nginx

forsrc · Nov 11, 2019 · fce4fb5 · fce4fb5
1 parent a55c504
commit fce4fb5
Show file tree

Hide file tree

Showing 19 changed files with 545 additions and 83 deletions.
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -26,6 +26,7 @@ services:
     - 10000:10000
     environment:
     - JAVA_OPTS=-server -XX:PermSize=128m -XX:MaxPermSize=128m -Xmn128m -Xms128m -Xmx256m -Dspring.thymeleaf.prefix=file:config/templates/
+    - SSO_SERVER=https://mypig-nginx
 
   mypig-tcc:
     image: forsrc/mypig-tcc:latest
@@ -35,6 +36,17 @@ services:
     - 10020:10020
     environment:
     - JAVA_OPTS=-server -XX:PermSize=128m -XX:MaxPermSize=128m -Xmn128m -Xms128m -Xmx256m -Dspring.thymeleaf.prefix=file:config/templates/
+    - SSO_SERVER=https://mypig-nginx
+
+  mypig-api-gateway:
+    image: forsrc/mypig-api-gateway:latest
+    container_name: mypig-api-gateway
+    hostname: mypig-api-gateway
+    ports:
+    - 8088:8088
+    environment:
+    - JAVA_OPTS=-server -XX:PermSize=128m -XX:MaxPermSize=128m -Xmn128m -Xms128m -Xmx256m -Dspring.thymeleaf.prefix=file:config/templates/
+    - SSO_SERVER=https://mypig-nginx
 
   redis:
     image: redis:3.2
@@ -45,16 +57,16 @@ services:
     ports:
     - "6379:6379"
 
-#  nginx:
-#    image: nginx
-#    container_name: mypig-nginx
-#    hostname: mypig-sso-server-nginx
-#    volumes:
-#    - "./docker/nginx/conf/nginx.conf:/etc/nginx/nginx.conf"
-#    - "./docker/nginx/conf/forsrc.pem:/etc/nginx/forsrc.pem"
-#    - "./docker/nginx/conf/forsrc.crt:/etc/nginx/forsrc.crt"
-#    ports:
-#    - "443:443"
+  nginx:
+    image: nginx
+    container_name: mypig-nginx
+    hostname: mypig-nginx
+    volumes:
+    - "./docker/nginx/conf/nginx.conf:/etc/nginx/nginx.conf"
+    - "./docker/nginx/conf/forsrc.pem:/etc/nginx/forsrc.pem"
+    - "./docker/nginx/conf/forsrc.crt:/etc/nginx/forsrc.crt"
+    ports:
+    - "443:443"
 
 networks:
   forsrc.mypig:

diff --git a/docker/nginx/conf/nginx.conf b/docker/nginx/conf/nginx.conf
@@ -61,30 +61,34 @@ http {
             index  index.html index.htm;
         }
 
+        #rewrite ^/sso/(.*)$  /sso/$1;
+
         location /sso {
             proxy_pass       http://sso_server/sso;
            #proxy_pass       http://mypig-sso-server:10000/sso;
+            proxy_set_header HOST $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header X-Forwarded-Port $server_port;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
-           #proxy_set_header Host $host:$server_port;
         }
 
+        #rewrite ^/api/(.*)$  /api/$1;
+
         location /api {
             proxy_pass       http://api_server/api;
            #proxy_pass       http://mypig-api-gateway:8088/api;
+            proxy_set_header HOST $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header X-Forwarded-Port $server_port;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
-           #proxy_set_header Host $host:$server_port;
         }
         #location /upload {
             #upload_store                /tmp 1;

diff --git a/microservice/springboot-admin/Dockerfile b/microservice/springboot-admin/Dockerfile
@@ -1,5 +1,5 @@
 #FROM forsrc/centos-jdk-ssh
-FROM java:8-jre
+FROM openjdk:8-jdk-alpine
 
 VOLUME /tmp
 ARG ARG_JAR_FILE

diff --git a/microservice/springboot-api-gateway/Dockerfile b/microservice/springboot-api-gateway/Dockerfile
@@ -1,5 +1,5 @@
 #FROM forsrc/centos-jdk-ssh
-FROM java:8-jre
+FROM openjdk:8-jdk-alpine
 
