Merge pull request 'PKI' (#2) from PKI into main

Reviewed-on: #2
Fabio Sinibaldi 2025-03-10 12:02:34 +01:00
commit 4589aec248
8 changed files with 264 additions and 0 deletions


@ -0,0 +1,9 @@
## First Level NGINX
This config allows for a default first level proxy to be put between FW and the other clusters
### Single Node
A multiple NGINX instances proxied by a single one
### Swarmed
4 Replicas


@ -0,0 +1,94 @@
# Main context (this is the global configuration)
worker_processes 4;
events {
worker_connections 1024;
}
http {
include mime.types;
# Upstream block to define the Node.js backend servers
# Servers name come from compose definition
upstream swarm1_cluster {
server swarm1w1.sselab.ddns.net;
server swarm1w2.sselab.ddns.net;
server swarm1w3.sselab.ddns.net;
server swarm1w4.sselab.ddns.net;
}
#TODO manage certs
# server {
# listen 443 ssl; # Listen on port 443 for HTTPS
# server_name localhost;
# # SSL certificate settings
# ssl_certificate /Users/nana/nginx-certs/nginx-selfsigned.crt;
# ssl_certificate_key /Users/nana/nginx-certs/nginx-selfsigned.key;
# # Proxying requests to Node.js cluster
# location / {
# proxy_pass http://nodejs_cluster;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# }
# }
# Optional server block for HTTP to HTTPS redirection
server {
listen 80; # Listen on port 80 for HTTP
server_name *.sw1.sselab.ddns.net;
location / {
# Redirect all HTTP traffic to HTTPS
# TODO requires https
# return 301 https://$host$request_uri;
proxy_pass http://swarm1_cluster;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name *.sw1.hassallab.it;
location / {
# Redirect all HTTP traffic to HTTPS
# TODO requires https
# return 301 https://$host$request_uri;
proxy_pass http://swarm1_cluster;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
#Default Catch-all serving
server {
listen 80 default_server;
server_name _;
root /var/www/default;
location /{
try_files $uri /$uri /index.html;
}
}
}
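Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in both proxying `location /` blocks appends to whatever `X-Forwarded-For` the client sent, so on a first-level proxy a caller can supply addresses of its choosing that backends in `swarm1_cluster` may treat as the real client IP for logging, rate limiting or allow-lists. If nothing in front of this instance is a trusted proxy that sets the header (the firewall is presumably plain NAT, to be confirmed), overwrite it instead: `proxy_set_header X-Forwarded-For $remote_addr;`. The two server blocks are otherwise identical and could be one block with `server_name *.sw1.sselab.ddns.net *.sw1.hassallab.it;`, which keeps the header policy in a single place. Until the TLS TODO is resolved, all of this traffic, including the hop to the upstream, is plaintext HTTP.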


@ -0,0 +1,33 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hassallab Landing Page</title>
</head>
<body>
<header>
</header>
<div class="container">
<h2>Hassallab default landing page</h2>
<p>
Questa è la pagina di default.
Prova a visitare <br>
<a href="www.app.sw1.hassalab.it"> hassallab default</a>
<a href="www.app.sw1.sselab.ddns.it"> sselab default</a>
</p>
</div>
<footer>
<p>&copy; TechWorld with Nana. All Rights Reserved.</p>
<p>Follow us on:
<a href="#" style="color: #3b5998;">Linkedin</a> |
<a href="#" style="color: #00aced;">Twitter</a> |
<a href="#" style="color: #e4405f;">Instagram</a>
</p>
</footer>
</body>
</html>
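Review bot: The two landing-page links have no scheme, so `href="www.app.sw1.hassalab.it"` is resolved by browsers as a path relative to the current page rather than as another host, and the request lands back on the catch-all server instead of reaching the app. The host names also differ from the ones in the nginx `server_name` lines (`hassalab.it` vs `*.sw1.hassallab.it`, `sselab.ddns.it` vs `*.sw1.sselab.ddns.net`); once a scheme is added, a misspelled name would send visitors to a domain that may not be under the project's control. Assuming the `server_name` values are the intended ones, the links would read `<a href="http://www.app.sw1.hassallab.it">` and `<a href="http://www.app.sw1.sselab.ddns.net">`, moving to `https://` when TLS is enabled. The footer still carries a copyright line and placeholder `#` social links that look like leftovers from a template.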


@ -0,0 +1,12 @@
version: '3.7'
services:
# --- NGINX ---
nginx:
image: nginx:latest
ports:
- '80:80'
- '443:443'
volumes:
- ../configs/node.conf:/etc/nginx/nginx.conf:ro
- ../content/index.html:/var/www/default/index.html
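Review bot: `image: nginx:latest` is a moving tag, so every pull can bring in a different nginx build without any change in this repository; the same line is in the swarm compose file in the next section, where rolling updates and rollbacks make it harder to know which build each replica runs. Pin a release and preferably its digest, e.g. `image: nginx:<pinned-version>@sha256:<digest>` (placeholders). The `index.html` bind mount is also writable from the container while the config mount is `:ro`; `- ../content/index.html:/var/www/default/index.html:ro` would match it. Port 443 is published although the nginx config added in this commit has no active `listen 443` block.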


@ -0,0 +1,37 @@
version: '3.7'
services:
# --- NGINX ---
nginx:
image: nginx:latest
ports:
- '80:80'
- '443:443'
deploy:
replicas: 4
update_config:
parallelism: 2
order: start-first
failure_action: rollback
delay: 10s
rollback_config:
parallelism: 0
order: stop-first
restart_policy:
condition: any
delay: 5s
max_attempts: 3
window: 120s
healthcheck:
test: ["CMD", "service", "nginx", "status"]
configs:
- source: nginx_conf
target: /etc/nginx/nginx.conf
- source: nginx_static
target: /var/www/default/index.html
configs:
nginx_conf:
file: ../configs/node.conf
nginx_static:
file: ../content/index.html
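Review bot: The healthcheck `["CMD", "service", "nginx", "status"]` reports at most on the nginx process as seen by an init script; it does not show that the listener accepts connections with the mounted `nginx_conf`, and it depends on the `service` helper existing in whatever `nginx:latest` resolves to. Because `update_config` uses `order: start-first` with `failure_action: rollback`, this check is what gates a rollout, so a probe against the local listener is more meaningful, for example `test: ["CMD-SHELL", "curl -fsS -o /dev/null http://localhost/ || exit 1"]`, assuming curl is present in the image (verify against the pinned image). The healthcheck also sets no `interval`, `timeout` or `retries`, so the engine defaults decide how quickly a bad replica is detected; stating them next to `restart_policy` would make the intended behaviour explicit.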

17
templates/PKI/README.md Normal file

@ -0,0 +1,17 @@
# PKI
### Templates
Some utils files in order to have a ready solution in order to generate bundles.
**NB** via console is trivial :
Public CRT
'cat SSE\ Lab\ Root\ CA_crt.pem >> certificate-bundle.pem
cat SSE\ Lab\ Intermediate\ CA_crt.pem >> certificate-bundle.pem
cat RUP\ Services_crt.pem >> certificate-bundle.pem'
Private Key
'cat RUP\ Services_prv.pem >> certificate-bundle.key'


@ -0,0 +1,9 @@
-----BEGIN CERTIFICATE-----
Root CA public key data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA public key data
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Leaf Certificate public key data
-----END CERTIFICATE-----
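Review bot: The template orders the bundle root, intermediate, leaf, and the README commands build it in the same order, but TLS servers expect the leaf certificate first: nginx's `ssl_certificate`, for instance, takes the first certificate in the file as the server certificate and checks it against the private key, so a root-first bundle would fail the key match at load time. If the bundle is meant for a server (the README pairs it with the `RUP Services` private key, which suggests so), reorder it to leaf, then intermediate, and leave the root out, since clients must already hold it in their trust store. The partly filled bundle in the next file section has the same order. The placeholder lines say "public key data", but these blocks hold certificates.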


@ -0,0 +1,53 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Leaf Certificate public key data
-----END CERTIFICATE-----