Merge pull request 'PKI' (#2) from PKI into main

Reviewed-on: #2
2025-03-10 12:02:34 +01:00 · 2025-03-10 12:02:34 +01:00 · 4589aec248
parent a8739324ac 764c5c8b83
commit 4589aec248
8 changed files with 264 additions and 0 deletions
--- a/dockerized/first-level-nginx/README.md
+++ b/dockerized/first-level-nginx/README.md
@ -0,0 +1,9 @@
+## First Level NGINX
+
+This config allows for a default first level proxy to be put between FW and the other clusters
+
+### Single Node
+A multiple NGINX instances proxied by a single one
+
+### Swarmed
+4 Replicas
--- a/dockerized/first-level-nginx/configs/node.conf
+++ b/dockerized/first-level-nginx/configs/node.conf
@ -0,0 +1,94 @@
+# Main context (this is the global configuration)
+worker_processes 4;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include mime.types;
+
+    # Upstream block to define the Node.js backend servers
+    # Servers name come from compose definition
+
+    upstream swarm1_cluster {
+        server swarm1w1.sselab.ddns.net;
+        server swarm1w2.sselab.ddns.net;
+        server swarm1w3.sselab.ddns.net;
+        server swarm1w4.sselab.ddns.net;
+    }
+
+
+    #TODO manage certs
+    # server {
+    #     listen 443 ssl;  # Listen on port 443 for HTTPS
+    #     server_name localhost;
+
+    #     # SSL certificate settings
+    #     ssl_certificate /Users/nana/nginx-certs/nginx-selfsigned.crt;
+    #     ssl_certificate_key /Users/nana/nginx-certs/nginx-selfsigned.key;
+
+    #     # Proxying requests to Node.js cluster
+    #     location / {
+    #         proxy_pass http://nodejs_cluster;
+    #         proxy_set_header Host $host;
+    #         proxy_set_header X-Real-IP $remote_addr;
+    #     }
+    # }
+
+
+    # Optional server block for HTTP to HTTPS redirection
+    server {
+        listen 80;  # Listen on port 80 for HTTP
+        server_name *.sw1.sselab.ddns.net;
+
+        
+        location / {
+            # Redirect all HTTP traffic to HTTPS
+            # TODO requires https
+            # return 301 https://$host$request_uri;
+
+            proxy_pass http://swarm1_cluster;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+
+    server {
+        listen 80;
+        server_name *.sw1.hassallab.it;
+
+        location / {
+            # Redirect all HTTP traffic to HTTPS
+            # TODO requires https
+            # return 301 https://$host$request_uri;
+
+            proxy_pass http://swarm1_cluster;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+
+
+    #Default Catch-all serving
+    server {
+        listen 80 default_server;
+        server_name _;
+        root /var/www/default;
+
+        location /{
+            try_files  $uri /$uri /index.html;
+        }
+    }
+}
--- a/dockerized/first-level-nginx/content/index.html
+++ b/dockerized/first-level-nginx/content/index.html
@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Hassallab Landing Page</title>
+</head>
+
+<body>
+    <header>
+    </header>
+   
+    <div class="container">
+        <h2>Hassallab default landing page</h2>
+        <p>
+            Questa è la pagina di default.
