From 11523e3e4884b659a8eac11f6a3d61d5bdefb0a8 Mon Sep 17 00:00:00 2001 
From: zhaoyupeng Date: Wed, 26 Nov 2025 21:03:41 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=F0=9F=8E=89=20complete=20maker=20nginx?= =?UTF-8?q?(app)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- internal/cmd/makecmd/app.go | 28 ++ .../controller/installer/installer.check.go | 15 ++ internal/controller/installer/installer.go | 37 ++- .../controller/installer/installer.k0s.go | 58 +++++ .../controller/installer/installer.prepare.go | 15 ++ .../installer/installer.yosguard.go | 7 + internal/controller/maker/app.nginx.go | 180 +++++++++++++ pkg/resource/app.nginx.yaml | 209 +++++++++++++++ pkg/resource/nginx/client.conf | 242 ++++++++++++++++++ pkg/resource/nginx/common.conf | 213 +++++++++++++++ pkg/resource/nginx/gateway.conf | 75 ++++++ pkg/resource/nginx/nginx.conf | 63 +++++ pkg/resource/{ => nginx}/seafile.conf | 0 pkg/resource/nginx/user.conf | 17 ++ pkg/resource/nginx/web.conf | 153 +++++++++++ pkg/resource/resource.go | 57 ++++- pkg/resource/ssl/ca.crt | 13 + pkg/resource/ssl/client.server.crt | 10 + pkg/resource/ssl/client.server.key | 8 + pkg/resource/ssl/ffdhe2048.txt | 8 + pkg/resource/ssl/mqtt.server.crt | 12 + pkg/resource/ssl/mqtt.server.key | 8 + pkg/resource/ssl/server.crt | 10 + pkg/resource/ssl/server.key | 8 + pkg/resource/ssl/web.server.crt | 10 + pkg/resource/ssl/web.server.key | 8 + 26 files changed, 1458 insertions(+), 6 deletions(-) create mode 100644 internal/controller/installer/installer.check.go create mode 100644 internal/controller/installer/installer.k0s.go create mode 100644 internal/controller/installer/installer.prepare.go create mode 100644 internal/controller/installer/installer.yosguard.go create mode 100644 internal/controller/maker/app.nginx.go create mode 100644 pkg/resource/app.nginx.yaml create mode 100644 pkg/resource/nginx/client.conf create mode 100644 pkg/resource/nginx/common.conf create mode 100644 pkg/resource/nginx/gateway.conf create mode 100644 
pkg/resource/nginx/nginx.conf rename pkg/resource/{ => nginx}/seafile.conf (100%) create mode 100644 pkg/resource/nginx/user.conf create mode 100644 pkg/resource/nginx/web.conf create mode 100644 pkg/resource/ssl/ca.crt create mode 100644 pkg/resource/ssl/client.server.crt create mode 100644 pkg/resource/ssl/client.server.key create mode 100644 pkg/resource/ssl/ffdhe2048.txt create mode 100644 pkg/resource/ssl/mqtt.server.crt create mode 100644 pkg/resource/ssl/mqtt.server.key create mode 100644 pkg/resource/ssl/server.crt create mode 100644 pkg/resource/ssl/server.key create mode 100644 pkg/resource/ssl/web.server.crt create mode 100644 pkg/resource/ssl/web.server.key diff --git a/internal/cmd/makecmd/app.go b/internal/cmd/makecmd/app.go index 2bfbfb5..578dba0 100644 --- a/internal/cmd/makecmd/app.go +++ b/internal/cmd/makecmd/app.go @@ -17,6 +17,7 @@ func App() *cobra.Command { appGateway(), appMie(), appOEM(), + appNginx(), ) return _cmd @@ -118,3 +119,30 @@ func appOEM() *cobra.Command { return _cmd } + +func appNginx() *cobra.Command { + var ( + replica int + disableSeafile bool + ) + + _cmd := &cobra.Command{ + Use: "nginx", + Short: "Make Nginx App", + RunE: func(cmd *cobra.Command, args []string) error { + opts := []maker.NginxOpt{ + maker.WithNginxReplica(replica), + } + if disableSeafile { + opts = append(opts, maker.WithoutNginxSeafile()) + } + mk := maker.NewMaker() + return mk.AppNginx(cmd.Context(), opts...) + }, + } + + _cmd.Flags().IntVar(&replica, "replica-count", 2, "Replica count") + _cmd.Flags().BoolVar(&disableSeafile, "disable-seafile", false, "Disable seafile") + + return _cmd +} diff --git a/internal/controller/installer/installer.check.go b/internal/controller/installer/installer.check.go new file mode 100644 index 0000000..1fc05b5 --- /dev/null +++ b/internal/controller/installer/installer.check.go 
@@ -0,0 +1,15 @@ +package installer + +import "context" + +func (i *installer) Check(ctx context.Context) error { + var ( + err error + ) + + if err = i.targetOK(ctx); err != nil { + return err + } + + return nil +} diff --git a/internal/controller/installer/installer.go b/internal/controller/installer/installer.go index bb79b36..e244aae 100644 --- a/internal/controller/installer/installer.go +++ b/internal/controller/installer/installer.go @@ -1,8 +1,39 @@ -package controller +package installer + +import ( + "context" + "errors" + "os/exec" + + "gitea.loveuer.com/yizhisec/pkg3/logger" +) type installer struct { + target string } -func NewInstaller() *installer { - return &installer{} +func (i *installer) targetOK(ctx context.Context) error { + if i.target == "" { + logger.Debug("🎯 installer.targetOK: target = self") + return nil + } + + // run ssh , check if it's reachable, and it's root user + cmd := exec.CommandContext(ctx, "ssh", i.target, "whoami") + output, err := cmd.CombinedOutput() + if err != nil { + logger.Debug("❌ installer.targetOK: check target %s failed, err = %v", i.target, err) + return err + } + + if string(output) != "root\n" { + logger.Debug("❌ installer.targetOK: check target %s failed, output = %s", i.target, string(output)) + return errors.New("target is not root user") + } + + return nil +} + +func NewInstaller(target string) *installer { + return &installer{target: target} } diff --git a/internal/controller/installer/installer.k0s.go b/internal/controller/installer/installer.k0s.go new file mode 100644 index 0000000..53653ee --- /dev/null +++ b/internal/controller/installer/installer.k0s.go 
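Review bot: In `targetOK`, `i.target` is handed to ssh as a bare positional argument (`exec.CommandContext(ctx, "ssh", i.target, "whoami")`), so a value beginning with `-` is parsed as an ssh option rather than a destination — `-oProxyCommand=…` for instance runs a local command before any connection is attempted — and since nothing answers a password or host-key prompt the call can also block until ctx expires; terminate option parsing and disable prompts with `cmd := exec.CommandContext(ctx, "ssh", "-o", "BatchMode=yes", "--", i.target, "whoami")`. The root check compares `CombinedOutput()` byte-for-byte against `"root\n"`, so any stderr noise (login banner, host-key warning) makes a genuine root login fail; read stdout only and trim it, `output, err := cmd.Output()` and `if strings.TrimSpace(string(output)) != "root" {` (adds `strings` to the import block). The raw `err` returned on failure drops the ssh output, leaving the caller with just `exit status 255`; wrapping it as `fmt.Errorf("ssh %s: %w: %s", i.target, err, output)` keeps the diagnostic the log line already has. Where `target` comes from is outside this hunk (presumably a CLI flag via `NewInstaller`), which is why validating it here matters.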
@@ -0,0 +1,58 @@
+package installer
+
+import (
+ "context"
+
+ "github.com/samber/lo"
+)
+
+type K0sOpt func(*k0sOpt)
+type k0sOpt struct {
+ Type string // controller, worker
+ DisableWorker bool
+ WorkerTokenFile string
+}
+
+func WithK0sType(t string) K0sOpt {
+ types := []string{"controller", "worker"}
+ return func(o *k0sOpt) {
+ if lo.Contains(types, t) {
+ o.Type = t
+ }
+ }
+}
+
+func WithoutK0sWorker() K0sOpt {
+ return func(o *k0sOpt) {
+ o.DisableWorker = true
+ }
+}
+
+func WithK0sWorkerTokenFile(filename string) K0sOpt {
+ return func(o *k0sOpt) {
+ if filename != "" {
+ o.WorkerTokenFile = filename
+ }
+ }
+}
+
+func (i *installer) K0s(ctx context.Context, opts ...K0sOpt) error {
+ var (
+ err error
+ o = &k0sOpt{
+ Type: "controller",
+ DisableWorker: false,
+ WorkerTokenFile: "/etc/k0s/worker.token",
+ }
+ )
+
+ if err = i.targetOK(ctx); err != nil {
+ return err
+ }
+
+ for _, fn := range opts {
+ fn(o)
+ }
+
+ return nil
+}
diff --git a/internal/controller/installer/installer.prepare.go b/internal/controller/installer/installer.prepare.go
new file mode 100644
index 0000000..e9cc8ab
--- /dev/null
+++ b/internal/controller/installer/installer.prepare.go
@@ -0,0 +1,15 @@
+package installer
+
+import "context"
+
+func (i *installer) Prepare(ctx context.Context) error {
+ var (
+ err error
+ )
+
+ if err = i.targetOK(ctx); err != nil {
+ return err
+ }
+
+ return nil
+}
diff --git a/internal/controller/installer/installer.yosguard.go b/internal/controller/installer/installer.yosguard.go
new file mode 100644
index 0000000..70992eb
--- /dev/null
+++ b/internal/controller/installer/installer.yosguard.go
@@ -0,0 +1,7 @@
+package installer
+
+import "context"
+
+func (i *installer) YosGuard(ctx context.Context) error {
+ return nil
+}
diff --git a/internal/controller/maker/app.nginx.go b/internal/controller/maker/app.nginx.go
new file mode 100644
index 0000000..85c8bbe
--- /dev/null
+++ b/internal/controller/maker/app.nginx.go
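Review bot: `K0s` returns nil after `targetOK` and the option loop without doing anything with `o`, so a caller receives a success result from what is currently a stub; until the install steps exist, fail explicitly with `return errors.New("installer.K0s: not implemented")` so nothing downstream treats the cluster as installed. `WithK0sType` silently keeps the default `controller` whenever `t` is not in `types`, which turns a misspelled worker type into a controller install with no signal to the user; either surface the rejection (a debug log at minimum) or validate the value before building the options. The default `WorkerTokenFile` of `/etc/k0s/worker.token` is presumably the k0s worker join token, i.e. a credential — a one-line comment on the field (`// join token; expected root-owned, 0600`) would record that whatever eventually reads it should check ownership and mode.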
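Review bot: `YosGuard` is the one installer method in this series that returns nil without first calling `i.targetOK(ctx)`, unlike `Check`, `Prepare` and `K0s`. If skipping the reachability/root check is deliberate for a stub, say so with `// TODO: not implemented; targetOK intentionally skipped until the step exists` so nobody wires it into a flow that assumes the target was validated; otherwise add the same guard for consistency.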
@@ -0,0 +1,180 @@
+package maker
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "gitea.loveuer.com/yizhisec/pkg3/logger"
+ "github.com/samber/lo"
+ "yizhisec.com/hsv2/forge/internal/opt"
+ "yizhisec.com/hsv2/forge/pkg/resource"
+)
+
+type NginxOpt func(*nginxOpt)
+
+type nginxOpt struct {
+ WithoutSeafile bool
+ Replica int
+}
+
+func WithNginxReplica(replica int) NginxOpt {
+ return func(o *nginxOpt) {
+ if replica >= 0 {
+ o.Replica = replica
+ }
+ }
+}
+
+func WithoutNginxSeafile() NginxOpt {
+ return func(o *nginxOpt) {
+ o.WithoutSeafile = true
+ }
+}
+
+func (m *maker) AppNginx(ctx context.Context, opts ...NginxOpt) error {
+ const (
+ _upsert = `#!/bin/bash
+
+kubectl create configmap nginx-main --namespace hsv2 --from-file=nginx.conf=./conf/nginx.conf --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap nginx-user --namespace hsv2 --from-file=user.conf=./conf/user.conf --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap nginx-gateway --namespace hsv2 --from-file=gateway.conf=./conf/gateway.conf --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap nginx-web --namespace hsv2 --from-file=web.conf=./conf/web.conf --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap nginx-client --namespace hsv2 --from-file=client.conf=./conf/client.conf --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap nginx-common --namespace hsv2 --from-file=common.conf=./conf/common.conf --dry-run=client -o yaml | kubectl apply -f -
+%s
+
+kubectl create configmap ssl-ca-crt --namespace hsv2 --from-file=ca.crt=./ssl/ca.crt --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap ssl-ffdhe2048 --namespace hsv2 --from-file=ffdhe2048.txt=./ssl/ffdhe2048.txt --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl create configmap ssl-server-crt --namespace hsv2 --from-file=server.crt=./ssl/server.crt --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap ssl-server-key --namespace hsv2 --from-file=server.key=./ssl/server.key --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl create configmap ssl-mqtt-crt --namespace hsv2 --from-file=mqtt.server.crt=./ssl/mqtt.server.crt --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap ssl-mqtt-key --namespace hsv2 --from-file=mqtt.server.key=./ssl/mqtt.server.key --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl create configmap ssl-client-server-crt --namespace hsv2 --from-file=client.server.crt=./ssl/client.server.crt --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap ssl-client-server-key --namespace hsv2 --from-file=client.server.key=./ssl/client.server.key --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl create configmap ssl-web-server-crt --namespace hsv2 --from-file=web.server.crt=./ssl/web.server.crt --dry-run=client -o yaml | kubectl apply -f -
+kubectl create configmap ssl-web-server-key --namespace hsv2 --from-file=web.server.key=./ssl/web.server.key --dry-run=client -o yaml | kubectl apply -f -
+
+kubectl apply -f deployment.yaml
+kubectl rollout restart deployment nginx-deployment -n hsv2`
+ )
+ var (
+ err error
+ workdir = filepath.Join(opt.Cfg.Make.Dir, "app", "nginx")
+ o = nginxOpt{
+ WithoutSeafile: false,
+ Replica: 2,
+ }
+ applySeafile = "kubectl create configmap nginx-seafile --namespace hsv2 --from-file=seafile.conf=./conf/seafile.conf --dry-run=client -o yaml | kubectl apply -f -"
+ )
+
+ logger.Info(" ☑️ maker.AppNginx: 开始构建 nginx, workdir = %s", workdir)
+
+ for _, fn := range opts {
+ fn(&o)
+ }
+
+ logger.Debug(" ☑️ maker.AppNginx: 创建工作目录 = %s", workdir)
+ if err = os.MkdirAll(workdir, 0755); err != nil {
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 创建工作目录成功 = %s", workdir)
+
+ // 子目录: conf 与 ssl
+ confDir := filepath.Join(workdir, "conf")
+ sslDir := filepath.Join(workdir, "ssl")
+
+ logger.Debug(" ☑️ maker.AppNginx: 创建 conf 与 ssl 子目录")
+ if err = os.MkdirAll(confDir, 0755); err != nil {
+ logger.Debug("❌ maker.AppNginx: 创建 conf 目录失败: %v", err)
+ return err
+ }
+ if err = os.MkdirAll(sslDir, 0755); err != nil {
+ logger.Debug("❌ maker.AppNginx: 创建 ssl 目录失败: %v", err)
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 创建 conf 与 ssl 子目录成功")
+
+ // 写入 nginx 配置文件到 conf 子目录(列表 + for 循环)
+ logger.Debug(" ☑️ maker.AppNginx: 写入 nginx 配置文件到 conf 子目录")
+ confFiles := []struct {
+ name string
+ content []byte
+ }{
+ {"nginx.conf", resource.NGINXMain},
+ {"user.conf", resource.NGINXUser},
+ {"gateway.conf", resource.NGINXGateway},
+ {"web.conf", resource.NGINXWeb},
+ {"client.conf", resource.NGINXClient},
+ {"common.conf", resource.NGINXCommon},
+ }
+
+ // 过滤 seafile.conf 文件
+ if !o.WithoutSeafile {
+ confFiles = append(confFiles, struct {
+ name string
+ content []byte
+ }{
+ "seafile.conf", resource.NGINXSeafile,
+ })
+ }
+
+ for _, f := range confFiles {
+ dest := filepath.Join(confDir, f.name)
+ if err = os.WriteFile(dest, f.content, 0644); err != nil {
+ logger.Debug("❌ maker.AppNginx: 写入 %s 失败: %v", f.name, err)
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 写入 %s 成功, dest = %s", f.name, dest)
+ }
+ logger.Debug("✅ maker.AppNginx: 写入 nginx 配置文件成功")
+
+ // 写入 ssl 文件到 ssl 子目录
+ logger.Debug(" ☑️ maker.AppNginx: 写入 SSL 证书与密钥到 ssl 子目录")
+ sslFiles := []struct{ name, content string }{
+ {"ffdhe2048.txt", resource.SSLFFDHE2048},
+ {"ca.crt", resource.SSLCaCrt},
+ {"server.crt", resource.SSLServerCrt},
+ {"server.key", resource.SSLServerKey},
+ {"mqtt.server.crt", resource.SSLMQTTServerCrt},
+ {"mqtt.server.key", resource.SSLMQTTServerKey},
+ {"client.server.crt", resource.SSLClientServerCrt},
+ {"client.server.key", resource.SSLClientServerKey},
+ {"web.server.crt", resource.SSLWebServerCrt},
+ {"web.server.key", resource.SSLWebServerKey},
+ }
+ for _, f := range sslFiles {
+ dest := filepath.Join(sslDir, f.name)
+ if err = os.WriteFile(dest, []byte(f.content), 0644); err != nil {
+ logger.Debug("❌ maker.AppNginx: 写入 %s 失败: %v", f.name, err)
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 写入 %s 成功, dest = %s", f.name, dest)
+ }
+
+ // write nginx deployment yaml
+ dest := filepath.Join(workdir, "nginx.yaml")
+ content := []byte(fmt.Sprintf(resource.YAMLAppNGINX, o.Replica))
+ if err = os.WriteFile(dest, content, 0644); err != nil {
+ logger.Debug("❌ maker.AppNginx: 写入 nginx.yaml 失败: %v", err)
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 写入 nginx.yaml 成功, dest = %s", dest)
+
+ // write nginx upsert script
+ dest = filepath.Join(workdir, "upsert.sh")
+ content = []byte(fmt.Sprintf(_upsert, lo.If(o.WithoutSeafile, "").Else(applySeafile)))
+ if err = os.WriteFile(dest, content, 0755); err != nil {
+ logger.Debug("❌ maker.AppNginx: 写入 upsert.sh 失败: %v", err)
+ return err
+ }
+ logger.Debug("✅ maker.AppNginx: 写入 upsert.sh 成功, dest = %s", dest)
+
+ logger.Info("✅ maker.AppNginx: nginx 构建完成")
+ return nil
+}
diff --git a/pkg/resource/app.nginx.yaml b/pkg/resource/app.nginx.yaml
new file mode 100644
index 0000000..4912ddf
--- /dev/null
+++ b/pkg/resource/app.nginx.yaml
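Review bot: The four TLS private keys in `sslFiles` (`server.key`, `mqtt.server.key`, `client.server.key`, `web.server.key`) are written by `os.WriteFile(dest, []byte(f.content), 0644)` in the ssl loop, so every local account on the build host can read them, and the generated `upsert.sh` then loads them into ConfigMaps (`kubectl create configmap ssl-*-key …`), which Kubernetes does not protect the way it does Secrets (separate RBAC verb, at-rest encryption, redaction in tooling). Write `.key` files 0600 with the ssl directory created 0700, and have the script use `kubectl create secret generic ssl-server-key --namespace hsv2 --from-file=server.key=./ssl/server.key --dry-run=client -o yaml | kubectl apply -f -` (likewise for the other three); the Deployment's `configMap` volume sources for those four names must switch to `secret` in the same change or the pods will not start. Separately, the script ends with `kubectl apply -f deployment.yaml` while this function writes the manifest as `nginx.yaml`, so `upsert.sh` as generated cannot find the file it applies — rename one side. The diffstat also shows the key material itself being committed under `pkg/resource/ssl/` and, presumably through `pkg/resource`, compiled into the binary; that is worth a tracking issue even if it is out of scope for this hunk.
```go
	for _, f := range sslFiles {
		dest := filepath.Join(sslDir, f.name)
		mode := os.FileMode(0644)
		if filepath.Ext(f.name) == ".key" {
			mode = 0600 // private key material: owner-only
		}
		if err = os.WriteFile(dest, []byte(f.content), mode); err != nil {
			// … unchanged: failure log and return …
		}
		// … unchanged: success log …
	}
```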
@@ -0,0 +1,209 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: hsv2 +spec: + replicas: 2 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app: nginx + containers: + - name: nginx + image: hub.yizhisec.com/external/nginx:1.29.1-alpine3.22 + imagePullPolicy: IfNotPresent + volumeMounts: + - name: nginx-main + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + - name: nginx-user + mountPath: /etc/nginx/sites-enabled/user.conf + subPath: user.conf + readOnly: true + - name: nginx-gateway + mountPath: /etc/nginx/sites-enabled/gateway.conf + subPath: gateway.conf + readOnly: true + - name: nginx-web + mountPath: /etc/nginx/sites-enabled/web.conf + subPath: web.conf + readOnly: true + - name: nginx-client + mountPath: /etc/nginx/sites-enabled/client.conf + subPath: client.conf + readOnly: true + - name: nginx-common + mountPath: /etc/nginx/common/common.conf + subPath: common.conf + readOnly: true + - name: ssl-ffdhe2048 + mountPath: /etc/nginx/ssl/ffdhe2048.txt + subPath: ffdhe2048.txt + readOnly: true + - name: ssl-ca-crt + mountPath: /yizhisec/ssl/ca.crt + subPath: ca.crt + readOnly: true + - name: ssl-server-crt + mountPath: /yizhisec/ssl/server.crt + subPath: server.crt + readOnly: true + - name: ssl-server-key + mountPath: /yizhisec/ssl/server.key + subPath: server.key + readOnly: true + - name: ssl-mqtt-crt + mountPath: /etc/nginx/ssl/mqtt.server.crt + subPath: mqtt.server.crt + readOnly: true + - name: ssl-mqtt-key + mountPath: /etc/nginx/ssl/mqtt.server.key + subPath: mqtt.server.key + readOnly: true + - name: ssl-client-server-crt + mountPath: /etc/nginx/ssl/client.server.crt + subPath: client.server.crt + readOnly: true + - name: ssl-client-server-key + mountPath: /etc/nginx/ssl/client.server.key + 
subPath: client.server.key + readOnly: true + - name: ssl-web-server-crt + mountPath: /etc/nginx/ssl/web.server.crt + subPath: web.server.crt + readOnly: true + - name: ssl-web-server-key + mountPath: /etc/nginx/ssl/web.server.key + subPath: web.server.key + readOnly: true + volumes: + - name: nginx-main + configMap: + name: nginx-main + items: + - key: nginx.conf + path: nginx.conf + - name: nginx-user + configMap: + name: nginx-user + items: + - key: user.conf + path: user.conf + - name: nginx-gateway + configMap: + name: nginx-gateway + items: + - key: gateway.conf + path: gateway.conf + - name: nginx-web + configMap: + name: nginx-web + items: + - key: web.conf + path: web.conf + - name: nginx-client + configMap: + name: nginx-client + items: + - key: client.conf + path: client.conf + - name: nginx-common + configMap: + name: nginx-common + items: + - key: common.conf + path: common.conf + - name: ssl-ffdhe2048 + configMap: + name: ssl-ffdhe2048 + items: + - key: ffdhe2048.txt + path: ffdhe2048.txt + - name: ssl-ca-crt + configMap: + name: ssl-ca-crt + items: + - key: ca.crt + path: ca.crt + - name: ssl-server-crt + configMap: + name: ssl-server-crt + items: + - key: server.crt + path: server.crt + - name: ssl-server-key + configMap: + name: ssl-server-key + items: + - key: server.key + path: server.key + - name: ssl-mqtt-crt + configMap: + name: ssl-mqtt-crt + items: + - key: mqtt.server.crt + path: mqtt.server.crt + - name: ssl-mqtt-key + configMap: + name: ssl-mqtt-key + items: + - key: mqtt.server.key + path: mqtt.server.key + - name: ssl-client-server-crt + configMap: + name: ssl-client-server-crt + items: + - key: client.server.crt + path: client.server.crt + - name: ssl-client-server-key + configMap: + name: ssl-client-server-key + items: + - key: client.server.key + path: client.server.key + - name: ssl-web-server-crt + configMap: + name: ssl-web-server-crt + items: + - key: web.server.crt + path: web.server.crt + - name: ssl-web-server-key + configMap: 
+ name: ssl-web-server-key + items: + - key: web.server.key + path: web.server.key +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx-service + namespace: hsv2 +spec: + selector: + app: nginx + ports: + - protocol: TCP + name: o-443 + port: 443 + targetPort: 23443 + nodePort: 31443 + - protocol: TCP + name: o-8443 + port: 8443 + targetPort: 8443 + nodePort: 32443 + type: NodePort diff --git a/pkg/resource/nginx/client.conf b/pkg/resource/nginx/client.conf new file mode 100644 index 0000000..9cb206b --- /dev/null +++ b/pkg/resource/nginx/client.conf 
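Review bot: The `ssl-server-key`, `ssl-mqtt-key`, `ssl-client-server-key` and `ssl-web-server-key` volumes use a `configMap` source, so the nginx private keys are stored as ConfigMaps that any principal with configmap read in `hsv2` (and every unencrypted etcd backup) can retrieve; declare them as `secret` volumes with a restrictive `defaultMode` and create them as Secrets in the accompanying upsert script, which currently also uses `kubectl create configmap` for them. The container carries no `securityContext` and no `resources` block although the NodePort Service opens 31443/32443 on every node; at least `allowPrivilegeEscalation: false` and a memory limit are cheap here, while `readOnlyRootFilesystem` depends on where this image's nginx writes its pid and cache, which is not visible in the diff. The Service maps port 443 to `targetPort: 23443`, but no server block in the visible nginx configs listens on 23443; presumably `nginx.conf` (not shown) defines it, worth confirming before this ships.
```yaml
      - name: ssl-server-key
        secret:
          secretName: ssl-server-key
          defaultMode: 0400
          items:
          - key: server.key
            path: server.key
      # … same change for ssl-mqtt-key, ssl-client-server-key, ssl-web-server-key …
```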
@@ -0,0 +1,242 @@ +upstream hs-client-server { + least_conn; + server client-service:9129 max_fails=3 fail_timeout=10s; +} + +upstream hs-client-without-auth-server { + least_conn; + server client-service:9024 max_fails=3 fail_timeout=10s; +} + +upstream hs-client-message-server { + least_conn; + server client-service:9025 max_fails=3 fail_timeout=10s; +} + +server { + listen 443 ssl + proxy_protocol; + server_name hs-client-api-server hs.client.api.server; + + ssl_certificate /etc/nginx/ssl/client.server.crt; + ssl_certificate_key /etc/nginx/ssl/client.server.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + add_header Strict-Transport-Security "max-age=63072000" always; + + client_max_body_size 50M; + + location /api/v1/pkg/archive { + proxy_pass http://u-api-service/api/v2_2/client/download/check; + } + + location /api/ { + proxy_pass http://hs-client-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/ { + proxy_pass http://hs-client-without-auth-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/dl/ { + proxy_pass http://hs-client-without-auth-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + 
location /api/v2/admin/ { + proxy_pass http://hs-client-message-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + # location /app-store { + # auth_request /app-store-auth; + # rewrite ^/app-store(.*)$ $1 break; + # proxy_pass http://hs-resource-server:19980; + # proxy_http_version 1.1; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $proxy_protocol_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_read_timeout 300s; + # } + + location /app-store-auth { + internal; + proxy_pass http://hs-client-server/auth$request_uri; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Original-IP $remote_addr; + proxy_set_header Query-Data $http_query_data; + } + + # location /wm/api { + # proxy_pass http://hs-watermark-server; + # proxy_http_version 1.1; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $proxy_protocol_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_read_timeout 300s; + # } + + location /static/config/ { + alias /static/config/; + } + + location /static/resource/ { + alias /static/resource/; + } + + location /user/avatar/ { + alias /static/avatar/; + add_header Cache-Control public; + } +} + + +server { + listen 443 ssl proxy_protocol; + server_name hs-client-update-server hs.client.update.server; + + ssl_certificate /etc/nginx/ssl/client.server.crt; + ssl_certificate_key /etc/nginx/ssl/client.server.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + add_header Strict-Transport-Security "max-age=63072000" always; + + client_max_body_size 50M; + + # location /api/v1/pkg/config/setup { + # proxy_pass http://u-api-service/api/v2_2/client/download/version; + # } + + location /api/v1/pkg/archive { + proxy_pass http://u-api-service/api/v2_2/client/download/check; + } + + location /api/v1/pkg/archive/version { + proxy_pass http://u-api-service/api/v2_2/client/download/version; + } + + location /static/config/rc.json { + proxy_pass http://u-api-service/api/v2_2/client/rc/json?os=win; + } + + location = /api/v1/version { + proxy_pass http://hs-client-without-auth-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/pkg { + proxy_pass http://hs-client-without-auth-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/dl/ { + proxy_pass http://hs-client-without-auth-server; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /user/avatar/ { + alias /static/avatar/; + expires 7d; + add_header Cache-Control public; + } + + location /static/config/ { + alias /static/config/; + } + + location /static/resource/ { + alias /static/resource/; + } +} + +server { + listen 9118 ssl + proxy_protocol; + + ssl_certificate /etc/nginx/ssl/client.server.crt; + 
ssl_certificate_key /etc/nginx/ssl/client.server.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + add_header Strict-Transport-Security "max-age=63072000" always; + + client_max_body_size 50M; + location = /api/v1/version { + proxy_pass http://hs-client-without-auth-server; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/pkg { + proxy_pass http://hs-client-without-auth-server; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + location /api/v1/dl/ { + proxy_pass http://hs-client-without-auth-server; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $proxy_protocol_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } +} \ No newline at end of file diff --git a/pkg/resource/nginx/common.conf b/pkg/resource/nginx/common.conf new file mode 100644 index 0000000..2d5c1eb --- /dev/null +++ b/pkg/resource/nginx/common.conf 
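Review bot: All three server blocks `listen … ssl proxy_protocol` and forward `$proxy_protocol_addr` as `X-Real-IP`, but nothing limits who may supply the PROXY header, so any peer that reaches these ports directly picks the client address the backends see in `X-Real-IP`; if the listeners are meant to sit behind an internal stream proxy (the Service maps 443 to targetPort 23443, which no visible server listens on, so presumably `nginx.conf` has it), add `set_real_ip_from <proxy-cidr>; real_ip_header proxy_protocol;` and pass `$remote_addr` instead, which is only rewritten from the PROXY header for listed sources. Second, nginx's `add_header` is not inherited into a location that sets its own, so `location /user/avatar/` (which adds `Cache-Control`) is served without the server-level `Strict-Transport-Security`; repeat `add_header Strict-Transport-Security "max-age=63072000" always;` there or move the header into a shared include. Third, `location /api/v1/` sends traffic to `hs-client-without-auth-server` while `location /api/` goes to the authenticated upstream, and with longest-prefix matching every present and future `/api/v1/...` path bypasses auth — likely intended, but a comment on the `/api/v1/` block stating that would keep the next route addition from widening it by accident.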
@@ -0,0 +1,213 @@ +ssl_certificate /etc/nginx/ssl/web.server.crt; +ssl_certificate_key /etc/nginx/ssl/web.server.key; + +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; # about 40000 sessions +ssl_session_tickets off; + +ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt; + +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +add_header Strict-Transport-Security "max-age=63072000" always; + +client_header_buffer_size 1k; + +client_max_body_size 50M; + +location = /token_auth { + internal; + proxy_pass http://hs-api/api/tokenauth; + proxy_http_version 1.1; + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; +} + +location /client/dl/android { + proxy_set_header Cookie $http_cookie; + default_type application/octet-stream; + alias /static/client/android; + if ($arg_attname ~ "^(.+)") { + add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname"; + } +} + +location /client/dl/ { + # remove download client auth verify + # auth_request /token_auth; + + proxy_set_header Cookie $http_cookie; + default_type application/octet-stream; + alias /static/client/; + if ($arg_attname ~ "^(.+)") { + add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname"; + } +} + +location /user/avatar/ { + auth_request /token_auth; + + proxy_set_header Cookie $http_cookie; + alias /static/avatar/; + expires 7d; + add_header Cache-Control public; +} + +location /file/share/ { + auth_request /token_auth; + + proxy_set_header Cookie $http_cookie; + alias /static/share_file/; + if ($arg_attname ~ "^(.+)") { + add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname"; + } +} + +location /file/public/ { + auth_request /token_auth; + + 
proxy_set_header Cookie $http_cookie; + alias /static/public_folder/; + if ($arg_attname ~ "^(.+)") { + add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname"; + } +} + +location /file/clipboard/ { + auth_request /token_auth; + + proxy_set_header Cookie $http_cookie; + alias /static/clipboard_file/; +} + +location /file/uploaded/ { + auth_request /token_auth; + + proxy_set_header Cookie $http_cookie; + alias /static/uploaded_files/; + if ($arg_attname ~ "^(.+)") { + add_header Content-Disposition "attachment;filename*=utf-8''$arg_attname"; + } +} + +location /resource/update_log.csv { + auth_request /token_auth; + + proxy_set_header X-Original-URI $request_uri; + proxy_set_header Cookie $http_cookie; + default_type application/octet-stream; + alias /static/resource/update_log.csv; +} + +location /resource/update_timestamp.txt { + auth_request /token_auth; + + proxy_set_header X-Original-URI $request_uri; + proxy_set_header Cookie $http_cookie; + default_type application/octet-stream; + alias /static/resource/update_timestamp.txt; +} + +location /resource/ { + default_type application/octet-stream; + alias /static/resource/; +} + +location /api/ { + proxy_pass http://hs-api; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_read_timeout 300s; +} + + +# location /network-disk { +# set $arg_token ''; # 声明 $arg_token 变量 +# if ($args ~* "token=(.*?)(&|$)") { +# set $arg_token $1; +# } +# auth_request /token_auth; +# set $auth $http_authorization; +# if ($http_authorization = "") { +# set $auth "token $arg_authorization"; +# } +# rewrite ^/network-disk(.*)$ $1 break; +# proxy_pass http://hs-resource-server:19980; +# proxy_http_version 1.1; +# proxy_set_header Authorization $auth; +# } + +# location /app-store { +# set $arg_token ''; # 声明 $arg_token 变量 +# if ($args ~* "token=(.*?)(&|$)") { +# set $arg_token $1; +# } +# auth_request /app-store-auth; +# set 
$auth $http_authorization; +# if ($http_authorization = "") { +# set $auth "token $arg_authorization"; +# } +# rewrite ^/app-store(.*)$ $1 break; +# proxy_pass http://hs-resource-server:19980; +# proxy_http_version 1.1; +# proxy_set_header Authorization $auth; +# } + +location /app-store-auth { + internal; + set $hs_token $http_hs_token; + if ($hs_token = "") { + set $hs_token $arg_token; + } + proxy_set_header Hs-Token $hs_token; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Original-IP $remote_addr; + proxy_set_header Query-Data $http_query_data; + + proxy_pass http://hs-api/api$request_uri; +} + +error_page 502 /502.json; +error_page 503 /503.json; +location /503.json { + return 503 '{"code": -2, "msg": "服务器未响应", "err": "hs-nginx err"}'; +} + +error_page 504 /504.json; +location /504.json { + return 504 '{"code": -3, "msg": "服务器未响应", "err": "hs-nginx err"}'; +} +error_page 497 301 =307 https://$http_host$request_uri; +error_page 401 @my_401; +error_page 403 @my_403; +error_page 404 @my_404; +error_page 502 @my_502; + +location @my_401 { + default_type text/html; + return 401 '401

401 Unauthorized

'; +} + +location @my_403 { + default_type text/html; + return 403 '403

403 Forbidden

'; +} + +location @my_404 { + default_type text/html; + return 404 '404

404 Not_Found

'; +} + +location @my_502 { + default_type text/html; + return 502 '502

502 Bad_Gateway

'; +} diff --git a/pkg/resource/nginx/gateway.conf b/pkg/resource/nginx/gateway.conf new file mode 100644 index 0000000..765e07e --- /dev/null +++ b/pkg/resource/nginx/gateway.conf 
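Review bot: `error_page 502 /502.json` points at a URI no location in this file serves (only `/503.json` and `/504.json` are defined), and the later `error_page 502 @my_502` is a second handler for the same code, so the first one wins and a 502 falls through to whatever `location /` the including server has; drop the `/502.json` line or add its location. Separately, `add_header` is inherited only when a level defines no `add_header` of its own, so the `/user/avatar/` block and every `if ($arg_attname ~ "^(.+)") { add_header Content-Disposition … }` branch silently lose the `Strict-Transport-Security` header set at the top of this file; repeat the HSTS `add_header` in those blocks or move it to the `http` level in nginx.conf. The `/client/dl/` block now serves `/static/client/` without `auth_request` (the check is commented out as "remove download client auth verify"); if that is intentional, a comment such as `# client installers are public by design; no token check` would stop the next reader from re-adding it.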
@@ -0,0 +1,75 @@
+upstream hs-gateway-controller {
+ least_conn;
+ server gateway-service:9012 max_fails=3 fail_timeout=10s;
+}
+
+server {
+ listen 443 ssl proxy_protocol;
+ server_name hs-gateway-controller;
+
+ ssl_certificate /yizhisec/ssl/server.crt;
+ ssl_certificate_key /yizhisec/ssl/server.key;
+ ssl_client_certificate /yizhisec/ssl/ca.crt;
+ ssl_verify_client on;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
+
+ # intermediate configuration
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ client_max_body_size 50M;
+
+ location / {
+ proxy_pass http://hs-gateway-controller;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 300s;
+ }
+}
+
+server {
+ listen 443 ssl proxy_protocol;
+ server_name hs-gateway-register-controller;
+
+ ssl_certificate /yizhisec/ssl/server.crt;
+ ssl_certificate_key /yizhisec/ssl/server.key;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/ssl/ffdhe2048.txt;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ client_max_body_size 50M;
+
+ location = /api/v1/gateway/setting {
+ if ($request_method != POST ) {
+ return 502 '{"code": -1, "msg": "invalid request"}';
+ }
+
+ proxy_pass http://hs-gateway-controller;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 300s;
+ }
+}
\ No newline at end of file
diff --git a/pkg/resource/nginx/nginx.conf b/pkg/resource/nginx/nginx.conf
new file mode 100644
index 0000000..3fd42fd
--- /dev/null
+++ b/pkg/resource/nginx/nginx.conf
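Review bot: In the `hs-gateway-register-controller` server the method guard answers a non-POST request with `502`, which reads as an upstream failure to clients and to monitoring; `return 405 '{"code": -1, "msg": "invalid request"}';` (or `limit_except POST { deny all; }`) states the actual condition. The two server blocks share `listen 443 ssl proxy_protocol` and the same certificate, and differ only in that the first requires a client certificate (`ssl_verify_client on`) while the second does not, so a comment above the second block such as `# registration endpoint: intentionally reachable without a client certificate` would record that decision for the next reader. The certificate paths also differ within this file (`/yizhisec/ssl/` for the cert and key, `/etc/nginx/ssl/` for the dhparam) and from every other config in this commit; if both are separate mounts that is fine, but it looks like an inconsistency worth a comment.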
@@ -0,0 +1,63 @@
+user root;
+worker_processes auto;
+
+events {
+ worker_connections 1024;
+}
+
+stream {
+ error_log /var/log/nginx/error.log error;
+
+ map $ssl_preread_server_name $backend {
+ mqtt.yizhisec.com 127.0.0.1:27443;
+ mqtt-yizhisec-com 127.0.0.1:27443;
+ default web;
+ }
+
+ upstream web {
+ server 127.0.0.1:443;
+ }
+
+ server {
+ listen 27443 ssl proxy_protocol;
+
+ # ssl_session_timeout 10m;
+ ssl_certificate /etc/nginx/ssl/mqtt.server.crt;
+ ssl_certificate_key /etc/nginx/ssl/mqtt.server.key;
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ proxy_pass emqx-service.db-emqx:1883;
+ }
+
+ server {
+ listen 23443;
+ proxy_pass $backend;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+}
+
+http {
+ log_format custom '$time_iso8601 - $remote_addr - $http_host - $status - $request_time - $request_method - $request_uri';
+ access_log /var/log/nginx/access.log custom;
+
+ include /etc/nginx/sites-enabled/*.conf;
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ sendfile_max_chunk 512k;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ gzip on;
+ gzip_vary on;
+ gzip_http_version 1.0;
+ gzip_min_length 1000;
+ gzip_comp_level 6;
+ gzip_disable msie6;
+ gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml;
+
+ keepalive_timeout 65;
+}
diff --git a/pkg/resource/seafile.conf b/pkg/resource/nginx/seafile.conf
similarity index 100%
rename from pkg/resource/seafile.conf
rename to pkg/resource/nginx/seafile.conf
diff --git a/pkg/resource/nginx/user.conf b/pkg/resource/nginx/user.conf
new file mode 100644
index 0000000..1094e6e
--- /dev/null
+++ b/pkg/resource/nginx/user.conf
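Review bot: `user root;` makes every nginx worker run as root, so any flaw in the proxied or `alias`-served locations executes with full privileges in the container; the master process is what binds the ports, so the workers can run unprivileged (`user nginx;` in the official image) with the log directory and the key files readable by that account. The stream server on 27443 allows `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3` while every http server in this commit allows only `TLSv1.2 TLSv1.3`; TLS 1.1 is deprecated, so unless a known MQTT client needs it this should be `ssl_protocols TLSv1.2 TLSv1.3;`. The `custom` log_format records `$request_uri`, which includes the query string, and common.conf's `/app-store-auth` accepts the token as `$arg_token`, so those tokens will be written to `/var/log/nginx/access.log`; log `$uri` instead, or document that the query-string token path is slated for removal.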
@@ -0,0 +1,17 @@
+server {
+ listen 80;
+ server_name hs-user-management-controller;
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ client_max_body_size 50M;
+
+ location / {
+ proxy_pass http://user-service:9013;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 300s;
+ }
+}
\ No newline at end of file
diff --git a/pkg/resource/nginx/web.conf b/pkg/resource/nginx/web.conf
new file mode 100644
index 0000000..ea56fec
--- /dev/null
+++ b/pkg/resource/nginx/web.conf
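Review bot: `proxy_set_header X-Real-IP $proxy_protocol_addr;` on a `listen 80;` socket that does not accept the PROXY protocol always forwards an empty `X-Real-IP`, because `$proxy_protocol_addr` is only populated when the listener has `proxy_protocol`; use `proxy_set_header X-Real-IP $remote_addr;` here (as common.conf's `/api/` block does), or add `proxy_protocol` to the listen if a PROXY-speaking hop actually sits in front of this port. The `Strict-Transport-Security` header on a plaintext listener is ignored by browsers and misleads anyone reviewing the config; drop it or terminate TLS on this server. `user-service:9013` is reached over plaintext HTTP both here and from web.conf's `/api/v2_1/user`, which is acceptable on an internal cluster network but deserves a comment stating that assumption.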
@@ -0,0 +1,153 @@ +server { + listen 80; + return 301 https://$host$request_uri; +} + +# upstream hs-backup-server { +# least_conn; +# server hs-backup-server:9349 max_fails=3 fail_timeout=10s; +# } + +upstream hs-api { + server api-service:9002; +} + +server { + listen 9002; + + location / { + proxy_pass http://hs-api; + } +} + +server { + listen 443 ssl default_server; + + location /api/admin/ { + return 404; + } + + location /oem { + proxy_pass http://oem-service; + } + + location /api/my/sys/client/installer { + proxy_pass http://u-api-service/api/v2_2/client/download/list; + } + + location /api/system/version { + proxy_pass http://u-api-service/api/v2_2/system/version; + } + + location /api/v2_2/client { + proxy_pass http://u-api-service; + } + + location / { + proxy_pass http://front-user-service; + } + + include /etc/nginx/common/common.conf; + + error_page 497 301 =307 https://$http_host$request_uri; +} + +server { + listen 8443 ssl; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Frame-Options "SAMEORIGIN"; # 或 "DENY" + add_header Content-Security-Policy "img-src * data:; frame-ancestors 'none';" always; + add_header Referrer-Policy "strict-origin-when-cross-origin"; + add_header X-Permitted-Cross-Domain-Policies "none"; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Download-Options "noopen" always; + add_header X-Content-Type-Options "nosniff" always; + + server_tokens off; + + location /api/system/version { + proxy_pass http://u-api-service/api/v2_2/system/version; + } + + location /oem { + proxy_pass http://oem-service; + } + + + # location /wm/ { + # alias /data/wm/; + # expires 30d; + # add_header Cache-Control public; + # } + + location / { + proxy_pass http://front-admin-service; + } + + location /api/v2_1/user { + proxy_pass http://user-service:9013; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_read_timeout 300s; + } + + include /etc/nginx/common/common.conf; + + location /ws { + proxy_pass http://hs-api/ws; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 300s; + } + + # location /backup { + # proxy_pass http://hs-backup-server; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $remote_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_read_timeout 300s; + # } + + location /api/local/user/import/template { + auth_request /token_auth; + alias /static/resource/local_user_import_template.xlsx; + } + + # location /wm/api { + # proxy_pass http://hs-watermark-server; + # proxy_http_version 1.1; + # proxy_set_header Host $host; + # proxy_set_header X-Real-IP $proxy_protocol_addr; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_read_timeout 300s; + # } + + location @my_401 { + default_type text/html; + return 401 '401

401 Unauthorized

'; + } + + location @my_403 { + default_type text/html; + return 403 '403

403 Forbidden

'; + } + + location @my_404 { + default_type text/html; + return 404 '404

404 Not_Found

'; + } + + location @my_502 { + default_type text/html; + return 502 '502

502 Bad_Gateway

';
+ }
+
+ error_page 497 301 =307 https://$http_host$request_uri;
+ error_page 401 @my_401;
+ error_page 403 @my_403;
+ error_page 404 @my_404;
+ error_page 502 @my_502;
+}
\ No newline at end of file
diff --git a/pkg/resource/resource.go b/pkg/resource/resource.go
index a773042..8219d92 100644
--- a/pkg/resource/resource.go
+++ b/pkg/resource/resource.go
@@ -32,9 +32,6 @@ var ( //go:embed backup-seafile.yaml YAMLBackupSeafile string - //go:embed seafile.conf - NGINXSeafile []byte - //go:embed app.user.yaml YAMLAppUser string
@@ -58,4 +55,58 @@ var ( //go:embed app.oem.yaml YAMLAppOEM string
+
+ //go:embed app.nginx.yaml
+ YAMLAppNGINX string
+
+ //go:embed ssl/ca.crt
+ SSLCaCrt string
+
+ //go:embed ssl/client.server.crt
+ SSLClientServerCrt string
+
+ //go:embed ssl/client.server.key
+ SSLClientServerKey string
+
+ //go:embed ssl/ffdhe2048.txt
+ SSLFFDHE2048 string
+
+ //go:embed ssl/mqtt.server.crt
+ SSLMQTTServerCrt string
+
+ //go:embed ssl/mqtt.server.key
+ SSLMQTTServerKey string
+
+ //go:embed ssl/server.crt
+ SSLServerCrt string
+
+ //go:embed ssl/server.key
+ SSLServerKey string
+
+ //go:embed ssl/web.server.crt
+ SSLWebServerCrt string
+
+ //go:embed ssl/web.server.key
+ SSLWebServerKey string
+
+ //go:embed nginx/seafile.conf
+ NGINXSeafile []byte
+
+ //go:embed nginx/common.conf
+ NGINXCommon []byte
+
+ //go:embed nginx/gateway.conf
+ NGINXGateway []byte
+
+ //go:embed nginx/web.conf
+ NGINXWeb []byte
+
+ //go:embed nginx/client.conf
+ NGINXClient []byte
+
+ //go:embed nginx/nginx.conf
+ NGINXMain []byte
+
+ //go:embed nginx/user.conf
+ NGINXUser []byte )
diff --git a/pkg/resource/ssl/ca.crt b/pkg/resource/ssl/ca.crt
new file mode 100644
index 0000000..d57a347
--- /dev/null
+++ b/pkg/resource/ssl/ca.crt
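Review bot: The `listen 443 ssl default_server` block serves the user-facing site without any of the hardening the 8443 admin block gets — no `server_tokens off`, no `X-Content-Type-Options`, `X-Frame-Options`, `Content-Security-Policy` or `Referrer-Policy` — and its only HSTS header arrives via the included common.conf; apply the same header set and `server_tokens off;` to both servers, or hoist them to the `http` level in nginx.conf. `location /api/admin/ { return 404; }` hides the admin API only for that prefix: `/api/admin` without the trailing slash does not match it, falls into common.conf's `location /api/` and is proxied to hs-api, so whether that is safe depends on how hs-api routes it — a regex location (`location ~ ^/api/admin(/|$) { return 404; }`) or a check on the hs-api side closes the gap. Because `add_header` is inherited only when a location defines none, the eight headers set in the 8443 block are dropped in any included common.conf location that adds `Cache-Control` or `Content-Disposition`. If gateway.conf is loaded into the same `http` block, its `listen 443 ssl proxy_protocol` enables PROXY on the shared 443 socket (nginx merges that flag across servers on one address), which the 23443 stream router in nginx.conf does supply; in that case `proxy_set_header X-Real-IP $remote_addr;` in `/api/v2_1/user` carries the stream proxy's loopback address rather than the client unless `real_ip_header proxy_protocol` is configured somewhere outside this commit.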
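Review bot: The `//go:embed ssl/*.key` lines compile four TLS private keys (`SSLClientServerKey`, `SSLMQTTServerKey`, `SSLServerKey`, `SSLWebServerKey`) into the binary, so every copy of the installer ships the same keys and anyone holding the artifact can impersonate the web, MQTT, gateway and client endpoints of every deployment; keys should be generated at install time, or read from an operator-supplied secret or path, and at most the public certificates embedded. A doc comment on the `SSL*` and `NGINX*` groups stating where the files are written at runtime (the configs reference `/etc/nginx/ssl/` and `/yizhisec/ssl/`) would help, since the consumer (`maker/app.nginx.go`) lives elsewhere in this commit. Both hunks are complete here; the enclosing `var (` block begins before the first hunk.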
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB7zCCAZWgAwIBAgIUZvlcdld7K4q8gQ1iS7DCv8dAuAcwCgYIKoZIzj0EAwIw
+TTELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vh
+bmd6aG91MRYwFAYDVQQKDA1ZaVpoaSBSb290IENBMB4XDTIyMTIwMjEwMTMxNVoX
+DTMyMTEyOTEwMTMxNVowTTELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9u
+ZzESMBAGA1UEBwwJR3Vhbmd6aG91MRYwFAYDVQQKDA1ZaVpoaSBSb290IENBMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAu+EOUpD8tO1KA6MXkvjfo3iD5dEEezY
+kRL+sM9uCB2jKDcMiq2QNa/GE1NRbgQ04fpwVcvJkeMKrlEQWdqCEKNTMFEwHQYD
+VR0OBBYEFCJhDR/vXpS4Mlo1y5sk/XWloNR6MB8GA1UdIwQYMBaAFCJhDR/vXpS4
+Mlo1y5sk/XWloNR6MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIg
+IPCDJQOAvuR1LcTc/1G0nmcZLJA8mk7PSpzc7dp7kO4CIQC41hyfKwEYkfvxthLR
+f4vSt3qR8cz4cBaWaSJ9sZRHoQ==
+-----END CERTIFICATE-----
diff --git a/pkg/resource/ssl/client.server.crt b/pkg/resource/ssl/client.server.crt
new file mode 100644
index 0000000..b5773c3
--- /dev/null
+++ b/pkg/resource/ssl/client.server.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBejCCASACAQEwCgYIKoZIzj0EAwIwTTELMAkGA1UEBhMCQ04xEjAQBgNVBAgM
+CUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MRYwFAYDVQQKDA1ZaVpoaSBS
+b290IENBMB4XDTIyMDcyNjA3MDUxOFoXDTMyMDcyMzA3MDUxOFowRTELMAkGA1UE
+BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MQ4w
+DAYDVQQKDAVZaVpoaTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD01GbM70jdF
+hKz1Mc8ZdZ0PbseeZFO6X5hRR6MpOXl0KKIhqmEFb6vIUk7putv2NPp+1ifLXx2+
+4Gg6X7VP53QwCgYIKoZIzj0EAwIDSAAwRQIhAKCf/+9sG5Y2muvjAS92kRd3Cxwa
+1JkEGsiSnc3KtuD9AiAPAc1yuZaQuv8oTct1xJZpPE3vgVbKhU/mP+O3dDIr2Q==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/pkg/resource/ssl/client.server.key b/pkg/resource/ssl/client.server.key
new file mode 100644
index 0000000..2aef784
--- /dev/null
+++ b/pkg/resource/ssl/client.server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICfD/l/g3ERF2gwJwQhC2bmIzeUWlyzizYpwlw9y19/1oAoGCCqGSM49
+AwEHoUQDQgAEPTUZszvSN0WErPUxzxl1nQ9ux55kU7pfmFFHoyk5eXQooiGqYQVv
+q8hSTum62/Y0+n7WJ8tfHb7gaDpftU/ndA==
+-----END EC PRIVATE KEY-----
\ No newline at end of file
diff --git a/pkg/resource/ssl/ffdhe2048.txt b/pkg/resource/ssl/ffdhe2048.txt
new file mode 100644
index 0000000..088f967
--- /dev/null
+++ b/pkg/resource/ssl/ffdhe2048.txt
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/pkg/resource/ssl/mqtt.server.crt b/pkg/resource/ssl/mqtt.server.crt
new file mode 100644
index 0000000..14fcf21
--- /dev/null
+++ b/pkg/resource/ssl/mqtt.server.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBvTCCAWOgAwIBAgIBATAKBggqhkjOPQQDAjBNMQswCQYDVQQGEwJDTjESMBAG
+A1UECAwJR3Vhbmdkb25nMRIwEAYDVQQHDAlHdWFuZ3pob3UxFjAUBgNVBAoMDVlp
+WmhpIFJvb3QgQ0EwHhcNMjMxMjEwMTUyNDM3WhcNMzMxMjA3MTUyNDM3WjBhMQsw
+CQYDVQQGEwJDTjESMBAGA1UECAwJR3Vhbmdkb25nMRIwEAYDVQQHDAlHdWFuZ3po
+b3UxDjAMBgNVBAoMBVlpWmhpMRowGAYDVQQDDBFtcXR0Lnlpemhpc2VjLmNvbTBZ
+MBMGByqGSM49AgEGCCqGSM49AwEHA0IABPKwi96F+XaxPzOhkDkTCvcT/150GYJo
+ExTvEFf0xfnmutDkkQw8RoQOe8AgExsxwXy75QgE5d3i7Igh4EJN2MSjIDAeMBwG
+A1UdEQQVMBOCEW1xdHQueWl6aGlzZWMuY29tMAoGCCqGSM49BAMCA0gAMEUCICmm
+3xfwGmdY8TOUFYJsTu1QyWnhLIl1zRPSEgKprPNEAiEAnaBn8Oq1qdx6K2PKAaT/
+8Cad6JPsoBTxqW/QLYmp89o=
+-----END CERTIFICATE-----
diff --git a/pkg/resource/ssl/mqtt.server.key b/pkg/resource/ssl/mqtt.server.key
new file mode 100644
index 0000000..a505e8f
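Review bot: `client.server.key` is an EC private key committed in clear to the repository (the same holds for `mqtt.server.key`, `server.key` and `web.server.key` in the following hunks) and, through resource.go, embedded into the shipped binary; once a key is in git history it has to be treated as compromised regardless of any later removal. Rotate these four keys, re-issue the certificates from the CA, and have the installer generate or receive them at deploy time instead of shipping them; `ffdhe2048.txt` is the published Mozilla DH group and is fine to keep in the tree. A `.gitignore` entry for `pkg/resource/ssl/*.key` would stop the pattern from recurring.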
--- /dev/null
+++ b/pkg/resource/ssl/mqtt.server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPKnMTtmsu90SKIWpeW9OaxyKntsHDvGoP/JSIM/zMKHoAoGCCqGSM49
+AwEHoUQDQgAE8rCL3oX5drE/M6GQORMK9xP/XnQZgmgTFO8QV/TF+ea60OSRDDxG
+hA57wCATGzHBfLvlCATl3eLsiCHgQk3YxA==
+-----END EC PRIVATE KEY-----
diff --git a/pkg/resource/ssl/server.crt b/pkg/resource/ssl/server.crt
new file mode 100644
index 0000000..5ce6d50
--- /dev/null
+++ b/pkg/resource/ssl/server.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBejCCASACAQEwCgYIKoZIzj0EAwIwTTELMAkGA1UEBhMCQ04xEjAQBgNVBAgM
+CUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MRYwFAYDVQQKDA1ZaVpoaSBS
+b290IENBMB4XDTIyMTIwMjEwMTMxNloXDTMyMTEyOTEwMTMxNlowRTELMAkGA1UE
+BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MQ4w
+DAYDVQQKDAVZaVpoaTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNPLXfr++g44
+7TROHOLF8BIoYM9UTzGCOTA4gDoAgYXkVs077fKLFAJKJH72mpMOw0laZUElmcCw
+sBKKWLshyHQwCgYIKoZIzj0EAwIDSAAwRQIhALH9PCuZtfHAMZuDEanJOC7hf3BC
+wPq2CXKG7lzHASLzAiAT6C/rlyN9IYYNiy0RXFsgDtsQQJy9RH6cPyvk/xh6eA==
+-----END CERTIFICATE-----
diff --git a/pkg/resource/ssl/server.key b/pkg/resource/ssl/server.key
new file mode 100644
index 0000000..7d1a45e
--- /dev/null
+++ b/pkg/resource/ssl/server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIDKTGdd21zcq4j2rbvTX4G7anjzBJdOgkvSu7uvj0oBZoAoGCCqGSM49
+AwEHoUQDQgAE08td+v76DjjtNE4c4sXwEihgz1RPMYI5MDiAOgCBheRWzTvt8osU
+Akokfvaakw7DSVplQSWZwLCwEopYuyHIdA==
+-----END EC PRIVATE KEY-----
diff --git a/pkg/resource/ssl/web.server.crt b/pkg/resource/ssl/web.server.crt
new file mode 100644
index 0000000..0531c4f
--- /dev/null
+++ b/pkg/resource/ssl/web.server.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBeTCCASACAQEwCgYIKoZIzj0EAwIwTTELMAkGA1UEBhMCQ04xEjAQBgNVBAgM
+CUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MRYwFAYDVQQKDA1ZaVpoaSBS
+b290IENBMB4XDTIyMDgyMTA4MjEzMloXDTMyMDgxODA4MjEzMlowRTELMAkGA1UE
+BhMCQ04xEjAQBgNVBAgMCUd1YW5nZG9uZzESMBAGA1UEBwwJR3Vhbmd6aG91MQ4w
+DAYDVQQKDAVZaVpoaTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOI4Fy+rT8ca
+AuW390kWqhfqtv1a9+KISsESg/tuUiNYile3Tl7ndMzZmBJDlIOGXt8KcFc8t7kU
+Lx/nUF3g4rcwCgYIKoZIzj0EAwIDRwAwRAIgFc6wgYlcdUoFtfZDEeW8a2xloUA3
+HaPnkqCPZlKzwlACIARWSaWA64UTC+et/n3LZY9ZGWRatzxhhALToM33pewH
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/pkg/resource/ssl/web.server.key b/pkg/resource/ssl/web.server.key
new file mode 100644
index 0000000..b796e62
--- /dev/null
+++ b/pkg/resource/ssl/web.server.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIEu0E+YkAH+Qg7yuOpqh2w56JOgjzSuxqZl7uFQkpLAVoAoGCCqGSM49
+AwEHoUQDQgAE4jgXL6tPxxoC5bf3SRaqF+q2/Vr34ohKwRKD+25SI1iKV7dOXud0
+zNmYEkOUg4Ze3wpwVzy3uRQvH+dQXeDitw==
+-----END EC PRIVATE KEY-----
\ No newline at end of file