examples improvement - hardened, joomla, kubernetes, load-balancer and moodle

2021-08-04 16:54:59 +02:00 · 2021-08-04 16:54:59 +02:00 · 55186bbef5
commit 55186bbef5
parent d8286ced7c
13 changed files with 159 additions and 23 deletions
--- a/examples/hardened/README.md
+++ b/examples/hardened/README.md
@ -0,0 +1,11 @@
 # Hardened
 Example on how you can harden the container executing bunkerized-nginx. See the [documentation](https://bunkerized-nginx.readthedocs.io/en/latest/security_tuning.html#container-hardening) for details.
 ## Architecture
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/hardened/architecture.png?raw=true" />
 ## Docker
 See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/hardened/docker-compose.yml).
--- a/examples/hardened/architecture.png
+++ b/examples/hardened/architecture.png
--- a/examples/joomla/README.md
+++ b/examples/joomla/README.md
@ -0,0 +1,11 @@
 # Joomla
 Joomla is a free and open-source content management system (CMS) for publishing web content on websites. Web content applications include discussion forums, photo galleries, e-Commerce and user communities and numerous other web-based applications. More info on the official [website](https://www.joomla.org/) and [repository](https://github.com/joomla/joomla-cms).
 ## Architecture
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/joomla/architecture.png?raw=true" />
 ## Docker
 See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/joomla/docker-compose.yml).
--- a/examples/joomla/architecture.png
+++ b/examples/joomla/architecture.png
--- a/examples/kubernetes/README.md
+++ b/examples/kubernetes/README.md
@ -0,0 +1,16 @@
 # Kubernetes
 Various examples on how to use bunkerized-nginx within a Kubernetes cluster. See the [Kubernetes section of the documentation](#TODO) for more information.
 ## Architecture
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/kubernetes/architecture.png?raw=true" />
 ## Configuration
 We will assume that you have setup the [bunkerized-nginx ingress controller](#TODO) inside your cluster.
 ## Kubernetes
 See [ingress.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/ingress.yml), [php.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/php.yml) and [reverse-proxy.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/kubernetes/reverse-proxy.yml).
--- a/examples/kubernetes/architecture.png
+++ b/examples/kubernetes/architecture.png
--- a/examples/kubernetes/ingress.yml
+++ b/examples/kubernetes/ingress.yml
@ -0,0 +1,66 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: bunkerized-nginx-ingress
  # this label is mandatory
  labels:
    bunkerized-nginx: "yes"
  annotations:
    # add any global and default environment variables here as annotations with the "bunkerized-nginx." prefix
    # examples :
    #bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
    #bunkerized-nginx.USE_ANTIBOT: "javascript"
    #bunkerized-nginx.REDIRECT_HTTP_TO_HTTPS: "yes"
    #bunkerized-nginx.app.example.com_REVERSE_PROXY_WS: "yes"
    #bunkerized-nginx.app.example.com_USE_MODSECURITY: "no"
 # add "static" routes here (see https://kubernetes.io/docs/concepts/services-networking/ingress/)
 # and/or add annotations to your services (see https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/kubernetes)
 spec:
  tls:
  - hosts:
    - app1.example.com
  rules:
  - host: "app1.example.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: app1
            port:
              number: 80
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: app1
  labels:
    app: app1
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1
  template:
    metadata:
      labels:
        app: app1
    spec:
      containers:
      - name: app1
        image: containous/whoami
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: app1
 spec:
  type: ClusterIP
  selector:
    app: app1
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
--- a/examples/kubernetes/php.yml
+++ b/examples/kubernetes/php.yml
@ -1,21 +1,21 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: myapp
+  name: app2
  labels:
-    app: myapp
+    app: app2
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: myapp
+      app: app2
  template:
    metadata:
      labels:
-        app: myapp
+        app: app2
    spec:
      containers:
-      - name: myapp
+      - name: app2
        image: php:fpm
        volumeMounts:
          - name: www
@ -23,22 +23,25 @@ spec:
      volumes:
        - name: www
          hostPath:
-            path: /shared/www/myapp.example.com
+            path: /shared/www/app2.example.com
            type: Directory
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: myapp
+  name: app2
  # this label is mandatory
  labels:
    bunkerized-nginx: "yes"
  annotations:
-    bunkerized-nginx.AUTOCONF: "yes"
+    bunkerized-nginx.SERVER_NAME: "app2.example.com"
-    bunkerized-nginx.SERVER_NAME: "myapp.example.com"
+    bunkerized-nginx.REMOTE_PHP: "app2"
    bunkerized-nginx.REMOTE_PHP: "myapp"
    bunkerized-nginx.REMOTE_PHP_PATH: "/var/www/html"
    bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
 spec:
  type: ClusterIP
  selector:
-    app: myapp
+    app: app2
  ports:
    - protocol: TCP
      port: 9000
--- a/examples/kubernetes/reverse-proxy.yml
+++ b/examples/kubernetes/reverse-proxy.yml
@ -1,37 +1,40 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: myapp
+  name: app3
  labels:
-    app: myapp
+    app: app3
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: myapp
+      app: app3
  template:
    metadata:
      labels:
-        app: myapp
+        app: app3
    spec:
      containers:
-      - name: myapp
+      - name: app3
        image: containous/whoami
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: myapp
+  name: app3
  # this label is mandatory
  labels:
    bunkerized-nginx: "yes"
  annotations:
-    bunkerized-nginx.AUTOCONF: "yes"
+    bunkerized-nginx.SERVER_NAME: "app3.example.com"
    bunkerized-nginx.SERVER_NAME: "myapp.example.com"
    bunkerized-nginx.USE_REVERSE_PROXY: "yes"
    bunkerized-nginx.REVERSE_PROXY_URL: "/"
-    bunkerized-nginx.REVERSE_PROXY_HOST: "http://myapp"
+    bunkerized-nginx.REVERSE_PROXY_HOST: "http://app3"
    bunkerized-nginx.AUTO_LETS_ENCRYPT: "yes"
 spec:
  type: ClusterIP
  selector:
-    app: myapp
+    app: app3
  ports:
    - protocol: TCP
      port: 80
--- a/examples/load-balancer/README.md
+++ b/examples/load-balancer/README.md
@ -0,0 +1,15 @@
 # Load balancer
 Simple example on how to load balance requests to multiple backends.
 ## Architecture
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/load-balancer/architecture.png?raw=true" />
 ## Configuration
 Edit the custom `upstream` directive in the **http-confs/upstream.conf** file according to your use case.
 ## Docker
 See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/load-balancer/docker-compose.yml).
--- a/examples/load-balancer/architecture.png
+++ b/examples/load-balancer/architecture.png
--- a/examples/moodle/README.md
+++ b/examples/moodle/README.md
@ -0,0 +1,11 @@
 # Moodle
 Moodle is a free and open-source learning management system (LMS) written in PHP and distributed under the GNU General Public License. See the official [website](https://moodle.org/) and [repository](https://git.in.moodle.com/moodle/moodle) for more information.
 ## Architecture
 <img src="https://github.com/bunkerity/bunkerized-nginx/blob/dev/examples/moodle/architecture.png?raw=true" />
 ## Docker
 See [docker-compose.yml](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/moodle/docker-compose.yml).
--- a/examples/moodle/moodle.png
+++ b/examples/moodle/moodle.png