Move akkounts nginx to nginx proxy
This commit is contained in:
Râu Cao
parent
e2e857ec76
commit
8225e1b67b
GPG Key ID:
15E65F399D084BA9
@ -38,6 +38,7 @@
|
|||||||
"kosmos_gitea::nginx",
|
"kosmos_gitea::nginx",
|
||||||
"kosmos_website",
|
"kosmos_website",
|
||||||
"kosmos_website::default",
|
"kosmos_website::default",
|
||||||
|
"kosmos-akkounts::nginx",
|
||||||
"kosmos-akkounts::nginx_api",
|
"kosmos-akkounts::nginx_api",
|
||||||
"kosmos-bitcoin::nginx_lndhub",
|
"kosmos-bitcoin::nginx_lndhub",
|
||||||
"kosmos-ejabberd::nginx",
|
"kosmos-ejabberd::nginx",
|
||||||
|
|||||||
@ -3,7 +3,6 @@ name "akkounts"
|
|||||||
default_run_list = %w(
|
default_run_list = %w(
|
||||||
role[postgresql_client]
|
role[postgresql_client]
|
||||||
kosmos-akkounts::default
|
kosmos-akkounts::default
|
||||||
kosmos-akkounts::nginx
|
|
||||||
)
|
)
|
||||||
|
|
||||||
env_run_lists(
|
env_run_lists(
|
||||||
|
|||||||
@ -23,6 +23,7 @@ default_run_list = %w(
|
|||||||
kosmos_garage::nginx_web
|
kosmos_garage::nginx_web
|
||||||
kosmos_gitea::nginx
|
kosmos_gitea::nginx
|
||||||
kosmos_website::default
|
kosmos_website::default
|
||||||
|
kosmos-akkounts::nginx
|
||||||
kosmos-akkounts::nginx_api
|
kosmos-akkounts::nginx_api
|
||||||
kosmos-bitcoin::nginx_lndhub
|
kosmos-bitcoin::nginx_lndhub
|
||||||
kosmos-ejabberd::nginx
|
kosmos-ejabberd::nginx
|
||||||
|
|||||||
@ -217,10 +217,7 @@ application deploy_path do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO move to nginx proxy
|
firewall_rule "akkounts_zerotier" do
|
||||||
include_recipe 'kosmos-akkounts::nginx'
|
|
||||||
|
|
||||||
firewall_rule "Akkounts private access" do
|
|
||||||
command :allow
|
command :allow
|
||||||
port node["akkounts"]["port"]
|
port node["akkounts"]["port"]
|
||||||
protocol :tcp
|
protocol :tcp
|
||||||
|
|||||||
@ -9,12 +9,20 @@ domain = node[app_name]["domain"]
|
|||||||
|
|
||||||
nginx_certbot_site domain
|
nginx_certbot_site domain
|
||||||
|
|
||||||
|
upstream_hosts = []
|
||||||
|
search(:node, "role:akkounts").each do |node|
|
||||||
|
upstream_hosts << node["knife_zero"]["host"]
|
||||||
|
end
|
||||||
|
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||||
source "nginx_conf_#{app_name}.erb"
|
source "nginx_conf_#{app_name}.erb"
|
||||||
owner 'www-data'
|
owner 'www-data'
|
||||||
mode 0640
|
mode 0640
|
||||||
variables port: node[app_name]['port'],
|
variables port: node[app_name]['port'],
|
||||||
domain: domain,
|
domain: domain,
|
||||||
|
upstream_port: node["akkounts"]["port"],
|
||||||
|
upstream_hosts: upstream_hosts,
|
||||||
root_dir: "/opt/#{app_name}/public",
|
root_dir: "/opt/#{app_name}/public",
|
||||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||||
|
|||||||
@ -12,6 +12,7 @@ upstream_hosts = []
|
|||||||
search(:node, "role:akkounts").each do |node|
|
search(:node, "role:akkounts").each do |node|
|
||||||
upstream_hosts << node["knife_zero"]["host"]
|
upstream_hosts << node["knife_zero"]["host"]
|
||||||
end
|
end
|
||||||
|
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||||
|
|
||||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||||
source "nginx_conf_akkounts_api.erb"
|
source "nginx_conf_akkounts_api.erb"
|
||||||
|
|||||||
@ -1,17 +1,23 @@
|
|||||||
# Generated by Chef
|
# Generated by Chef
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
upstream _akkounts {
|
upstream _akkounts {
|
||||||
server localhost:<%= @port %>;
|
<% @upstream_hosts.each do |host| %>
|
||||||
|
server <%= host %>:<%= @upstream_port %>;
|
||||||
|
