zishuo/nip
1
0
Fork 0
mirror of https://github.com/cunnie/sslip.io.git synced 2025-10-06 08:06:53 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

document_root/ is under k8s/

Browse Source 
fixes `Forbidden path outside the build context` when building the
forthcoming `Dockerfile-nginx`
This commit is contained in:
Brian Cunnie
2020-07-05 11:30:45 -07:00
parent 3c7a883709
commit ae1012f483
8 changed files with 0 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
k8s/document_root/about.html Normal file
View File

@@ -0,0 +1,105 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,
initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any
other head content must come *after* these tags -->
<title>About sslip.io</title>
<meta name="description" content="sslip.io">
<meta name="author" content="Brian Cunnie">
<!-- cute Green Lock icon -->
<link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico">
<!--
Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<!-- Optional theme -->
<link rel="stylesheet" href="css/starter-template.css">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media
queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via
file:// -->
<!--[if lt IE 9]> <script
src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle
collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false"
aria-controls="navbar">
<span class="sr-only">Toggle navigation </span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button> <a class="navbar-brand" href="/">sslip.io</a> </div>
<div id="navbar" class="collapse
navbar-collapse">
<ul class="nav navbar-nav">
<li><a href="/">Home</a></li>
<li><a href="faq.html">FAQ</a></li>
<li class="active"><a href="about.html">About</a></li>
</ul>
</div>
<!--/.nav-collapse -->
</div>
</nav>
<div class="container">
<div class="starter-template">
<h1>About sslip.io</h1>
<p><a href="https://github.com/tylerschultz">Tyler Schultz</a>,
<a href="https://github.com/APShirley">Alvaro Perez-Shirley</a>,
and <a href="https://github.com/cunnie">Brian Cunnie</a> created sslip.io on Tuesday August 11, 2015 during a
Pivotal Software-sponsored Hack Day. Thanks Pivotal!</p>
<p><a href="https://github.com/sstephenson">Sam Stephenson</a> built <a href="http://xip.io/">xip.io</a>, upon which
much of our code is based. He also suggested the name
<i>sslip.io</i>.</p>
<p><a href="https://github.com/justinjsmith">Justin Smith</a> advised us on the security implications of releasing
an SSL certificate and key to the general public.</p>
<div class="row">
<p></p>
</div>
<p>&copy; 2015 Brian Cunnie, Pivotal Software</p>
</div>
</div>
<!-- /.container -->
<!-- Bootstrap core JavaScript ================================================== -->
<!--
Placed at the end of the document so the pages load faster -->
<!-- jQuery
(necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<!--
Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<!--
IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="https://raw.githubusercontent.com/twbs/bootstrap/master/docs/assets/js/ie10-viewport-bug-workaround.js"></script>
<!--
Google Analytics -->
<script>
(function(i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function() {
(i[r].q = i[r].q || []).push(arguments)
}, i[r].l = 1 * new Date();
a = s.createElement(o), m = s.getElementsByTagName(
o)[0];
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
})(window, document, 'script',
'//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-43107212-2', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>

11
k8s/document_root/css/starter-template.css Normal file
View File

@@ -0,0 +1,11 @@
body {
padding-top: 50px;
}
.starter-template {
padding: 40px 15px;
text-align: left;
}
table.sslip {
border-spacing: 10px 2px;
border-collapse: separate;
}

