airship/images
Code Issues Proposed changes

Add TLS options to the reverse-proxy for vino

Browse Source 
This adds the option to enable TLS for the vino reverse-proxy. As a
bonus, basic_auth has also been parameterized.

Change-Id: I202c2184fb0fa08585c150110be1127ff326865e
This commit is contained in:
Ian Howell 2021-05-04 13:35:09 -05:00
parent f093129b32
commit aee28c9a98
3 changed files with 45 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
vino-reverse-proxy/Dockerfile
View File

@ -1,11 +1,16 @@
FROM nginx:alpine FROM nginx:alpine
ENV USE_BASIC_AUTH="false"
ENV BASIC_AUTH_USERNAME="username" ENV BASIC_AUTH_USERNAME="username"
ENV BASIC_AUTH_PASSWORD="password" ENV BASIC_AUTH_PASSWORD="password"
RUN apk add --update --no-cache apache2-utils ENV USE_TLS="false"
ENV TLS_CRT=""
ENV TLS_KEY=""
COPY assets/default.conf /etc/nginx/conf.d/default.conf RUN apk add --update --no-cache apache2-utils ;
COPY assets/default.conf.tpl /default.conf.tpl
COPY assets/entrypoint.sh /entrypoint.sh COPY assets/entrypoint.sh /entrypoint.sh
ENTRYPOINT /entrypoint.sh ENTRYPOINT /entrypoint.sh

10
vino-reverse-proxy/assets/default.conf → vino-reverse-proxy/assets/default.conf.tpl
View File

@ -1,16 +1,12 @@
server { server {
listen 8000;
server_name localhost; server_name localhost;
$tls_config
location / { location / {
proxy_pass http://localhost:5000/; proxy_pass http://localhost:5000/;
proxy_set_header Authorization $http_authorization; proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization; proxy_pass_header Authorization;
$basic_auth_config
# Basic Auth
limit_except OPTIONS {
auth_basic "Restricted";
auth_basic_user_file "auth.htpasswd";
}
} }
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
location = /50x.html { location = /50x.html {

36
vino-reverse-proxy/assets/entrypoint.sh
View File

@ -1,5 +1,7 @@
#!/bin/sh #!/bin/sh
set -ex
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
# You may obtain a copy of the License at # You may obtain a copy of the License at
@ -12,5 +14,37 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
htpasswd -Bbn "$BASIC_AUTH_USERNAME" "$BASIC_AUTH_PASSWORD" > /etc/nginx/auth.htpasswd basic_auth_config=''
if [ "$USE_BASIC_AUTH" = "true" ]; then
htpasswd -Bbn "$BASIC_AUTH_USERNAME" "$BASIC_AUTH_PASSWORD" > /etc/nginx/auth.htpasswd
basic_auth_config='
# Basic Auth
limit_except OPTIONS {
auth_basic "Restricted";
auth_basic_user_file "auth.htpasswd";
}'
fi
export basic_auth_config
tls_config='listen 8000;'
if [ "$USE_TLS" = "true" ]; then
mkdir -p /etc/ssl/certs
mkdir -p /etc/ssl/private
echo "$TLS_CRT" > /etc/ssl/certs/redfish-auth.crt
echo "$TLS_KEY" > /etc/ssl/private/redfish-auth.key
tls_config='listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/redfish-auth.crt;
ssl_certificate_key /etc/ssl/private/redfish-auth.key;'
fi
export tls_config
vars='$basic_auth_config:$tls_config'
envsubst "$vars" </default.conf.tpl >/etc/nginx/conf.d/default.conf
cat /etc/nginx/conf.d/default.conf
nginx -g 'daemon off;' nginx -g 'daemon off;'