<% end %>
|
||||||
}
|
}
|
||||||
|
|
||||||
|
proxy_cache_path /var/cache/nginx/akkounts levels=1:2
|
||||||
|
keys_zone=akkounts_cache:10m
|
||||||
|
max_size=1g inactive=120m use_temp_path=off;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
listen [::]:443 ssl http2;
|
||||||
|
server_name <%= @domain %>;
|
||||||
|
|
||||||
ssl_certificate <%= @ssl_cert %>;
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
ssl_certificate_key <%= @ssl_key %>;
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
|
|
||||||
server_name <%= @domain %>;
|
add_header Strict-Transport-Security "max-age=15768000";
|
||||||
|
|
||||||
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||||
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||||
@ -23,32 +29,19 @@ server {
|
|||||||
gzip_static on;
|
gzip_static on;
|
||||||
expires max;
|
expires max;
|
||||||
add_header Cache-Control public;
|
add_header Cache-Control public;
|
||||||
|
proxy_cache akkounts_cache;
|
||||||
}
|
}
|
||||||
|
|
||||||
try_files $uri/index.html $uri @app;
|
try_files $uri/index.html $uri @proxy;
|
||||||
|
|
||||||
location @app {
|
location @proxy {
|
||||||
# an HTTP header important enough to have its own Wikipedia entry:
|
|
||||||
# http://en.wikipedia.org/wiki/X-Forwarded-For
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
|
||||||
# enable this if and only if you use HTTPS, this helps Rack
|
|
||||||
# set the proper protocol for doing redirects:
|
|
||||||
proxy_set_header X-Forwarded-Proto https;
|
proxy_set_header X-Forwarded-Proto https;
|
||||||
|
|
||||||
# pass the Host: header from the client right along so redirects
|
|
||||||
# can be set properly within the Rack application
|
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
|
|
||||||
# we don't want nginx trying to do something clever with
|
|
||||||
# redirects, we set the Host: header above already.
|
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
|
|
||||||
# Increase number of buffers. Default is 8
|
|
||||||
proxy_buffers 1024 8k;
|
proxy_buffers 1024 8k;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
proxy_pass http://_akkounts;
|
proxy_pass http://_akkounts;
|
||||||
proxy_http_version 1.1;
|
}
|
||||||
}
|
|
||||||
}
|
}
|
||||||
<% end -%>
|
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
# Generated by Chef
|
# Generated by Chef
|
||||||
upstream _akkounts {
|
upstream _akkounts_api {
|
||||||
<% @upstream_hosts.each do |host| %>
|
<% @upstream_hosts.each do |host| %>
|
||||||
server <%= host %>:<%= @upstream_port %>;
|
server <%= host %>:<%= @upstream_port %>;
|
||||||
<% end %>
|
<% end %>
|
||||||
@ -15,6 +15,9 @@ server {
|
|||||||
|
|
||||||
add_header 'Strict-Transport-Security' 'max-age=31536000';
|
add_header 'Strict-Transport-Security' 'max-age=31536000';
|
||||||
|
|
||||||
|
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||||
|
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||||
|
|
||||||
location /kredits/ {
|
location /kredits/ {
|
||||||
add_header 'Access-Control-Allow-Origin' '*' always;
|
add_header 'Access-Control-Allow-Origin' '*' always;
|
||||||
add_header 'Access-Control-Allow-Methods' 'GET' always;
|
add_header 'Access-Control-Allow-Methods' 'GET' always;
|
||||||
@ -28,6 +31,6 @@ server {
|
|||||||
proxy_buffers 1024 8k;
|
proxy_buffers 1024 8k;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
proxy_pass http://_akkounts/api/kredits/;
|
proxy_pass http://_akkounts_api/api/kredits/;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user