197
k8s/document_root/faq.html Normal file
View File

@@ -0,0 +1,197 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width,
initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any
other head content must come *after* these tags -->
<title>sslip.io FAQ</title>
<meta name="description" content="sslip.io">
<meta name="author" content="Brian Cunnie">
<!-- cute Green Lock icon -->
<link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico">
<!-- Latest
compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<!-- Optional theme -->
<link rel="stylesheet" href="css/starter-template.css">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media
queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via
file:// -->
<!--[if lt IE 9]> <script
src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle
collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false"
aria-controls="navbar">
<span class="sr-only">Toggle navigation </span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button> <a class="navbar-brand" href="/">sslip.io</a> </div>
<div id="navbar" class="collapse
navbar-collapse">
<ul class="nav navbar-nav">
<li><a href="/">Home</a></li>
<li class="active"><a href="faq.html">FAQ</a></li>
<li><a href="about.html">About</a></li>
</ul>
</div>
<!--/.nav-collapse -->
</div>
</nav>
<div class="container">
<div class="starter-template">
<h1>FAQ</h1>
<p class="lead">Do I have to pay to use this service?</p>
<p>No, it's free.</p>
<p class="lead">Can I use this certificate on my commerce website?</p>
<p>Although there's no technical reason why you couldn't use
the sslip.io SSL key and certificate for your commerce
web, we <i>strongly</i> recommend against it: the key
is publicly available; your traffic isn't secure. sslip.io's
primary purpose is to assist developers who need to test
against valid SSL certs, not to safeguard content.</p>
<p class="lead">My webserver wants a certificate and an "intermediate certificate
chain"&mdash;where do I get that? </p>
<p>Certain web servers (e.g. <a href="http://www.tenable.com">Tenable's</a> <a href="http://www.tenable.com/products/nessus-vulnerability-scanner">Nessus</a> scanner) prefer to split the chained certificate file
(which has three concatenated certificates) into two
files: one file containing a single certificate for the
server itself (e.g. the "*.sslip.io" certificate), and
a second file containing the intermediate certificate
authorities (e.g. the two COMODO certificate authorities).</p>
<p>You can split the chained certificate file by hand, or
you can download them, pre-split, from GitHub: </p>
<ul>
<li>the server <a href="https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/sslip.io.crt.pem">certificate</a> ("*.sslip.io") </li>
<li>the intermediate certificate <a href="https://raw.githubusercontent.com/cunnie/sslip.io/master/ssl/intermediate-ca.crt.pem">chain</a> (the COMODO CAs)</li>
</ul>
<p class="lead">Why can't I use dots in my hostname? xip.io lets me use
dots. </p>
<p>You can't have dots, but you can have dashes: for example,
"www-sf-ca-us-10-9-9-142.sslip.io" will work with sslip.io's
wildcard SSL certificate, but "www.sf.ca.us.10.9.9.142.sslip.io"
will not. This is a technical limitation of wildcard
certs and the manner in which browsers treat them (read
more <a href="http://security.stackexchange.com/questions/10538/what-certificates-are-needed-for-multi-level-subdomains">here</a>).</p>
<p>This restricts sslip.io's usage model. For example, it
won't work properly with Cloud Foundry's app domain or
system domain.</p>
<p class="lead">Does sslip.io work with name-based virtual hosting? We
have multiple projects but only one webserver.</p>
<p> sslip.io interoperates quite well with <a href="https://en.wikipedia.org/wiki/Virtual_hosting#Name-based">name-based virtual hosting</a>.
You can prepend identifying information to the sslip.io
hostname without jeopardizing the address resolution, and then use