+            Prova a visitare <br>
+            <a href="www.app.sw1.hassalab.it"> hassallab default</a>
+            <a href="www.app.sw1.sselab.ddns.it"> sselab default</a>
+        </p>
+    </div>
+    <footer>
+        <p>&copy; TechWorld with Nana. All Rights Reserved.</p>
+        <p>Follow us on:
+            <a href="#" style="color: #3b5998;">Linkedin</a> |
+            <a href="#" style="color: #00aced;">Twitter</a> |
+            <a href="#" style="color: #e4405f;">Instagram</a>
+        </p>
+    </footer>
+</body>
+
+</html>
--- a/dockerized/first-level-nginx/single_node/compose.yaml
+++ b/dockerized/first-level-nginx/single_node/compose.yaml
@ -0,0 +1,12 @@
+version: '3.7'
+
+services:
+  # --- NGINX ---
+  nginx:
+      image: nginx:latest
+      ports:
+        - '80:80'
+        - '443:443'
+        volumes: 
+        - ../configs/node.conf:/etc/nginx/nginx.conf:ro
+        - ../content/index.html:/var/www/default/index.html
--- a/dockerized/first-level-nginx/swarmed/compose.yaml
+++ b/dockerized/first-level-nginx/swarmed/compose.yaml
@ -0,0 +1,37 @@
+version: '3.7'
+
+services:
+  # --- NGINX ---
+  nginx:
+      image: nginx:latest
+      ports:
+        - '80:80'
+        - '443:443'
+      deploy:
+        replicas: 4
+        update_config:
+          parallelism: 2
+          order: start-first
+          failure_action: rollback
+          delay: 10s
+        rollback_config:
+          parallelism: 0
+          order: stop-first
+        restart_policy:
+          condition: any
+          delay: 5s
+          max_attempts: 3
+          window: 120s
+      healthcheck:
+        test: ["CMD", "service", "nginx", "status"]
+      configs:
+        - source: nginx_conf
+          target: /etc/nginx/nginx.conf
+        - source: nginx_static
+          target: /var/www/default/index.html
+
+configs:
+  nginx_conf:
+    file: ../configs/node.conf
+  nginx_static:
+    file: ../content/index.html
--- a/templates/PKI/README.md
+++ b/templates/PKI/README.md
@ -0,0 +1,17 @@
+# PKI
+
+### Templates
+Some utils files in order to have a ready solution in order to generate bundles. 
+
+**NB** via console is trivial : 
+
+Public CRT
+'cat SSE\ Lab\ Root\ CA_crt.pem >> certificate-bundle.pem
+cat SSE\ Lab\ Intermediate\ CA_crt.pem >> certificate-bundle.pem
+cat RUP\ Services_crt.pem >> certificate-bundle.pem'
+
+Private Key
+'cat RUP\ Services_prv.pem >> certificate-bundle.key'
+
+
+	
--- a/templates/PKI/certificate-bundle(structure).pem
+++ b/templates/PKI/certificate-bundle(structure).pem
@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+Root CA public key data
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+Intermediate CA public key data
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+Leaf Certificate public key data
+-----END CERTIFICATE-----
--- a/templates/PKI/certificate-bundle(template).pem
+++ b/templates/PKI/certificate-bundle(template).pem
@ -0,0 +1,53 @@
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAyOgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCSVQx
