didinst
/
accel-sstp-docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: didinst:nginx-stream
Branches Tags
didinst:feat/nginx-proxy
didinst:ldap-frontend
didinst:ldap-radius
didinst:master
didinst:nginx-stream
..
compare: didinst:master
Branches Tags
didinst:feat/nginx-proxy
didinst:ldap-frontend
didinst:ldap-radius
didinst:master
didinst:nginx-stream

No commits in common. 'nginx-stream' and 'master' have entirely different histories.
nginx-stre ... master

8 changed files with 12 additions and 198 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats
  1. 24
      accel-ppp.conf
  2. 47
      compose.yaml
  3. 17
      nginx-stream/Dockerfile
  4. 37
      nginx-stream/http.conf.template
  5. 12
      nginx-stream/nginx.conf
  6. 61
      nginx-stream/stream.conf.template
  7. 7
      proxy/00-default.conf
  8. 3
      proxy/Dockerfile

24
accel-ppp.conf
Unescape View File

@ -22,16 +22,13 @@ single-session=replace
chap-secrets=/etc/ppp/chap-secrets
[ppp]
verbose=0
verbose=5
mtu=1550
mru=1550
accomp=allow
pcomp=allow
ipv4=prefer
ipv6=prefer
ipv6-intf-id=random
ipv6-peer-intf-id=calling-sid
ipv6-accept-peer-intf-id=1
ipv6=allow
lcp-echo-interval=30
lcp-echo-failure=3
lcp-echo-timeout=5
@ -43,8 +40,9 @@ lcp-echo-timeout=5
[sstp]
port=443
verbose=0
accept=ssl,proxy
verbose=5
#accept=proxy,ssl
accept=ssl
ssl-pemfile=/etc/cert.pem
ssl-keyfile=/etc/privkey.pem
ssl-ca-file=/etc/ca.pem
@ -68,22 +66,16 @@ tunnel=192.168.95.2-254,v4pool
dns=2001:4860:4860::8888
[ipv6-pool]
#gw-ip6-address=fc00:b10c:3::ffff
gw-ip6-address=fc00:b10c:0::
fc00:b10c:0001::/48,64,name=v6pool
fc00:b10c:0002::/48,64,name=v6pool-delegate
delegate=fc00:b10c:0002::/48,64
[ipv6-nd]
verbose=1
AdvManagedFlag=1
[ipv6-dhcp]
verbose=1
route-via-gw=1
[log]
level=4
#level=4
level=5
log-file=/dev/stdout
log-debug=/dev/stdout
log-emerg=/dev/stderr

47
compose.yaml
Unescape View File

@ -11,51 +11,10 @@ services:
- ./ca.pem:/etc/ca.pem:ro
expose:
- "443/tcp"
ports:
- "443:443/tcp"
devices:
- "/dev/ppp:/dev/ppp:rwm"
environment:
VIRTUAL_HOST: "api.bearns.me"
VIRTUAL_PROTO: "https"
VIRTUAL_PORT: 443
cap_add:
- NET_ADMIN
networks:
proxy-tier:
ipv6_address: "fc00:b10c:3::ffff"
stream:
build: ./nginx-stream
volumes:
- ./ca.pem:/etc/nginx/certs/chain.pem:ro
- ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
- ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
expose:
- "443/tcp"
ports:
- "443:443/tcp"
environment:
SNI_NAME: "api.bearns.me"
networks:
- proxy-tier
proxy:
build: ./proxy
volumes:
- ./cert.pem:/etc/nginx/certs/cert.pem:ro
- ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
expose:
- "443/tcp"
networks:
- proxy-tier
networks:
proxy-tier:
enable_ipv6: true
ipam:
config:
- subnet: fc00:b10c:3::/64
volumes:
certs:
vhost.d:
html:

17
nginx-stream/Dockerfile
Unescape View File

@ -1,17 +0,0 @@
FROM nginx:alpine
ENV HTTPS_UPSTREAM="proxy"
ENV SSTP_UPSTREAM="sstp"
ENV SNI_NAME="cloud.bearns.me"
# self signed for client certification
# put in /etc/nginx/certs/
ENV CA_CERT="chain.pem"
# put in /etc/nginx/certs/$SNI_NAME
ENV CERT="fullchain.pem"
ENV KEY="key.pem"
RUN rm -f /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/
COPY *.conf.template /etc/nginx/templates/

37
nginx-stream/http.conf.template
Unescape View File

@ -1,37 +0,0 @@
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
server {
listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
server_name _;
ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
access_log /dev/stdout main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
}

12
nginx-stream/nginx.conf
Unescape View File

@ -1,12 +0,0 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
include /etc/nginx/conf.d/*.conf;

61
nginx-stream/stream.conf.template
Unescape View File

@ -1,61 +0,0 @@
error_log /dev/stderr;
stream {
log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
map $ssl_preread_server_name $sni_name {
${SNI_NAME} cert-check;
default https;
}
upstream https {
server ${HTTPS_UPSTREAM}:443;
}
upstream cert-check {
server unix:/tmp/virtual-stream.socket;
}
server {
listen 443;
listen [::]:443;
access_log /dev/stdout stream;
proxy_pass $sni_name;
ssl_preread on;
# todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
#proxy_protocol on;
}
map $ssl_client_verify $name {
SUCCESS sstp;
default fallback;
}
upstream sstp {
server ${SSTP_UPSTREAM}:443;
}
upstream fallback {
server unix:/tmp/fallback-stream.socket;
}
server {
listen unix:/tmp/virtual-stream.socket ssl;
ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
ssl_verify_client optional;
# Doesn't work without it
proxy_ssl on;
proxy_pass $name;
proxy_protocol on;
}
}

7
proxy/00-default.conf
Unescape View File

@ -1,7 +0,0 @@
server {
listen 443 ssl;
server_name _;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/privkey.pem;
return 404;
}

3
proxy/Dockerfile
Unescape View File

@ -1,3 +0,0 @@
FROM nginx:alpine
COPY 00-default.conf /etc/nginx/conf.d/
Write Preview
Loading…
Cancel
Save