Add Nginx HTTPS lab (#20)

TheDevOpsHub · Jul 29, 2024 · d2a276c · d2a276c
1 parent 9a3b11b
commit d2a276c
Show file tree

Hide file tree

Showing 8 changed files with 164 additions and 11 deletions.
diff --git a/labs/nginx-https-lab/README.md b/labs/nginx-https-lab/README.md
@@ -0,0 +1,75 @@
+# Nginx https proxy lab
+
+## 1. Labs stack
+
+- [nginx-webserver1](https://nginx.org/): An Ubuntu VM running in nginx webserver.
+- [nginx-proxy](https://nginx.org/): Nginx proxy points to the web servers.
+
+## 2. Setup
+
+### Prerequisites
+
+- Docker + Docker Compose
+
+### Generate a self-signed SSL certificate
+
+Generate a self-signed SSL certificate and key in the nginx-proxy/ssl directory. You can use OpenSSL to generate these files:
+
+```bash
+cd labs/nginx-https-lab
+mkdir -p nginx-proxy/ssl
+cd nginx-proxy/ssl
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx.key -out nginx.crt -subj "/CN=localhost"
+```
+
+### Build and run the containers
+
+```bash
+cd labs/nginx-https-lab
+docker-compose up --build -d
+
+# To stop and remove contaienr, run:
+docker compose down
+```
+
+## 3. Explore the Nginx proxy
+
+- Access the Nginx Proxy at https://localhost:6083 (You can replace 6083 by the port work on your machine!)
+  ![https-webserver](./assets/https-browser.png)
+
+- Refresh the page multiple time and you would see that the Nginx Proxy route to `nginx-webserver1`
+- Try to connect to the https server via curl:
+
+```bash
+curl https://localhost:6083
+
+## You will get the error like below
+# curl: (60) SSL certificate problem: self-signed certificate
+# More details here: https://curl.se/docs/sslcerts.html
+
+# curl failed to verify the legitimacy of the server and therefore could not
+# establish a secure connection to it. To learn more about this situation and
+# how to fix it, please visit the web page mentioned above.
+
+# Fix
+## Download server cert
+openssl s_client -showcerts -servername server -connect localhost:6083 > /tmp/cacert.pem
+
+## Now curl with the downloaded cert
+curl --cacert /tmp/cacert.pem https://localhost:6083
+## It should work OK now:
+# <!DOCTYPE html>
+# <html>
+# <head>
+#     <title>Server 1</title>
+# </head>
+# <body>
+#     <h1>Hello from Server 1!</h1>
+# </body>
+# </html>
+```
+
+## Ref
+
+- https://curl.se/docs/sslcerts.html
+- https://nginx.org/
diff --git a/labs/nginx-https-lab/assets/https-browser.png b/labs/nginx-https-lab/assets/https-browser.png
diff --git a/labs/nginx-https-lab/docker-compose.yaml b/labs/nginx-https-lab/docker-compose.yaml
