C12

C11
C10
2026-06-01 17:29:40 +02:00 · 2026-06-01 17:26:19 +02:00 · 2026-06-01 17:21:51 +02:00 · 2026-06-01 16:47:01 +02:00 · 2026-06-01 16:31:24 +02:00 · 2026-06-01 16:28:18 +02:00
4 changed files with 153 additions and 11 deletions
@@ -6,13 +6,16 @@ services:
    container_name: workshop-proxy
    depends_on:
      - backend-a
+      - backend-a2
      - backend-b
      - backend-c
    ports:
      - "8080:80"
+      - "8443:443"
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro,z
      - ./proxy/html:/usr/share/nginx/html:ro,z
+      - ./certs/live:/etc/nginx/certs:ro,z

  backend-a:
    image: nginx:1.27-alpine
@@ -20,6 +23,12 @@ services:
    volumes:
      - ./backends/a:/usr/share/nginx/html:ro,z

+  backend-a2:
+    image: nginx:1.27-alpine
+    container_name: workshop-backend-a2
+    volumes:
+      - ./backends/a2:/usr/share/nginx/html:ro,z
+
  backend-b:
    image: nginx:1.27-alpine
    container_name: workshop-backend-b
@@ -8,8 +8,8 @@ http {
  sendfile on;
  server_tokens off;

-  upstream backend_a_typo {
-    server backend-a:8080;
+  upstream backend_a {
+    server backend-a:80;
  }

  upstream backend_b {
@@ -33,7 +33,7 @@ http {
    }

    location /service/b {
-      proxy_pass http://backend_b;
+      proxy_pass http://backend_b/;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto http;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -8,8 +8,15 @@ http {
  sendfile on;
  server_tokens off;

+  log_format workshop '$remote_addr - $request '
+                      'status=$status upstream=$upstream_addr '
+                      'rt=$request_time urt=$upstream_response_time';
+
+  access_log /var/log/nginx/access.log workshop;  
+
  upstream backend_a {
    server backend-a:80;
+    server backend-a2:80;
  }

  upstream backend_b {
@@ -25,34 +32,72 @@ http {
    server_name _;

    location / {
-      root /usr/share/nginx/html;
-      try_files $uri $uri/ /index.html;
-    }
-
-    location /service/a {
-      proxy_pass http://backend_a/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-Proto http;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-    location /service/b {
-      proxy_pass http://backend_b/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-Proto http;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    }
-
-    location /service/c {
-      proxy_pass http://backend_c/;
-      proxy_set_header Host $host;
-      proxy_set_header X-Forwarded-Proto http;
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      return 301 https://$host:8443$request_uri;
    }

     location = /healthz {
      default_type text/plain;
      return 200 "ok\n";
    }
+
+    location = /internal/status {
+      access_log off;
+      default_type text/plain;
+
+      if ($remote_addr != 127.0.0.1) {
+        return 403;
+      }
+      
+      return 200 "internal ok\n";
+    }
+  }
+
+  server {
+    listen 443 ssl;
+    server_name localhost;
+    ssl_certificate /etc/nginx/certs/localhost.crt;
+    ssl_certificate_key /etc/nginx/certs/localhost.key;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;
+
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+    location / {
+      root /usr/share/nginx/html;
+      try_files $uri $uri/ /index.html;
+    }
+
+    location = /service/a {
+      proxy_pass http://backend_a/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_hide_header ETag;
+    }
+
+    location = /demo/a {
+      proxy_pass http://backend_a/;
+    }
+
+    location = /service/b {
+      proxy_pass http://backend_b/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location = /service/c {
+      proxy_pass http://backend_c/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
  }
 }
@@ -0,0 +1,88 @@
+events {
+  worker_connections 1024;
+}
+
+http {
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  sendfile on;
+  server_tokens off;
+
+  log_format workshop '$remote_addr - $request '
+                      'status=$status upstream=$upstream_addr '
+                      'rt=$request_time urt=$upstream_response_time';
+
+  access_log /var/log/nginx/access.log workshop;  
+
+  upstream backend_a {
+    server backend-a:80;
+    server backend-a2:80;
+  }
+
+  upstream backend_b {
+    server backend-b:80;
+  }
+
+  upstream backend_c {
+    server backend-c:80;
+  }
+
+  server {
+    listen 80;
+    server_name _;
+
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+    location / {
+      root /usr/share/nginx/html;
+      try_files $uri $uri/ /index.html;
+    }
+
+    location = /service/a {
+      proxy_pass http://backend_a/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_hide_header ETag;
+    }
+
+    location = /demo/a {
+      proxy_pass http://backend_a/;
+    }
+
+    location = /service/b {
+      proxy_pass http://backend_b/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location = /service/c {
+      proxy_pass http://backend_c/;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto http;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location = /healthz {
+      default_type text/plain;
+      return 200 "ok\n";
+    }
+
+    location = /internal/status {
+      access_log off;
+      default_type text/plain;
+
+      if ($remote_addr != 127.0.0.1) {
+        return 403;
+      }
+      
+      return 200 "internal ok\n";
+    }
+  }
+}
Author	SHA1	Message	Date
AlexBa16	f6f035f4fa	C12	2026-06-01 17:29:40 +02:00
AlexBa16	f3d437826e	C11	2026-06-01 17:26:19 +02:00
AlexBa16	23e985d33a	C10	2026-06-01 17:21:51 +02:00
AlexBa16	52711085d5	C9	2026-06-01 16:47:01 +02:00
AlexBa16	025f92569f	C8	2026-06-01 16:31:24 +02:00
AlexBa16	4d2b1f9c75	C7	2026-06-01 16:28:18 +02:00
AlexBa16	68d44714ac	C6	2026-06-01 16:23:30 +02:00
AlexBa16	930a4ef124	C5	2026-06-01 16:14:06 +02:00
AlexBa16	a321ee6c30	C4	2026-06-01 16:07:37 +02:00
AlexBa16	9fbc4e72cb	C3	2026-06-01 16:02:12 +02:00