 VOLUME /tmp
 ARG ARG_JAR_FILE

diff --git a/microservice/springboot-api-gateway/pom.xml b/microservice/springboot-api-gateway/pom.xml
@@ -72,6 +72,10 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-netflix-zuul</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-netflix-zuul</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>

diff --git a/microservice/springboot-api-gateway/src/main/java/com/forsrc/config/RestConfig.java b/microservice/springboot-api-gateway/src/main/java/com/forsrc/config/RestConfig.java
@@ -0,0 +1,202 @@
+package com.forsrc.config;
+
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.ProtocolException;
+import org.apache.http.client.RedirectStrategy;
+import org.apache.http.client.config.CookieSpecs;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.HttpClientConnectionManager;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.TrustStrategy;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.apache.http.protocol.HttpContext;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.cloud.commons.httpclient.ApacheHttpClientConnectionManagerFactory;
+import org.springframework.cloud.commons.httpclient.ApacheHttpClientFactory;
+import org.springframework.cloud.netflix.zuul.filters.ProxyRequestHelper;
+import org.springframework.cloud.netflix.zuul.filters.ZuulProperties;
+import org.springframework.cloud.netflix.zuul.filters.ZuulProperties.Host;
+import org.springframework.cloud.netflix.zuul.filters.route.SimpleHostRoutingFilter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+import org.springframework.http.client.ClientHttpRequestFactory;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+
+@Configuration
+public class RestConfig {
+
+	@Autowired
+	private ClientHttpRequestFactory clientHttpRequestFactory;
+
+	// @Bean
+	public CloseableHttpClient httpClient() throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
+
+		SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
+
+			public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+				return true;
+			}
+		}).build();
+		SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext);
+		return HttpClients.custom().setSSLSocketFactory(sslsf).build();
+
+	}
+
+	@Bean
+	public ClientHttpRequestFactory clientHttpRequestFactory()
+			throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
+
+		SSLConnectionSocketFactory sslConnectionSocketFactory = null;
+		final HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory();
+		factory.setConnectionRequestTimeout(5000);
+		factory.setReadTimeout(5000);
+		factory.setReadTimeout(5000);
+		final SSLContextBuilder builder = new SSLContextBuilder();
+		try {
+			builder.loadTrustMaterial(null, (X509Certificate[] x509Certificate, String s) -> true);
+		} catch (NoSuchAlgorithmException e) {
+			throw e;
+		} catch (KeyStoreException e) {
+			throw e;
+		}
+		try {
+			sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.build(),
+					new String[] { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.2" }, null, NoopHostnameVerifier.INSTANCE);
+		} catch (NoSuchAlgorithmException e) {
+			throw e;
+		} catch (KeyManagementException e) {
+			throw e;
+		}
+		Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
+				.register("http", new PlainConnectionSocketFactory()).register("https", sslConnectionSocketFactory)
+				.build();
+		PoolingHttpClientConnectionManager phccm = new PoolingHttpClientConnectionManager(registry);
+		phccm.setMaxTotal(500);
+		final CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory)
+				.setConnectionManager(phccm).setConnectionManagerShared(true).build();
+		factory.setHttpClient(httpClient);
+		return factory;
+	}
+
+	@Bean
+	public SimpleHostRoutingFilter simpleHostRoutingFilter(ProxyRequestHelper helper, ZuulProperties properties,
+			ApacheHttpClientConnectionManagerFactory connectionManagerFactory,
+			ApacheHttpClientFactory httpClientFactory) {
+		return new MySimpleHostRoutingFilter(helper, properties, connectionManagerFactory, httpClientFactory);
+	}
+
+	public static class MySimpleHostRoutingFilter extends SimpleHostRoutingFilter {
+
+		private Host hostProperties;
+		private ApacheHttpClientFactory httpClientFactory;
+		private HttpClientConnectionManager connectionManager;
+		private boolean sslHostnameValidationEnabled;
+
+		public MySimpleHostRoutingFilter(ProxyRequestHelper helper, ZuulProperties properties,
+				ApacheHttpClientConnectionManagerFactory connectionManagerFactory,
+				ApacheHttpClientFactory httpClientFactory) {
+			super(helper, properties, connectionManagerFactory, httpClientFactory);
+			this.hostProperties = properties.getHost();
+			this.httpClientFactory = httpClientFactory;
+			this.sslHostnameValidationEnabled = properties.isSslHostnameValidationEnabled();
+		}
+
+		@Override
+		protected CloseableHttpClient newClient() {
+
+			final RequestConfig requestConfig = RequestConfig.custom()
+					.setConnectionRequestTimeout(this.hostProperties.getConnectionRequestTimeoutMillis())
+					.setSocketTimeout(this.hostProperties.getSocketTimeoutMillis())
+					.setConnectTimeout(this.hostProperties.getConnectTimeoutMillis())
+					.setCookieSpec(CookieSpecs.IGNORE_COOKIES).build();
+
+			HttpClientBuilder httpClientBuilder = HttpClients.custom();
+			if (!this.sslHostnameValidationEnabled) {
+				httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
+			}
+			return httpClientBuilder.setConnectionManager(newConnectionManager()).disableContentCompression()
+					.useSystemProperties().setDefaultRequestConfig(requestConfig)
+					.setRetryHandler(new DefaultHttpRequestRetryHandler(0, false))
+					.setRedirectStrategy(new RedirectStrategy() {
+						@Override
+						public boolean isRedirected(HttpRequest request, HttpResponse response, HttpContext context)
+								throws ProtocolException {
+							return false;
+						}
+
+						@Override
+						public HttpUriRequest getRedirect(HttpRequest request, HttpResponse response,
+								HttpContext context) throws ProtocolException {
+							return null;
+						}
+					}).build();
+		}
+
+		private PoolingHttpClientConnectionManager newConnectionManager() {
+			try {
+
+				final SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+				sslContext.init(null, new TrustManager[] { new X509TrustManager() {
+					@Override
+					public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
+							throws CertificateException {
+					}
+
+					@Override
+					public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
+							throws CertificateException {
+					}
+
+					@Override
+					public X509Certificate[] getAcceptedIssuers() {
+						return null;
+					}
+				} }, new SecureRandom());
+
+				RegistryBuilder<ConnectionSocketFactory> registryBuilder = RegistryBuilder
+						.<ConnectionSocketFactory>create().register("http", PlainConnectionSocketFactory.INSTANCE);
+				if (this.sslHostnameValidationEnabled) {
+					registryBuilder.register("https", new SSLConnectionSocketFactory(sslContext));
+				} else {
+					registryBuilder.register("https",
+							new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE));
+				}
+				final Registry<ConnectionSocketFactory> registry = registryBuilder.build();
+
+				PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(registry,
+						null, null, null, hostProperties.getTimeToLive(), hostProperties.getTimeUnit());
+				connectionManager.setMaxTotal(hostProperties.getMaxTotalConnections());
+				connectionManager.setDefaultMaxPerRoute(hostProperties.getMaxPerRouteConnections());
+				return connectionManager;
+
+			} catch (Exception ex) {
+				throw new RuntimeException(ex);
+			}
+		}
+	}
+}
diff --git a/microservice/springboot-api-gateway/src/main/resources/bootstrap.yml b/microservice/springboot-api-gateway/src/main/resources/bootstrap.yml
@@ -17,6 +17,10 @@ server:
 #    key-store:            classpath:ssl/mypig-api-gateway.jks
 #    key-store-password:   forsrc
 #    key-alias:            mypig-api-gateway
+  tomcat:
+    remote-ip-header: "X-Forwarded-For"
+    protocol-header: "X-Forwarded-Proto"
+    protocol-header-https-value: "https"
 
