This repository has been archived by the owner on Jul 11, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 22
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent
87c12a5
commit 5f35e2c
Showing
5 changed files
with
81 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,3 +5,4 @@ | |
|
||
include_recipe 'rubygems-sensu::server' | ||
include_recipe 'rubygems' | ||
include_recipe 'rubygems-monitoring::nginx' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# | ||
# Cookbook Name:: rubygems-monitoring | ||
# Recipe:: nginx | ||
# | ||
|
||
node.default['nginx']['server_tokens'] = 'off' | ||
node.default['nginx']['default_site_enabled'] = false | ||
|
||
include_recipe 'chef-vault' | ||
|
||
include_recipe 'nginx' | ||
|
||
directory "#{node['nginx']['dir']}/certs" do | ||
owner 'root' | ||
group 'root' | ||
mode '0644' | ||
end | ||
|
||
item = chef_vault_item('certs', 'production') | ||
|
||
file "#{node['nginx']['dir']}/certs/rubygems.org.key" do | ||
content item['key'] | ||
owner 'root' | ||
group 'root' | ||
mode '0644' | ||
notifies :reload, 'service[nginx]' | ||
end | ||
|
||
file "#{node['nginx']['dir']}/certs/rubygems.org.crt" do | ||
content item['crt'] | ||
owner 'root' | ||
group 'root' | ||
mode '0644' | ||
notifies :reload, 'service[nginx]' | ||
end | ||
|
||
template "#{node['nginx']['dir']}/sites-available/sensu" do | ||
source 'nginx.conf.erb' | ||
owner 'root' | ||
group 'root' | ||
mode '0644' | ||
variables( | ||
ssl_key: File.join(node['nginx']['dir'], 'certs', 'rubygems.org.key'), | ||
ssl_cert: File.join(node['nginx']['dir'], 'certs', 'rubygems.org.crt') | ||
) | ||
notifies :reload, 'service[nginx]' | ||
end | ||
|
||
nginx_site 'sensu' |
25 changes: 25 additions & 0 deletions
25
cookbooks/rubygems-monitoring/templates/default/nginx.conf.erb
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
server { | ||
|
||
listen 443 default ssl; | ||
|
||
server_name monitoring.rubygems.org; | ||
|
||
ssl on; | ||
ssl_certificate <%= @ssl_cert %>; | ||
ssl_certificate_key <%= @ssl_key %>; | ||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; | ||
ssl_prefer_server_ciphers on; | ||
ssl_session_cache shared:SSL:10m; | ||
ssl_session_timeout 5m; | ||
|
||
add_header Strict-Transport-Security max-age=31536000; | ||
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
proxy_set_header X-Forwarded-Proto https; | ||
proxy_set_header Content-Length $content_length; | ||
proxy_set_header Host $host; | ||
proxy_redirect off; | ||
proxy_pass http://localhost:8080; | ||
|
||
} |