Add TLS options to the reverse-proxy for vino

This adds the option to enable TLS for the vino reverse-proxy. As a
bonus, basic_auth has also been parameterized.

Change-Id: I202c2184fb0fa08585c150110be1127ff326865e
This commit is contained in:
Ian Howell 2021-05-04 13:35:09 -05:00
parent f093129b32
commit aee28c9a98
3 changed files with 45 additions and 10 deletions

View File

@ -1,11 +1,16 @@
FROM nginx:alpine
ENV USE_BASIC_AUTH="false"
ENV BASIC_AUTH_USERNAME="username"
ENV BASIC_AUTH_PASSWORD="password"
RUN apk add --update --no-cache apache2-utils
ENV USE_TLS="false"
ENV TLS_CRT=""
ENV TLS_KEY=""
COPY assets/default.conf /etc/nginx/conf.d/default.conf
RUN apk add --update --no-cache apache2-utils ;
COPY assets/default.conf.tpl /default.conf.tpl
COPY assets/entrypoint.sh /entrypoint.sh
ENTRYPOINT /entrypoint.sh

View File

@ -1,16 +1,12 @@
server {
listen 8000;
server_name localhost;
$tls_config
location / {
proxy_pass http://localhost:5000/;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
# Basic Auth
limit_except OPTIONS {
auth_basic "Restricted";
auth_basic_user_file "auth.htpasswd";
}
$basic_auth_config
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {

View File

@ -1,5 +1,7 @@
#!/bin/sh
set -ex
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
@ -12,5 +14,37 @@
# See the License for the specific language governing permissions and
# limitations under the License.
basic_auth_config=''
if [ "$USE_BASIC_AUTH" = "true" ]; then
htpasswd -Bbn "$BASIC_AUTH_USERNAME" "$BASIC_AUTH_PASSWORD" > /etc/nginx/auth.htpasswd
basic_auth_config='
# Basic Auth
limit_except OPTIONS {
auth_basic "Restricted";
auth_basic_user_file "auth.htpasswd";
}'
fi
export basic_auth_config
tls_config='listen 8000;'
if [ "$USE_TLS" = "true" ]; then
mkdir -p /etc/ssl/certs
mkdir -p /etc/ssl/private
echo "$TLS_CRT" > /etc/ssl/certs/redfish-auth.crt
echo "$TLS_KEY" > /etc/ssl/private/redfish-auth.key
tls_config='listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate /etc/ssl/certs/redfish-auth.crt;
ssl_certificate_key /etc/ssl/private/redfish-auth.key;'
fi
export tls_config
vars='$basic_auth_config:$tls_config'
envsubst "$vars" </default.conf.tpl >/etc/nginx/conf.d/default.conf
cat /etc/nginx/conf.d/default.conf
nginx -g 'daemon off;'