 spring:
   application:
@@ -94,10 +98,10 @@ zuul:
 #  sensitive-headers: Cookie,Set-Cookie,Authorization
 #  OAuth2TokenRelayFilter.pre.disable: false
   sensitive-headers: Access-Control-Allow-Origin
-  sslHostnameValidationEnabled: true
+  sslHostnameValidationEnabled: false
   trace-request-body:   true
-  add-host-header: false
-  add-proxy-headers: true
+  add-host-header:      true
+  add-proxy-headers:    true
   ignore-security-headers: false
   routes:
     static:
@@ -108,9 +112,11 @@ zuul:
     mypig-sso-server:   /app/**
     sso:
       path:             /sso/**
-      url:              http://mypig-sso-server:10000/sso
-      stripPrefix:      true
+      url:              https://mypig-nginx/sso
+      stripPrefix:      true  
       custom-sensitive-headers: true
+      sslHostnameValidationEnabled: false
+
 
 
 

diff --git a/microservice/springboot-config-server/Dockerfile b/microservice/springboot-config-server/Dockerfile
@@ -1,5 +1,5 @@
 #FROM forsrc/centos-jdk-ssh
-FROM java:8-jre
+FROM openjdk:8-jdk-alpine
 
 VOLUME /tmp
 ARG ARG_JAR_FILE

diff --git a/microservice/springboot-eureka-server/Dockerfile b/microservice/springboot-eureka-server/Dockerfile
@@ -1,5 +1,5 @@
 #FROM forsrc/centos-jdk-ssh
-FROM java:8-jre
+FROM openjdk:8-jdk-alpine
 
 VOLUME /tmp
 ARG ARG_JAR_FILE

diff --git a/microservice/springboot-sso-server/Dockerfile b/microservice/springboot-sso-server/Dockerfile
@@ -1,5 +1,5 @@
 #FROM forsrc/centos-jdk-ssh
-FROM java:8-jre
+FROM openjdk:8-jdk-alpine
 
 VOLUME /tmp
 ARG ARG_JAR_FILE