Loading deploy/ansible/roles/proxy/defaults/main.yml +6 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,12 @@ image_pull: true # Proxy configuration ### # Default Nginx config using only HTTP nginx_config_template: proxy.conf.j2 # Generates a Diffie-Helmet file for the server if enabled generate_dhparam: false # Settings for the proxy image proxy_image_prefix: "{{ image_prefix }}" proxy_image_tag: "{{ image_tag }}" Loading deploy/ansible/roles/proxy/tasks/main.yml +41 −3 Original line number Diff line number Diff line Loading @@ -13,10 +13,46 @@ docker_network: name: esgf # TMP - name: Generate self-signed SSL certificate command: > openssl req -new -nodes -x509 -subj "/C=GB/ST=Oxfordshire/L=Didcot/O=Science and Technology Facilities Council/OU=Centre for Environmental Data Analysis/CN=localhost" -days 3650 -keyout /esg/config/proxy/ssl/proxy.key -out /esg/config/proxy/ssl/proxy.crt -extensions v3_ca args: creates: "/esg/config/proxy/ssl/proxy.crt" when: use_self_signed_ssl_cert is defined and use_self_signed_ssl_cert notify: "restart web server" # TMP - name: Install a provided certificate block: - name: Set paths for the SSL certificate and key set_fact: ssl_certificate_path: /esg/config/proxy/ssl/proxy.crt ssl_private_key_path: /esg/config/proxy/ssl/proxy.key - name: Install SSL certificate copy: content: "{{ ssl_certificate }}" dest: "{{ ssl_certificate_path }}" - name: Install SSL private key copy: content: "{{ ssl_private_key }}" dest: "{{ ssl_private_key_path }}" when: ssl_certificate is defined and ssl_private_key is defined - name: Create Ephemeral Diffie-Helman parameters file command: openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096 args: creates: /esg/config/proxy/ssl/dhparam.pem when: generate_dhparam - name: Write proxy configuration template: src: proxy.conf.j2 dest: /esg/config/proxy/proxy.conf src: "{{ nginx_config_template }}" dest: /esg/config/proxy/conf.d/proxy.conf - name: Start proxy container docker_container: Loading @@ -34,6 +70,8 @@ networks_cli_compatible: yes volumes: # Mount the Nginx configuration for the proxy - "/esg/config/proxy:/etc/nginx/conf.d:ro" - "/esg/config/proxy/conf.d:/etc/nginx/conf.d:ro" # Mount any SSL files for the proxy - "/esg/config/proxy/ssl:/etc/nginx/ssl:ro" state: started recreate: yes deploy/ansible/roles/proxy/templates/ssl.proxy.conf.j2 0 → 100644 +79 −0 Original line number Diff line number Diff line # HTTP and HTTPS server blocks that proxy to the other containers running on this host server { listen 8080 ssl http2 default_server; server_name _; # Use the Docker embedded DNS server to allow us to resolve container names resolver 127.0.0.11 ipv6=off; ssl_certificate {{ ssl_certificate_path }}; ssl_certificate_key {{ ssl_private_key_path }}; # SSL configuration from Mozilla SSL config generator # https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; {% if generate_dhparam %} # Diffie-Hellman parameter for DHE ciphersuites ssl_dhparam /etc/nginx/ssl/dhparam.pem; {% endif %} # Enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # Disable SSLv3 since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES'; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ ssl_certificate_path }}; # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping # 15768000 seconds = 6 months add_header Strict-Transport-Security max-age=15768000; # By default, return 404 location / { return 404; } {% if 'data' in group_names %} {% if thredds_enabled %} location /thredds { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://thredds:8080; } {% endif %} {% if fileserver_enabled %} location /thredds/fileServer { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://fileserver:8080; } {% endif %} {% endif %} {% if 'index' in group_names %} {% if solr_enabled %} # We only want to permit access to the replication handler for each core from outside location ~ ^/solr/[a-z]+/replication { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://solr-slave:8983; } {% endif %} {% if search_enabled %} location /esg-search { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://search:8080; } {% endif %} {% endif %} } Loading
