Re: [PATCH compass-ci 1/2] container/srv-http: support https protocol

On Wed, Aug 25, 2021 at 04:55:28PM +0800, Lu Weitao wrote:
[Why] Some clients (Chrome, Firefox browsers) can't access srv-http at a URL like http://api.compass-ci.openeuler.org/pub, because the browser's default behavior changes the URL to https://api.compass-ci.openeuler.org/pub,
so srv-http needs to support HTTPS access.
[How] with start container/srv-http:
check current server exists?: /etc/ssl/certs/web-backend.crt /etc/ssl/certs/web-backend.key | | v v yes no config nginx.conf like: config /nginx.conf like: ... ... listen $port ssl: listen $port; ... | v start nginx in container
Signed-off-by: Lu Weitao <luweitaobe@163.com>
---
 container/srv-http/docker_run.sh | 9 +++++++++
 container/srv-http/root/sbin/entrypoint.sh | 13 ++++++++++++-
 container/srv-http/start-cci | 2 ++
 container/srv-http/start-git | 2 ++
 container/srv-http/start-initrd | 2 ++
 container/srv-http/start-os | 2 ++
 container/srv-http/start-pub | 2 ++
 container/srv-http/start-result | 2 ++
 container/srv-http/start-rpm | 2 ++
 9 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 container/srv-http/docker_run.sh
diff --git a/container/srv-http/docker_run.sh b/container/srv-http/docker_run.sh
new file mode 100644
index 00000000..fcd9083d
--- /dev/null
+++ b/container/srv-http/docker_run.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# SPDX-License-Identifier: MulanPSL-2.0+
+# Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
+
+mount_ssl(){
+ if [ -f "/etc/ssl/certs/web-backend.key" ] && [ -f "/etc/ssl/certs/web-backend.crt" ]; then
+ echo "-v /etc/ssl/certs:/opt/cert"
+ fi
defined var: ssl_path="/etc/ssl/certs/" , avoid long contents;
+}
diff --git a/container/srv-http/root/sbin/entrypoint.sh b/container/srv-http/root/sbin/entrypoint.sh
index ced6eda5..d0d354c2 100755
--- a/container/srv-http/root/sbin/entrypoint.sh
+++ b/container/srv-http/root/sbin/entrypoint.sh
@@ -1,6 +1,17 @@
 #!/bin/sh
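Review bot: In `mount_ssl` (docker_run.sh), `echo "-v /etc/ssl/certs:/opt/cert"` bind-mounts the host's whole `/etc/ssl/certs` directory, private key included, into the container with no `:ro` suffix, while the other `-v` mounts visible in the start-* scripts are read-only. A process inside the container could then modify or replace the host's certificate files, and it can read every other file kept in that directory. Emit `-v /etc/ssl/certs/web-backend.crt:/opt/cert/web-backend.crt:ro -v /etc/ssl/certs/web-backend.key:/opt/cert/web-backend.key:ro` instead, so only the two files are exposed and neither is writable. A short comment on the expected owner and mode of the key file would also help, since `/etc/ssl/certs` conventionally holds public certificates rather than keys.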
-sed -i "s/listen 11300;/listen $LISTEN_PORT;/g" /etc/nginx/conf.d/default.conf
+ssl_conf="\ ssl_certificate /opt/cert/web-backend.crt;\n\
+ ssl_certificate_key /opt/cert/web-backend.key;\n\
+ ssl_session_timeout 5m;\n\
+ ssl_ciphers BCDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;\n\
+ ssl_prefer_server_ciphers on;\n"
+
+if [ -f "/opt/cert/web-backend.key" ] && [ -f "/opt/cert/web-backend.crt" ]; then
+ sed -i "s/listen 11300;/listen $LISTEN_PORT ssl;/g" /etc/nginx/conf.d/default.conf
+ sed -i "/server_name/a $ssl_conf" /etc/nginx/conf.d/default.conf
+else
+ sed -i "s/listen 11300;/listen $LISTEN_PORT;/g" /etc/nginx/conf.d/default.conf
+fi
perhaps modify like this: listen="$LISTEN_PORT" if [ -f "/opt/cert/web-backend.key" ] && [ -f "/opt/cert/web-backend.crt" ]; then listen="$listen ssl" sed -i "/server_name/a $ssl_conf" /etc/nginx/conf.d/default.conf fi sed -i "s/listen 11300;/listen $listen;/g" /etc/nginx/conf.d/default.conf Thanks, Liushaofei
nginx /usr/sbin/php-fpm7 diff --git a/container/srv-http/start-cci b/container/srv-http/start-cci index aa539d20..1f160f44 100755 --- a/container/srv-http/start-cci +++ b/container/srv-http/start-cci @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
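Review bot: The `ssl_ciphers` value in `ssl_conf` (entrypoint.sh) starts with `BCDHE-RSA-AES128-GCM-SHA256`, which looks like a typo for `ECDHE-RSA-AES128-GCM-SHA256`. OpenSSL most likely skips the unknown name, so the effective list would be the broad `ECDHE:ECDH:AES:HIGH` aliases, which also admit CBC suites and RSA key exchange without forward secrecy. There is also no `ssl_protocols` line, so the accepted TLS versions depend on the default of whichever nginx version the image ships. I would correct the name, narrow the list to explicit ECDHE AEAD suites, and add `ssl_protocols TLSv1.2 TLSv1.3;` to `ssl_conf` (dropping `TLSv1.3` if the image's nginx/OpenSSL does not support it).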
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-cci
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20011:20011 -v /srv/cci/libvirt-xml:/srv/cci/libvirt-xml:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-git b/container/srv-http/start-git index 0b0ff477..5851af6f 100755 --- a/container/srv-http/start-git +++ b/container/srv-http/start-git @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
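Review bot: `. ./docker_run.sh` in start-cci resolves against the caller's current directory, unlike the `. $CCI_SRC/container/defconfig.sh` line above it, so running the script from anywhere else either fails to find the file or sources an unrelated `docker_run.sh` that happens to sit in that directory. Source it by a fixed path, e.g. `. "$CCI_SRC/container/srv-http/docker_run.sh"`. The same line is added to start-git, start-initrd, start-os, start-pub, start-result and start-rpm. In the second hunk, the unquoted `$(mount_ssl)` depends on word splitting to become two array elements; that works for the current fixed string but deserves a comment saying so.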
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-git
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20010:20010 -v /srv/git/archlinux:/srv/git/archlinux:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-initrd b/container/srv-http/start-initrd index 41958da2..c8e7eded 100755 --- a/container/srv-http/start-initrd +++ b/container/srv-http/start-initrd @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-initrd
cmd=( @@ -17,6 +18,7 @@ cmd=( -v /srv/initrd/osimage:/srv/initrd/osimage:ro -v /srv/initrd/deps:/srv/initrd/deps:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-os b/container/srv-http/start-os index 5b63902e..c2012397 100755 --- a/container/srv-http/start-os +++ b/container/srv-http/start-os @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-os
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20009:20009 -v /srv/os:/srv/os:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-pub b/container/srv-http/start-pub index 6dfd5a44..2224737e 100755 --- a/container/srv-http/start-pub +++ b/container/srv-http/start-pub @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-pub
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20006:20006 -v /srv/pub:/srv/pub:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-result b/container/srv-http/start-result index 32bdf7df..c9e0eac2 100755 --- a/container/srv-http/start-result +++ b/container/srv-http/start-result @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-result
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20007:20007 -v /srv/result:/srv/result:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) diff --git a/container/srv-http/start-rpm b/container/srv-http/start-rpm index 2d38298c..62fb1385 100755 --- a/container/srv-http/start-rpm +++ b/container/srv-http/start-rpm @@ -3,6 +3,7 @@ # Copyright (c) 2020 Huawei Technologies Co., Ltd. All rights reserved.
. $CCI_SRC/container/defconfig.sh +. ./docker_run.sh docker_rm srv-http-rpm
cmd=( @@ -13,6 +14,7 @@ cmd=( -p 20012:20012 -v /srv/rpm/pub:/srv/rpm/pub:ro -v /etc/localtime:/etc/localtime:ro + $(mount_ssl) -d srv-http ) -- 2.23.0