Initial commit

.github/workflows/build.yml

@@ -0,0 +1,31 @@
+name: Build
+
+on: 
+  push:
+    branches:
+      - '*'
+    tags-ignore:
+      - '*'
+    paths-ignore:
+      - 'bumpver.toml'
+
+jobs:
+  build:
+    name: build, lint, and test hysds-integration
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      #   -- Build --
+      - name: Build
+        run: docker build -t "ngap-dit-proxy:$(cat version.txt)" .
+      - name: Tag as latest
+        if: github.ref == 'refs/heads/main'
+        run: docker tag ghcr.io/podaac/ngap-dit-proxy:$(cat version.txt) ghcr.io/podaac/ngap-dit-proxy:latest
+      - name: Publish Docker images
+        run: docker image push -a ghcr.io/podaac/ngap-dit-proxy

.gitignore

@@ -0,0 +1,2 @@
+.vscode/
+.DS_Store

Dockerfile

@@ -0,0 +1,10 @@
+FROM nginx:mainline-alpine-slim
+
+RUN set -x \
+  && apk update \
+  && apk add aws-cli cronie openssl
+
+COPY --chmod=770 files/renew-cert.sh files/start-cron.sh /docker-entrypoint.d/
+RUN ln -s /docker-entrypoint.d/renew-cert.sh /etc/periodic/daily/renew-cert.sh
+
+COPY files/ssl-proxy.conf.template /etc/nginx/templates/

README.md

@@ -0,0 +1,14 @@
+# ngap-dit-proxy
+
+An Nginx-based reverse proxy for implementing HTTPS with auto-renewing
+certificates provided by the NGAP private CA
+
+## Environment variables
+
+To run this container, you must set the following environment variables:
+
+| Variable             | Description                                      |
+|----------------------|--------------------------------------------------|
+| HOSTNAME             | The hostname of the certificate generated        |
+| NGAP_CERTIFICATE_ARN | The ARN of the certificate to use for this proxy |
+| APP_PORT             | The local HTTP port to reverse proxy as HTTPS    |

files/renew-cert.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -xe
+umask 177
+
+openssl rand --base64 16 | tr -d '\n' > /etc/nginx/passphrase.txt
+aws acm export-certificate \
+  --certificate-arn $NGAP_CERTIFICATE_ARN \
+  --passphrase fileb://etc/nginx/passphrase.txt \
+  --query "[Certificate,CertificateChain,PrivateKey]" \
+  --output text | sed -e "s/^\s*//g" > /etc/nginx/certificate.pem
+
+if [ -f /var/run/nginx.pid ]; then
+  nginx -s reload
+fi

files/ssl-proxy.conf.template

@@ -0,0 +1,16 @@
+server {
+  listen              443 ssl;
+  listen              [::]:443 ssl;
+
+  server_name         ${HOSTNAME};
+
+  ssl_password_file   /etc/nginx/passphrase.txt;
+  ssl_certificate     /etc/nginx/certificate.pem;
+  ssl_certificate_key /etc/nginx/certificate.pem;
+  ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+  ssl_ciphers         HIGH:!aNULL:!MD5;
+
+  location / {
+    proxy_pass http://localhost:${APP_PORT};
+  }
+}

files/start-cron.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+crond

version.txt

@@ -0,0 +1 @@
+1.0.0