nginx support for upstream https, disable SSLv3. Make the template config closer to the NginxDefaultConfigGenerator, support non-domain config.
Project: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/commit/80429aaa
Tree: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/tree/80429aaa
Diff: http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/diff/80429aaa
Branch: refs/heads/master
Commit: 80429aaa1dd22fdc9ebb083804d6ed60b9fa9f9b
Parents: b08572f
Author: Svetoslav Neykov <[email protected]>
Authored: Tue Jan 27 21:58:44 2015 +0200
Committer: Andrea Turli <[email protected]>
Committed: Tue Feb 3 11:25:06 2015 +0100
----------------------------------------------------------------------
.../entity/proxy/nginx/NginxDefaultConfigGenerator.java | 2 ++
.../entity/proxy/nginx/NginxTemplateConfigGenerator.java | 3 +--
.../src/main/resources/brooklyn/entity/proxy/nginx/server.conf | 6 +++++-
3 files changed, 8 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/80429aaa/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxDefaultConfigGenerator.java
----------------------------------------------------------------------
diff --git a/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxDefaultConfigGenerator.java b/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxDefaultConfigGenerator.java
index 7ba069e..1ed7e49 100644
--- a/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxDefaultConfigGenerator.java
+++ b/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxDefaultConfigGenerator.java
@@ -249,6 +249,8 @@ public class NginxDefaultConfigGenerator implements NginxConfigFileGenerator {
 out.append(prefix);
 out.append("ssl_certificate_key " + key + ";\n");
 }
+
+ out.append("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n");
 }
 return true;
 }
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/80429aaa/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxTemplateConfigGenerator.java
----------------------------------------------------------------------
diff --git a/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxTemplateConfigGenerator.java b/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxTemplateConfigGenerator.java
index d141ecf..faab7a9 100644
--- a/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxTemplateConfigGenerator.java
+++ b/software/webapp/src/main/java/brooklyn/entity/proxy/nginx/NginxTemplateConfigGenerator.java
@@ -26,7 +26,6 @@ import brooklyn.entity.basic.ConfigKeys;
 import brooklyn.entity.proxy.ProxySslConfig;
 import brooklyn.util.ResourceUtils;
 import brooklyn.util.collections.MutableMap;
-import brooklyn.util.flags.SetFromFlag;
 import brooklyn.util.text.Strings;
 import brooklyn.util.text.TemplateProcessor;
@@ -39,7 +38,7 @@ import com.google.common.collect.Multimap;
 public class NginxTemplateConfigGenerator implements NginxConfigFileGenerator {
 public static final ConfigKey<String> SERVER_CONF_TEMPLATE_URL = ConfigKeys.newStringConfigKey(
- "nginx.config.templateUrl", "The server.conf configuration file URL (FreeMarker template)");
+ "nginx.config.templateUrl", "The server.conf configuration file URL (FreeMarker template)", "classpath://brooklyn/entity/proxy/nginx/server.conf");
 public NginxTemplateConfigGenerator() {
 }
http://git-wip-us.apache.org/repos/asf/incubator-brooklyn/blob/80429aaa/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
----------------------------------------------------------------------
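Review bot: The added `out.append("ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n");` is emitted without the `out.append(prefix);` that the neighbouring `ssl_certificate_key` line uses, so the generated directive lands at column 0 while the rest of the server block is indented; nginx accepts it, but the generated file is inconsistent. Assuming the same `prefix` is still in scope after the closing brace, prepend `out.append(prefix);` before it. Only the protocol list is pinned here, and the cipher suite is left at nginx's built-in default (no `ssl_ciphers`/`ssl_prefer_server_ciphers`); that is defensible, but a one-line comment such as `// SSLv3 excluded; cipher suite deliberately left at nginx's default` would tell the next reader it was a choice rather than an omission. The enclosing method starts and ends outside the hunk.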
diff --git a/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf b/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
index 72f38e6..eb34ddb 100644
--- a/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
+++ b/software/webapp/src/main/resources/brooklyn/entity/proxy/nginx/server.conf
@@ -41,13 +41,16 @@ http {
 default_type application/octet-stream;
 server {
+ [#if entity.domain?has_content]
 server_name ${entity.domain};
+ [/#if]
 [#if entity.ssl]
 # HTTPS setup
 listen ${entity.port?c} default ssl;
 ssl_certificate ${driver.runDir}/conf/global.crt;
 ssl_certificate_key ${driver.runDir}/conf/global.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 [#else]
 # HTTP setup
 listen ${entity.port?c};
@@ -60,7 +63,8 @@ http {
 [#if entity.serverPoolAddresses?has_content]
 location / {
- proxy_pass http://${entity.id};
+ server_tokens off;
+ proxy_pass http[#if entity.portNumberSensor.name == "https.port"]s[/#if]://${entity.id};
 proxy_set_header X-Real-IP [#noparse]$remote_addr[/#noparse];
 proxy_set_header X-Forwarded-For [#noparse]$proxy_add_x_forwarded_for[/#noparse];
 proxy_set_header Host [#noparse]$http_host[/#noparse];
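Review bot: `server_tokens off;` is added inside `location /`, which itself sits under `[#if entity.serverPoolAddresses?has_content]`, so the version banner is only suppressed for that one location and only while a pool exists; any response nginx generates outside it (for example when the pool is empty) still advertises the version. Move the directive up to the `server {` block of the first hunk, next to the `listen` lines, so it covers every response regardless of pool state. The new `https` upstream is proxied with no `proxy_ssl_verify on` or `proxy_ssl_trusted_certificate`, and nginx does not validate the backend certificate by default (where the build supports those directives), so a TLS pool currently gets encryption but no authentication of the members; add a template comment making that explicit, e.g. `# NOTE: upstream certificates are not verified; set proxy_ssl_verify/proxy_ssl_trusted_certificate to pin them`. The scheme switch keyed on `entity.portNumberSensor.name == "https.port"` is a string comparison on a sensor name and will silently fall back to plain `http` for any other HTTPS sensor, which is worth stating in a comment if it is intended. The `server {` block this location belongs to starts in the previous hunk and closes outside both.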