@@ -0,0 +1,24 @@
+version: '3.8'
+
+services:
+  nginx-https-proxy:
+    build:
+      context: ./nginx-proxy
+    container_name: nginx-https-proxy
+    ports:
+      - '6083:443'
+    depends_on:
+      - nginx-https-lab.nginx-webserver1
+    networks:
+      - nginx-https-network
+
+  nginx-https-lab.nginx-webserver1:
+    build:
+      context: ../../pools/nginx-webserver/nginx-webserver1
+    container_name: nginx-https-lab.nginx-webserver1
+    networks:
+      - nginx-https-network
+
+networks:
+  nginx-https-network:
+    driver: bridge
diff --git a/labs/nginx-https-lab/nginx-proxy/Dockerfile b/labs/nginx-https-lab/nginx-proxy/Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:latest
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY ssl /etc/nginx/ssl
diff --git a/labs/nginx-https-lab/nginx-proxy/nginx.conf b/labs/nginx-https-lab/nginx-proxy/nginx.conf
@@ -0,0 +1,14 @@
+events {}
+
+http {
+    server {
+        listen 443 ssl;
+
+        ssl_certificate /etc/nginx/ssl/nginx.crt;
+        ssl_certificate_key /etc/nginx/ssl/nginx.key;
+
+        location / {
+            proxy_pass http://nginx-https-lab.nginx-webserver1:80;
+        }
+    }
+}
diff --git a/labs/nginx-https-lab/nginx-proxy/ssl/nginx.crt b/labs/nginx-https-lab/nginx-proxy/ssl/nginx.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUexTZap/kjdTvk1KF+EeK9gspdjgwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI0MDcyOTE0NDE0NFoXDTI1MDcy
+OTE0NDE0NFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA7v/b8UNihwRJa25d0L11tP2qS2yrr5w6IN/QZPf6N3EU
+oLA0Ew3NQb08XIZ2LzPpcevrwQIYpdLq7j8xu2li674GE0xgw+v+vlTTqoUp50Xd
+LsVr4yKHRrtY17L3A6ib1DN32BoQlFvI5dJsYG74vwT7gF2Tb16xhtHhZpxkRIdj
+k30iRkFv/7dkyP5XKlPPFH85iki92dyCHA6otf82VH09CrvAqdAUFYBqMz++NBA5
+DN+vNcbJbi22oGNwo/Hud5nG1cCjGg5SU2fmYV9up+8UkpPSKcnkki5NIk2UHNrP
+59mzOJzVkJhvIDzEf+l2xPYkfYuPtF6ehLk9xA8xSwIDAQABo1MwUTAdBgNVHQ4E
+FgQUlyFCgxMiozv/y7FOC0pxIEN6vWswHwYDVR0jBBgwFoAUlyFCgxMiozv/y7FO
+C0pxIEN6vWswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAd7zk
+Re0ktm0l6+SqSLTdo+JzVTcGeJ21KKlq6ekKIUccPQrzJd9ZzH+1Pc9Vz0DDLYX2
+6Wsn3fmbdEQx1iPvKL63uBPWjIXi5Lzm72fY7bpbDnEBiqNZi6BtHR2crczGfWDl
+YH8xj/gThXFlVF1fmZ4KoLc3nC43EoVPsQHcbjjuObegHMg6Vfg0pJB0RkkfaTCO
+GQO4P7K2xj02pxO8LTvd3saIDsNhVs6FhC5D51+tM17NtvFjH/P2AW5IaxBo3EBC
+dGSBysgJL3E0g20SPw3pMfqTOwJ61WYOIfWVzVdosxPE7WDhHF1ftjNn926uZDSn
+U4nm4iI39/vPuI/kEQ==
+-----END CERTIFICATE-----
