Merge pull request #2194 from bacongobbler/ssl_router

Matthew Fisher · Matthew Fisher · commit ea0f06658037 · 2014-10-27T19:18:17.000-04:00
feat(router): add optional controller SSL support
diff --git a/deisctl/units/deis-router.service b/deisctl/units/deis-router.service
@@ -6,7 +6,7 @@ EnvironmentFile=/etc/environment
 TimeoutStartSec=20m
 ExecStartPre=/bin/sh -c "IMAGE=`/run/deis/bin/get_image /deis/router` && docker history $IMAGE >/dev/null || docker pull $IMAGE"
 ExecStartPre=/bin/sh -c "docker inspect deis-router >/dev/null && docker rm -f deis-router || true"
-ExecStart=/bin/sh -c "IMAGE=`/run/deis/bin/get_image /deis/router` && docker run --name deis-router --rm -p 80:80 -p 2222:2222 -e EXTERNAL_PORT=80 -e HOST=$COREOS_PRIVATE_IPV4 $IMAGE"
+ExecStart=/bin/sh -c "IMAGE=`/run/deis/bin/get_image /deis/router` && docker run --name deis-router --rm -p 80:80 -p 2222:2222 -p 443:443 -e EXTERNAL_PORT=80 -e HOST=$COREOS_PRIVATE_IPV4 $IMAGE"
 ExecStopPost=-/usr/bin/docker rm -f deis-router
 Restart=on-failure
 RestartSec=5
diff --git a/docs/managing_deis/router_settings.rst b/docs/managing_deis/router_settings.rst
@@ -55,6 +55,8 @@ setting                                      description
 /deis/router/gzipVary                        nginx gzipVary setting (default: on)
 /deis/router/gzipDisable                     nginx gzipDisable setting (default: "msie6")
 /deis/router/gzipTypes                       nginx gzipTypes setting (default: "application/x-javascript application/xhtml+xml application/xml application/xml+rss application/json text/css text/javascript text/plain text/xml")
+/deis/router/sslCert                         cluster-wide SSL certificate
+/deis/router/sslKey                          cluster-wide SSL private key
 /deis/services/*                             healthy application containers reported by deis/publisher
 /deis/store/gateway/host                     host of the store gateway component (set by store-gateway)
 /deis/store/gateway/port                     port of the store gateway component (set by store-gateway)
diff --git a/router/conf.d/deis.cert.toml b/router/conf.d/deis.cert.toml
@@ -0,0 +1,9 @@
+[template]
+src   = "deis.cert"
+dest  = "/etc/ssl/deis.cert"
+uid = 0
+gid = 0
+mode  = "0644"
+keys = [
+  "/deis/router",
+]
diff --git a/router/conf.d/deis.conf.toml b/router/conf.d/deis.conf.toml
@@ -0,0 +1,9 @@
+[template]
+src   = "deis.conf"
+dest  = "/opt/nginx/conf/deis.conf"
+uid = 0
+gid = 0
+mode  = "0644"
+keys = [
+  "/deis/router",
+]
diff --git a/router/conf.d/deis.key.toml b/router/conf.d/deis.key.toml
@@ -0,0 +1,9 @@
+[template]
+src   = "deis.key"
+dest  = "/etc/ssl/deis.key"
+uid = 0
+gid = 0
+mode  = "0644"
+keys = [
+  "/deis/router",
+]
diff --git a/router/templates/deis.cert b/router/templates/deis.cert
@@ -0,0 +1 @@
+{{ .deis_router_sslCert }}
diff --git a/router/templates/deis.conf b/router/templates/deis.conf
@@ -0,0 +1,8 @@
+server_name_in_redirect off;
+port_in_redirect off;
+
+{{ if .deis_router_sslCert }}
+listen 443 ssl spdy;
+ssl_certificate /etc/ssl/deis.cert;
+ssl_certificate_key /etc/ssl/deis.key;
+{{ end }}
diff --git a/router/templates/deis.key b/router/templates/deis.key
@@ -0,0 +1 @@
+{{ .deis_router_sslKey }}
diff --git a/router/templates/nginx.conf b/router/templates/nginx.conf
@@ -50,8 +50,7 @@ http {
 
     server {
         server_name ~^deis\.(?<domain>.+)$;
-        server_name_in_redirect off;
-        port_in_redirect off;
+        include deis.conf;
 
         location / {
             proxy_buffering             off;
@@ -75,8 +74,7 @@ http {
 
     server {
         server_name ~^deis-store\.(?<domain>.+)$;
-        server_name_in_redirect off;
-        port_in_redirect off;
+        include deis.conf;
 
         location / {
             proxy_buffering             off;
@@ -101,25 +99,24 @@ http {
 
     server {
         server_name ~^{{ Base $service.Key }}\.(?<domain>.+)${{ range $app_domains := $domains }}{{ if eq (Base $service.Key) (Base $app_domains.Key) }} {{ $app_domains.Value }}{{ end }}{{ end }};
-
-        server_name_in_redirect off;
-        port_in_redirect off;
+        include deis.conf;
 
         location / {
             proxy_buffering             off;
             proxy_set_header            Host $host;
-            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header            X-Forwarded-Proto $scheme;
+            proxy_set_header            X-Forwarded-For   $proxy_add_x_forwarded_for;
             proxy_redirect              off;
             proxy_connect_timeout       10s;
             proxy_send_timeout          1200s;
             proxy_read_timeout          1200s;
             proxy_http_version          1.1;
-            proxy_set_header            Upgrade $http_upgrade;
-            proxy_set_header            Connection $connection_upgrade;
+            proxy_set_header            Upgrade           $http_upgrade;
+            proxy_set_header            Connection        $connection_upgrade;
 
             proxy_next_upstream         error timeout http_502 http_503 http_504;
 
-            add_header                  X-Deis-Upstream $upstream_addr;
+            add_header                  X-Deis-Upstream   $upstream_addr;
 
             proxy_pass                  http://{{ Base $service.Key }};
         }
