Nginx frontend in stream mode, client cert based auth to connect sstp server

nginx-stream
Terekhin Alexandr 8 months ago
parent 761e7f4e06
commit 7a2079e3ef
Signed by: didinst
GPG Key ID: E2ACF65D0DF94F98
  1. 2
      accel-ppp.conf
  2. 45
      compose.yaml
  3. 10
      nginx-stream/Dockerfile
  4. 12
      nginx-stream/nginx.conf
  5. 37
      nginx-stream/stream.conf.template
  6. 7
      proxy/00-default.conf
  7. 3
      proxy/Dockerfile

@ -41,7 +41,7 @@ lcp-echo-timeout=5
[sstp]
port=443
verbose=5
#accept=proxy,ssl
accept=proxy,ssl
accept=ssl
ssl-pemfile=/etc/cert.pem
ssl-keyfile=/etc/privkey.pem
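Review bot: The surviving `accept=` value in the [sstp] section must include `proxy`, because the new frontend in nginx-stream/stream.conf.template sets `proxy_protocol on` and so prepends a PROXY header to every connection it forwards to accel-ppp; the rendered hunk does not mark which of `accept=proxy,ssl` and `accept=ssl` is the new line, so confirm the new side reads `accept=proxy,ssl`. If it does, the commented-out `#accept=proxy,ssl` directly above is stale and should be dropped rather than left as a second copy of the live setting. The [sstp] section may continue past the end of this hunk.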

@ -11,10 +11,47 @@ services:
- ./ca.pem:/etc/ca.pem:ro
expose:
- "443/tcp"
ports:
- "443:443/tcp"
devices:
- "/dev/ppp:/dev/ppp:rwm"
environment:
VIRTUAL_HOST: "api.bearns.me"
VIRTUAL_PROTO: "https"
VIRTUAL_PORT: 443
cap_add:
- NET_ADMIN
- NET_ADMIN
networks:
- proxy-tier
stream:
build: ./nginx-stream
volumes:
- ./ca.pem:/etc/nginx/certs/ca.pem:ro
- ./cert.pem:/etc/nginx/certs/cert.pem:ro
- ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
expose:
- "443/tcp"
ports:
- "443:443/tcp"
environment:
- ENABLE_IPV6=true
- TRUST_DOWNSTREAM_PROXY=true
networks:
- proxy-tier
proxy:
build: ./proxy
volumes:
- ./cert.pem:/etc/nginx/certs/cert.pem:ro
- ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
expose:
- "443/tcp"
networks:
- proxy-tier
networks:
proxy-tier:
volumes:
certs:
vhost.d:
html:
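Review bot: The `stream` service's `environment` sets `ENABLE_IPV6` and `TRUST_DOWNSTREAM_PROXY`, but the image built from ./nginx-stream never reads them; its Dockerfile only defines `HTTPS_UPSTREAM`, `SSTP_UPSTREAM` and `CA_CERT`, which are what stream.conf.template substitutes, so these two entries are dead configuration that suggests a proxy-protocol trust setting the frontend does not actually have. Both `sstp` and `stream` are shown with `ports: - "443:443/tcp"`; the hunk does not mark removed lines, so if the `sstp` binding is not among the deletions the two services will contend for host port 443 and only `expose` should remain on `sstp` now that the frontend fronts it. The `VIRTUAL_HOST`/`VIRTUAL_PROTO`/`VIRTUAL_PORT` entries on `sstp` look like hints for an nginx-proxy image, which the new plain-nginx `proxy` service does not consume, so they are presumably leftovers as well. The services block starts before this hunk.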

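--- /dev/null
+++ b/nginx-stream/Dockerfile
@@ -0,0 +1,10 @@
+FROM nginx:alpine
+ENV HTTPS_UPSTREAM="proxy"
+ENV SSTP_UPSTREAM="sstp"
+ENV CA_CERT="ca.pem"
+COPY nginx.conf /etc/nginx/
+COPY stream.conf.template /etc/nginx/templates/
+RUN rm -f /etc/nginx/conf.d/default.conf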
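Review bot: `FROM nginx:alpine` on the first line floats with every upstream release, so the build is not reproducible and an unnoticed base change can alter the template-rendering entrypoint this image depends on; pin a specific tag and digest, e.g. `FROM nginx:<version>-alpine@sha256:<digest>` (placeholders). The same applies to proxy/Dockerfile. The three `ENV` values exist only so the image entrypoint can substitute them into /etc/nginx/templates/stream.conf.template at container start, which is not obvious from the file; a comment above them such as `# Substituted into stream.conf.template when the container starts; override per deployment` would make the contract clear. Removing default.conf is required here because nginx.conf has no http block and that file declares an http-context server, which is worth a one-line comment on the `RUN`.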

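--- /dev/null
+++ b/nginx-stream/nginx.conf
@@ -0,0 +1,12 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+events {
+worker_connections 1024;
+}
+include /etc/nginx/conf.d/*.conf;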
include /etc/nginx/conf.d/*.conf;

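--- /dev/null
+++ b/nginx-stream/stream.conf.template
@@ -0,0 +1,37 @@
+error_log /dev/stderr;
+stream {
+map $ssl_client_verify $name {
+SUCCESS sstp;
+default https;
+}
+upstream https {
+server ${HTTPS_UPSTREAM}:443;
+}
+upstream sstp {
+server ${SSTP_UPSTREAM}:443;
+}
+server {
+listen 443 ssl;
+listen [::]:443 ssl;
+ssl_certificate /etc/nginx/certs/cert.pem;
+ssl_certificate_key /etc/nginx/certs/privkey.pem;
+ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
+ssl_verify_client optional;
+proxy_half_close on;
+# Doesn't work without it
+proxy_ssl on;
+proxy_ssl_session_reuse off;
+proxy_pass $name;
+ssl_preread on;
+proxy_protocol on;
+}
+}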
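Review bot: `proxy_protocol on` at the end of the server block prepends a PROXY header to every upstream connection, but the `https` upstream defined in proxy/00-default.conf listens with plain `listen 443 ssl;`, so every connection that is not client-cert authenticated will fail the upstream TLS handshake; either change that listen to `listen 443 ssl proxy_protocol;` or drop the directive, and the sstp side needs `accept=proxy,ssl` in accel-ppp.conf for the same reason. `proxy_ssl on` re-encrypts towards both upstreams but nothing verifies their certificates (`proxy_ssl_verify` is off by default), so the frontend will hand client sessions to whatever answers on those service names; add `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate /etc/nginx/certs/<issuer-of-cert.pem>;` (placeholder). The client-certificate check consults no revocation list, so any certificate ever issued by the CA, revoked or not, maps to `SUCCESS` and is routed to sstp; add `ssl_crl /etc/nginx/certs/<crl-file>;` (placeholder) if the CA publishes one. `ssl_preread on` has nothing to inspect once TLS is terminated by `listen 443 ssl` and can likely be dropped, and the comment on `proxy_ssl on` should say why it is needed, e.g. `# both upstreams terminate TLS themselves (sstp accept=ssl, proxy listen ssl), so re-encrypt`.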

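--- /dev/null
+++ b/proxy/00-default.conf
@@ -0,0 +1,7 @@
+server {
+listen 443 ssl;
+server_name _;
+ssl_certificate /etc/nginx/certs/cert.pem;
+ssl_certificate_key /etc/nginx/certs/privkey.pem;
+return 404;
+}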

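--- /dev/null
+++ b/proxy/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:alpine
+COPY 00-default.conf /etc/nginx/conf.d/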