modified nginx default conf file

+ added openssl in nginx site conf file + reorganized readme
2022-08-31 18:04:05 +02:00
parent 2967738e7a
commit 9dffefff0c
5 changed files with 95 additions and 48 deletions
--- a/srcs/requirements/nginx/Dockerfile
+++ b/srcs/requirements/nginx/Dockerfile
@@ -1,7 +1,13 @@
 FROM debian:buster

-RUN apt update && apt install -y nginx
+RUN apt update && apt install -y nginx openssl

+# create ssl certificate
+RUN openssl req -newkey rsa:2048 -nodes -x509 \
+	-keyout /etc/nginx/cert/hulamy.42.fr.key -out /etc/nginx/cert/hulamy.42.fr.crt \
+	-subj "/C=fr/ST=ile-de-france/L=paris/O=42/OU=inception/CN=hulamy.42.fr"
+
+# import sites conf files
 COPY ./conf/nginx.conf /etc/nginx/
 COPY ./conf/inception_nginx.conf /etc/nginx/conf.d/

@@ -12,6 +18,35 @@ COPY ./conf/salade.jpeg /data/images/
 CMD [ "nginx", "-g", "daemon off;" ]


+#
 # -g 'daemon off' :
-# daemon off, to avoid the main process of nginx to quit after creating its childs, and therefore make docker exit
-# https://stackoverflow.com/questions/18861300/how-to-run-nginx-within-a-docker-container-without-halting
+#   daemon off, to avoid the main process of nginx to quit after creating its childs, and therefore make docker exit
+#   https://stackoverflow.com/questions/18861300/how-to-run-nginx-within-a-docker-container-without-halting
+#
+# ssl certificate :
+#   openssl faq : https://www.openssl.org/docs/faq.html
+#   openssl req : create ertificate request, and optionally create self signed certificates
+#   openssl req man : https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
+#   exemple of openssl with nginx on docker : https://www.johnmackenzie.co.uk/posts/using-self-signed-ssl-certificates-with-docker-and-nginx/
+#
+#   usually the steps are :
+#   - create a server private key : `openssl genrsa -out server.key 2048`
+#   - create a CSR (certificate signing request) with the key : `openssl req -new -key server.key -out www.exemple.com.csr`
+#   - it will ask for :
+#     -  Country Name (2 letter code)
+#     -  State or Province Name (full name)
+#     -  Locality Name (eg, city)
+#     -  Organization Name (eg, company)
+#     -  Organizational Unit Name (eg, section)
+#     -  Common Name (eg, fully qualified host name)
+#     -  Email Address (put nothing)
+#   - now ask to a CA (certificate authority) for a certificate.crt by giving them your request.csr
+#
+#   alternatively we can generate our self-signed certificate with the `openssl req` command :
+#     - `x509` option is used to output a certificate instead of a certificate request
+#     - a request is created from scratch, if it is not given with `-in`
+#     - `newkey` generate a new private key, unless `-key` is given
+#     - `nodes` create a private key without encryption (no passphrase needed)
+#
+# SO discussion about becomming a real CA to have a certificate that works in deployement : https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl
+
--- a/srcs/requirements/nginx/conf/inception_nginx.conf
+++ b/srcs/requirements/nginx/conf/inception_nginx.conf
@@ -1,13 +1,24 @@
 server {
-							# http uses port 80, and https uses port 443
-	listen 443 ssl;			# for ipv4.
-	listen [::]:443 ssl;	# for ipv6.
+	listen				80;
+	listen				[::]:80;
+	server_name			localhost;
+	location /			{ root /data/www; }
+	location /images/	{ root /data; }
+}
+
+server {
+	listen				443 ssl;										# for ipv4, on port 443, specifying that accepted connections should works in ssl mode
+	listen				[::]:443 ssl;									# for ipv6
+	server_name			hulamy.42.fr;
+	ssl_certificate		/etc/nginx/cert/hulamy.42.fr.crt				# specifies the file with the ssl certificate (self signed here) generated by openssl
+	ssl_certificate-key	/etc/nginx/cert/hulamy.42.fr.key				# specifies the file with the secret key of the certificate
+
+	root /var/www/html;													# contains default nginx index.nginx-debian.html
+	index index.html index.htm index.nginx-debian.html index.php;		# defines files that will be used as index (https://nginx.org/en/docs/http/ngx_http_index_module.html)

-	server_name localhost;
 	location / {
+		try_files $uri $uri/ =404;										# from /etc/nginx/sites-enabled/default : First attempt to serve request as file, then as directory, then fall back to displaying a 404
+		# test
 		root /data/www;
 	}
-	location /images/ {
-		root /data;
-	}
 }
--- a/srcs/requirements/nginx/conf/index.html
+++ b/srcs/requirements/nginx/conf/index.html
@@ -1 +1 @@
-hello world !
+you are on http connection, on port 80, on localhost
--- a/srcs/requirements/nginx/conf/nginx.conf
+++ b/srcs/requirements/nginx/conf/nginx.conf
@@ -46,7 +46,7 @@ http {																		# section for http server directives
 	# Gzip Settings
 	##

-	gzip on;																# enable gzipping of responses. gzip is an algorithm that compress the data
+	gzip off;																# enable gzipping of responses. gzip is an algorithm that compress the data (disabled for security reasons : https://bugs.debian.org/773332)

 	# gzip_vary on;
 	# gzip_proxied any;