Lab5 for doing R33 upgrades

labs/lab5/docker-compose.yml

@@ -0,0 +1,187 @@
+# NGINX Plus / OSS with NGINX Agent
+# NGINX webservers with ingress-demo pages
+# NGINX One Console Instance Registration
+# NGINX Basics, Dec 2024
+# Chris Akker, Shouvik Dutta, Adam Currier
+#
+services:
+  plus1: # Alpine NGINX Plus Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey From One Console
+      NGINX_AGENT_INSTANCE_GROUP: $NAME-sync-group
+    hostname: $NAME-plus1
+    container_name: $NAME-plus1
+    image: private-registry.nginx.com/nginx-plus/agent:nginx-plus-r32-alpine-3.20-20240613 # CVE - From Nginx Private Registry
+    volumes: # Sync these folders to container
+      - ./nginx-plus/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-plus/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-plus/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-plus/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - 80:80 # Open for HTTP
+      - 443:443 # Open for HTTPS
+      - 9000:9000 # Open for stub status page
+      - 9113:9113 # Open for Prometheus Scraper page
+    restart: always
+  #
+  plus2: # Alpine NGINX Plus Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+      NGINX_AGENT_INSTANCE_GROUP: $NAME-sync-group
+    hostname: $NAME-plus2
+    container_name: $NAME-plus2
+    image: private-registry.nginx.com/nginx-plus/agent:nginx-plus-r31-alpine-3.19-20240522 # CVE - From Nginx Private Registry
+    volumes: # Sync these folders to container
+      - ./nginx-plus/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-plus/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-plus/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-plus/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+      - '9000' # Open for API / Dashboard page
+      - '9113' # Open for Prometheus Scraper page
+    restart: always
+  #
+  plus3: # RHEL UBI NGINX Plus Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+      NGINX_AGENT_INSTANCE_GROUP: $NAME-sync-group
+    hostname: $NAME-plus3
+    container_name: $NAME-plus3
+    image: private-registry.nginx.com/nginx-plus/agent:nginx-plus-r31-ubi-9-20240522 # From Nginx Private Registry
+    volumes: # Sync these folders to container
+      - ./nginx-plus/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-plus/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-plus/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-plus/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+      - '9000' # Open for API / Dashboard page
+      - '9113' # Open for Prometheus Scraper page
+    restart: always
+  #
+#  plus4: # Debian R33 NGINX Plus Web / Load Balancer
+#    environment:
+#      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+#      NGINX_AGENT_SERVER_GRPCPORT: '443'
+#      NGINX_AGENT_TLS_ENABLE: 'true'
+#      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+#      NGINX_LICENSE_JWT: $JWT
+#      NGINX_AGENT_INSTANCE_GROUP: $NAME-sync-group
+#    hostname: $NAME-plus4
+#    container_name: $NAME-plus4
+#    image: private-registry.nginx.com/nginx-plus/agent:debian # From Nginx Private Registry R33
+#    volumes: # Sync these folders to container
+      - ./nginx-plus/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-plus/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-plus/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-plus/usr/share/nginx/html:/usr/share/nginx/html
+#    ports:
+#      - '80' # Open for HTTP
+#      - '443' # Open for HTTPS
+#      - '9000' # Open for API / Dashboard page
+#      - '9113' # Open for Prometheus Scraper page
+#    restart: always
+  #
+  oss1: # Debian NGINX OSS Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+    hostname: $NAME-oss1
+    container_name: $NAME-oss1
+    image: docker-registry.nginx.com/nginx/agent:mainline # From Docker Public Registry
+    volumes: # Sync these folders to container
+      - ./nginx-oss/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-oss/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-oss/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-oss/etc/ssl/nginx:/etc/ssl/nginx
+      - ./nginx-oss/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+      - '9000' # Open for stub status page
+      - '9113' # Open for Prometheus Scraper page
+    restart: always
+  #
+  oss2: # Alpine NGINX OSS Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+    hostname: $NAME-oss2
+    container_name: $NAME-oss2
+    image: docker-registry.nginx.com/nginx/agent:alpine # From Docker Public Registry
+    volumes: # Sync these folders to container
+      - ./nginx-oss/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-oss/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-oss/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-oss/etc/ssl/nginx:/etc/ssl/nginx
+      - ./nginx-oss/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+      - '9000' # Open for stub status page
+      - '9113' # Open for Prometheus Scraper page
+    restart: always
+    #
+  oss3: # Older Alpine NGINX OSS Web / Load Balancer
+    environment:
+      NGINX_AGENT_SERVER_HOST: 'agent.connect.nginx.com'
+      NGINX_AGENT_SERVER_GRPCPORT: '443'
+      NGINX_AGENT_TLS_ENABLE: 'true'
+      NGINX_AGENT_SERVER_TOKEN: $TOKEN # Datakey Fron Nginx One Console
+    hostname: $NAME-oss3
+    container_name: $NAME-oss3
+    image: docker-registry.nginx.com/nginx/agent:1.26-alpine # From Docker Public Registry
+    volumes: # Sync these folders to container
+      - ./nginx-oss/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx-oss/etc/nginx/conf.d:/etc/nginx/conf.d
+      - ./nginx-oss/etc/nginx/includes:/etc/nginx/includes
+      - ./nginx-oss/etc/ssl/nginx:/etc/ssl/nginx
+      - ./nginx-oss/usr/share/nginx/html:/usr/share/nginx/html
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+      - '9000' # Open for stub status page
+      - '9113' # Open for Prometheus Scraper page
+    restart: always
+  #
+  web1:
+    hostname: $NAME-web1
+    container_name: $NAME-web1
+    platform: linux/amd64
+    image: nginxinc/ingress-demo # Image from Docker Hub
+    ports:
+      - '80' # Open for HTTP
+      - '443' # Open for HTTPS
+  web2:
+    hostname: $NAME-web2
+    container_name: $NAME-web2
+    platform: linux/amd64
+    image: nginxinc/ingress-demo
+    ports:
+      - '80'
+      - '433'
+  web3:
+    hostname: $NAME-web3
+    container_name: $NAME-web3
+    platform: linux/amd64
+    image: nginxinc/ingress-demo
+    ports:
+      - '80'
+      - '443'
+

