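--- a/https-proxy/Dockerfile
+++ b/https-proxy/Dockerfile
@@ -0,0 +1,12 @@
+FROM nginx:alpine
+
+# Overwrite default configuration
+ADD build/proxy.conf /etc/nginx/conf.d/default.conf
+# Install generated certificates; run `gen.sh` first
+ADD build/proxy.crt /etc/nginx/proxy.crt
+ADD build/proxy.key /etc/nginx/proxy.key
+
+EXPOSE 8080 14443
+
+# Poll healthcheck port until it returns 2xx or 3xx.
+CMD ["sh", "-c", "while ! { wget --spider -S http://jaeger-collector:14269; }; do echo waiting for healthcheck; sleep 1; done; nginx -g 'daemon off;'"]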
@@ -0,0 +1,10 @@ | ||
-----BEGIN CERTIFICATE----- | ||
What's the expiration date for this one?
Noted in gen.sh.
||
MIIBbTCCARSgAwIBAgIJAJXCC2VdhrxqMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMM | ||
B1RFU1QgQ0EwHhcNMTkwMzA3MTQzODIwWhcNMjkwMzA3MTQzODIwWjASMRAwDgYD | ||
VQQDDAdURVNUIENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAhYnw9zYU0G3 | ||
VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/0A1Of2zqxbyJpaEIFcqTmTTy | ||
TXCE7I6B6aNTMFEwHQYDVR0OBBYEFLXSxii6ZFvw427zs7ct/B+eHv2QMB8GA1Ud | ||
IwQYMBaAFLXSxii6ZFvw427zs7ct/B+eHv2QMA8GA1UdEwEB/wQFMAMBAf8wCgYI | ||
KoZIzj0EAwIDRwAwRAIgBrX7CX8zNoRLAZ48jGcqI8RuNlpkj0S+UShIQjwez3AC | ||
IGuqhnGb9JZSiZmIQaYdSE6T/sQaX7iDnwEgKGMI8OB7 | ||
-----END CERTIFICATE----- |
@@ -0,0 +1,8 @@ | ||
-----BEGIN EC PARAMETERS----- | ||
BggqhkjOPQMBBw== | ||
-----END EC PARAMETERS----- | ||
-----BEGIN EC PRIVATE KEY----- | ||
MHcCAQEEIAA24MB8sxrLG1an0nG1DCH6J32iqrtborxFOjdqWNCmoAoGCCqGSM49 | ||
AwEHoUQDQgAEAhYnw9zYU0G3VZ48nNlT5jAs096pX0zeHM/yxiJe+DS5Yj0EJXM/ | ||
0A1Of2zqxbyJpaEIFcqTmTTyTXCE7I6B6Q== | ||
-----END EC PRIVATE KEY----- | ||
Are these being generated by …?
No, this is the root certificate, which is used to generate the proxy's certificate by …. The public key pin is coded here: …
Could you please document somewhere how you generated these files?
OK, I will.
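Review bot: This file is the CA signing key, and per the thread the client pins the matching public key, so whoever holds this key can mint a certificate the client will accept; committing it is only acceptable for a throwaway test CA, and nothing in the file says that. Secret scanners will flag it on every clone, so label it explicitly: a short `README` in `https-proxy/` stating `authority.key is a test-only CA key whose public key is pinned by the crossdock client; never deploy or trust it outside crossdock` keeps the next maintainer from treating it as a real secret to rotate or a real root to reuse. The generated leaf material in `build/` should stay git-ignored so it never lands beside these files — I cannot see `.gitignore` from here.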
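--- a/https-proxy/gen.sh
+++ b/https-proxy/gen.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ $# -ne 2 ]]; then
+echo usage: $0 '<proxy-name> <forward-target>'
+exit 1
+fi
+
+SERVER=$1
+FORWARD=$2
+TARGET=build/proxy
+
+# generate secrets
+cd $(dirname $0)
+mkdir -p ./build
+openssl ecparam -genkey -name prime256v1 -out ${TARGET}.key
+openssl req -new -sha256 -key ${TARGET}.key -out ${TARGET}.csr -subj \
+"/CN=${SERVER}/"
+openssl x509 -req -sha256 -days 1 -CA authority.crt -CAkey authority.key -CAcreateserial -in ${TARGET}.csr -out ${TARGET}.crt
+chmod 644 ${TARGET}.key
+
+cat authority.crt >> ${TARGET}.crt
+
+# generate nginx settings
+SERVER=${SERVER} FORWARD=${FORWARD} envsubst < "proxy.template.conf" > ${TARGET}.conf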
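Review bot: `chmod 644 ${TARGET}.key` makes the freshly generated private key world-readable on the host and, since the Dockerfile copies it with `ADD`, inside the image as well; the nginx master process loads the certificate and key, and in the stock `nginx:alpine` image it runs as root, so `chmod 600` should be enough — confirm against the image before changing it. The leaf certificate carries only `CN=${SERVER}` and no subjectAltName, so verifiers that ignore CN will reject it, and because `openssl x509 -req` does not copy extensions from the CSR the SAN has to be supplied at signing time with `-extfile`. Every expansion in the script (`$0`, `$(dirname $0)`, `${TARGET}`) is unquoted and only `set -e` is on; `set -euo pipefail` plus quoting costs nothing here. `-CAcreateserial` also drops `authority.srl` next to the committed CA files, which should be git-ignored together with `build/`.
```shell
set -euo pipefail
# … unchanged: usage check, SERVER/FORWARD/TARGET …
cd "$(dirname "$0")"
mkdir -p ./build
openssl ecparam -genkey -name prime256v1 -out "${TARGET}.key"
openssl req -new -sha256 -key "${TARGET}.key" -out "${TARGET}.csr" -subj "/CN=${SERVER}/"
# x509 -req ignores CSR extensions, so the SAN is injected at signing time
openssl x509 -req -sha256 -days 1 -CA authority.crt -CAkey authority.key -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "${SERVER}") \
  -in "${TARGET}.csr" -out "${TARGET}.crt"
chmod 600 "${TARGET}.key"   # root-owned nginx master still reads it; no need for world-read
# … unchanged: chain concatenation, envsubst …
```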
@@ -0,0 +1,20 @@ | ||
server { | ||
listen 8080; | ||
server_name ${SERVER}; | ||
location / { | ||
root /usr/share/nginx/html/; | ||
index index.html; | ||
The indentation here seems a bit off.
||
} | ||
} | ||
|
||
server { | ||
listen 14443 ssl; | ||
|
||
server_name ${SERVER}; | ||
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
I know this is only for testing, but could we have a production-grade configuration here? Like a secure set of ciphers and options like … For reference, this is what I used to have on a few servers of mine, which was "current" a couple of years ago:
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name acme.example.com;
ssl_certificate /etc/pki/tls/certs/acme.example.com.bundle.cert;
ssl_certificate_key /etc/pki/tls/private/acme.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # probably needs an update to include TLSv1.3?
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
add_header Strict-Transport-Security max-age=31536000;
root /usr/share/nginx/html/acme.example.com;
}
|
||
ssl_certificate /etc/nginx/proxy.crt; | ||
ssl_certificate_key /etc/nginx/proxy.key; | ||
location / { | ||
proxy_pass http://${FORWARD}; | ||
} | ||
} |
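Review bot: `server_name ${SERVER}` and `proxy_pass http://${FORWARD}` are rendered by `envsubst` with no variable list (see `gen.sh`), so every `$name` in this template is replaced from the environment, not just the two placeholders; any nginx variable added later, such as `$host` in a `proxy_set_header`, would be silently rewritten to an empty string and the proxy would misbehave without an obvious cause. Restrict the substitution to the intended names in the generator, `envsubst '${SERVER} ${FORWARD}' < proxy.template.conf`, and say so at the top of this file: `# Rendered by gen.sh via envsubst; only ${SERVER} and ${FORWARD} are placeholders`. The protocol and cipher hardening is already being discussed above, so I will not repeat it.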
@@ -5,14 +5,14 @@ JAEGER_COMPOSE_URL=https://raw.githubusercontent.com/jaegertracing/jaeger/master | |
XDOCK_JAEGER_YAML=$(PROJECT)/jaeger-docker-compose.yml | ||
|
||
.PHONY: crossdock | ||
crossdock: gradle-compile crossdock-download-jaeger | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http | ||
crossdock: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) kill java-udp java-http java-https | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) rm -f java-udp java-http java-https | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) build java-udp java-http java-https | ||
|
||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock | ||
|
||
.PHONY: crossdock-fresh | ||
crossdock-fresh: gradle-compile crossdock-download-jaeger | ||
crossdock-fresh: gradle-compile crossdock-proxy-secret-gen crossdock-download-jaeger | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) down --rmi all | ||
docker-compose -f $(XDOCK_YAML) -f $(XDOCK_JAEGER_YAML) run crossdock | ||
|
||
|
@@ -30,3 +30,7 @@ crossdock-clean: | |
.PHONY: crossdock-download-jaeger | ||
crossdock-download-jaeger: | ||
curl -o $(XDOCK_JAEGER_YAML) $(JAEGER_COMPOSE_URL) | ||
|
||
.PHONY: crossdock-proxy-secret-gen | ||
crossdock-proxy-secret-gen: | ||
$(PROJECT)/https-proxy/gen.sh jaeger-collector-https-proxy jaeger-collector:14268 |
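Review bot: The `build` line of the `crossdock` target rebuilds only `java-udp java-http java-https`, while `crossdock-proxy-secret-gen` has just replaced `build/proxy.{key,crt,conf}` that the proxy image consumes; if compose reuses a cached proxy image, it keeps an old key and a certificate that `gen.sh` issued for one day, and the resulting TLS failure looks unrelated to the Makefile. Either add the proxy service to the `kill`/`rm`/`build` lines (its compose service name is not visible in this hunk) or document the coupling on the new target: `# regenerates build/proxy.{key,crt,conf}; the proxy image must be rebuilt afterwards (cert is valid for 1 day)`. `gen.sh` also writes `authority.srl` beside the committed CA files; confirm that it and `build/` are git-ignored and cleaned by `crossdock-clean`, which lies outside this hunk.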
Not thrilled with the name. Is it typical to pass certs via env vars? We've recently added many TLS options to Jaeger backend, and the certs are always passed via files.
I had three reasons to pass this via environment variable over file.