Facilitate easy use of Let's Encrypt certificates
parent
67e1cf6849
commit
b774eaacc9
@ -11,5 +11,8 @@ COPY templates templates
|
|||||||
RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
|
RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
|
||||||
RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
|
RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
|
||||||
RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
|
RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
|
||||||
|
RUN mkdir /frontend-secrets
|
||||||
|
RUN ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem
|
||||||
|
RUN ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem
|
||||||
COPY entrypoint.sh /entrypoint.sh
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
ENTRYPOINT /entrypoint.sh
|
ENTRYPOINT /entrypoint.sh
|
||||||
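Review bot: The three added `RUN` lines have no comment saying that the symlinks are only a default, so from the Dockerfile alone it is unclear why the frontend keypair points into `/server-secrets` or how it is meant to be overridden. I would put `# Default frontend keypair is the CA's own; bind mount /frontend-secrets (read-only) to replace it` above them, since the bind mount described in nginx.conf hides both links. The steps can also share one layer: `RUN mkdir /frontend-secrets && ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem && ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem`. The links are created before `/server-secrets` is populated, so presumably nginx will refuse to start if neither the volume nor the bind mount supplies the files. The hunk starts at line 11 of the file, so earlier instructions are not visible here.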
|
12
nginx.conf
12
nginx.conf
@ -61,10 +61,6 @@ http {
|
|||||||
proxy_read_timeout 600;
|
proxy_read_timeout 600;
|
||||||
send_timeout 600;
|
send_timeout 600;
|
||||||
|
|
||||||
# To use CA-s own certificate for frontend and mutually authenticated connections
|
|
||||||
ssl_certificate /server-secrets/self_cert.pem;
|
|
||||||
ssl_certificate_key /server-secrets/self_key.pem;
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
# Section for serving insecure HTTP, note that this is suitable for
|
# Section for serving insecure HTTP, note that this is suitable for
|
||||||
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
|
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
|
||||||
@ -97,6 +93,10 @@ http {
|
|||||||
# once it has been configured
|
# once it has been configured
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||||
|
|
||||||
|
# Bind mount this directory to use Let's Encrypt keypair for frontend
|
||||||
|
ssl_certificate /frontend-secrets/cert.pem;
|
||||||
|
ssl_certificate_key /frontend-secrets/key.pem;
|
||||||
|
|
||||||
#proxy pass event
|
#proxy pass event
|
||||||
location /api/event/ {
|
location /api/event/ {
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
@ -147,6 +147,10 @@ http {
|
|||||||
ssl_verify_client optional;
|
ssl_verify_client optional;
|
||||||
ssl_client_certificate /server-secrets/ca_cert.pem;
|
ssl_client_certificate /server-secrets/ca_cert.pem;
|
||||||
|
|
||||||
|
# Use same keypair used by IPSec, OpenVPN
|
||||||
|
ssl_certificate /server-secrets/self_cert.pem;
|
||||||
|
ssl_certificate_key /server-secrets/self_key.pem;
|
||||||
|
|
||||||
# Proxy pass to backend
|
# Proxy pass to backend
|
||||||
location /api/ {
|
location /api/ {
|
||||||
proxy_pass http://read-write;
|
proxy_pass http://read-write;
|
||||||
|
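Review bot: The comment added above `ssl_certificate /frontend-secrets/cert.pem;` does not say what the mounted directory must contain, and the expected file names do not match what certbot writes. nginx serves exactly the contents of the `ssl_certificate` file, so a leaf-only `cert.pem` would leave clients without the intermediate and chain validation would fail. Certbot's files are `fullchain.pem` and `privkey.pem`, so the operator has to rename or link them. I would extend the comment to `# Bind mount a directory holding cert.pem (leaf plus intermediates, i.e. certbot's fullchain.pem) and key.pem (certbot's privkey.pem)`. If the mounted directory is certbot's `live/<domain>` directory, its entries are presumably symlinks into `archive/` and would dangle inside the container unless that tree is mounted too, which is worth a line in the documentation.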