From 9670b6494c255ee1f176563b502073dee2bed8f4 Mon Sep 17 00:00:00 2001 From: julian Date: Sun, 16 Apr 2023 01:29:33 +0200 Subject: [PATCH] Make the wiki publicly accessible and configure nginxs to give it https --- .../z9/host_vars/public-reverse-proxy.yaml | 3 ++ inventories/z9/host_vars/wiki.yml | 2 + .../nginx/acme_challenge.conf | 19 ++++++- .../public-reverse-proxy/nginx/nginx.conf | 50 +++++++++++++++++++ .../configs/wiki/nginx/http_handler.conf | 14 ++++++ .../configs/wiki/nginx/wiki.ccchh.net.conf | 41 +++++++++++---- 6 files changed, 119 insertions(+), 10 deletions(-) create mode 100644 playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf create mode 100644 playbooks/files/configs/wiki/nginx/http_handler.conf diff --git a/inventories/z9/host_vars/public-reverse-proxy.yaml b/inventories/z9/host_vars/public-reverse-proxy.yaml index c62ac52..6086002 100644 --- a/inventories/z9/host_vars/public-reverse-proxy.yaml +++ b/inventories/z9/host_vars/public-reverse-proxy.yaml @@ -3,3 +3,6 @@ nginx__deploy_redirect_conf: false nginx__configurations: - name: acme_challenge content: "{{ lookup('ansible.builtin.file', 'configs/public-reverse-proxy/nginx/acme_challenge.conf') }}" +nginx__use_custom_nginx_conf: true +nginx__custom_nginx_conf: | + {{ lookup('file', 'configs/public-reverse-proxy/nginx/nginx.conf') }} diff --git a/inventories/z9/host_vars/wiki.yml b/inventories/z9/host_vars/wiki.yml index 9469464..81dc42f 100644 --- a/inventories/z9/host_vars/wiki.yml +++ b/inventories/z9/host_vars/wiki.yml @@ -1,5 +1,7 @@ nginx__version_spec: "" nginx__deploy_redirect_conf: false nginx__configurations: + - name: http_handler + content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/http_handler.conf') }}" - name: wiki.ccchh.net content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/wiki.ccchh.net.conf') }}" 
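Review bot: The new `nginx__custom_nginx_conf` value uses the short `lookup('file', ...)` form while the `nginx__configurations` entry directly above it uses the fully-qualified `lookup('ansible.builtin.file', ...)`; the two should match, i.e. `{{ lookup('ansible.builtin.file', 'configs/public-reverse-proxy/nginx/nginx.conf') }}`. A one-line comment above `nginx__use_custom_nginx_conf: true` explaining why the stock nginx.conf has to be replaced on this host (presumably to add the `stream` block) would save the next reader a trip into the referenced file.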
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf index 42b648e..3174eef 100644 --- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf +++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf @@ -6,6 +6,7 @@ map $host $upstream_acme_challenge_host { thinkcccore1.ccchh.net 10.31.242.4; thinkcccore2.ccchh.net 10.31.242.5; thinkcccore3.ccchh.net 10.31.242.6; + wiki.ccchh.net 10.31.206.13; default ""; } @@ -20,10 +21,26 @@ server { # This is http in any case. proxy_set_header X-Forwarded-Proto http; } + + # Better safe than sorry. + # Don't do a permanent redirect to avoid acme challenge pain (even tho 443 + # still should work). + location / { + return 307 https://$host$request_uri; + } } server { - listen 443 ssl http2 default_server; + # Listen on a custom port for the proxy protocol. + listen 8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 127.0.0.1; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; # ssl_certificate /path/to/signed_cert_plus_intermediates; # ssl_certificate_key /path/to/private_key; diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf new file mode 100644 index 0000000..82b3dec --- /dev/null +++ b/playbooks/files/configs/public-reverse-proxy/nginx/nginx.conf 
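Review bot: `listen 8443 ssl http2 proxy_protocol;` in the second hunk binds every interface, but only `127.0.0.1` is trusted by `set_real_ip_from`, so a listener that now requires a PROXY-protocol preamble is also reachable directly on the host's other addresses, where a direct client either fails the preamble or has its PROXY header ignored. Since the `stream` block in `nginx.conf` forwards to `127.0.0.1:8443`, bind it to loopback: `listen 127.0.0.1:8443 ssl http2 proxy_protocol;`. The replaced line also drops `default_server`; if this block is still meant to be the catch-all for unmatched names on this port, keep the flag on the new `listen` line. The second `server` block continues past the end of the hunk.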
@@ -0,0 +1,50 @@
+# This config is based on the standard `nginx.conf` shipping with the stable
+# nginx package from the NGINX mirrors as of 2023-01.
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
+# upstreams.
+stream {
+ map $ssl_preread_server_name $address {
+ wiki.ccchh.net 10.31.206.13:8443;
+ default 127.0.0.1:8443;
+ }
+
+ server {
+ listen 0.0.0.0:443;
+ proxy_pass $address;
+ ssl_preread on;
+ proxy_protocol on;
+ }
+}
+
+# Still have the default http block, so the `acme_challenge.conf` works.
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/playbooks/files/configs/wiki/nginx/http_handler.conf b/playbooks/files/configs/wiki/nginx/http_handler.conf
new file mode 100644
index 0000000..2dcf7d9
--- /dev/null
+++ b/playbooks/files/configs/wiki/nginx/http_handler.conf
@@ -0,0 +1,14 @@
+server {
+ listen 80 default_server;
+ #listen [::]:80 default_server;
+ server_name _;
+
+ location /.well-known/acme-challenge/ {
+ autoindex on;
+ root /webroot-for-acme-challenge;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
index 311385c..856db70 100644
--- a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
+++ b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
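Review bot: The `default 127.0.0.1:8443;` entry in the stream map routes every connection whose SNI is absent or unknown (including any non-TLS traffic that reaches 443) to the local 8443 listener, and nothing in the file says so; add `# Unmatched or missing SNI falls through to the local ACME/redirect server on 8443.` above it so the coupling to `acme_challenge.conf` is explicit. `listen 0.0.0.0:443;` is IPv4-only; if the wiki is expected to be reachable over IPv6, a matching `listen [::]:443;` is needed here as well. The `http` block is the stock one, so `server_tokens off;` next to `sendfile on;` would be a cheap hardening for a public-facing host.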
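Review bot: `autoindex on;` inside `location /.well-known/acme-challenge/` enables a directory listing of the challenge webroot, which an ACME validator never needs since it fetches the exact token path; drop the line, or keep it with a comment stating that the listing is wanted for debugging. The catch-all `location /` returns `301`, whereas the proxy's equivalent in `acme_challenge.conf` deliberately uses `307` with a comment explaining why; either align the two or add a comment here saying why a permanent redirect is acceptable on the wiki host.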
@@ -1,29 +1,52 @@ # partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6 server { - listen [::]:80 ipv6only=off; + # Listen on a custom port for the proxy protocol. + listen 8443 ssl http2 proxy_protocol; + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 10.31.206.11; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; - server_name wiki.z9.ccchh.net; + server_name wiki.ccchh.net; + + ssl_certificate /etc/letsencrypt/live/wiki.ccchh.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/wiki.ccchh.net/privkey.pem; + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/wiki.ccchh.net/chain.pem; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; # Maximum file upload size is 4MB - change accordingly if needed client_max_body_size 4M; client_body_buffer_size 128k; - + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; + root /var/www/dokuwiki; index doku.php; - + #Remember to comment the below out when you're installing, and uncomment it when done. 
location ~ /(conf/|bin/|inc/|vendor/|install.php) { deny all; } - + #Support for X-Accel-Redirect location ~ ^/data/ { internal ; } - + location ~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$ { expires 365d; } - + location / { try_files $uri $uri/ @dokuwiki; } - + location @dokuwiki { # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; @@ -31,7 +54,7 @@ server { rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; } - + location ~ \.php$ { try_files $uri $uri/ /doku.php; include fastcgi_params;
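Review bot: The four `proxy_set_header` lines added after `client_body_buffer_size` have no effect in this server block: `proxy_set_header` only applies to `proxy_pass` requests, and this block serves DokuWiki from `root /var/www/dokuwiki` via `try_files` and, judging by the `fastcgi_params` context at the end of the page, FastCGI. They appear to be copied from the reverse proxy's configuration and should be removed; the realip directives above already rewrite `$remote_addr`, which is what FastCGI passes on as `REMOTE_ADDR`, so PHP sees the client address without them. `ssl_trusted_certificate` is commented as serving OCSP verification, but no `ssl_stapling` directive is visible in the hunk; confirm it exists in the part of the `server` block that continues past this hunk, or the comment is misleading.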