those hostnames to distinguish the content being served.
For example, let's assume that your webserver's IP address
is 10.9.9.30, and that you have three projects you're
working on (Apple, Google, and Facebook). You would use
the following three sslip.io hostnames: </p>
<ul>
<li>apple-10-9-9-30.sslip.io</li>
<li>facebook-10-9-9-30.sslip.io</li>
<li>google-10-9-9-30.sslip.io</li>
</ul>
<p class="lead">Can you make the hostnames easier to remember? It's as
hard as memorizing IP addresses.</p>
<p>Unfortunately, no. We appreciate that "52-0-56-137.sslip.io"
is not an easy-to-remember hostname, whereas something
along the lines of "aws-server.sslip.io" would be much
simpler, but we don't see an easy solution&mdash;we need
to be able to extract the IP address from the hostname
in order for our DNS nameserver to reply with the proper
address when queried.</p>
<p class="lead">Do you have support for IPv6-style addresses?</p>
<p>Not yet, but if there's enough demand for it we might try
implementing it.</p>
<p class="lead">Why did you choose a 4096-bit key instead of a 2048-bit
key?
</p>
<p>We couldn't help ourselves&mdash;when it comes to keys,
longer is better. In retrospect there were flaws in our
thinking: certain hardware devices, e.g. YubiKeys, only
support keys of length 2048 bits or less. Also, there
was no technical value in making a long key&mdash;it's
publicly available on GitHub, so a zero-bit key would
have been equally secure.</p>
<p class="lead">Do I have to use the sslip.io domain? I'd rather have a
valid cert for my domain.</p>
<p>If you want valid SSL certificate, and you don't want to
use the sslip.io domain, then you'll need to purchase
a certificate for your domain. We purchased ours from
<a href="https://www.cheapsslshop.com">Cheap SSL Shop</a>,
but use a vendor with whom you're comfortable. </p>
<p class="lead">What is the sslip.io certificate chain? </p>
<p>The sslip.io certificate chain is the series of certificates,
each signing the next, with a root certificate at the
top. It looks like the following:</p>
<div class="col-sm-12">
<img src="img/cert_chain.png" height="206" /> </div>
<div class="row"></div>
<p></p>
<p>Note that the "root" certificate is "AddTrust's External
CA Root", which issued a certificate to the "COMODO RSA
Certification Authority", which in turn issued a certificate
to the "COMODO RSA Domain Validation Secure Server CA"
which in turn issued our certificate, "*.sslip.io".
</p>
<p class="lead">How is "sslip.io" pronounced?</p>
<p>ESS-ESS-ELL-EYE-PEE-DOT-EYE-OH</p>
<p class="lead">Where do I report bugs? I think I found one.</p>
<p>Open an issue on <a href="https://github.com/cunnie/sslip.io/issues">GitHub</a>;
we're tracking our issues there.</p>
<p class="lead">There's a typo/mistake on the sslip.io website. </p>
<p>Thanks! We love <a href="https://github.com/cunnie/sslip.io/pulls">pull requests</a>.</p>
<div class="row">
<p></p>
</div>
<p>&copy; 2015 Brian Cunnie, Pivotal Software </p>
</div>
</div>
<!-- /.container -->
<!-- Bootstrap core JavaScript ================================================== -->
<!--
Placed at the end of the document so the pages load faster -->
<!-- jQuery
(necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<!--
Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<!--
IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src="https://raw.githubusercontent.com/twbs/bootstrap/master/docs/assets/js/ie10-viewport-bug-workaround.js"></script>
<!--
Google Analytics -->
<script>
(function(i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function() {
(i[r].q = i[r].q || []).push(arguments)
}, i[r].l = 1 * new Date();
a = s.createElement(o), m = s.getElementsByTagName(
o)[0];
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
})(window, document, 'script',
'//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-43107212-2', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>

