Make the wiki publicly accessible and configure nginxs to give it https

This commit is contained in:
julian 2023-04-16 01:29:33 +02:00 committed by Jannik Beyerstedt
parent d3842f6b87
commit 9670b6494c
6 changed files with 119 additions and 10 deletions

View file

@ -3,3 +3,6 @@ nginx__deploy_redirect_conf: false
nginx__configurations:
- name: acme_challenge
content: "{{ lookup('ansible.builtin.file', 'configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
nginx__use_custom_nginx_conf: true
nginx__custom_nginx_conf: |
{{ lookup('file', 'configs/public-reverse-proxy/nginx/nginx.conf') }}

View file

@ -1,5 +1,7 @@
nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__configurations:
- name: http_handler
content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/http_handler.conf') }}"
- name: wiki.ccchh.net
content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/wiki.ccchh.net.conf') }}"

View file

@ -6,6 +6,7 @@ map $host $upstream_acme_challenge_host {
thinkcccore1.ccchh.net 10.31.242.4;
thinkcccore2.ccchh.net 10.31.242.5;
thinkcccore3.ccchh.net 10.31.242.6;
wiki.ccchh.net 10.31.206.13;
default "";
}
@ -20,10 +21,26 @@ server {
# This is http in any case.
proxy_set_header X-Forwarded-Proto http;
}
# Better safe than sorry.
# Don't do a permanent redirect to avoid acme challenge pain (even tho 443
# still should work).
location / {
return 307 https://$host$request_uri;
}
}
server {
listen 443 ssl http2 default_server;
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 127.0.0.1;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# ssl_certificate /path/to/signed_cert_plus_intermediates;
# ssl_certificate_key /path/to/private_key;

View file

@ -0,0 +1,50 @@
# This config is based on the standard `nginx.conf` shipping with the stable
# nginx package from the NGINX mirrors as of 2023-01.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
stream {
map $ssl_preread_server_name $address {
wiki.ccchh.net 10.31.206.13:8443;
default 127.0.0.1:8443;
}
server {
listen 0.0.0.0:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
}
# Still have the default http block, so the `acme_challenge.conf` works.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

View file

@ -0,0 +1,14 @@
server {
listen 80 default_server;
#listen [::]:80 default_server;
server_name _;
location /.well-known/acme-challenge/ {
autoindex on;
root /webroot-for-acme-challenge;
}
location / {
return 301 https://$host$request_uri;
}
}

View file

@ -1,14 +1,37 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen [::]:80 ipv6only=off;
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 10.31.206.11;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name wiki.z9.ccchh.net;
server_name wiki.ccchh.net;
ssl_certificate /etc/letsencrypt/live/wiki.ccchh.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/wiki.ccchh.net/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/wiki.ccchh.net/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# Maximum file upload size is 4MB - change accordingly if needed
client_max_body_size 4M;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
root /var/www/dokuwiki;
index doku.php;