+DTALBgNVBAgMBFBpc2ExDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkxDzAN
+BgNVBAsMBlNTRUxhYjEqMCgGCSqGSIb3DQEJARYbZmFiaW8uc2luaWJhbGRpQGlz
+dGkuY25yLml0MRcwFQYDVQQDDA5zc2VsYWItcm9vdC1jYTAeFw0yNTAzMDUxMDA4
+MjRaFw0zNTAzMDMxMDA4MjRaMIGQMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUGlz
+YTENMAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTEPMA0GA1UECwwGU1NFTGFi
+MSowKAYJKoZIhvcNAQkBFhtmYWJpby5zaW5pYmFsZGlAaXN0aS5jbnIuaXQxFzAV
+BgNVBAMMDnNzZWxhYi1yb290LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAnXup44PPzPSTDRkLBMGuUtXUk344tNZDn6h+rxXGlSw0T6qGrGPCAhqI
+6IuOkCE/wp/Sv1KEFp2OamPiEwA0mTIoOi2ACaNg7fhOHUNpgw2dpeaiVd6WCmY6
+MkLMcAH4jFlnOI/RnjkV01Yz3KGj7tpztd3wqD84INasRH+6zlZqiKG0HIxjlAUx
+eHOop2rOTzUSsiOZyaW3dlQNtup7ndkFGZYd6aN50Kd1tbOZGHBldFwonNQN/59I
+xUAsgX2BGQ97K1BoFN3bor3MwK9oKbjHY72/kPIN1IrblcreejyElq3Gt+B4UJ+R
+XZO7A/lCzqykNLJax3wQkU3ZfKk6ywIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQq
+FihPUE5zZW5zZSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1Ud
+DgQWBBTYTk488gvOsh5qJ/VbKYxZRbQ/NzAfBgNVHSMEGDAWgBTYTk488gvOsh5q
+J/VbKYxZRbQ/NzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkq
+hkiG9w0BAQsFAAOCAQEAH8sMS8XHZh4Jg6vBvwU1mufi9KeTW1MQP8p8FXV4hBZy
+jSPpeEyqJo4fms70AY9zqomjxIikKgBRnIi/pyJ5U3oKOrktHiXlzugeVIptR37P
+mUBPu/7yO1ttNdwKbX8OjSxR/BnJtP/rVwcKn2KnF0CQWHEsEpgTd+ayIEl7OEvJ
+icuN2//H71ytu/Le7tl+Ib6ZuoVA+n6JQenSOOWd31UUNNe8mANj0bzkHTaoIDzS
+oqhN9vfQ61E3p8E1X3IA3q8rggrJudR+fngwH7TeKtd2STP2nXtHYlhDBfVlUG6x
+riZKtbFI0oiwF0BFyV4dah2i6N98phZ5V23Iz7t0PA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCSVQx
+DTALBgNVBAgMBFBpc2ExDTALBgNVBAcMBFBpc2ExDTALBgNVBAoMBElTVEkxDzAN
+BgNVBAsMBlNTRUxhYjEqMCgGCSqGSIb3DQEJARYbZmFiaW8uc2luaWJhbGRpQGlz
+dGkuY25yLml0MRcwFQYDVQQDDA5zc2VsYWItcm9vdC1jYTAeFw0yNTAzMDUxMDEw
+MjZaFw0yODAzMDQxMDEwMjZaMIGHMQswCQYDVQQGEwJJVDENMAsGA1UECAwEUGlz
+YTENMAsGA1UEBwwEUGlzYTENMAsGA1UECgwESVNUSTEqMCgGCSqGSIb3DQEJARYb
+ZmFiaW8uc2luaWJhbGRpQGlzdGkuY25yLml0MR8wHQYDVQQDDBZzc2VsYWItaW50
+ZXJtZWRpYXRlLWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo+3H
+Vz7jnaGGew6LjeFhE5Dr+iIID+SdclrkB/ljz5ey3q4Rnsso4xnKVdyITSUinDee
+RiPk+R2h7mhGlL9Z25JpykV+exwzM5hPrU0GVaus9QljL9TCAsN82M6ww6R0+m1s
+vQp6/Y5oax/Mi/6K3dHqcjKEZ8GbHUns8xZtZ8sPCboyV1IFeAjfBIJYfr94CRqy
+A/H2JcY348fM3XMDzDhZXEydeMeaM8bQhtQml0IwRs3L1ZHFppNXjvQLW2IbF8EW
+VQNlTY7UwWpjsGDC3+3vrV0yOyE1hpi4YU3zcq9ds+HeVw4fUNEWCoDaEEah9wnX
+4O2yVxm+R31WEia3sQIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQqFihPUE5zZW5z
+ZSBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRE3BNE
+555kVhkB6C1XKtrYY+QlZzAfBgNVHSMEGDAWgBTYTk488gvOsh5qJ/VbKYxZRbQ/
+NzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+AAOCAQEAVbuglqJ2/vDBkFunvQa0SdR/OaL9cRtbfGqhYpc3sZVO2tDh7aKSrr9o
+7EeLFL+GKt9f8IqKMMTC33Ac/m+Ne6wvyv6sqpbTo84gdVlVV/YjWt9spEUivHa4
+TLxEhi7KeO2DmhMGYWI/ogTaNKWboUmZZ4PoBS0Z3Rz6I97UcPB89AcKLGAW0dtC
+fAQSHYVQ0Egm4Qf8ICJBcdwdnjffSUk3kkVcKg4qr+5kjVACjRJfqOm7PDrh2jmA
+gnMxtST45WTgWlWa4cS+/Bb9KreQCdfcN1xevOzOJSVecVYT40N8n8nwhCIkMPAM
+1QzsP1M6grD89nHeECK4LEpLTdBhvw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+Leaf Certificate public key data
+-----END CERTIFICATE-----