add setup gitea ssl article files
commit
4d77f082c7
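--- a/PATH-NOT-SHOWN-readme
+++ b/PATH-NOT-SHOWN-readme
@@ -0,0 +1,3 @@
+# Setup Gitea SSL
+
+Les fichiers ici proposés sont des exemples à utiliser pour l'article Setup Gitea SSL publié par GNU Linux Magazine France.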
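--- a/PATH-NOT-SHOWN-docker-compose-yml
+++ b/PATH-NOT-SHOWN-docker-compose-yml
@@ -0,0 +1,58 @@
+version: "2"
+
+networks:
+gitea:
+external: false
+
+services:
+gitea:
+container_name: gitea
+image: gitea/gitea:latest
+environment:
+- USER_UID=1000
+- USER_GID=1000
+- DB_TYPE=postgres
+- DB_HOST=db:5432
+- DB_NAME=gitea
+- DB_USER=gitea
+- DB_PASSWD=<CHANGE_ME>
+restart: always
+networks:
+- gitea
+volumes:
+- /var/hosting/git/gitea:/data
+- /etc/timezone:/etc/timezone:ro
+- /etc/localtime:/etc/localtime:ro
+ports:
+- "172.17.0.1:8080:3000"
+- "127.0.0.1:2222:22"
+depends_on:
+- db
+
+db:
+container_name: db
+image: postgres:9.6
+restart: always
+environment:
+- POSTGRES_USER=gitea
+- POSTGRES_PASSWORD=<CHANGE_ME>
+- POSTGRES_DB=gitea
+networks:
+- gitea
+volumes:
+- /var/hosting/git/postgres:/var/lib/postgresql/data
+
+haproxy:
+container_name: lb
+image: 'tomdess/haproxy-certbot:latest'
+environment:
+- CERTS=your.domain.name
+- EMAIL=you@your.domain.name
+volumes:
+- '/var/hosting/git/letsencrypt:/etc/letsencrypt'
+- '/var/hosting/git/haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg'
+ports:
+- '80:80'
+- '443:443'
+depends_on:
+- gitea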
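Review bot: All three images are pulled by floating or end-of-life tags (`gitea/gitea:latest`, `tomdess/haproxy-certbot:latest`, `postgres:9.6`), so a fresh `docker-compose pull` can silently change what runs behind the TLS endpoint; pin at least to a specific release (`gitea/gitea:<VERSION>`) and preferably a digest, and note that PostgreSQL 9.6 is now out of support and no longer receives security fixes. The gitea service publishes `172.17.0.1:8080:3000` only so that `haproxy` can reach it through the host's default bridge gateway, apparently because `haproxy` declares no `networks:` and so cannot resolve `gitea` by name; this exposes plaintext Gitea HTTP to every container on the default bridge and ties the stack to that gateway address. Adding `networks:` / `- gitea` under `haproxy` and pointing the HAProxy backend at `gitea:3000` lets the `172.17.0.1:8080:3000` mapping be dropped. The `<CHANGE_ME>` database passwords are placeholders; the article could point readers at an `env_file` or Docker secrets so real values never land in this file.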
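--- a/PATH-NOT-SHOWN-haproxy-cfg
+++ b/PATH-NOT-SHOWN-haproxy-cfg
@@ -0,0 +1,42 @@
+global
+maxconn 20480
+############# IMPORTANT #################################
+## DO NOT SET CHROOT OTHERWISE YOU HAVE TO CHANGE THE ##
+## acme-http01-webroot.lua file ##
+# chroot /jail ##
+#########################################################
+lua-load /etc/haproxy/acme-http01-webroot.lua
+# SSL options
+ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL;
+tune.ssl.default-dh-param 4096
+
+# DNS runt-time resolution on backend hosts
+resolvers docker
+nameserver dns "127.0.0.11:53"
+
+defaults
+mode http
+timeout connect 5000ms
+timeout client 50000ms
+timeout server 50000ms
+option forwardfor
+option http-server-close
+
+# never fail on address resolution
+default-server init-addr last,libc,none
+
+frontend http
+bind *:80
+mode http
+acl url_acme_http01 path_beg /.well-known/acme-challenge/
+http-request use-service lua.acme-http01 if METH_GET url_acme_http01
+redirect scheme https code 301 if !{ ssl_fc }
+
+frontend https
+bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3 no-tls-tickets no-tlsv10 no-tlsv11
+http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+default_backend www
+
+backend www
+server server1 172.17.0.1:8080 check port 8080
+http-request add-header X-Forwarded-Proto https if { ssl_fc }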
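Review bot: The `ssl-default-bind-ciphers` line ends with a stray `;`, so the last token handed to OpenSSL is `!aNULL;` rather than `!aNULL`; OpenSSL does not know that alias, and depending on version the bind either fails or the exclusion is silently dropped while `AES256+EECDH` / `AES256+EDH` can still match anonymous (AECDH/ADH) suites — write `ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:!aNULL`. The `resolvers docker` section is declared but never referenced: `server server1 172.17.0.1:8080` uses an IP literal and no `resolvers` keyword, so the section and the `init-addr last,libc,none` default look like dead configuration unless the backend is later switched to a name such as `server gitea gitea:3000 check resolvers docker` once HAProxy shares a network with Gitea. In `backend www`, `http-request add-header X-Forwarded-Proto` appends to whatever value the client already sent; `http-request set-header X-Forwarded-Proto https if { ssl_fc }` overwrites it so the application only ever sees HAProxy's value. The `preload;` directive in the HSTS header commits every subdomain to HTTPS once the domain is submitted to the browser preload list, which is worth a one-line comment next to it.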
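--- a/PATH-NOT-SHOWN-setup-sh
+++ b/PATH-NOT-SHOWN-setup-sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+apt-get update -y
+apt-get install -y git docker docker-compose net-tools
+
+addgroup --gid 1000 hosting
+adduser --ingroup hosting -u 1000 git
+adduser --system --ingroup hosting --ingroup docker git-docker
+
+mkdir /home/git/.ssh
+chown -R git:hosting /home/git/.ssh
+mkdir -p /var/hosting/git/gitea
+mkdir -p /var/hosting/git/postgres
+mkdir -p /var/hosting/git/gitea/git/.ssh/
+mkdir -p /app/gitea
+mkdir -p /var/hosting/git/haproxy/config
+mkdir -p /var/hosting/git/haproxy/certs.d
+mkdir -p /var/hosting/git/letsencrypt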
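Review bot: The script runs without `set -euo pipefail`, so a failed `apt-get install` or `addgroup` is ignored and every later line still executes against a half-provisioned host; add `set -euo pipefail` directly after the shebang. The two `adduser` calls are not non-interactive as written (Debian's adduser prompts for a password and GECOS unless told otherwise), `-u` is not the documented spelling of `--uid`, and giving `--ingroup` twice on the `git-docker` line appears to set only one primary group rather than adding a secondary one — and since membership in `docker` is root-equivalent on the host, that membership deserves an explicit `adduser git-docker docker` with a comment saying why it is needed. Prefer `adduser --disabled-password --gecos '' --ingroup hosting --uid 1000 git` and create the SSH directory with `install -d -m 700 -o git -g hosting /home/git/.ssh`, which also replaces the bare `mkdir /home/git/.ssh` that fails on a second run and leaves the directory world-readable until the chown. On Debian/Ubuntu the apt package named `docker` is historically not the container engine (`docker.io` is), so the install line may not provide the `docker` command or the `docker` group that the following lines assume.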