deploy/ansible/roles/proxy/defaults/main.yml +6 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,12 @@ image_pull: true # Proxy configuration ### # Default Nginx config using only HTTP nginx_config_template: proxy.conf.j2 # Generates a Diffie-Helmet file for the server if enabled generate_dhparam: false # Settings for the proxy image proxy_image_prefix: "{{ image_prefix }}" proxy_image_tag: "{{ image_tag }}" Loading
deploy/ansible/roles/proxy/tasks/main.yml +41 −3 Original line number Diff line number Diff line Loading @@ -13,10 +13,46 @@ docker_network: name: esgf # TMP - name: Generate self-signed SSL certificate command: > openssl req -new -nodes -x509 -subj "/C=GB/ST=Oxfordshire/L=Didcot/O=Science and Technology Facilities Council/OU=Centre for Environmental Data Analysis/CN=localhost" -days 3650 -keyout /esg/config/proxy/ssl/proxy.key -out /esg/config/proxy/ssl/proxy.crt -extensions v3_ca args: creates: "/esg/config/proxy/ssl/proxy.crt" when: use_self_signed_ssl_cert is defined and use_self_signed_ssl_cert notify: "restart web server" # TMP - name: Install a provided certificate block: - name: Set paths for the SSL certificate and key set_fact: ssl_certificate_path: /esg/config/proxy/ssl/proxy.crt ssl_private_key_path: /esg/config/proxy/ssl/proxy.key - name: Install SSL certificate copy: content: "{{ ssl_certificate }}" dest: "{{ ssl_certificate_path }}" - name: Install SSL private key copy: content: "{{ ssl_private_key }}" dest: "{{ ssl_private_key_path }}" when: ssl_certificate is defined and ssl_private_key is defined - name: Create Ephemeral Diffie-Helman parameters file command: openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096 args: creates: /esg/config/proxy/ssl/dhparam.pem when: generate_dhparam - name: Write proxy configuration template: src: proxy.conf.j2 dest: /esg/config/proxy/proxy.conf src: "{{ nginx_config_template }}" dest: /esg/config/proxy/conf.d/proxy.conf - name: Start proxy container docker_container: Loading @@ -34,6 +70,8 @@ networks_cli_compatible: yes volumes: # Mount the Nginx configuration for the proxy - "/esg/config/proxy:/etc/nginx/conf.d:ro" - "/esg/config/proxy/conf.d:/etc/nginx/conf.d:ro" # Mount any SSL files for the proxy - "/esg/config/proxy/ssl:/etc/nginx/ssl:ro" state: started recreate: yes
deploy/ansible/roles/proxy/templates/ssl.proxy.conf.j2 0 → 100644 +79 −0 Original line number Diff line number Diff line # HTTP and HTTPS server blocks that proxy to the other containers running on this host server { listen 8080 ssl http2 default_server; server_name _; # Use the Docker embedded DNS server to allow us to resolve container names resolver 127.0.0.11 ipv6=off; ssl_certificate {{ ssl_certificate_path }}; ssl_certificate_key {{ ssl_private_key_path }}; # SSL configuration from Mozilla SSL config generator # https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; {% if generate_dhparam %} # Diffie-Hellman parameter for DHE ciphersuites ssl_dhparam /etc/nginx/ssl/dhparam.pem; {% endif %} # Enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # Disable SSLv3 since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!3DES'; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate {{ ssl_certificate_path }}; # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping # 15768000 seconds = 6 months add_header Strict-Transport-Security max-age=15768000; # By default, return 404 location / { return 404; } {% if 'data' in group_names %} {% if thredds_enabled %} location /thredds { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://thredds:8080; } {% endif %} {% if fileserver_enabled %} location /thredds/fileServer { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://fileserver:8080; } {% endif %} {% endif %} {% if 'index' in group_names %} {% if solr_enabled %} # We only want to permit access to the replication handler for each core from outside location ~ ^/solr/[a-z]+/replication { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://solr-slave:8983; } {% endif %} {% if search_enabled %} location /esg-search { include /etc/nginx/includes/proxy_params.conf; proxy_pass http://search:8080; } {% endif %} {% endif %} }
