* Use stock Alpine base image * Download nginx using HTTPS * Use a venv * Split complex logic into separate scripts * Fix spnego module build process * General cleanup and optimization
Showing
8 changed files
with
193 additions
and
117 deletions.
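--- /dev/null
+++ b/[path-not-on-page]
@@ -0,0 +1,32 @@
+#!/usr/bin/env sh
+
+set -eux
+
+SPNEGO_AUTH_COMMIT_ID="72c8ee04c81f929ec84d5a6d126f789b77781a8c"
+NGINX_VERSION="$( nginx -v 2>&1 | awk -F/ '{print $2}' )"
+NGINX_CONFIG="$( nginx -V 2>&1 | python3 /usr/src/extract_nginx_options.py )"
+NGINX_TAR="nginx.tar.gz"
+NGINX_SRC="/usr/src/nginx-${NGINX_VERSION}"
+SPNEGO_TAR="spnego-http-auth.tar.gz"
+SPNEGO_SRC="/usr/src/spnego-http-auth-nginx-module-${SPNEGO_AUTH_COMMIT_ID}"
+MODULE_DIR="/usr/lib/nginx/modules/"
+MODULE_NAME="ngx_http_auth_spnego_module.so"
+
+wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O "${NGINX_TAR}"
+wget "https://github.com/stnoonan/spnego-http-auth-nginx-module/archive/${SPNEGO_AUTH_COMMIT_ID}.tar.gz" -O "${SPNEGO_TAR}"
+
+tar -xzC /usr/src -f "${NGINX_TAR}"
+tar -xzC /usr/src -f "${SPNEGO_TAR}"
+
+cd "${NGINX_SRC}"
+
+# shellcheck disable=SC2086
+./configure ${NGINX_CONFIG} --add-dynamic-module="${SPNEGO_SRC}"
+
+make modules
+
+cp "objs/${MODULE_NAME}" "${MODULE_DIR}"
+
+echo "load_module ${MODULE_DIR}/${MODULE_NAME};" > /usr/src/nginx.conf
+
+cat /etc/nginx/nginx.conf >> /usr/src/nginx.conf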
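Review bot: The nginx tarball fetched by the first `wget` line is extracted and compiled without any integrity check; HTTPS protects the transport, but the version string derived from `nginx -v` selects whichever archive nginx.org serves under that name, so pinning a sha256 (or verifying the published `.asc` signature) before the `tar -xzC` line would close that gap. The module tarball is pinned to a commit id in its URL, which already identifies its content, but a checksum there is cheap as well. A minor nit: `MODULE_DIR` ends with a slash, so the `load_module` directive is written with `//` in the path; `echo "load_module ${MODULE_DIR}${MODULE_NAME};" > /usr/src/nginx.conf` avoids it.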
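--- /dev/null
+++ b/[path-not-on-page]
@@ -0,0 +1,35 @@
+#!/usr/bin/env sh
+
+set -eux
+
+apk add \
+    ca-certificates \
+    krb5-libs \
+    krb5-server \
+    --no-cache
+
+update-ca-certificates
+
+mkdir /usr/share/nginx/html/
+
+cp /usr/src/krb5.conf /etc/krb5.conf
+
+cp /root/ca/cacert.pem /usr/share/nginx/html/cacert.pem
+cp /root/ca2/cacert.pem /usr/share/nginx/html/ca2cert.pem
+cp /root/ca/client.ansible.http.tests-cert.pem /usr/share/nginx/html/client.pem
+cp /root/ca/private/client.ansible.http.tests-key.pem /usr/share/nginx/html/client.key
+
+chmod 644 /usr/share/nginx/html/*
+
+echo "Microsoft Rulz" > /usr/share/nginx/html/gssapi
+
+python3 -c "import secrets; password = secrets.token_hex(30); print(password); print(password);" | /usr/sbin/kdb5_util create -r HTTP.TESTS
+python3 -c "print('*/admin@HTTP.TESTS\t*')" > /var/lib/krb5kdc/kadm5.acl
+
+kadmin.local -q "addprinc -randkey HTTP/ansible@HTTP.TESTS"
+kadmin.local -q "addprinc -randkey HTTP/ansible.http.tests@HTTP.TESTS"
+kadmin.local -q "ktadd -k /etc/nginx.keytab HTTP/ansible@HTTP.TESTS"
+kadmin.local -q "ktadd -k /etc/nginx.keytab HTTP/ansible.http.tests@HTTP.TESTS"
+
+chmod 660 /etc/nginx.keytab
+chown root:nginx /etc/nginx.keytab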
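Review bot: The client private key copied to `/usr/share/nginx/html/client.key` is made world-readable by the `chmod 644` line and lives in the web root, so it is served to anyone who can reach the server; that is presumably intended for a test fixture, but nothing in the script says so. A comment above the four `cp` lines such as `# Test-only CA certs and client cert/key, intentionally published under the web root so test clients can fetch them` would stop a future reader from treating it as a leak, and from reusing the pattern with a real key. The keytab handling at the end (`chmod 660`, `chown root:nginx`) already follows the stricter pattern and could be referenced as the contrast.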
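--- a/[path-not-on-page]
+++ b/[path-not-on-page]
@@ -1,14 +1,24 @@
-Flask==1.1.2
-Jinja2==2.11.2
-MarkupSafe==1.1.1
-blinker==1.4
-brotlipy==0.7.0
-cffi==1.14.3
-click==7.1.2
-decorator==4.4.2
-gunicorn==20.0.4
-httpbin==0.7.0
-itsdangerous==1.1.0
-pycparser==2.20
-raven==6.10.0
-werkzeug==1.0.1
+attrs==23.2.0
+blinker==1.8.2
+brotlicffi==1.1.0.0
+cffi==1.16.0
+click==8.1.7
+decorator==5.1.1
+flasgger==0.9.7.1
+Flask==3.0.3
+greenlet==2.0.2
+gunicorn==22.0.0
+httpbin==0.10.2
+itsdangerous==2.2.0
+Jinja2==3.1.4
+jsonschema==4.22.0
+jsonschema-specifications==2023.12.1
+MarkupSafe==2.1.5
+mistune==3.0.2
+packaging==24.0
+pycparser==2.22
+PyYAML==6.0.1
+referencing==0.35.1
+rpds-py==0.18.1
+six==1.16.0
+Werkzeug==3.0.3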
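--- /dev/null
+++ b/[path-not-on-page]
@@ -0,0 +1,38 @@
+#!/usr/bin/env sh
+
+set -eux
+
+subj="/C=US/ST=North Carolina/L=Durham/O=Ansible"
+days=3650
+
+ca1="/root/ca"
+ca2="/root/ca2"
+
+create_ca() {
+    ca="$1"
+    name="$2"
+
+    mkdir -p "${ca}/certs" "${ca}/private" "${ca}/newcerts"
+    echo 1000 > "${ca}/serial"
+    touch "${ca}/index.txt"
+    sed "s|\./demoCA|${ca}|g" /etc/ssl/openssl.cnf > "${ca}/openssl.cnf"
+    openssl req -new -x509 -nodes -extensions v3_ca \
+        -config "${ca}/openssl.cnf" -days "${days}" -subj "${subj}/CN=${name}" -out "${ca}/cacert.pem" -keyout "${ca}/private/cakey.pem"
+}
+
+create_cert() {
+    ca="$1"
+    name="$2"
+
+    openssl req -new -nodes -config "${ca}/openssl.cnf" -subj "${subj}/CN=${name}" -out "${ca}/${name}-req.pem" -keyout "${ca}/private/${name}-key.pem"
+    yes | openssl ca -config "${ca}/openssl.cnf" -days "${days}" -in "${ca}/${name}-req.pem" -out "${ca}/${name}-cert.pem"
+}
+
+create_ca "${ca1}" "ansible.http.tests"
+create_ca "${ca2}" "ca2.ansible.http.tests"
+
+create_cert "${ca1}" "ansible.http.tests"
+create_cert "${ca1}" "sni1.ansible.http.tests"
+create_cert "${ca1}" "sni2.ansible.http.tests"
+create_cert "${ca1}" "client.ansible.http.tests"
+create_cert "${ca2}" "self-signed.ansible.http.tests"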
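Review bot: The leaf certificates issued in `create_cert` carry only a CN (`-subj "${subj}/CN=${name}"`) and no subjectAltName, so any client that matches hostnames strictly against SAN will reject `ansible.http.tests`, the two `sni*` names and the client certificate; whether the intended test clients fall back to CN matching is not visible here and is worth confirming before relying on these certs. If SAN is needed, `-addext "subjectAltName=DNS:${name}"` on the `openssl req` line plus a `copy_extensions = copy` setting in the generated `openssl.cnf` (the `sed` step already rewrites that file) would carry it through `openssl ca`. Separately, `ca` and `name` are assigned as globals in both functions; `local ca="$1"` is supported by Alpine's busybox ash and would make the intent explicit.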
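--- /dev/null
+++ b/[path-not-on-page]
@@ -0,0 +1,14 @@
+import sys
+
+prefix = 'configure arguments: '
+
+for line in sys.stdin:
+    if line.startswith(prefix):
+        line = line.removeprefix(prefix)
+        options = line.split()
+        options = [option for option in options if not option.startswith('--add-dynamic-module=')]
+        line = ' '.join(options)
+        print(line)
+        break
+else:
+    raise Exception()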
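Review bot: `raise Exception()` in the for-else carries no message, so when the `nginx -V` output format changes the image build fails with a bare traceback that says nothing about why; `raise SystemExit('no "configure arguments:" line found in nginx -V output')` would make the failure self-explanatory. Separately, `line.split()` assumes no configure argument contains whitespace; if the distribution build quotes a value such as a `--with-cc-opt='...'` flag, that argument is split into fragments and the caller's unquoted `./configure ${NGINX_CONFIG}` passes them as separate words. A one-line comment stating the assumption, e.g. `# assumes no configure argument contains whitespace (shlex.split/shlex.join would be needed otherwise)`, would at least make the limitation visible to the next maintainer.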
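--- /dev/null
+++ b/[path-not-on-page]
@@ -0,0 +1,2 @@
+gunicorn
+httpbin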
@@ -1,11 +1,13 @@ | ||
#!/bin/sh | ||
#!/usr/bin/env sh | ||
|
||
if [ -z ${KRB5_PASSWORD} ]; then | ||
if [ -z "${KRB5_PASSWORD}" ]; then | ||
echo "No KRB5_PASSWORD provided for the admin account." | ||
exit 1 | ||
fi | ||
|
||
kadmin.local -q "addprinc -pw ${KRB5_PASSWORD} admin" | ||
|
||
/usr/sbin/krb5kdc | ||
gunicorn -D httpbin:app | ||
/usr/share/nginx/venv/bin/gunicorn -D httpbin:app | ||
|
||
nginx -g "daemon off;" |
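Review bot: `kadmin.local -q "addprinc -pw ${KRB5_PASSWORD} admin"` embeds the admin password in a process argument, where it is visible in the process table while kadmin runs, and a password containing spaces or quotes breaks the `-q` query; the new quoting on the `-z` test does not cover this line. The new KDC setup script (the one running `kdb5_util create`) already feeds its master password through stdin, and the same pattern works here: `printf '%s\n%s\n' "${KRB5_PASSWORD}" "${KRB5_PASSWORD}" | kadmin.local -q "addprinc admin"`. That also keeps the password out of `set -x` traces should tracing be enabled later.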