add ssl configuration posibility

Mostowiec Dominik · Mostowiec Dominik · commit 1ceb594aa422 · 2018-08-17T11:02:15.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -13,6 +13,7 @@ COPY files/ecr.ini /etc/supervisor.d/ecr.ini
 COPY files/root /etc/crontabs/root
 
 COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf
 
 ENV PORT 5000
 
diff --git a/files/nginx.conf b/files/nginx.conf
@@ -18,11 +18,13 @@ http {
   # this is necessary for us to be able to disable request buffering in all cases
   proxy_http_version 1.1;
 
+  #SSLCONFIG
+
   # will run before forking out nginx worker processes
   init_by_lua_block { require "cjson" }
 
   server {
-    listen PORT default_server;
+    listen LISTEN default_server;
 
     # Cache
     add_header X-Cache-Status   $upstream_cache_status;
diff --git a/files/ssl.conf b/files/ssl.conf
@@ -0,0 +1,9 @@
+ssl_certificate_key REGISTRY_HTTP_TLS_KEY;
+ssl_certificate     REGISTRY_HTTP_TLS_CERTIFICATE;
+
+ssl_protocols TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+add_header Strict-Transport-Security max-age=31536000;
+
diff --git a/files/startup.sh b/files/startup.sh
@@ -36,11 +36,23 @@ echo Using cache max size $CACHE_MAX_SIZE
 
 CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
 
+ENABLESSL=''
+SSLINCLUDE=''
+SSLCONFIG=/usr/local/openresty/nginx/conf/ssl.conf
+if [ ! -z "$REGISTRY_HTTP_TLS_CERTIFICATE" ] && [ ! -z "$REGISTRY_HTTP_TLS_KEY" ]; then
+  sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSLCONFIG
+  sed -i -e s!REGISTRY_HTTP_TLS_KEY!"$REGISTRY_HTTP_TLS_KEY"!g $SSLCONFIG
+  ENABLESSL='ssl'
+  SSLINCLUDE="include $SSLCONFIG;"
+fi
+
 # Update nginx config
 sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG
+sed -i -e s!LISTEN!"$PORT $ENABLESSL"!g $CONFIG
 sed -i -e s!PORT!"$PORT"!g $CONFIG
 sed -i -e s!RESOLVER!"$RESOLVER"!g $CONFIG
 sed -i -e s!CACHE_MAX_SIZE!"$CACHE_MAX_SIZE"!g $CONFIG
+sed -i -e s!#SSLCONFIG!"$SSLINCLUDE"!g $CONFIG
 
 # setup ~/.aws directory
 AWS_FOLDER='/root/.aws'
