final gitea configuration without SSL

2021-06-18 12:33:46 +02:00 · 2021-06-18 12:33:46 +02:00 · 9acdec272b
commit 9acdec272b
parent 6aa3369341
3 changed files with 60 additions and 29 deletions
--- a/hammerhead/app/gitea/deploy/gitea.hcl
+++ b/hammerhead/app/gitea/deploy/gitea.hcl
@ -12,16 +12,22 @@ job "gitea" {

    network {
      mode = "bridge"
-      port "http" { 
-        static = 3000
-        to = 3000 
+      port "ssh" { 
+        static = 22 
      }
-      port "ssh" { to = 22 }
+      # port "http" { 
+      #   static = 3000
+      #   to = 3000 
+      # }
    }

    service {
      name = "gitea-frontend"
-      port = "http"
+      port = "3000"
+
+      connect {
+        sidecar_service {}
+      }

      # check {
      #   name     = "alive"
@ -44,7 +50,7 @@ job "gitea" {
    }

    service {
-      name = "gitea-db"
+      name = "gitea-postgres-connector"

      connect {
        sidecar_service {
@ -65,11 +71,7 @@ job "gitea" {
      driver = "docker"

      config {
-        # Exposes the http & ssh ports from the container to the host.
-        # Lame because anyone can access gitea bypassing nginx from :3000
-        # Necessary because without further mesh-net config, 
-        # nginx can't access the container's port.
-        ports = ["http", "ssh"]
+        ports = ["ssh"]
        image = "gitea/gitea:1.14.2"

        volumes = [
--- a/hammerhead/app/nginx/config/gitea.tpl
+++ b/hammerhead/app/nginx/config/gitea.tpl
@ -1,17 +1,27 @@
-upstream gitea-backend {
-{{ range service "gitea-frontend" }}
-  server {{ .Address }}:{{ .Port }};
-{{ else }}
-  server 127.0.0.1:65535; # force a 502
-{{ end }}
+upstream gitea-frontend {
+  server 127.0.0.1:3000;
 }

 server {
-   listen 80;
-   listen [::]:80;
-   server_name gitea.hammerhead.luxeylab.net;
+  listen 80;
+  listen [::]:80;
+  server_name gitea.hammerhead.luxeylab.net;

-   location / {
-      proxy_pass http://gitea-backend;
-   }
+
+  # Forward information from nginx to the upstream
+  # add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
+  add_header X-Frame-Options              SAMEORIGIN;
+  add_header X-Content-Type-Options       nosniff;
+  add_header X-XSS-Protection             "1; mode=block";
+  location / {
+    # Forward information from nginx to the upstream
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    Host                $http_host;
+    proxy_set_header    X-Forwarded-Host    $http_host;
+    proxy_set_header    X-Forwarded-Port    $server_port;
+
+    proxy_pass http://gitea-frontend;
+  }
 }
--- a/hammerhead/app/nginx/deploy/nginx.hcl
+++ b/hammerhead/app/nginx/deploy/nginx.hcl
@ -5,6 +5,7 @@ job "nginx" {
    count = 1

    network {
+      mode = "bridge"
      port "http" {
        static = 80
      }
@ -24,6 +25,24 @@ job "nginx" {
      port = "http"
    }

+    service {
+      name = "nginx-gitea-frontend-connector"
+
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              # Required
+              destination_name = "gitea-frontend"
+              local_bind_port = "3000"
+              # Optional
+              local_bind_address = "127.0.0.1"
+            }
+          }
+        }
+      }
+    }
+
    task "nginx" {
      driver = "docker"

@ -36,12 +55,12 @@ job "nginx" {
        ]
      }

-      template {
-        data = file("../config/dummy-http-server.tpl")
-        destination   = "local/dummy-http-server.conf"
-        change_mode   = "signal"
-        change_signal = "SIGHUP"
-      }
+      # template {
+      #   data = file("../config/dummy-http-server.tpl")
+      #   destination   = "local/dummy-http-server.conf"
+      #   change_mode   = "signal"
+      #   change_signal = "SIGHUP"
+      # }

      template {
        data = file("../config/gitea.tpl")