@codekitchen
Last active September 14, 2016 16:32
shell session: using SNI with dinghy-http-proxy
codekitchen:~
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
967b5f9d819e codekitchen/dinghy-http-proxy:2.5.0 "/app/docker-entrypoi" 24 hours ago Up 24 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:19322->19322/udp dinghy_http_proxy
codekitchen:~
> cd ~/.dinghy/certs/
codekitchen:~/.dinghy/certs
> openssl req -x509 -newkey rsa:2048 -keyout cdn.antenna.docker.key -out cdn.antenna.docker.crt -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker"
Generating a 2048 bit RSA private key
......................+++
.......+++
writing new private key to 'cdn.antenna.docker.key'
-----
codekitchen:~/.dinghy/certs
> openssl req -x509 -newkey rsa:2048 -keyout www.antenna.docker.key -out www.antenna.docker.crt -days 365 -nodes -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker"
Generating a 2048 bit RSA private key
..+++
.............................+++
writing new private key to 'www.antenna.docker.key'
-----
codekitchen:~/.dinghy/certs
> docker run -d -e VIRTUAL_HOST=cdn.antenna.docker --name cdn nginx
b63fc36bb030361242d1106cb6b9292b9f22f9d80256542c26c51dfc39dfc276
codekitchen:~/.dinghy/certs
> docker run -d -e VIRTUAL_HOST=www.antenna.docker --name www nginx
e95fe56becd68524e8a25854e853eb5515339a5d8cbe8e61a4853c010ed1f210
codekitchen:~/.dinghy/certs
> openssl s_client -showcerts -servername www.antenna.docker -connect www.antenna.docker:443 </dev/null
CONNECTED(00000003)
depth=0 /C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
verify return:1
---
Certificate chain
0 s:/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
i:/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
issuer=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.antenna.docker
---
No client certificate CA names sent
---
SSL handshake has read 1976 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: E8170F2C087DAD61B70039DB73F782F7C7B716969FC57FCF537EC70C57C1C1D6
Session-ID-ctx:
Master-Key: 36F5DAD21393B60005D95E4B144BB79197DC8CD14E3A2706A934D8EECD1C4AE763C2CEEB73731F28890EC84A9082D443
Key-Arg : None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e7 bb 6f fa 15 fa 56 e9-d5 7c ee 97 4d 07 c4 8a ..o...V..|..M...
0010 - 80 86 f2 16 86 9d b1 a5-48 91 98 a5 96 d0 49 cb ........H.....I.
0020 - 18 bf cf 64 0d 8a 03 b7-9c da db db 24 01 31 b4 ...d........$.1.
0030 - 79 a8 d1 2f f4 98 16 d3-83 04 7d 1e 90 3a bb 98 y../......}..:..
0040 - 31 fe 35 00 fa ad d9 47-8f 10 80 04 97 b5 67 0e 1.5....G......g.
0050 - a8 de 87 4c 5a 70 82 34-d3 11 2d c0 bc 22 ff 95 ...LZp.4..-.."..
0060 - 92 bc 9b 23 ee 71 4d 27-2c 97 59 d3 15 62 12 27 ...#.qM',.Y..b.'
0070 - 11 72 4e e1 5c 0b a9 24-9a 1c 89 73 ac 33 da 25 .rN.\..$...s.3.%
0080 - cb 4b da 8d c3 5c a2 3b-62 88 44 b2 55 97 23 b0 .K...\.;b.D.U.#.
0090 - 85 f0 e1 f6 20 8d f1 a1-41 93 86 b7 78 66 0b 01 .... ...A...xf..
00a0 - 87 96 b3 9d aa c0 b8 32-b4 b9 7d a6 de d5 dc 35 .......2..}....5
00b0 - 50 b0 ca 5f b1 0b a1 ec-01 d0 97 ed 04 3e 8e 9d P.._.........>..
Start Time: 1473870441
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
DONE
codekitchen:~/.dinghy/certs
> openssl s_client -showcerts -servername cdn.antenna.docker -connect cdn.antenna.docker:443 </dev/null
CONNECTED(00000003)
depth=0 /C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
verify return:1
---
Certificate chain
0 s:/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
i:/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
issuer=/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=cdn.antenna.docker
---
No client certificate CA names sent
---
SSL handshake has read 1976 bytes and written 325 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: D5D0CAE9F400CC6F09707D8BD96D880C0AB31001E793F6955AE3FCACE594382B
Session-ID-ctx:
Master-Key: CA048EE8A86FB47D43032AAFC858C4580E819FC1D7F68DC928DC43C325248182381CED4FB2431EE5AA193BE15399CC1A
Key-Arg : None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e7 bb 6f fa 15 fa 56 e9-d5 7c ee 97 4d 07 c4 8a ..o...V..|..M...
0010 - d2 2a 80 ad 19 53 93 6e-b3 ce bf 07 f4 c9 5f 29 .*...S.n......_)
0020 - f1 31 e2 56 58 50 cd fa-3f 22 36 7a fa 44 59 e3 .1.VXP..?"6z.DY.
0030 - 22 95 f8 ab 1a 18 f2 7c-e3 ca a8 9a 97 2a 58 06 "......|.....*X.
0040 - 69 10 e4 70 6b 5a cb f2-01 3b 77 9a c9 60 4b 45 i..pkZ...;w..`KE
0050 - fb be 38 17 ab 42 b2 0e-ff 26 b1 69 7c 0c 3c a2 ..8..B...&.i|.<.
0060 - cb c0 88 d8 51 7c 97 54-6f 0d 13 65 44 e1 6b e7 ....Q|.To..eD.k.
0070 - 8d 9e a5 c5 06 ef ce 72-3d 2a b9 95 12 e9 c3 06 .......r=*......
0080 - 45 82 6b e7 eb f2 78 70-d1 62 9f fe 56 e5 ca 60 E.k...xp.b..V..`
0090 - 34 28 f5 59 34 7e 73 60-5b 5c 1a ef df 96 bf d6 4(.Y4~s`[\......
00a0 - bd 86 9d 50 54 d8 55 ba-f5 bc f7 62 30 74 db bb ...PT.U....b0t..
00b0 - b4 28 ab 9a 1d 96 9a a7-4a e8 da ef 3c 18 e1 21 .(......J...<..!
Start Time: 1473870448
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
DONE
codekitchen:~/.dinghy/certs
> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e95fe56becd6 nginx "nginx -g 'daemon off" About a minute ago Up About a minute 80/tcp, 443/tcp www
b63fc36bb030 nginx "nginx -g 'daemon off" About a minute ago Up About a minute 80/tcp, 443/tcp cdn
967b5f9d819e codekitchen/dinghy-http-proxy:2.5.0 "/app/docker-entrypoi" 25 hours ago Up 25 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:19322->19322/udp dinghy_http_proxy
codekitchen:~/.dinghy/certs
> docker exec -it dinghy_http_proxy cat /etc/nginx/conf.d/default.conf
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
server {
    listen 80 default_server;
    server_name _;
    root /var/www/default/htdocs;
    error_page 404 /index.html;
}
upstream cdn.antenna.docker {
    server 172.17.0.3:443;
}
server {
    server_name cdn.antenna.docker;
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://cdn.antenna.docker$request_uri;
}
server {
    server_name cdn.antenna.docker;
    listen 443 ssl;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/nginx/certs/cdn.antenna.docker.crt;
    ssl_certificate_key /etc/nginx/certs/cdn.antenna.docker.key;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://cdn.antenna.docker;
    }
}
upstream www.antenna.docker {
    server 172.17.0.4:443;
}
server {
    server_name www.antenna.docker;
    listen 80;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://www.antenna.docker$request_uri;
}
server {
    server_name www.antenna.docker;
    listen 443 ssl;
    access_log /var/log/nginx/access.log vhost;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate /etc/nginx/certs/www.antenna.docker.crt;
    ssl_certificate_key /etc/nginx/certs/www.antenna.docker.key;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://www.antenna.docker;
    }
}
codekitchen:~/.dinghy/certs
>
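The session above shows the mechanism end to end: two self-signed certs dropped into ~/.dinghy/certs, one nginx `server` block per name, and `openssl s_client -servername` proving that the name in the ClientHello decides which certificate comes back. The Python script below is an added example, not code from the gist or from dinghy-http-proxy, that reproduces the same SNI selection in-process so it can be run and checked offline: one TLS listener holds both certificates and an `sni_callback` swaps in the matching context, just as nginx matches `server_name`. The client side is deliberately stricter than the `openssl s_client` check in the session, which only reports `verify return code: 18 (self signed certificate)` and carries on: it trusts exactly one certificate and lets OpenSSL's hostname check run, so the third trial (SNI for cdn while trusting the www cert) fails instead of silently succeeding. Two hardening differences from the gist's setup are labelled in the code: the certificates carry a subjectAltName, because current clients ignore the CN, and the TLS floor is 1.2, whereas the proxy config above still enables TLSv1 and TLSv1.1. Assumptions: Python 3.7+, an `openssl` CLI of 1.1.1 or later on PATH (for `-addext`), and loopback networking; the hostnames are the gist's.

```python
"""Added example: one TLS listener, two self-signed certificates, the
certificate chosen by the SNI name the client sends, mirroring the
dinghy-http-proxy nginx config above. Assumes Python 3.7+ and an `openssl`
CLI (1.1.1+ for -addext) on PATH; the hostnames are the ones from the gist."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTS = ["cdn.antenna.docker", "www.antenna.docker"]  # names from the gist


def make_self_signed(name, directory):
    """Key + self-signed cert via the same `openssl req -x509` the gist uses,
    plus a subjectAltName: current clients ignore the CN and require a SAN."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "365", "-subj", "/CN=" + name,
         "-addext", "subjectAltName=DNS:" + name],
        check=True, capture_output=True)
    return crt, key


def build_server_context(certs):
    """Default context whose sni_callback swaps in the per-host context.
    A client that sends no SNI (or an unknown name) keeps the first cert,
    which is what a catch-all vhost does as well."""
    per_host = {}
    for name, (crt, key) in certs.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # gist config still allows TLSv1
        ctx.load_cert_chain(crt, key)
        per_host[name] = ctx

    default = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    default.minimum_version = ssl.TLSVersion.TLSv1_2
    default.load_cert_chain(*next(iter(certs.values())))

    def pick(sock, server_name, _ctx):
        # server_name is the SNI value from the ClientHello (None if absent)
        if server_name in per_host:
            sock.context = per_host[server_name]

    default.sni_callback = pick
    return default


def serve_once(listener, ctx):
    """Accept one connection, run the handshake, wait for the client to hang up."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except OSError:  # failed handshake or abrupt close; the client reports it
        pass


def served_common_name(port, server_name, trusted_crt):
    """Connect with SNI=server_name, trusting only trusted_crt. Returns the CN
    of the certificate the server presented, or None if verification failed."""
    ctx = ssl.create_default_context(cafile=trusted_crt)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return subject["commonName"]
    except ssl.SSLCertVerificationError:
        return None


def run_demo():
    """Returns {(sni_sent, cert_trusted): cn_served_or_None} for three trials:
    each name with its own cert, then a deliberate mismatch."""
    with tempfile.TemporaryDirectory() as d:
        certs = {name: make_self_signed(name, d) for name in HOSTS}
        ctx = build_server_context(certs)
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        listener.listen(5)
        port = listener.getsockname()[1]
        trials = [(n, n) for n in HOSTS] + [("cdn.antenna.docker", "www.antenna.docker")]
        results = {}
        for sni, trusted in trials:
            t = threading.Thread(target=serve_once, args=(listener, ctx))
            t.start()
            results[(sni, trusted)] = served_common_name(port, sni, certs[trusted][0])
            t.join()
        listener.close()
        return results


if __name__ == "__main__":
    for (sni, trusted), cn in run_demo().items():
        print(f"SNI={sni:22} trusted={trusted:22} -> {cn}")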