├── Dockerfile
├── README.md
├── build.sh
├── lib
    ├── copy-files.sh
    ├── install-nginx.sh
    ├── nginx.conf
    ├── start.sh
    └── verify.sh
└── run.sh


/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM debian
 2 | MAINTAINER Kadira Inc.
 3 | 
 4 | COPY lib/install-nginx.sh /tmp/install-nginx.sh
 5 | RUN bash /tmp/install-nginx.sh
 6 | RUN rm /tmp/install-nginx.sh
 7 | 
 8 | COPY lib /tmp/lib
 9 | RUN bash /tmp/lib/copy-files.sh
10 | 
11 | RUN chmod +x /verify.sh /start.sh 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Frontend Server for Meteor Up
 2 | 
 3 | This is the front end server used by Meteor Up in front of meteor apps. This is the latest version of nginx bundled as a docker image. It is configured to run with every app deployed with Meteor Up. But, this is not a Load Balancer.
 4 | 
 5 | ## For SSL Support
 6 | 
 7 | We use this for SSL support for Mup.
 8 | 
 9 | Here's how to run this:
10 | 
11 | ~~~shell
12 | docker run \
13 |   --volume=/opt/<appname>/config/bundle.crt:/bundle.crt \
14 |   --volume=/opt/<appname>/config/private.key:/private.key \
15 |   --link=<appname>:backend \
16 |   --publish=443:443 \
17 |   meteorhacks/mup-frontend-server /start.sh
18 | ~~~
19 | 
20 | As you've noticed, we need to add two volumes for the `bundle.crt` and `private.key`.
21 | 
22 | #### bundle.crt
23 | 
24 | This is a bundle containing all of your certificates including the provided CA certificates. To create this file you need to concatenate all certificates starting from your domain certificate to the top level CA certificates. Here's an example:
25 | 
26 | ~~~shell
27 | cat \
28 |     bulletproofmeteor_com.crt \
29 |     COMODORSADomainValidationSecureServerCA.crt \
30 |     COMODORSAAddTrustCA.crt \
31 |     AddTrustExternalCARoot.crt > bundle.crt
32 | ~~~
33 | 
34 | #### private.key
35 | 
36 | This is the private key you've used to generate the above certficate.
37 | 
38 | ### Verify Configuration
39 | 
40 | You can verify the SSL configuration like this:
41 | 
42 | ~~~shell
43 | docker run \
44 |   --volume=/opt/<appname>/config/bundle.crt:/bundle.crt \
45 |   --volume=/opt/<appname>/config/private.key:/private.key \
46 |   meteorhacks/mup-frontend-server /verify.sh
47 | ~~~
48 | 
49 | ### Why Nginx?
50 | 
51 | There's the question why we've chosen nginx for the SSL termination. We could've used something like `stud` or `bud`.
52 | 
53 | We need to get the correct IP address of the real connection, which is required for certain apps such as Sikka. Normally SSL terminators like `stud` and `bud` do not support this or support it only partially.
54 | 
55 | ## For Static File Caching
56 | 
57 | We've not implemented this yet!
58 | 


--------------------------------------------------------------------------------
/build.sh:
--------------------------------------------------------------------------------
1 | docker build -t meteorhacks:mup-ssl-server ./


--------------------------------------------------------------------------------
/lib/copy-files.sh:
--------------------------------------------------------------------------------
1 | cd /tmp/lib
2 | cp start.sh /start.sh
3 | cp verify.sh /verify.sh
4 | chmod +x /verify.sh /start.sh
5 | 
6 | cp nginx.conf /opt/nginx/conf/nginx.conf
7 | rm -rf /tmp/lib


