Deploy NGINX for acme_challenge and PROXY Prot. on PubRP on Chaosknoten

This commit is contained in:
June 2023-08-04 14:06:37 +02:00 committed by julian
parent 2825c5089f
commit 06233d22d5
4 changed files with 97 additions and 0 deletions

View file

@ -0,0 +1,8 @@
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: acme_challenge
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
nginx__use_custom_nginx_conf: true
nginx__custom_nginx_conf: |
{{ lookup('file', 'chaosknoten/configs/public-reverse-proxy/nginx/nginx.conf') }}

View file

@ -0,0 +1,14 @@
all:
children:
debian_12:
hosts:
public-reverse-proxy:
ansible_host: public-reverse-proxy.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos
nginx_hosts:
hosts:
public-reverse-proxy:
public_reverse_proxy_hosts:
hosts:
public-reverse-proxy:

View file

@ -0,0 +1,25 @@
map $host $upstream_acme_challenge_host {
# Something like this should be here at some point:
# aes.ccchh.net 10.31.206.14:31820;
default "";
}
server {
listen 80 default_server;
location /.well-known/acme-challenge/ {
proxy_pass http://$upstream_acme_challenge_host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is http in any case.
proxy_set_header X-Forwarded-Proto http;
}
# Better safe than sorry.
# Don't do a permanent redirect to avoid acme challenge pain (even tho 443
# still should work).
location / {
return 307 https://$host$request_uri;
}
}

View file

@ -0,0 +1,50 @@
# This config is based on the standard `nginx.conf` shipping with the stable
# nginx package from the NGINX mirrors as of 2023-01.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
stream {
map $ssl_preread_server_name $address {
# Something like this should be here at some point:
# aes.ccchh.net 10.31.206.14:8443;
}
server {
listen 0.0.0.0:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
}
# Still have the default http block, so the `acme_challenge.conf` works.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}