Compare commits
1 Commits
57e0db4950
...
docs
| Author | SHA1 | Date |
|---|---|---|
| | 3724d2572a | |
32
README.md
@@ -144,3 +144,35 @@ spec:
```
NOTE: you should need to make an entry in the firewall to allow this request through. It is very important that the firewall entry has a source filter; it should only be allowed from the Kubernetes cluster. Nginx will forward traffic to any host that registers, and this could easily become a MitM vulnerability.
## Other tips
### Use 'upstream' in nginx
Do this:
```
upstream hosts {
server 10.182.0.36:30004;
server 10.182.0.39:30004;
}
server {
server_name git.tipsy.codes tipsy.codes;
location / {
proxy_pass http://hosts;
}
}
```
Rather than just writing out the IP in the proxy_pass.
### visudo to only allow the nginx reload command
Use `sudo visudo` to update the sudoers file and add this line:
```
skubelb ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
```
This will prevent the user from running commands other than reload.
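Review bot: the `upstream` example is incomplete as a drop-in config: with `proxy_pass http://hosts;` nginx sends the backend `Host: hosts` (its default `proxy_set_header Host $proxy_host;`, where `$proxy_host` is the upstream group name), so the two names in `server_name git.tipsy.codes tipsy.codes;` are indistinguishable at the NodePort behind it; add `proxy_set_header Host $host;` (plus `X-Forwarded-For`/`X-Forwarded-Proto`) inside `location /`, and a `listen` directive so the `server` block stands on its own. Two wording fixes in the same hunk: the NOTE's "you should need to make an entry in the firewall" should read "you will need to add a firewall rule", and the closing line "This will prevent the user from running commands other than reload" should say that the sudoers entry stops `skubelb` from running anything *as root via sudo* other than `systemctl reload nginx`; it does not restrict what the reloaded configuration contains, so the NOTE's warning that nginx forwards to any host that registers still applies and the source filter on the firewall rule remains the only control.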