diff --git a/labs/nginx-https-lab/nginx-proxy/ssl/nginx.key b/labs/nginx-https-lab/nginx-proxy/ssl/nginx.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDu/9vxQ2KHBElr
+bl3QvXW0/apLbKuvnDog39Bk9/o3cRSgsDQTDc1BvTxchnYvM+lx6+vBAhil0uru
+PzG7aWLrvgYTTGDD6/6+VNOqhSnnRd0uxWvjIodGu1jXsvcDqJvUM3fYGhCUW8jl
+0mxgbvi/BPuAXZNvXrGG0eFmnGREh2OTfSJGQW//t2TI/lcqU88UfzmKSL3Z3IIc
+Dqi1/zZUfT0Ku8Cp0BQVgGozP740EDkM3681xsluLbagY3Cj8e53mcbVwKMaDlJT
+Z+ZhX26n7xSSk9IpyeSSLk0iTZQc2s/n2bM4nNWQmG8gPMR/6XbE9iR9i4+0Xp6E
+uT3EDzFLAgMBAAECggEAL8+qebjPwI/Yei/hf60vG251f1I1hFN+A26Su2gqO6YZ
+CM5HFJq5uZF4PlA921KIvFwEVR+su5uWmOO2eLXr7pockAbDAt62nu/MSjwKdnQw
++7bNzuns4vb+nmP0a1xzE//Z1Tbdozg7V9KBEMeSZnBCOds+b9SjMgPRkhvuKRED
+lDZ0i0+QiKix8zKQWO7eEUeuz1eahAEPcGq5y+1f7Xel8YajboBBWtOJbgyGooZG
+YHZVWi+1Rb16nyXPgI/ztN5sMb1kUfu5S/sgBICABcMSyjiqK0iqJyO6hOSng5Qs
+z61piHCGtCEBSjp10FxdmtKM0Jdt4RVx1iWSYGlZoQKBgQD/O6yekjHPEipqCs85
+MhTi92QBhL84/AhoEn/POm+dwdvZ9xUN5jq2QHc58XhUT7arxdpAVD/dk2Yf79ky
+sNzNbEV5LQRdPO5VdGIpyKigoSQfF4cVApQsOWZn2WJsXPdHE8/GPM6FBHQvja3R
+bIZmOnj+qtbariLido3z6zO5awKBgQDvt7Kp18XIduJ7r+j3xDkzesTuIiybENvu
+0PUsUfTrxI7KOKHnyPgVsMcRPNlzz3VZeqyNiXPLyxrXg7p4F3iDS2SHTDVOQzUw
+GrJH+5hX3hkaLzXajRJ8bx8MX8pQVJuBBUeidFm/2DFNovwj06PGitFaNZ8cj/68
+YrDMoAL/oQKBgQDw8biniYOT46Y+rS2q5OhqyviRpmuOs/6LoMsfKh8sYlHVljc+
+A9XxLzJedOIPVaEwz3qVt/MCjZ+fDqGQBP6svkVne2PfUSH9cf0pTNBDs1uSLnfL
+EcAnb5iI+OK9QZX+d2lxzv12/RlhuvIX/cdywkhuwYBKuJEeEKU5WxRdOQKBgF+y
+kxWwuRmNNF8yW6vF3xwJD+MNK4eAFHzjWG0oDsGsh2B9eU0h8sAeAWqFQz4zfOKK
+0aXzUJHz9DRDN0bH/+lSSMCmkMU8mVgp4DBSZX/2f0jvve0Q0mdwqRF0kDy/ehDo
+va9CCa5HrW8T+NqIm+If+vGrZGivp38nWvNlkazhAoGBAMHX94+EqAUcCWTrp+JZ
+UvM3N5fuHK1IJTF2Gnf/Z5DtTVpNcWBoMPaYq0CQMo1AIbj+nAsbZbIQnS0bFEcf
+LAT/af1+Aa2Le05irwdcXW6XTHaLaIDZK2gURRfzjH+1N8R5d4WIn0hP8Fl2RpVz
+bseCuV5a0k68M45iTMVLi55m
+-----END PRIVATE KEY-----
diff --git a/labs/nginx-lab/README.md b/labs/nginx-lab/README.md
@@ -13,8 +13,6 @@
 
 ### Build and run the containers
 
-- Option-1: Build and run in background (Recommend)
-
 ```bash
 cd labs/nginx-lab
 docker-compose up --build -d
@@ -23,15 +21,7 @@ docker-compose up --build -d
 docker compose down
 ```
 
-- Option-2: Run and verbose the logs
-
-```bash
-cd labs/nginx-lab
-docker-compose up --build
-# To stop, press 'Ctrl + C'
-```
-
 ## 3. Explore the Nginx proxy
 
 - Access the Nginx Proxy at http://localhost:6082 (You can replace 6082 by the port work on your machine!)
-- Refresh the page multiple time and you would see that the HA Proxy route to `nginx-webserver1`
+- Refresh the page multiple time and you would see that the Nginx Proxy route to `nginx-webserver1`