add: multiple fixes, docs for deployment

2025-04-19 22:26:33 -07:00
1 changed files with 32 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -144,3 +144,35 @@ spec:
 ```

 NOTE: you should need to make an entry in the firewall to allow this request through. It is very important that the firewall entry has a source filter; it should only be allowed from the Kubernetes cluster. Nginx will forward traffic to any host that registers, and this could easily become a MitM vulnerability.
+
+## Other tips
+
+### Use 'upstream' in nginx
+
+Do this:
+
+```
+upstream hosts {
+        server 10.182.0.36:30004;
+        server 10.182.0.39:30004;
+}
+server {
+        server_name git.tipsy.codes tipsy.codes;
+
+        location / {
+                proxy_pass http://hosts;
+        }
+}
+```
+
+Rather than just writing out the IP in the proxy_pass.
+
+### visudo to only allow the nginx reload command
+
+Use `sudo visudo` to update the sudoers file and add this line:
+
+```
+skubelb ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
+```
+
+This will prevent the user from running commands other than reload.