BIN
k8s/document_root/img/cert_chain.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
k8s/document_root/img/favicon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.5 KiB

BIN
k8s/document_root/img/green_lock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
k8s/document_root/img/red_lock.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

217
k8s/document_root/index.html Normal file
View File

@@ -0,0 +1,217 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta name="generator" content="HTML Tidy for HTML5 for Apple macOS version 5.6.0">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any
other head content must come *after* these tags -->
<title>Welcome to sslip.io</title>
<meta name="description" content="sslip.io">
<meta name="author" content="Brian Cunnie"><!-- cute Green Lock icon -->
<link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico"><!-- Latest
compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css"><!--
Optional theme -->
<link rel="stylesheet" href="css/starter-template.css"><!--
HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--
WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt
IE 9]> <script
src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script> <script
src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script> <![endif]-->
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar"
aria-expanded="false" aria-controls="navbar"><span class="sr-only">Toggle navigation</span></button> <a class=
"navbar-brand" href="/">sslip.io</a>
</div>
<div id="navbar" class="collapse navbar-collapse">
<ul class="nav navbar-nav">
<li class="active">
<a href="/">Home</a>
</li><!--
<li><a href="faq.html">FAQ</a></li>
<li><a href="about.html">About</a></li>
-->
</ul>
</div><!--/.nav-collapse -->
</div>
</nav>
<div class="container">
<div class="starter-template">
<h3 id="sslip.io">sslip.io</h3>
<p>Operational Status: <a href="https://ci.nono.io/?groups=sslip.io"><img src=
"https://ci.nono.io/api/v1/pipelines/sslip.io/jobs/check-dns/badge" alt="ci.nono.io"></a> <sup><a href="#status"
class="alert-link">[Status]</a></sup></p>
<p><em>sslip.io</em> is a DNS (<a href="https://en.wikipedia.org/wiki/Domain_Name_System">Domain Name System</a>)
service that, when queried with a hostname with an embedded IP address, returns that IP Address. It was inspired
by and uses much of the code of <a href="http://xip.io">xip.io</a>, which was created by <a href=
"https://github.com/sstephenson">Sam Stephenson</a>.</p>
<p>Here are some examples:</p>
<table class="table">
<thead>
<tr class="header">
<th>Hostname / URL</th>
<th>IP Address</th>
<th>Notes</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>192.168.0.1.sslip.io</td>
<td>192.168.0.1</td>
<td>dot separators</td>
</tr>
<tr class="even">
<td><a href="https://52-0-56-137.sslip.io">https://52-0-56-137.sslip.io</a></td>
<td>52.0.56.137</td>
<td>dash separators, sslip.io website mirror (IPv4)</td>
</tr>
<tr class="odd">
<td>www.192.168.0.1.sslip.io</td>
<td>192.168.0.1</td>
<td>subdomain</td>
</tr>
<tr class="even">
<td>www.192-168-0-1.sslip.io</td>
<td>192.168.0.1</td>
<td>subdomain + dashes</td>
</tr>
<tr class="odd">
<td><a href="https://www-78-46-204-247.sslip.io">https://www-78-46-204-247.sslip.io</a></td>
<td>78.46.204.247</td>
<td>embedded, sslip.io website mirror (IPv4)</td>
</tr>
<tr class="even">
<td>1.sslip.io</td>
<td>::1</td>
<td>IPv6 — always use dashes</td>
</tr>
<tr class="odd">
<td><a href="https://2a01-4f8-c17-b8f--2.sslip.io">https://2a01-4f8-c17-b8f--2.sslip.io</a></td>
<td>2a01:4f8:c17:b8f::2</td>
<td>sslip.io website mirror (IPv6)</td>
</tr>
</tbody>
</table>
<h3 id="branding">Branding / White Label / Custom Domains</h3>
<p>sslip.io can be used to brand your own site (you dont need to use the sslip.io domain). For example, say you
own the domain “example.com”, and you want your subdomain, “xip.example.com” to have xip.io-style features. To
accomplish this, set the following four DNS servers as NS records for the subdomain
“xip.example.com”</p>
<div class="alert alert-warning" role="alert">
<b>2018-09-20 Nameserver (NS) Change!</b> Update your nameservers. We have