--------------------------------------------------------------------------------
/lib/install-nginx.sh:
--------------------------------------------------------------------------------
 1 | set -e 
 2 | 
 3 | BUILD_DIR=/tmp/nginx
 4 | NGINX_VERSION=1.8.0
 5 | PREFIX=/opt/nginx
 6 | NGINX_USER=nginx
 7 | 
 8 | # creating a non-privileged user
 9 | useradd $NGINX_USER || :
10 | 
11 | # install dependencies
12 | apt-get update
13 | apt-get -y install libpcre3-dev libssl-dev openssl build-essential wget
14 | 
15 | # start building process
16 | 
17 | rm -rf $BUILD_DIR
18 | mkdir -p $BUILD_DIR
19 | mkdir -p $PREFIX
20 | cd $BUILD_DIR
21 | 
22 | # download nginx
23 | wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz
24 | tar xvzf nginx-$NGINX_VERSION.tar.gz
25 | 
26 | # building
27 | cd nginx-$NGINX_VERSION
28 | ./configure \
29 |   --prefix=$PREFIX --user=$NGINX_USER --group=$NGINX_USER \
30 |   --with-http_ssl_module --without-http_scgi_module \
31 |   --without-http_uwsgi_module --without-http_fastcgi_module
32 | 
33 | make install
34 | 
35 | # remove build specific libraries
36 | apt-get -y remove build-essential wget
37 | apt-get -y autoremove
38 | 
39 | # generate new Diffie-Hellman group
40 | openssl dhparam -out /dhparams.pem 2048


--------------------------------------------------------------------------------
/lib/nginx.conf:
--------------------------------------------------------------------------------
 1 | daemon off;
 2 | error_log /dev/stdout notice;
 3 | worker_processes  1;
 4 | 
 5 | events {
 6 |     worker_connections  4096;
 7 | }
 8 | 
 9 | http {
10 |     include       mime.types;
11 |     default_type  application/octet-stream;
12 |     
13 |     # to avoid SSL handshake time
14 |     ssl_session_cache   shared:SSL:10m;
15 |     ssl_session_timeout 10m;
16 | 
17 |     upstream site{
18 |       server backend:80;
19 |     }
20 | 
21 |     sendfile        on;
22 |     keepalive_timeout  65;
23 | 
24 |     gzip  on;
25 | 
26 |     server {
27 |         listen              443 ssl;
28 |         server_name         mup-ssl;
29 |         ssl_certificate     /bundle.crt;
30 |         ssl_certificate_key /private.key;
31 | 
32 |         # As recommended by https://weakdh.org/sysadmin.html to deploy a strong Diffie-Hellman key.
33 |         ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
34 |         ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
35 |         add_header          Strict-Transport-Security max-age=15768000;
36 |         ssl_prefer_server_ciphers on;
37 |         ssl_dhparam /dhparams.pem;
38 | 
39 |         # OCSP Stapling
40 |         # fetch OCSP records from URL in ssl_certificate and cache them
41 |         ssl_stapling on;
42 |         ssl_stapling_verify on;
43 |         
44 |         # Set upload to sensible value as defaults to 1M if not present 
45 |         client_max_body_size 10M;
46 | 
47 | 
48 |         location / {
49 |           proxy_pass http://site/;
50 |           proxy_redirect      off;
51 |           proxy_set_header    Host              $host;
52 |           proxy_set_header    X-Real-IP         $remote_addr;
53 |           proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
54 |           proxy_set_header    X-Forwarded-Proto $scheme;
55 | 
56 |           # WebSocket specific
57 |           proxy_http_version 1.1;
58 |           proxy_set_header    Upgrade           $http_upgrade;
59 |           proxy_set_header    Connection        "upgrade";
60 | 
61 |           #
62 |           # Specific for comet or long running HTTP requests, don't buffer up the
63 |           # response from origin servers but send them directly to the client.
64 |           #
65 |           proxy_buffering     off;
66 | 
67 |           #
68 |           # Bump the timeout's so someting sensible so our connections don't
69 |           # disconnect automatically. We've set it to 12 hours.
70 |           #
71 |           proxy_connect_timeout 43200000;
72 |           proxy_read_timeout    43200000;
73 |           proxy_send_timeout    43200000;
74 |         }
75 |     }
76 | }
77 | 


--------------------------------------------------------------------------------
/lib/start.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | ulimit -n 32000
4 | /opt/nginx/sbin/nginx


--------------------------------------------------------------------------------
/lib/verify.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | /opt/nginx/sbin/nginx -t


--------------------------------------------------------------------------------
/run.sh:
--------------------------------------------------------------------------------
1 | docker run -it \
2 |   --volume=/opt/nginx/conf/bundle.pem:/bundle.crt \
3 |   --volume=/opt/nginx/conf/private.key:/private.key \
4 |   --link=meteor:backend \
5 |   --publish=443:443 \
6 |   meteorhacks:mup-ssl-server /start.sh


--------------------------------------------------------------------------------