Deploying a self-hosted Android CI Solution with Drone & Gogs (Pt.3 - Nginx)

We will continue where we left off, but just to make sure, we still need to do our pre-flight checks.

Pre-Flight checks:

  • Nginx is installed.
  • You've already setup LetsEncrypt for your domains.
  • (Optional but recommended) Your domain is on Cloudflare. One caveat if you also turn on Cloudflare's proxy (orange cloud) for the registry name: Cloudflare caps request bodies at 100 MB on the Free and Pro plans, so pushes of large image layers will fail through the proxy. Either leave registry.example.net DNS-only or be prepared for that limit.

We need two sub-domains: one for the registry and one for the Drone server. Keep it simple. These are the names I use throughout; the DNS records already exist, nothing is configured in nginx for them yet:

  • registry.example.net
  • drone.example.net

Let's go:

Configure Nginx Basic Auth

You need this for the registry server block:

  • Add your user (the -n matters: the hash from the next step has to land on the same line):
sudo sh -c "echo -n '<username>:' >> /etc/nginx/.htpasswd"

  • Add a password. openssl prompts for it and appends an MD5-crypt hash in the $apr1$ format, the same one Apache's htpasswd -m produces and nginx's auth_basic understands:
sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd"

  • Check that the entry is there, as a single line of the form user:$apr1$salt$hash (a line that is just "user:" means the second command did not run):
cat /etc/nginx/.htpasswd

Keep this file readable only by root and the nginx worker user; anyone who can read it can run an offline guessing attack against the hashes. When you're done, the auth info in the nginx config should work. We will be testing this later with your registry.

  • Restart nginx (not actually required for this file: nginx opens auth_basic_user_file on every request, so edits take effect immediately, but it is harmless):
sudo systemctl restart nginx
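If you want to confirm an entry offline before wiring it into nginx, the $apr1$ scheme is easy to reproduce. The script below is an added example, not part of the original post: it re-implements the MD5-crypt variant that openssl passwd -apr1 writes, generates and verifies entries, and checks a .htpasswd file for the half-written or doubled-up lines the two append commands above can leave behind. The sample .htpasswd content, the user "builder" and its password are constructed for the example; you can cross-check any hash it produces with openssl passwd -apr1 -salt <salt> <password>.

```python
"""Offline generation and verification of nginx/Apache "$apr1$" htpasswd entries."""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant first (crypt's to64)."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_crypt(password: str, salt: str) -> str:
    """Apache MD5-crypt: same algorithm as FreeBSD md5crypt with the '$apr1$' magic."""
    if not 1 <= len(salt) <= 8 or "$" in salt:
        raise ValueError("salt must be 1-8 characters and contain no '$'")
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):          # mix in alt, one chunk per 16 bytes of password
        ctx.update(alt[: min(16, left)])
    i = len(pw)
    while i:                                     # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):                      # fixed 1000-round stretching loop
        step = hashlib.md5()
        step.update(pw if rnd & 1 else final)
        if rnd % 3:
            step.update(sb)
        if rnd % 7:
            step.update(pw)
        step.update(final if rnd & 1 else pw)
        final = step.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)                   # 22 characters in total
    return MAGIC + salt + "$" + out


def make_entry(user: str, password: str, salt: str = "") -> str:
    """Build one 'user:$apr1$salt$hash' line; a random 8-char salt unless one is given."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"


def verify(entry_hash: str, password: str) -> bool:
    """Check a password against a '$apr1$salt$hash' string (constant-time compare)."""
    if not entry_hash.startswith(MAGIC):
        return False
    salt = entry_hash[len(MAGIC):].split("$", 1)[0]
    return secrets.compare_digest(apr1_crypt(password, salt), entry_hash)


def check_htpasswd(text: str, user: str, password: str) -> str:
    """Return 'ok', 'bad-password', 'missing', or 'malformed:<line>' for the first broken line.

    A line with more than one ':' (two users appended without a hash in between) or a
    line whose hash part is not '$apr1$...' (the "user:" stub left by echo -n) is malformed.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, h = line.partition(":")
        if not sep or ":" in h or not h.startswith(MAGIC):
            return f"malformed:{line}"
        if name == user:
            return "ok" if verify(h, password) else "bad-password"
    return "missing"


# Constructed sample of what the two shell commands leave behind for one user.
SAMPLE_HTPASSWD = make_entry("builder", "correct horse battery", "ci4nginx") + "\n"

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD.strip())
    print(check_htpasswd(SAMPLE_HTPASSWD, "builder", "correct horse battery"))
```

Usage: paste your real file's contents into check_htpasswd (or read it with open()) and call it with the username and password you intend to give the Docker client; "malformed:..." tells you exactly which line nginx would choke on.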

Create your nginx config file:

  • We don't use the default file, create a clean one from scratch:
sudo vi /etc/nginx/sites-available/droneserv

  • Set up your upstream server blocks. The Drone server listens on 8000 and the registry on 5000 on the loopback interface, so only nginx can reach them directly. The map turns a client's Upgrade header into the Connection value nginx needs to proxy Drone's websocket (live build log) connections:
# Upstream server blocks:

upstream ci {
        server 127.0.0.1:8000;
}

upstream registry {
        server 127.0.0.1:5000;
}

# Needed for websocket proxying to Drone
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

  • Set up your port 80 blocks. They do nothing but redirect to HTTPS (note the semicolon after each server_name; without it nginx refuses the config):
# Port 80 server blocks
server {
        listen 80;
        server_name drone.example.net;
        return 301 https://$host$request_uri;
}

server {
        listen 80;
        server_name registry.example.net;
        return 301 https://$host$request_uri;
}

Let's set up the 443 server block for the registry. Two things worth knowing before you paste it: TLS 1.0 and 1.1 have been deprecated (RFC 8996), so the block only offers TLS 1.2 and 1.3 with forward-secret AEAD suites, and an add_header inside a location replaces every add_header inherited from the server block, which is why the HSTS header is repeated inside location /v2/ (with always, so it is also sent on the 401 that auth_basic returns).

### SSL Server info:

# Registry server block
server {
        listen 443 ssl http2;

        server_name registry.example.net;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        ssl_certificate /etc/letsencrypt/live/registry.example.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/registry.example.net/privkey.pem;
        # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1; drop it if your build is older
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        # Forward-secret AEAD suites only: no 3DES, CBC, CAMELLIA or static RSA key exchange
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        # OCSP stapling only works if nginx has a "resolver" directive to look up the
        # OCSP responder; without one it logs "no resolver defined" and serves no staple
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        #registry:

        location /v2/ {

                # Do not allow connections from docker 1.5 and earlier
                # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
                if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
                        return 404;
                }

                # To add basic authentication to v2 use auth_basic setting plus add_header
                auth_basic "Restricted Content";
                auth_basic_user_file /etc/nginx/.htpasswd;
                add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;
                # add_header in a location discards the server-level headers, so repeat HSTS here;
                # "always" sends it on the 401 challenge too
                add_header Strict-Transport-Security max-age=15768000 always;

                proxy_pass                          http://registry;
                proxy_set_header  Host              $http_host;   # required for docker client's sake
                proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
                proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header  X-Forwarded-Proto $scheme;
                proxy_read_timeout                  900;
        }
}

Next we set up the Drone 443 server block. It uses the same TLS settings as the registry block; the server_name and certificate paths use the drone.example.net name chosen above. include proxy_params pulls in the Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers from the /etc/nginx/proxy_params file that the Debian and Ubuntu nginx packages ship; the Upgrade/Connection pair and proxy_http_version 1.1 are what keep Drone's websocket log stream working through the proxy.

# Drone server block
server {
        listen 443 ssl http2;

        server_name drone.example.net;

        ssl_certificate /etc/letsencrypt/live/drone.example.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/drone.example.net/privkey.pem;
        # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1; drop it if your build is older
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        # Forward-secret AEAD suites only: no 3DES, CBC, CAMELLIA or static RSA key exchange
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        # needs a "resolver" directive, see the registry block
        ssl_stapling on;
        ssl_stapling_verify on;
        # inherited by location / below because that location sets no add_header of its own
        add_header Strict-Transport-Security max-age=15768000;

        #ci-c:

        location / {
                proxy_pass http://ci;
                include proxy_params;   # Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_redirect off;
                proxy_http_version 1.1;
                proxy_buffering off;
                chunked_transfer_encoding off;
                proxy_read_timeout 86400;   # keep long-lived log streams open (24h)
        }

}

Once done, we create the symlink so that our config can take effect. The name must match the file created in sites-available above:

sudo ln -s /etc/nginx/sites-available/droneserv /etc/nginx/sites-enabled/droneserv

  • Check the syntax before touching the running service. A typo in this file takes down every site nginx serves, and nginx -t catches it without affecting anything:
sudo nginx -t

  • Reload Nginx (reload keeps existing connections open; use restart only if nginx is not running yet):
sudo systemctl reload nginx

  • Make sure it's running, no crashes:
sudo systemctl status nginx

Nginx should be started and running without errors.
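"Running without errors" only proves nginx parsed the file. The script below is an added example, not part of the original post: it checks the behaviour the two server blocks are meant to produce from the outside, namely that port 80 sends a permanent redirect to HTTPS, that an anonymous request to the registry's /v2/ gets a 401 with a Basic challenge and still carries the Docker-Distribution-Api-Version and Strict-Transport-Security headers (the reason those add_header lines say always), that the same request with credentials gets a 200, and that Drone answers with HSTS set. The hostnames are the ones used in this guide; the username and password are hypothetical. The pass/fail decisions are pure functions over (status, headers), so they can be exercised offline with constructed responses as well as against the live hosts.

```python
"""Smoke test for the nginx front end in front of the Docker registry and Drone."""
import base64
import sys
import urllib.error
import urllib.request

REGISTRY_HOST = "registry.example.net"
DRONE_HOST = "drone.example.net"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the redirect itself can be checked."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user=None, password=None, timeout=10):
    """GET url; return (status, {lowercase header: value}). 3xx/4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "nginx-smoke-test/1.0"})
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_http_redirect(status, headers, host):
    """The port 80 block must answer 301 with an https Location on the same host."""
    return status == 301 and headers.get("location", "").startswith(f"https://{host}/")


def check_registry_anonymous(status, headers):
    """Anonymous /v2/: 401, Basic challenge, and the API-version + HSTS headers sent on the 401."""
    return (
        status == 401
        and headers.get("www-authenticate", "").lower().startswith("basic")
        and headers.get("docker-distribution-api-version") == "registry/2.0"
        and "max-age=" in headers.get("strict-transport-security", "")
    )


def check_registry_authenticated(status, headers):
    """With valid credentials /v2/ returns 200 and the registry identifies itself."""
    return status == 200 and headers.get("docker-distribution-api-version") == "registry/2.0"


def check_drone(status, headers):
    """Drone is reachable through the proxy (no 4xx/5xx) and HSTS was inherited from the server block."""
    return status < 400 and "max-age=" in headers.get("strict-transport-security", "")


def run_live(user, password):
    """Run every check against the real hosts; returns {check name: passed}."""
    return {
        "registry-http-redirect": check_http_redirect(*fetch(f"http://{REGISTRY_HOST}/"), REGISTRY_HOST),
        "drone-http-redirect": check_http_redirect(*fetch(f"http://{DRONE_HOST}/"), DRONE_HOST),
        "registry-anonymous-401": check_registry_anonymous(*fetch(f"https://{REGISTRY_HOST}/v2/")),
        "registry-authenticated-200": check_registry_authenticated(
            *fetch(f"https://{REGISTRY_HOST}/v2/", user, password)
        ),
        "drone-https": check_drone(*fetch(f"https://{DRONE_HOST}/")),
    }


if __name__ == "__main__":
    # Hypothetical credentials: pass the real ones as argv[1] and argv[2].
    user, password = sys.argv[1:3] if len(sys.argv) >= 3 else ("<username>", "<password>")
    results = run_live(user, password)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    sys.exit(0 if all(results.values()) else 1)
```

If registry-anonymous-401 fails while registry-authenticated-200 passes, the usual cause is a missing always on one of the add_header lines, or the HSTS header being set only at server level and overridden inside location /v2/.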

For our final part 4 we set up the Docker Registry. You can find that here

Vusi Moyo

Some guy that found code on the internet and is treating it like play dough
