charles/skubelb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: charles:docs
Branches Tags
charles:main charles:docs
..
compare: charles:57e0db495027aa6ebee72fc5e1f0447b5a2d78ea
Branches Tags
charles:main charles:docs

1 Commits
docs ... 57e0db4950

Author SHA1 Message Date
Charles
57e0db4950 add: multiple fixes, docs for deployment 2025-04-19 22:18:52 -07:00
1 changed files with 0 additions and 32 deletions
Expand all files Collapse all files

32
README.md
View File

@@ -144,35 +144,3 @@ spec:
```
NOTE: you should need to make an entry in the firewall to allow this request through. It is very important that the firewall entry has a source filter; it should only be allowed from the Kubernetes cluster. Nginx will forward traffic to any host that registers, and this could easily become a MitM vulnerability.
## Other tips
### Use 'upstream' in nginx
Do this:
```
upstream hosts {
server 10.182.0.36:30004;
server 10.182.0.39:30004;
}
server {
server_name git.tipsy.codes tipsy.codes;
location / {
proxy_pass http://hosts;
}
}
```
Rather than just writing out the IP in the proxy_pass.
### visudo to only allow the nginx reload command
Use `sudo visudo` to update the sudoers file and add this line:
```
skubelb ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
```
This will prevent the user from running commands other than reload.