diff --git a/hammerhead/app/gitea/deploy/gitea.hcl b/hammerhead/app/gitea/deploy/gitea.hcl
index a30f36c..4e8af79 100644
--- a/hammerhead/app/gitea/deploy/gitea.hcl
+++ b/hammerhead/app/gitea/deploy/gitea.hcl
@@ -12,16 +12,22 @@ job "gitea" {
 network {
 mode = "bridge"
 
- port "http" {
- static = 3000
- to = 3000
+ port "ssh" {
+ static = 22
 }
- port "ssh" { to = 22 }
+ # port "http" {
+ # static = 3000
+ # to = 3000
+ # }
 }
 
 service {
 name = "gitea-frontend"
- port = "http"
+ port = "3000"
+
+ connect {
+ sidecar_service {}
+ }
 
 # check {
 # name = "alive"
@@ -44,7 +50,7 @@ job "gitea" {
 }
 
 service {
- name = "gitea-db"
+ name = "gitea-postgres-connector"
 
 connect {
 sidecar_service {
@@ -65,11 +71,7 @@ job "gitea" {
 driver = "docker"
 
 config {
- # Exposes the http & ssh ports from the container to the host.
- # Lame because anyone can access gitea bypassing nginx from :3000
- # Necessary because without further mesh-net config,
- # nginx can't access the container's port.
- ports = ["http", "ssh"]
+ ports = ["ssh"]
 
 image = "gitea/gitea:1.14.2"
 volumes = [
diff --git a/hammerhead/app/nginx/config/gitea.tpl b/hammerhead/app/nginx/config/gitea.tpl
index fa4ad4f..1787081 100644
--- a/hammerhead/app/nginx/config/gitea.tpl
+++ b/hammerhead/app/nginx/config/gitea.tpl
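Review bot: The new `connect { sidecar_service {} }` on the `gitea-frontend` service puts Gitea's port 3000 on the Connect mesh, but nothing in the job or this commit says which mesh identities may dial it; unless the Consul cluster's intentions default to deny, any service with a sidecar can reach Gitea through the mesh, which is the old "bypassing nginx" problem moved one hop inward. I would pair this with a Consul `service-intentions` config entry allowing only `nginx-gitea-frontend-connector` to reach `gitea-frontend` (and default deny), or at least a comment on the service naming where that intention lives; the same applies to the new connector service registered in nginx.hcl. The `# port "http"` block should be deleted rather than commented out, since git history and the `ports = ["ssh"]` change in the config hunk already record the move. `static = 22` with no `to` assumes the container's sshd listens on 22 inside the namespace and will collide with a host sshd on the same port, so a one-line comment such as `# Gitea SSH; host sshd must not also bind 22` would make the choice explicit. The `group` enclosing this hunk starts and ends outside it.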
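Review bot: Dropping the four-line comment above `ports` in the `config` block removes the only explanation of the port-exposure design, and the new `ports = ["ssh"]` is left unexplained; I would replace it with `# Only SSH is published on the host. HTTP (3000) is reachable solely via the Connect sidecar registered on service "gitea-frontend".` so the next reader does not re-add `"http"` to fix a "cannot reach 3000" symptom. The `image = "gitea/gitea:1.14.2"` context line pins by mutable tag; pinning by digest (`gitea/gitea:1.14.2@sha256:<digest>`, value to be filled from the registry) would make the deployment reproducible against tag re-pushes. The `task` enclosing this hunk continues outside it.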
@@ -1,17 +1,27 @@
-upstream gitea-backend {
-{{ range service "gitea-frontend" }}
- server {{ .Address }}:{{ .Port }};
-{{ else }}
- server 127.0.0.1:65535; # force a 502
-{{ end }}
+upstream gitea-frontend {
+ server 127.0.0.1:3000;
 }
 
 server {
- listen 80;
- listen [::]:80;
- server_name gitea.hammerhead.luxeylab.net;
+ listen 80;
+ listen [::]:80;
+ server_name gitea.hammerhead.luxeylab.net;
 
- location / {
- proxy_pass http://gitea-backend;
- }
+
+ # Forward information from nginx to the upstream
+ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ location / {
+ # Forward information from nginx to the upstream
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Port $server_port;
+
+ proxy_pass http://gitea-frontend;
+ }
 }
\ No newline at end of file
diff --git a/hammerhead/app/nginx/deploy/nginx.hcl b/hammerhead/app/nginx/deploy/nginx.hcl
index d120752..eeb308f 100644
--- a/hammerhead/app/nginx/deploy/nginx.hcl
+++ b/hammerhead/app/nginx/deploy/nginx.hcl
@@ -5,6 +5,7 @@ job "nginx" {
 count = 1
 
 network {
+ mode = "bridge"
 port "http" {
 static = 80
 }
@@ -24,6 +25,24 @@ job "nginx" {
 port = "http"
 }
 
+ service {
+ name = "nginx-gitea-frontend-connector"
+
+ connect {
+ sidecar_service {
+ proxy {
+ upstreams {
+ # Required
+ destination_name = "gitea-frontend"
+ local_bind_port = "3000"
+ # Optional
+ local_bind_address = "127.0.0.1"
+ }
+ }
+ }
+ }
+ }
+
 task "nginx" {
 driver = "docker"
 
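Review bot: The comment `# Forward information from nginx to the upstream` placed above the `add_header` lines in the `server` block is a copy of the one inside `location /` and is wrong there: `add_header` sets response headers returned to the browser, not metadata for Gitea, so it should read `# Security response headers sent to clients`. `add_header X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and whose filter caused information leaks in older ones; set it to `"0"` or drop it. `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client already sent, so if this nginx is the internet-facing edge Gitea must be configured to trust only the last hop, and `X-Forwarded-Proto $scheme` will always be `http` here because only port 80 is listened on, which misreports the scheme if TLS is terminated in front of this instance. Note also that `add_header` directives in a `server` block are not inherited by any `location` that sets its own `add_header`, so they should move into the location or be repeated if more locations are added.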
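Review bot: The `# Required` and `# Optional` comments inside the new `upstreams` block are lifted from the Nomad reference and explain nothing about this deployment; replace them with why-comments such as `# nginx reaches Gitea only through its local Connect proxy; config/gitea.tpl proxies to 127.0.0.1:3000` on `destination_name`, and `# loopback-only bind inside the group's network namespace (the default, kept explicit)` on `local_bind_address`. The service `nginx-gitea-frontend-connector` is registered with a sidecar and no `port`, which works for an upstream-only sidecar but still makes nginx a first-class mesh identity, so its name should be the one any Consul intention for `gitea-frontend` allows. The `group` enclosing this hunk begins and ends outside it.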
@@ -36,12 +55,12 @@ job "nginx" {
 ]
 }
 
- template {
- data = file("../config/dummy-http-server.tpl")
- destination = "local/dummy-http-server.conf"
- change_mode = "signal"
- change_signal = "SIGHUP"
- }
+ # template {
+ # data = file("../config/dummy-http-server.tpl")
+ # destination = "local/dummy-http-server.conf"
+ # change_mode = "signal"
+ # change_signal = "SIGHUP"
+ # }
 
 template {
 data = file("../config/gitea.tpl")