deprecated ns-he.nono.io in favor of <b>ns-vultr.nono.io</b>
</div>
<table class="table">
<thead>
<tr class="header">
<th>hostname</th>
<th>IP address</th>
<th>Location</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><code>ns-aws.nono.io.</code></td>
<td>52.0.56.137</td>
<td>USA</td>
</tr>
<tr class="even">
<td><code>ns-gce.nono.io.</code></td>
<td>104.155.144.4</td>
<td>USA</td>
</tr>
<tr class="odd">
<td><code>ns-azure.nono.io.</code></td>
<td>52.187.42.158</td>
<td>Singapore</td>
</tr>
<tr class="even">
<td><code>ns-vultr.nono.io.</code></td>
<td>207.148.72.47<br />2001:19f0:4400:60d5::</td>
<td>Singapore</td>
</tr>
</tbody>
</table>
<p>Lets test it from the command line using <code>dig</code>:</p>
<pre>
<code>dig +short 169-254-169-254.xip.example.com @ns-gce.nono.io.</code></pre>
<p>Yields, hopefully: <sup><a href="#timeout" class="alert-link">[connection timed out]</a></sup></p>
<pre><code>169.254.169.254</code></pre>
<h4 id="tls-transport-layer-security">TLS (Transport Layer Security)</h4>
<p>If you have a wildcard certificate for your sslip.io-style subdomain, you may install it on your machines for
TLS-verified connections.</p>
<div class="alert alert-warning" data-role="alert">
<p>When using a TLS wildcard certificate in conjunction with your branded sslip.io style subdomain, you must
<b>use dashes not dots</b> as separators. For example, if you have the TLS certificate for
<i>*.xip.example.com</i>, you could browse to https://52-0-56-137.xip.example.com/ but not
https://52.0.56.137.xip.example.com/.</p>
</div>
<p>For a real-world example of a TLS wildcard cert and sslip.io domain, browse <a href=
"https://52-0-56-137.sslip.io" class="uri">https://52-0-56-137.sslip.io</a>.</p>
<p>Pivotal employees can download the <i>*.sslip.io</i> TLS private key <a href=
"https://drive.google.com/open?id=0ByweFu4TspftMWJPdE1US0hQTGc">here</a>.</p>
<hr>
<h4 id="footnotes">Footnotes</h4>
<p><a id="status"><sup>[Status]</sup></a> A status of “build failing” rarely means the system is
failing. Its more often an indication that when the servers were last checked (currently every six hours), the
CI (continuous integration) <a href="https://ci.nono.io/teams/main/pipelines/sslip.io">server</a> had difficulty
reaching one of the four sslip.io nameservers. Thats normal. <sup><a href="#timeout" class=
"alert-link">[connection timed out]</a></sup></p>
<p><a id="timeout"><sup>[connection timed out]</sup></a></p>
<p>DNS runs over <a href="https://en.wikipedia.org/wiki/User_Datagram_Protocol">UDP</a> which has no guaranteed
delivery, and its not uncommon for the packets to get lost in transmission. DNS clients are programmed to
seamlessly query a different server when that happens. Thats why DNS, by fiat, requires at least two nameservers
(for redundancy). From <a href="https://tools.ietf.org/html/rfc1034">IETF (Internet Engineering Task Force) RFC
(Request for Comment) 1034</a>:</p>
<blockquote>
<p>A given zone will be available from several name servers to insure its availability in spite of host or
communication link failure. By administrative fiat, we require every zone to be available on at least two
servers, and many zones have more redundancy than that.</p>
</blockquote>
</div>
</div><!-- /.container -->
<!--
Bootstrap core JavaScript ================================================== -->
<!--
Placed at the end of the document so the pages load faster -->
<!-- jQuery
(necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script> <!--
Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script> <!--
IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script src=
"https://raw.githubusercontent.com/twbs/bootstrap/master/docs/assets/js/ie10-viewport-bug-workaround.js"></script>
<!--
Google Analytics -->
<script>
(function(i, s, o, g, r, a, m) {
i['GoogleAnalyticsObject'] = r;
i[r] = i[r] || function() {
(i[r].q = i[r].q || []).push(arguments)
}, i[r].l = 1 * new Date();
a = s.createElement(o), m = s.getElementsByTagName(
o)[0];
a.async = 1;
a.src = g;
m.parentNode.insertBefore(a, m)
})(window, document, 'script',
'//www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-43107212-2', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>