labs/lab5/nginx-oss/etc/nginx/conf.d/cafe.example.com.conf

@@ -0,0 +1,27 @@
+# cafe.example.com HTTP
+server {
+    # Listening on port 80 on all IP addresses on this machine
+    listen 80;
+
+    server_name cafe.example.com;
+
+    # status_zone cafe-VirtualServer;
+
+    # Server specific logging
+    access_log  /var/log/nginx/cafe.example.com.log main_ext; 
+    error_log   /var/log/nginx/cafe.example.com_error.log info; 
+
+    location / {
+
+        proxy_buffering off;
+
+        # Including best-practice headers are bonus points
+        include includes/proxy_headers.conf;
+        include includes/keepalive.conf;
+
+        # status_zone /;
+
+        proxy_pass http://nginx_cafe;
+    }
+
+}

labs/lab5/nginx-oss/etc/nginx/conf.d/stub_status.conf

@@ -0,0 +1,19 @@
+# ngx_http_stub_status_module (Available in NGINX OSS)
+# provides Basic Status information http://nginx.org/en/docs/http/ngx_http_stub_status_module.html
+
+server {
+	listen 9000 ssl;              # Listener for Stub Status
+
+	ssl_certificate /etc/ssl/nginx/30-day.crt;
+    ssl_certificate_key /etc/ssl/nginx/30-day.key;
+
+	location /basic_status {
+		stub_status;
+	}
+
+	   # Redirect requests for "/" to "/basic_status"
+   location / {
+       return 301 /basic_status;
+   }
+
+}

