Add SSL support and documentation on how to use the container
6 files added
2 files modified
| | |
| | | nginx nginx-mod-http-perl \ |
| | | && yum clean all |
| | | |
| | | COPY nginx.conf /etc/nginx/ |
| | | COPY nginx/nginx.conf /etc/nginx/nginx.conf |
| | | # SSL - these two directive install the SSL configuration file |
| | | # This copies the Diffie-Hellman settings. Used by NGinx |
| | | COPY nginx/dhparam.pem /etc/ssl/conf/dhparam.pem |
| | | COPY nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf |
| | | ## End of SSL |
| | | |
| | | RUN touch /run/nginx.pid \ |
| | | && chgrp -R nginx /var/log/nginx /run/nginx.pid \ |
| | |
| | | |
| | | COPY src/ /usr/share/nginx/html |
| | | |
| | | EXPOSE 8080 |
| | | EXPOSE 8080 8443 |
| | | |
| | | USER nginx |
| | | |
New file |
| | |
| | | ## About this container |
| | | This container deploys a stand-alone To Do application written in AngularJS. |
| | | The web server supports both HTTP and HTTPs connection. |
| | | |
| | | ## How to build |
| | | Run the following command to build the container image: |
| | | `$ podman build -t do280/todo-angular:latest .` |
| | | |
| | | The current application provides a self-signed certificate in `ssl`. Their names |
| | | would match the certificates name in OpenShift. |
| | | If you need to regenerate a self-signed certificate,run the following command: |
| | | `$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt` |
| | | |
| | | If you need to recreate a Diffie-Hellman group, run the following command: |
| | | `$ openssl dhparam -out dhparam.pem 2048` |
| | | |
| | | ## How to run |
| | | |
| | | ### In HTTP mode |
| | | `podman run --userns keep-id -v ./ssl/certs:/usr/local/etc/ssl/certs:Z --name todo -p 8080:8080 do280/todo-angular:latest` |
| | | |
| | | ### In HTTPs mode |
| | | `podman run --userns keep-id -v ./ssl/certs:/usr/local/etc/ssl/certs:Z --name todo -p 8443:8443 do280/todo-angular:latest` |
| | | |
| | | ### Disable HTTPs support |
| | | If you need to disable HTTPs support, run the following steps: |
| | | |
| | | 1. In `Dockerfile` -- comment lines 16 and 17: |
| | | ``` |
| | | # COPY nginx/dhparam.pem /etc/ssl/conf/dhparam.pem |
| | | # COPY nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf |
| | | ``` |
| | | 2. In `nginx/nginx.conf`comment line 36 |
| | | ``` |
| | | # include /etc/nginx/conf.d/*.conf; |
| | | ``` |
| | | 3. Rebuild the image: |
| | | ``` |
| | | `$ podman build -t do280/todo-angular:latest .` |
| | | ``` |
| | | 4. Run the following command to create the container: |
| | | ``` |
| | | `$ podman run --name todo -p 8080:8080 do280/todo-angular:latest` |
| | | ``` |
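--- /dev/null
+++ b/nginx/conf.d/ssl.conf
@@ -0,0 +1,48 @@
+server {
+listen 8443 http2 ssl;
+listen [::]:8443 http2 ssl;
+
+server_name _;
+root /usr/share/nginx/html;
+
+ssl_certificate /usr/local/etc/ssl/certs/tls.crt;
+ssl_certificate_key /usr/local/etc/ssl/certs/tls.key;
+ssl_dhparam /etc/ssl/conf/dhparam.pem;
+
+########################################################################
+# from https://cipherli.st/ #
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
+########################################################################
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now. You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+##################################
+# END https://cipherli.st/ BLOCK #
+##################################
+
+location / {
+}
+
+error_page 404 /404.html;
+location = /404.html {
+}
+
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+}
+}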
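Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` explicitly re-enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and refused by current browsers, so the line copied from the cipherli.st block should become `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 availability depends on the OpenSSL the base image ships; if it is missing nginx simply ignores that token). `ssl_stapling on` / `ssl_stapling_verify on` with `resolver 8.8.8.8 8.8.4.4 valid=300s` add nothing for the self-signed certificate the README describes — there is no OCSP responder for nginx to query, and a hardcoded public resolver may be unreachable from a restricted cluster — so those four lines can be dropped, or kept behind a comment such as `# OCSP stapling only takes effect once a CA-issued certificate is mounted`. The `Strict-Transport-Security` header with `includeSubdomains` is emitted for `server_name _`, i.e. for whichever hostname the container is reached on, and pins browsers to HTTPS for two years while the plain 8080 server in `nginx/nginx.conf` keeps serving; that trade-off deserves a one-line comment above the `add_header` so learners who reuse the config on a real hostname understand it. Note also that `http2` as a `listen` parameter is deprecated in newer nginx releases in favour of `http2 on;` — whether that matters here depends on the packaged nginx version, which is not visible in this commit.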
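--- /dev/null
+++ b/nginx/dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAngpO95MkTY4tq05n3c4PWrsZbGdQBuKrOm8u8RzMRr1LgLvSHcZ3
+JHEpWwa78Iwh1Wu5U0rjSC/37ooN6qUB7dY++zulaF+r3UPABu2VVp5Hi48i2n6z
+xAAOj4kci9GvFnqZQGTx+1Vx1ICnRgpKc0CaCgMlGZ6aNP5Q8pW1V08uzH80xG9G
+djDnhyJIY7QKDIJuavJ1AOikzM4tYlliDoIaE2H9P2nNqiIhD8HdS/8TXfr2NLiB
+OGWC8E6ro3SWl/x1Anwg5Hy7YGBrLMDRZkPeoU6gFb2Y2DCnHA8ANLMgr05P6Ue8
+C15kRTtRE1waYY/NKoGWxHGcwMZLaeT5UwIBAg==
+-----END DH PARAMETERS-----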
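--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,65 @@
+# For more information on configuration, see:
+# * Official English Documentation: http://nginx.org/en/docs/
+# * Official Russian Documentation: http://nginx.org/ru/docs/
+
+env BACKEND_HOST;
+
+worker_processes auto;
+error_log stderr;
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+worker_connections 1024;
+}
+
+http {
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 65;
+types_hash_max_size 2048;
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+# Load modular configuration files from the /etc/nginx/conf.d directory.
+# See http://nginx.org/en/docs/ngx_core_module.html#include
+# for more information.
+include /etc/nginx/default.d/*.conf;
+include /etc/nginx/conf.d/*.conf;
+
+perl_set $backend 'sub { return $ENV{"BACKEND_HOST"}; }';
+
+server {
+listen 8080 default_server;
+listen [::]:8080 default_server;
+server_name _;
+root /usr/share/nginx/html;
+
+# Load configuration files for the default server block.
+# include /etc/nginx/conf.d/*.conf;
+
+sub_filter_types application/javascript;
+sub_filter '_BACKEND_' $backend;
+sub_filter_once off;
+
+location / {
+}
+
+error_page 404 /404.html;
+location = /40x.html {
+}
+
+error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+}
+}
+
+}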
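Review bot: The `sub_filter_types application/javascript;`, `sub_filter '_BACKEND_' $backend;` and `sub_filter_once off;` directives sit inside the 8080 server block only, so the HTTPS server that `include /etc/nginx/conf.d/*.conf;` pulls in from `nginx/conf.d/ssl.conf` does not inherit them and will serve the application JavaScript with the literal `_BACKEND_` placeholder over 8443. Moving those three lines up into the http context, next to the `perl_set $backend ...` line, lets both server blocks inherit the substitution without duplicating it. Separately, `error_page 404 /404.html;` is paired with `location = /40x.html { }`, so that exact-match location never serves the 404 page, while the HTTPS block uses `/404.html` for both; the two names should agree. Since `$backend` is taken from the `BACKEND_HOST` environment variable and spliced verbatim into served JavaScript, a comment such as `# BACKEND_HOST is operator-controlled and substituted unescaped into the app's JS` would make the trust assumption explicit.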
| | |
| | | |
| | | var todoItems = [ |
| | | { |
| | | description: 'Buy bread', |
| | | category: 'Domestic', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: 1.75, |
| | | notes: "Buy from Budgens\nor failing that from Tesco's" |
| | | }, |
| | | { |
| | | description: 'Buy milk', |
| | | category: 'Domestic', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: 0.75, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Buy stamps', |
| | | category: 'Domestic', |
| | | complete: true, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: 10.00, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Mow lawn', |
| | | description: 'Take OpenShift training', |
| | | category: 'Domestic', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: "Take OpenShift DO280 course" |
| | | }, |
| | | { |
| | | description: 'Book exam', |
| | | category: 'Domestic', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: 200, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Organize brown bag', |
| | | category: 'Professional', |
| | | complete: false, |
| | | description: 'Read James Joyce', |
| | | category: 'Domestic', |
| | | complete: true, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
| | |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: 7.50, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Sharpen knives', |
| | | category: 'Domestic', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Stage Isis release', |
| | | category: 'Professional', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Submit conference session', |
| | | category: 'Professional', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
| | | }, |
| | | { |
| | |
| | | description: 'Write blog post', |
| | | category: 'Professional', |
| | | complete: true, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
| | | }, |
| | | { |
| | | description: 'Write to penpal', |
| | | category: 'Other', |
| | | complete: false, |
| | | dueBy: randomInNextFortnight(), |
| | | cost: null, |
| | | notes: null |
New file |
| | |
| | | -----BEGIN CERTIFICATE----- |
| | | MIIEDTCCAvWgAwIBAgIUZ2ILvNHGb6kIggcIKY5ibQ5m1u4wDQYJKoZIhvcNAQEL |
| | | BQAwgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWln |
| | | aDEQMA4GA1UECgwHUmVkIEhhdDERMA8GA1UECwwIVHJhaW5pbmcxHjAcBgNVBAMM |
| | | FXRvZG8uYXBwcy5leGFtcGxlLmNvbTEiMCAGCSqGSIb3DQEJARYTdHJhaW5pbmdA |
| | | cmVkaGF0LmNvbTAeFw0xOTExMjgyMDQyMDJaFw0yMDExMjcyMDQyMDJaMIGVMQsw |
| | | CQYDVQQGEwJVUzELMAkGA1UECAwCTkMxEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNV |
| | | BAoMB1JlZCBIYXQxETAPBgNVBAsMCFRyYWluaW5nMR4wHAYDVQQDDBV0b2RvLmFw |
| | | cHMuZXhhbXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE3RyYWluaW5nQHJlZGhhdC5j |
| | | b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCurfjfmTVju+uJxanJ |
| | | cio6DYs1lAQyzKuJeJeKlzIxdY1RT48QN8iBQ6egLCwgZxqUMKhEEHYfxAi6/aKl |
| | | cQdr3n77xMVQv+Bub34XX3H2aOE1V9kKh0og0srrvKBUb8su6uiqu0Jpq0eu+Xe7 |
| | | gVe5WP1b4SeA4ZpAtPugqFRxXLufsyqpVCoGJKvi3XQGHOini/h+Oz/sirpUGJ60 |
| | | P4IhYOsC3vNPTVB4Bgmcm7AsgEfK19+AQLqYqnmCc8iq2XFmHiAvd7VrqnLFOjpN |
| | | FR+x7xrDRAkEB/WiQ+s2HHWMpAYOJb9qfbBCKr1JUH7cX0ZHaEtwMxVvqNcjxpEI |
| | | CshpAgMBAAGjUzBRMB0GA1UdDgQWBBSkr4M7N/rBhHeVyBEU0MHlE0i67zAfBgNV |
| | | HSMEGDAWgBSkr4M7N/rBhHeVyBEU0MHlE0i67zAPBgNVHRMBAf8EBTADAQH/MA0G |
| | | CSqGSIb3DQEBCwUAA4IBAQA01PSkcS8SOgQpNSfIoJ8s2pMOlhQ/0VoEFofheGVt |
| | | kekFaPRGn0Z2DEorKXRuclR2Ye4+4zvvAsNXeZZa2jAbhFXA9Zs2SzUDK7xXebUc |
| | | azzGd4JFST5KqroV5lAgeEeZdW1r39PCFPLZ36c0jh5g6fbFws7atzO+dqATU2mX |
| | | c0qywhEZDz4PfUwyP6B2oG39oNGKj457WMg39oWjopZJ9NK0SKqFybeTjO/13pDr |
| | | CWJNC//Eralcdu8zoWF6U5BFiEQTXlmeD4J+AZTmBBT5vaAW1ypEkmRAhPIkAwVs |
| | | HryISUxmPg2JCrlU+52jCM3RCXoXCZerrdC+l/xirTgd |
| | | -----END CERTIFICATE----- |
New file |
| | |
| | | -----BEGIN PRIVATE KEY----- |
| | | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCurfjfmTVju+uJ |
| | | xanJcio6DYs1lAQyzKuJeJeKlzIxdY1RT48QN8iBQ6egLCwgZxqUMKhEEHYfxAi6 |
| | | /aKlcQdr3n77xMVQv+Bub34XX3H2aOE1V9kKh0og0srrvKBUb8su6uiqu0Jpq0eu |
| | | +Xe7gVe5WP1b4SeA4ZpAtPugqFRxXLufsyqpVCoGJKvi3XQGHOini/h+Oz/sirpU |
| | | GJ60P4IhYOsC3vNPTVB4Bgmcm7AsgEfK19+AQLqYqnmCc8iq2XFmHiAvd7VrqnLF |
| | | OjpNFR+x7xrDRAkEB/WiQ+s2HHWMpAYOJb9qfbBCKr1JUH7cX0ZHaEtwMxVvqNcj |
| | | xpEICshpAgMBAAECggEBAIWXJZOTr2I0EMHP+rbGagb13rY+GivjnXjIUlU6prdu |
| | | qII77zS/BMffPu5feevaDlixEa7kTAKlQOwJF/+g/sT/Z2wTI7hK1lB/UhZ790M1 |
| | | GK9cHPBRYV7S9z/shU2uJd0e6IvSJMt9o5fs0CYFmFp29WT0P+rwHrFH+Hz434PF |
| | | 3WYswUyZLLpuC2bkOPam7AEHQgZ7UHW38GWC72zDVOCUZnxbqknWw9PKIHdMK5EK |
| | | 7CNkRc9KwTOPnT4uE+h/RiO2LUapxPz9NSfCuGNVmRRPezNajIY8TELNXL4DxC8x |
| | | G7IXW3DXCqkHexg0e2YKWWPq9V/iiAJRVUcdTP8sQRECgYEA2NWNgBt1P5seRLy/ |
| | | 77Vz/w57r6Ds7rk/uDPC96SZVSTIHcwKx+UOSNIyzmbBAfW0QGaWnAz/XyUSe6Vj |
| | | 5KKDHKSKUd7p4w3dzJFfgWl1/M+HyC2eTrDYYaqSAsqKcWLavF2sHU2ISYrGsVrI |
| | | czrGqK2LN4xwCFX1Q9hIs3G5mf0CgYEAzjsu+up9gudPdAfavYVyppNh8LABKVcV |
| | | 1lIlz0UfS4aWq+C6gWjnEqrOKHkvWwzlgozvaEyIChHlTpc/zMo0/DMx+BngYNhh |
| | | uvMv7AgbBmo1MEHH/ZFwTKoWF2nlx9ER+FqyeTR8rfuff7fsNp/qwnTWJnY9QdEu |
| | | c7EPKXqrDd0CgYAjGcbTMx6y0jh/JhLoCfaiFkUddC6GooRXHEH2drW/m7mtYSdp |
| | | noHGdgh1cxrRZ2Xreu/siQoZ69VnIKngDBKvY09k23H/KHJ8OBg+ycSozSuM0x2q |
| | | XWRZwxPp0cHBgyAnl/5RrAhg508szKZgSOZ5zcYYkupb3xZaCjwSmFlUPQKBgBEm |
| | | Zs/C9FEQf1D83jnogRJNK1XirRYNAenixvYnn2SeeqUseRYN7TlmLuK6wS9nMSbc |
| | | JYSc6Ks9tb4FYe7b2fAnKb6iGEC1fdsYIiIUwnqUFnw+3CzADYCynEeyLMOjJUVr |
| | | 9W+S59NoG2l5mBEq11D4el6Ucp+oj55bWRFv/A2ZAoGBAMehwcekk/7PhroCvuSf |
| | | nwsZAfKEC5jrcDkrhZ/Um5q2ca/E0HMKqLB1xscPrNHyNzuxORMPzKQpcQHOQIPW |
| | | isRyRaSbbJO23pDlgImY4LZYVjNwYM6bbJZGwr7K1IjPsosiE6j7jMNRVZVlmHA4 |
| | | E0Gy+qsU9BPz6msZ2LFYRkWX |
| | | -----END PRIVATE KEY----- |
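Review bot: This hunk commits a TLS private key (`-----BEGIN PRIVATE KEY-----` … `-----END PRIVATE KEY-----`) to the repository, next to the certificate added in the previous file; once published in git history a key has to be treated as compromised, even though the README describes this pair as a self-signed lab certificate. The key should be removed from version control (from history, not only from the working tree), the pair regenerated per deployment with the `openssl req -x509 ... -keyout tls.key -out tls.crt` command the README already gives, and `tls.key` excluded via a `.gitignore` entry so it is not re-added; the image already expects the pair mounted at runtime under `/usr/local/etc/ssl/certs`, so nothing in the build needs it. If a checked-in example is wanted, keep only the public `tls.crt`, or a clearly named sample pair, and state in the README that the sample pair must not be used for any reachable host. The certificate appears to be self-signed for an example.com hostname with roughly a one-year validity, so the README should also tell learners to expect to regenerate it rather than rely on the shipped copy.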