Add TLS options to the reverse-proxy for vino

This adds the option to enable TLS for the vino reverse-proxy. As a bonus, basic_auth has also been parameterized. Change-Id: I202c2184fb0fa08585c150110be1127ff326865e
2021-05-04 13:35:09 -05:00 · 2021-05-04 13:35:09 -05:00 · aee28c9a98
parent f093129b32
commit aee28c9a98
3 changed files with 45 additions and 10 deletions
--- a/vino-reverse-proxy/Dockerfile
+++ b/vino-reverse-proxy/Dockerfile
@ -1,11 +1,16 @@
 FROM nginx:alpine

+ENV USE_BASIC_AUTH="false"
 ENV BASIC_AUTH_USERNAME="username"
 ENV BASIC_AUTH_PASSWORD="password"

-RUN apk add --update --no-cache apache2-utils
+ENV USE_TLS="false"
+ENV TLS_CRT=""
+ENV TLS_KEY=""

-COPY assets/default.conf /etc/nginx/conf.d/default.conf
+RUN apk add --update --no-cache apache2-utils ;
+
+COPY assets/default.conf.tpl /default.conf.tpl
 COPY assets/entrypoint.sh /entrypoint.sh

 ENTRYPOINT /entrypoint.sh
--- a/vino-reverse-proxy/assets/default.conf.tpl
+++ b/vino-reverse-proxy/assets/default.conf.tpl
@ -1,16 +1,12 @@
 server {
-    listen       8000;
    server_name  localhost;
+    $tls_config
+
    location / {
        proxy_pass  http://localhost:5000/;
        proxy_set_header Authorization $http_authorization;
        proxy_pass_header  Authorization;
-
-        # Basic Auth
-        limit_except OPTIONS {
-            auth_basic "Restricted";
-            auth_basic_user_file "auth.htpasswd";
-        }
+        $basic_auth_config
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
--- a/vino-reverse-proxy/assets/entrypoint.sh
+++ b/vino-reverse-proxy/assets/entrypoint.sh
@ -1,5 +1,7 @@
 #!/bin/sh

+set -ex
+
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
@ -12,5 +14,37 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-htpasswd -Bbn "$BASIC_AUTH_USERNAME" "$BASIC_AUTH_PASSWORD" > /etc/nginx/auth.htpasswd
+basic_auth_config=''
+if [ "$USE_BASIC_AUTH" = "true" ]; then
+  htpasswd -Bbn "$BASIC_AUTH_USERNAME" "$BASIC_AUTH_PASSWORD" > /etc/nginx/auth.htpasswd
+  basic_auth_config='
+        # Basic Auth
+        limit_except OPTIONS {
+            auth_basic "Restricted";
+            auth_basic_user_file "auth.htpasswd";
+        }'
+fi
+export basic_auth_config
+
+tls_config='listen       8000;'
+
+if [ "$USE_TLS" = "true" ]; then
+  mkdir -p /etc/ssl/certs
+  mkdir -p /etc/ssl/private
+
+  echo "$TLS_CRT" > /etc/ssl/certs/redfish-auth.crt
+  echo "$TLS_KEY" > /etc/ssl/private/redfish-auth.key
+
+  tls_config='listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    ssl_certificate /etc/ssl/certs/redfish-auth.crt;
+    ssl_certificate_key /etc/ssl/private/redfish-auth.key;'
+fi
+export tls_config
+
+vars='$basic_auth_config:$tls_config'
+envsubst "$vars" </default.conf.tpl >/etc/nginx/conf.d/default.conf
+
+cat /etc/nginx/conf.d/default.conf
+
 nginx -g 'daemon off;'