names %} {% if thredds_enabled %} location /thredds { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://thredds:8080; } {% endif %} {% if fileserver_enabled %} location /thredds/fileServer { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://fileserver:8080; } {% endif %} {% endif %} {% if 'index' in group_names %} {% if solr_enabled %} # We only want to permit access to the replication handler for each core from outside location ~ ^/solr/[a-z]+/replication { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://solr-slave:8983; } {% endif %} {% if search_enabled %} location /esg-search { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://search:8080; } {% endif %} {% endif %} } Loading
deploy/ansible/host_vars/esgf.data.example.org +18 −0 Original line number Diff line number Diff line Loading @@ -18,3 +18,21 @@ ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-and-disabling-components ## OPTIONAL: Enabling SSL for the server #nginx_config_template: ssl.proxy.conf.j2 #published_port: 443 #ssl_certificate: | # -----BEGIN CERTIFICATE----- # ... #ssl_private_key: | # -----BEGIN RSA PRIVATE KEY----- # ... ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl
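Review bot: The commented example at `#ssl_private_key: |` invites operators to paste the PEM key in clear text into a host_vars file that is kept under version control, and the matching `copy` task in roles/proxy/tasks/main.yml installs whatever is there verbatim, so a key committed by following the example stays in the repository history. A one-line hint next to it such as `# Do not commit the key in plain text: store it with ansible-vault (e.g. ansible-vault encrypt_string) instead` would point at the supported way to hold it. The same block is repeated in deploy/ansible/host_vars/esgf.index.example.org.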
deploy/ansible/host_vars/esgf.index.example.org +17 −0 Original line number Diff line number Diff line Loading @@ -18,3 +18,20 @@ ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-and-disabling-components ## OPTIONAL: Enabling SSL for the server #nginx_config_template: ssl.proxy.conf.j2 #published_port: 443 #ssl_certificate: | # -----BEGIN CERTIFICATE----- # ... #ssl_private_key: | # -----BEGIN RSA PRIVATE KEY----- # ... ### See: https://github.com/ESGF/esgf-docker/blob/master/docs/deploy-ansible.md#enabling-ssl
deploy/ansible/roles/proxy/defaults/main.yml +7 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,13 @@ image_pull: true # Proxy configuration ### # Default Nginx config using only HTTP nginx_config_template: proxy.conf.j2 published_port: 80 # Generates a Diffie-Helmet file for the server if enabled generate_dhparam: false # Settings for the proxy image proxy_image_prefix: "{{ image_prefix }}" proxy_image_tag: "{{ image_tag }}" Loading
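Review bot: The new comment `# Generates a Diffie-Helmet file for the server if enabled` misspells the algorithm and does not say what the flag produces; `# Generate a Diffie-Hellman parameters file (dhparam.pem) for DHE cipher suites; only used by the SSL template` is clearer. It would also help to state next to `nginx_config_template` and `published_port` that the SSL variant expects `ssl.proxy.conf.j2` together with `published_port: 443`, as the host_vars examples in this commit show.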
deploy/ansible/roles/proxy/tasks/main.yml +44 −5 Original line number Diff line number Diff line Loading @@ -6,17 +6,54 @@ - name: Make proxy config directory file: path: /esg/config/proxy path: "{{ item }}" state: directory with_items: - /esg/config/proxy/conf.d - /esg/config/proxy/ssl - name: Create Docker network docker_network: name: esgf - name: Set paths for the SSL certificate and key set_fact: ssl_certificate_path: /esg/config/proxy/ssl/proxy.crt ssl_private_key_path: /esg/config/proxy/ssl/proxy.key - name: Install a provided certificate block: - name: Install SSL certificate copy: content: "{{ ssl_certificate }}" dest: "{{ ssl_certificate_path }}" - name: Install SSL private key copy: content: "{{ ssl_private_key }}" dest: "{{ ssl_private_key_path }}" when: ssl_certificate is defined and ssl_private_key is defined - name: Make SSL cert files readable by the container user only file: path: "{{ item }}" owner: 1000 group: 1000 mode: "u=r,g=,o=" with_items: - "{{ ssl_certificate_path }}" - "{{ ssl_private_key_path }}" - name: Create Ephemeral Diffie-Helman parameters file command: openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096 args: creates: /esg/config/proxy/ssl/dhparam.pem when: generate_dhparam - name: Write proxy configuration template: src: proxy.conf.j2 dest: /esg/config/proxy/proxy.conf src: "{{ nginx_config_template }}" dest: /esg/config/proxy/conf.d/proxy.conf - name: Start proxy container docker_container: Loading @@ -28,12 +65,14 @@ exposed_ports: - "8080" published_ports: - "80:8080" - "{{ published_port }}:8080" networks: - name: esgf networks_cli_compatible: yes volumes: # Mount the Nginx configuration for the proxy - "/esg/config/proxy:/etc/nginx/conf.d:ro" - "/esg/config/proxy/conf.d:/etc/nginx/conf.d:ro" # Mount any SSL files for the proxy - "/esg/config/proxy/ssl:/etc/nginx/ssl:ro" state: started recreate: yes
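Review bot: The `Create Ephemeral Diffie-Helman parameters file` task writes to `/etc/nginx/ssl/dhparam.pem`, which is the path inside the container, but the command runs on the host and its `creates:` guard names `/esg/config/proxy/ssl/dhparam.pem`; on a host without `/etc/nginx/ssl` the command fails, and where it does not fail the guard never matches, so the 4096-bit generation repeats on every run and the file is never mounted into the container. The `-out` path should be `/esg/config/proxy/ssl/dhparam.pem`, the directory created at the top of the hunk and mounted as `/etc/nginx/ssl:ro` in the second hunk (the `-dsaparam` flag also trades safe-prime parameters for generation speed, which deserves a comment if intentional). The `Make SSL cert files readable by the container user only` task has no `when:`, so a host that keeps the default HTTP-only template asks `file:` to fix the mode of two files that were never installed and the play fails; give it the same `when: ssl_certificate is defined and ssl_private_key is defined` as the install block, or move it inside that block. Setting `owner: 1000`, `group: 1000` and `mode: "u=r,g=,o="` on the `copy` tasks themselves would also close the window in which the private key sits on disk with the copy module's default mode, and `no_log: true` on the key task keeps the PEM out of `--diff` output.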
deploy/ansible/roles/proxy/templates/ssl.proxy.conf.j2 0 → 100644 +79 −0 Original line number Diff line number Diff line # HTTP and HTTPS server blocks that proxy to the other containers running on this host server { listen 8080 ssl http2 default_server; server_name _; # Use the Docker embedded DNS server to allow us to resolve container names resolver 127.0.0.11 ipv6=off; ssl_certificate /etc/nginx/ssl/proxy.crt; ssl_certificate_key /etc/nginx/ssl/proxy.key; # SSL configuration from Mozilla SSL config generator # https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; {% if generate_dhparam %} # Diffie-Hellman parameter for DHE ciphersuites ssl_dhparam /etc/nginx/ssl/dhparam.pem; {% endif %} # Enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # Disable SSLv3 since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES'; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/proxy.crt; # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping # 
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping # 15768000 seconds = 6 months add_header Strict-Transport-Security max-age=15768000; # By default, return 404 location / { return 404; } {% if 'data' in group_names %} {% if thredds_enabled %} location /thredds { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://thredds:8080; } {% endif %} {% if fileserver_enabled %} location /thredds/fileServer { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://fileserver:8080; } {% endif %} {% endif %} {% if 'index' in group_names %} {% if solr_enabled %} # We only want to permit access to the replication handler for each core from outside location ~ ^/solr/[a-z]+/replication { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://solr-slave:8983; } {% endif %} {% if search_enabled %} location /esg-search { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://search:8080; } {% endif %} {% endif %} }
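Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both of which are deprecated (RFC 8996) and only needed for very old clients; `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the nginx build supports it) matches current guidance, and the three `*-DES-CBC3-SHA` entries in `ssl_ciphers` are already removed by the trailing `!3DES`, so they can be dropped. `ssl_trusted_certificate` points at the server certificate itself, but with `ssl_stapling_verify on` nginx needs the issuer chain to validate OCSP responses, so unless `proxy.crt` bundles the full chain stapling will presumably be disabled with a warning at startup — worth a comment stating that the file must contain the chain. The header comment promises HTTP and HTTPS server blocks, yet only the `listen 8080 ssl` server exists; with `published_port: 443` nothing answers plain HTTP on port 80 and there is no redirect, so either the comment should say so or a second listener should be exposed. The `# Disable SSLv3 since it's less secure then TLS` comment should read `than`.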