diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..4b89b5d
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,31 @@
+name: Build
+
+on:
+ push:
+ branches:
+ - '*'
+ tags-ignore:
+ - '*'
+ paths-ignore:
+ - 'bumpver.toml'
+
+jobs:
+ build:
+ name: build, lint, and test hysds-integration
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/login-action@v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # -- Build --
+ - name: Build
+ run: docker build -t "ngap-dit-proxy:$(cat version.txt)" .
+ - name: Tag as latest
+ if: github.ref == 'refs/heads/main'
+ run: docker tag ghcr.io/podaac/ngap-dit-proxy:$(cat version.txt) ghcr.io/podaac/ngap-dit-proxy:latest
+ - name: Publish Docker images
+ run: docker image push -a ghcr.io/podaac/ngap-dit-proxy
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a2ac9cd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode/
+.DS_Store
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2729cc0
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM nginx:mainline-alpine-slim
+
+RUN set -x \
+ && apk update \
+ && apk add aws-cli cronie openssl
+
+COPY --chmod=770 files/renew-cert.sh files/start-cron.sh /docker-entrypoint.d/
+RUN ln -s /docker-entrypoint.d/renew-cert.sh /etc/periodic/daily/renew-cert.sh
+
+COPY files/ssl-proxy.conf.template /etc/nginx/templates/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..78a218d
--- /dev/null
+++ b/README.md
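Review bot: The Build step tags the image `ngap-dit-proxy:<version>` with no registry prefix, while the Tag and Publish steps reference `ghcr.io/podaac/ngap-dit-proxy`, so `docker tag` will fail with "No such image" and `docker image push -a` has nothing to push; the build should produce the fully qualified name, `run: docker build -t "ghcr.io/podaac/ngap-dit-proxy:$(cat version.txt)" .`. The Publish step is not gated on `refs/heads/main` the way the latest tag is, so every branch push would publish a version tag to the registry once the naming is fixed; consider giving it the same `if:`. Pushing to ghcr.io with `GITHUB_TOKEN` normally needs `permissions: packages: write` on the job, which this workflow does not declare, so success depends on the repository's default token permissions. `docker/login-action@v3.0.0` is pinned to a mutable tag rather than a release commit SHA, which is the usual supply-chain hardening for third-party actions. The job name `build, lint, and test hysds-integration` looks copied from another project and does not describe the steps, which only build and publish.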
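Review bot: The `RUN set -x && apk update && apk add aws-cli cronie openssl` layer installs unpinned packages and leaves the apk index in the image, so rebuilds silently pick up different versions of the AWS CLI and OpenSSL that handle the private key; prefer one step of the form `apk add --no-cache aws-cli=<VERSION> cronie=<VERSION> openssl=<VERSION>` (placeholder versions) without `apk update`. `FROM nginx:mainline-alpine-slim` is a floating tag; adding a digest (`@sha256:<DIGEST>`) gives the same reproducibility for the base. The `ln -s` into `/etc/periodic/daily` relies on a crontab entry that runs `run-parts /etc/periodic/daily` and on cronie reading that crontab's spool location on Alpine, which I have not confirmed for the cronie package; a comment such as `# first fetch at startup via docker-entrypoint.d; daily renewal via run-parts from the root crontab` would record the intended wiring and make a missing crontab easy to spot. Nothing in the Dockerfile documents that `renew-cert.sh` writes the key material under `/etc/nginx` at runtime, which is why the nginx master must keep running as root to read the 0600 files; worth a one-line comment on the `COPY --chmod=770` line.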
@@ -0,0 +1,14 @@
+# ngap-dit-proxy
+
+An Nginx-based reverse proxy for implementing HTTPS with auto-renewing
+certificates provided by the NGAP private CA
+
+## Environment variables
+
+To run this container, you must set the following environment variables:
+
+| Variable | Description |
+|----------------------|--------------------------------------------------|
+| HOSTNAME | The hostname of the certificate generated |
+| NGAP_CERTIFICATE_ARN | The ARN of the certificate to use for this proxy |
+| APP_PORT | The local HTTP port to reverse proxy as HTTPS |
diff --git a/files/renew-cert.sh b/files/renew-cert.sh
new file mode 100755
index 0000000..fb84d10
--- /dev/null
+++ b/files/renew-cert.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -xe
+umask 177
+
+openssl rand --base64 16 | tr -d '\n' > /etc/nginx/passphrase.txt
+aws acm export-certificate \
+ --certificate-arn $NGAP_CERTIFICATE_ARN \
+ --passphrase fileb://etc/nginx/passphrase.txt \
+ --query "[Certificate,CertificateChain,PrivateKey]" \
+ --output text | sed -e "s/^\s*//g" > /etc/nginx/certificate.pem
+
+if [ -f /var/run/nginx.pid ]; then
+ nginx -s reload
+fi
diff --git a/files/ssl-proxy.conf.template b/files/ssl-proxy.conf.template
new file mode 100644
index 0000000..f16b809
--- /dev/null
+++ b/files/ssl-proxy.conf.template
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name ${HOSTNAME};
+
+ ssl_password_file /etc/nginx/passphrase.txt;
+ ssl_certificate /etc/nginx/certificate.pem;
+ ssl_certificate_key /etc/nginx/certificate.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location / {
+ proxy_pass http://localhost:${APP_PORT};
+ }
+}
diff --git a/files/start-cron.sh b/files/start-cron.sh
new file mode 100644
index 0000000..7286720
--- /dev/null
+++ b/files/start-cron.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+crond
diff --git a/version.txt b/version.txt
new file mode 100644
index 0000000..afaf360
--- /dev/null
+++ b/version.txt
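Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and fail most compliance scans, and a new proxy has no legacy clients to serve; use `ssl_protocols TLSv1.2 TLSv1.3;` and tighten `ssl_ciphers HIGH:!aNULL:!MD5;` to an AEAD-only list such as the Mozilla intermediate set. The `location /` block forwards nothing about the original request, so the application behind `proxy_pass http://localhost:${APP_PORT};` sees `Host: localhost:<port>` and cannot tell that the request arrived over HTTPS or from which client, which breaks redirect generation and audit logging; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. `HOSTNAME` is also an environment variable Docker itself sets to the container hostname by default, so if the operator forgets to set it the template still renders with a misleading `server_name` instead of failing; a comment above `server_name ${HOSTNAME};` saying it must be set explicitly to the certificate's hostname would help.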
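Review bot: `crond` from cronie builds each job's environment from the crontab rather than inheriting the daemon's, as far as I recall, so `NGAP_CERTIFICATE_ARN` will likely be unset when `/etc/periodic/daily/renew-cert.sh` runs and the daily renewal fails without the container noticing; please confirm, and if so write the needed variables into the root crontab or have this script persist them to a file that the renewal script sources. Because this runs from `/docker-entrypoint.d` before nginx is exec'd, the daemon has to detach into the background, but nothing then supervises it: if it dies, renewals simply stop, so a `HEALTHCHECK` that verifies crond is alive or the certificate is not near expiry would surface that. A one-line comment, `# runs from /docker-entrypoint.d and must return before nginx starts, so crond daemonizes instead of running with -n`, would record why foreground mode is not used.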
@@ -0,0 +1 @@
+1.0.0
\ No newline at end of file