Refactor stream proxy

8 months ago · 7cd8e20405
parent a4a7bf0187
commit 7cd8e20405
4 changed files with 60 additions and 52 deletions
--- a/compose.yaml
+++ b/compose.yaml
@ -25,16 +25,15 @@ services:
  stream:
    build: ./nginx-stream
    volumes:
-      - ./ca.pem:/etc/nginx/certs/ca.pem:ro
-      - ./cert.pem:/etc/nginx/certs/cert.pem:ro
-      - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
+      - ./ca.pem:/etc/nginx/certs/chain.pem:ro
+      - ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
+      - ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
    expose:
      - "443/tcp"
    ports:
      - "443:443/tcp"
    environment:
-      - ENABLE_IPV6=true
-      - TRUST_DOWNSTREAM_PROXY=true
+      SNI_NAME: "api.bearns.me"
    networks:
      - proxy-tier

--- a/nginx-stream/Dockerfile
+++ b/nginx-stream/Dockerfile
@ -2,10 +2,16 @@ FROM nginx:alpine

 ENV HTTPS_UPSTREAM="proxy"
 ENV SSTP_UPSTREAM="sstp"
-ENV SNI_NAME="api.bearns.me"
-ENV CA_CERT="ca.pem"
+ENV SNI_NAME="cloud.bearns.me"
+# self signed for client certification
+# put in /etc/nginx/certs/
+ENV CA_CERT="chain.pem"
+# put in /etc/nginx/certs/$SNI_NAME
+ENV CERT="fullchain.pem"
+ENV KEY="key.pem"
+
+RUN rm -f /etc/nginx/conf.d/default.conf

 COPY nginx.conf /etc/nginx/
-COPY stream.conf.template /etc/nginx/templates/
+COPY *.conf.template /etc/nginx/templates/

-RUN rm -f /etc/nginx/conf.d/default.conf
--- a/nginx-stream/http.conf.template
+++ b/nginx-stream/http.conf.template
@ -0,0 +1,37 @@
+http {
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server {
+        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
+        server_name _;
+
+        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
+
+        access_log  /dev/stdout  main;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
+}
--- a/nginx-stream/stream.conf.template
+++ b/nginx-stream/stream.conf.template
@ -1,6 +1,10 @@
 error_log /dev/stderr;

 stream {
+    log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
+                      '$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
+                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
    map $ssl_preread_server_name $sni_name {
            ${SNI_NAME} cert-check;
            default https;
@ -18,8 +22,11 @@ stream {
        listen 443;
        listen [::]:443;

+        access_log /dev/stdout stream;
+
        proxy_pass $sni_name;
        ssl_preread on;
+        # todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
        #proxy_protocol on;
    }

@ -39,8 +46,8 @@ stream {
    server {
        listen unix:/tmp/virtual-stream.socket ssl;

-        ssl_certificate /etc/nginx/certs/cert.pem;
-        ssl_certificate_key /etc/nginx/certs/privkey.pem;
+        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};

        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
        ssl_verify_client optional;
@ -52,44 +59,3 @@ stream {
        proxy_protocol on;
    }
 }
-
-http {
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    server {
-        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
-        server_name _;
-
-        ssl_certificate /etc/nginx/certs/cert.pem;
-        ssl_certificate_key /etc/nginx/certs/privkey.pem;
-
-        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
-
-        #access_log  /var/log/nginx/host.access.log  main;
-        access_log  /dev/stdout  main;
-
-        location / {
-            root   /usr/share/nginx/html;
-            index  index.html index.htm;
-        }
-
-        #error_page  404              /404.html;
-
-        # redirect server error pages to the static page /50x.html
-        #
-        error_page   500 502 503 504  /50x.html;
-        location = /50x.html {
-            root   /usr/share/nginx/html;
-        }
-
-        # deny access to .htaccess files, if Apache's document root
-        # concurs with nginx's one
-        #
-        #location ~ /\.ht {
-        #    deny  all;
-        #}
-    }
-}