feat: use nginx with https upstream (#99)

intershop · Feb 20, 2020 · d0fdd75 · d0fdd75
1 parent 8954c3d
commit d0fdd75
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 6 deletions.
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,9 +1,9 @@
 FROM ubuntu:latest as buildstep
 RUN echo "intalling nginx with mod-pagespeed" && \
   apt-get update && \
-  apt-get install -y curl build-essential zlib1g-dev libpcre3-dev unzip wget uuid-dev sudo && \
+  apt-get install -y curl build-essential zlib1g-dev libpcre3-dev unzip wget uuid-dev sudo openssl libssl-dev && \
   curl -kfL -sS https://ngxpagespeed.com/install > install.sh && \
-  bash install.sh --nginx-version latest
+  bash install.sh --nginx-version latest --additional-nginx-configure-arguments '--with-http_ssl_module'
 
 FROM scratch as configstep
 COPY --from=nginx:mainline /etc/nginx /etc/nginx
@@ -14,14 +14,14 @@ COPY 50x.html /usr/share/nginx/html/
 
 FROM ubuntu:latest
 RUN apt-get update && \
-  apt-get install -y gettext-base && \
+  apt-get install -y gettext-base libssl1.1 && \
   apt-get -y autoremove && \
   apt-get clean && \
   rm -r /var/cache/apt /var/lib/apt/lists
 COPY --from=buildstep /usr/local/nginx /usr/local/nginx
 COPY --from=configstep / /
 ENV NPSC_ENABLE_FILTERS=in_place_optimize_for_browser,prioritize_critical_css,inline_preview_images,lazyload_images,rewrite_images,rewrite_css,remove_comments,local_storage_cache,move_css_to_head,move_css_above_scripts,collapse_whitespace,combine_javascript,extend_cache NPSC_JsPreserveURLs=off NPSC_ImagePreserveURLs=on NPSC_ForceCaching=off
 
-EXPOSE 80
+EXPOSE 80 443
 
 ENTRYPOINT [ "sh", "entrypoint.sh" ]
diff --git a/nginx/README.md b/nginx/README.md
@@ -21,6 +21,10 @@ Basic environment variables:
 
 If you want to use fully qualified names here, do not forget to also add host mappings to your orchestrator name resolution. For `docker run` this can be done with `--add-host`.
 
+If you are using http, the server will run on default port 80.
+If you use https as an upstream, it will run on default port 443.
+In the latter case you will also have to supply the files `server.key` and `server.crt` in the folder `/etx/nginx` (either by volume mapping with `docker run` or in the image itself by `docker build`).
+
 Setup at least one PWA channel configuration:
 
 - use mandatory `PWA_X_SUBDOMAIN` for the channel sub domain

diff --git a/nginx/channel.conf.tmpl b/nginx/channel.conf.tmpl
@@ -1,12 +1,12 @@
 server {
-    listen 80;
     server_name ~^$SUBDOMAIN\..+$;
+    include /etc/nginx/conf.d/listen.conf;
 
     location / {
         proxy_cache my_cache;
         proxy_cache_use_stale error timeout http_404 http_500 http_502 http_503 http_504;
 
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;

diff --git a/nginx/entrypoint.sh b/nginx/entrypoint.sh
@@ -5,6 +5,23 @@ set -e
 
 [ -z "$UPSTREAM_PWA" ] && echo "UPSTREAM_PWA is not set" && exit 1
 
+if echo "$UPSTREAM_PWA" | grep -Eq '^https'
+then
+  cat >/etc/nginx/conf.d/listen.conf <<EOF
+listen 443 ssl;
+ssl_certificate     server.crt;
+ssl_certificate_key server.key;
+ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers         HIGH:!aNULL:!MD5;
+
+# https://ma.ttias.be/force-redirect-http-https-custom-port-nginx/
+error_page  497 https://\$http_host\$request_uri;
+
+EOF
+else
+  echo "listen 80;" >/etc/nginx/conf.d/listen.conf
+fi
+
 [ -f "/etc/nginx/conf.d/default.conf" ] && rm /etc/nginx/conf.d/default.conf
 
 if [ -n "$UPSTREAM_ICM" ]