NGINX -s reload (Part 2)

第 11 屆 iThome 鐵人賽

DAY 28

DevOps

Oops Step ( Home lab of a kind ) 系列第 28 篇

11th鐵人賽 jenkins nginx ssl憑證 git

icekimo

2019-09-29 00:04:38

3620 瀏覽

分享至

資安業者Security Discovery最近在檢查網路上公開的Jenkins實例時，發現有個實例屬於美國奇異航空（GE Aviation），而且存放了原始碼、明文密碼、配置細節，以及該公司內部架構的各種私鑰，被知會的奇異航空當天就關閉了該實例，並坦承是因DNS配置錯誤所造成。ITHOME報導

那麼，老爺子Jenkins要怎麼上網呢？用撥接？我是習慣用nginx做前端Reverse Proxy。但是設定檔這次要用git做版本管理。
先看看我的.gitignore寫法

root@Bosley:/etc/nginx# cat .gitignore
*
!nginx.conf
!naxsi_core.rules
!fastcgi_params
!mime.types
!sites-available
!sites-available/**
!conf.d
!conf.d/**
!modules-available
!modules-available/**

好，直接把機器上/etc/nginx開始版控

root@Bosley:/etc/nginx# git init && git add . && git status
Initialized empty Git repository in /etc/nginx/.git/
On branch master

No commits yet

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)

        new file:   fastcgi_params
        new file:   mime.types
        new file:   naxsi_core.rules
        new file:   nginx.conf
        new file:   sites-available/Redirect_HTTPS
        new file:   sites-available/qnap-ssl

root@Bosley:/etc/nginx#  git rm --cached sites-available/qnap-ssl# 暫不想提交這版本
# 預先在Github開一個空repo當目的
root@Bosley:/etc/nginx# git remote add origin git@github.com:August-Icekimo/nginx.conf.git
# 先下再上
root@Bosley:/etc/nginx# git pull origin master
From github.com:August-Icekimo/nginx.conf
 * branch            master     -> FETCH_HEAD
# 填commit
root@Bosley:/etc/nginx# git commit -m "First Upload Version"
[master 9dff538] First Upload Version
 5 files changed, 255 insertions(+)
 create mode 100644 fastcgi_params
 create mode 100644 mime.types
 create mode 100644 naxsi_core.rules
 create mode 100644 nginx.conf
 create mode 100644 sites-available/Redirect_HTTPS
# push! harder!
root@Bosley:/etc/nginx# git push -u origin master
Counting objects: 8, done.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 3.68 KiB | 198.00 KiB/s, done.
Total 8 (delta 0), reused 0 (delta 0)
To github.com:August-Icekimo/nginx.conf.git
   6037caf..9dff538  master -> master
Branch 'master' set up to track remote branch 'master' from 'origin'.
root@Bosley:/etc/nginx#

再來你就可以胡亂編寫測試nginx，萬一搞掛了，就做個 git checkout 就找到回家的路了 ~~，不用七天~~ 。
如果你以為等災難復原時是

# git clone git@github.com:August-Icekimo/nginx.conf

千萬不要啊，你在仔細想想就知道這樣會clone什麼鬼怪下來，多了一層目錄和一隻手一隻腳，讓你認不出來。
~~但你把它加句點也是可以啦~~
怎麼辦？就是進去/etc/nginx然後做git init到可以git pull，就是災難被復原了。
真是江湖一點訣，說破不值錢。

繼續回到正題，我們來弄個SSL憑證

sudo acme.sh --config-home /etc/acme --force --debug --issue --domain jenkins.icekimo.idv.tw --standalone

然後我突然有個想法，我們來開個branch吧，這樣感覺好像是很大的企業集團，還有Branch的耶


root@Bosley:/etc/nginx# git branch bosley
root@Bosley:/etc/nginx# git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
root@Bosley:/etc/nginx# git checkout bosley
Switched to branch 'bosley'
root@Bosley:/etc/nginx# git status
On branch bosley
nothing to commit, working tree clean
root@Bosley:/etc/nginx# nginx -s stop

然後經過一番修改，寫好jenkins的nginx設定檔，準備存檔

root@Bosley:/etc/nginx# git add .
root@Bosley:/etc/nginx# git status
On branch bosley
Changes to be committed:
  (use "git reset HEAD <file>..." to unstage)

        modified:   nginx.conf
        new file:   sites-available/jenkins-ssl
        modified:   sites-available/upstream_Bosley.conf

root@Bosley:/etc/nginx# git commit -m "Jenkins CI serve page"
[bosley 03e2431] Jenkins CI serve page
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 sites-available/jenkins-ssl
root@Bosley:/etc/nginx# git push
fatal: The current branch bosley has no upstream branch.
To push the current branch and set the remote as upstream, use

    git push --set-upstream origin bosley

root@Bosley:/etc/nginx# git push --set-upstream origin bosley
Counting objects: 6, done.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.12 KiB | 87.00 KiB/s, done.
Total 6 (delta 3), reused 0 (delta 0)
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
remote:
remote: Create a pull request for 'bosley' on GitHub by visiting:
remote:      https://github.com/August-Icekimo/nginx.conf/pull/new/bosley
remote:
To github.com:August-Icekimo/nginx.conf.git
 * [new branch]      bosley -> bosley
Branch 'bosley' set up to track remote branch 'bosley' from 'origin'.
root@Bosley:/etc/nginx#

真是美好的一天，我們把Jenkins加好HTTPS可以從外面安全的連線使用了。
等等，這日子好像過得有點快，我們順便把portainer.io一起設定完好了

server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/acme/lab.icekimo.idv.tw/fullchain.cer;
    ssl_certificate_key /etc/acme/lab.icekimo.idv.tw/lab.icekimo.idv.tw.key;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    server_name lab.icekimo.idv.tw;

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header        Via "nginx";
        proxy_max_temp_file_size 0;
        client_max_body_size       10m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;

        proxy_pass http://portainer_page;
        break;
    }
}

這樣再做個nginx -s reload

如果到github細看，就會注意到我把upstream集中在一個檔案，一次把服務組態地圖都講清楚了
然後個別檔案描述說明443上什麼名字(server name)是誰。
這樣的好處是可以一次把所有upstream定義完畢，然後只需要增加第二個HA的設定檔，在site-enalbled裡面更改連結，就會把hot standby的服務投入負載平衡中。