labs/lab5/nginx-oss/etc/nginx/conf.d/tls-cars.example.com.conf

@@ -0,0 +1,54 @@
+# cars.example.com HTTP/HTTPS
+# NGINX Basics Workshop
+# Nov 2024, Chris Akker, Shouvik Dutta, Adam Currier
+#
+server {
+
+    listen 443 ssl;   # Uncomment to change to port 443, add "ssl" parameter for terminating TLS on all IP addresses on this machine
+
+    server_name cars.example.com;   # Set hostname to match in request
+
+# Update the following lines for NGINX cert and key directives and file locations
+
+    ssl_certificate /etc/ssl/nginx/cars.crt;
+    ssl_certificate_key /etc/ssl/nginx/cars.key;
+
+    ssl_protocols TLSv1.1 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:3DES;
+    ssl_prefer_server_ciphers on;
+
+    access_log  /var/log/nginx/cars.example.com.log main;
+
+    error_log   /var/log/nginx/cars.example.com_error.log info;
+
+    root /usr/share/nginx/html;         # Set the root folder for the HTML and JPG files
+
+    location / {
+
+        default_type text/html;
+        return 200 "Let's go fast, you have reached cars.example.com, path $uri\n";
+    }
+
+    location /gtr {
+
+        try_files $uri $uri.html;         # Look for filename that matches the URI requested
+    }
+
+    location /nsx {
+
+        try_files $uri $uri.html;
+    }
+
+    location /rcf {
+
+        try_files $uri $uri.html;
+    }
+
+    location /browse {                   # new URL path
+
+        alias /usr/share/nginx/html;     # Browse this folder
+        index index.html;                # Use this file, but if it does *not* exist
+        autoindex on;                    # Perform directory/file browsing
+    }
+
+} 

labs/lab5/nginx-oss/etc/nginx/conf.d/upstreams.conf

@@ -0,0 +1,34 @@
+# NGINX Basics, Plus Proxy to three upstream NGINX containers
+# Nov 2024 - Chris Akker, Shouvik Dutta, Adam Currier
+# nginx_cafe servers
+#
+upstream nginx_cafe {         # Upstream block, the name is "nginx_cafe"
+
+    # Uncomment the zone directive below to add metrics to the Dashboard
+    # zone nginx_cafe 256k;
+
+    # Load Balancing Algorithms supported by NGINX
+    # - Round Robin (Default if nothing specified)
+    # - Least Connections
+    # - IP Hash
+    # - Hash (Any generic Hash)
+
+    # Load Balancing Algorithms supported by NGINX Plus
+    # - Least Time Last Byte / Header
+    # - Random Two     
+
+    # Uncomment for Least-Time Last-Byte algorithm      
+    # least_time last_byte;
+
+    # From Docker-Compose:
+    server web1:80;
+    server web2:80;
+    server web3:80;
+
+    # Uncomment for Cookie persistence
+    # sticky cookie srv_id expires=1m domain=.example.com path=/;
+
+    # Uncomment for keepalive TCP connections to upstreams
+    keepalive 16;
+
+}

labs/lab5/nginx-oss/etc/nginx/includes/keepalive.conf

@@ -0,0 +1,9 @@
+# Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+proxy_http_version 1.1;
+
+# Remove the Connection header if the client sends it,
+# it could be "close" to close a keepalive connection
+proxy_set_header Connection "";
+
+# Host request header field, or the server name matching a request
+proxy_set_header Host $host;

labs/lab5/nginx-oss/etc/nginx/includes/log_formats/main_ext.conf

@@ -0,0 +1,20 @@
+# Extended Log Format
+# Nginx Basics
+log_format  main_ext    'remote_addr="$remote_addr", '
+                        '[time_local=$time_local], '
+                        'request="$request", '
+                        'status="$status", '
+                        'http_referer="$http_referer", '
+                        'body_bytes_sent="$body_bytes_sent", '
+                        'Host="$host", '
+                        'sn="$server_name", '
+                        'request_time=$request_time, '
+                        'http_user_agent="$http_user_agent", '
+                        'http_x_forwarded_for="$http_x_forwarded_for", '
+                        'request_length="$request_length", '
+                        'upstream_address="$upstream_addr", '
+                        'upstream_status="$upstream_status", '
+                        'upstream_connect_time="$upstream_connect_time", '
+                        'upstream_header_time="$upstream_header_time", '
+                        'upstream_response_time="$upstream_response_time", '
+                        'upstream_response_length="$upstream_response_length", ';

labs/lab5/nginx-oss/etc/nginx/includes/proxy_headers.conf

@@ -0,0 +1,12 @@
+## Set Headers to the proxied servers ##
+
+# client address in a binary form, value’s length is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses
+proxy_set_header X-Real-IP $remote_addr;
+
+# X-Forwarded-For client request header field with the $remote_addr variable appended to it,
+# separated by a comma. If the “X-Forwarded-For” field is not present in the client request header,
+# the $proxy_add_x_forwarded_for variable is equal to the $remote_addr variable.
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# request scheme, “http” or “https”
+proxy_set_header X-Forwarded-Proto $scheme;