Migrate to NixOS: Remove Z9 Public-Reverse-Proxy host from this repo
This commit is contained in:
parent
c5eae99a7f
commit
de97436706
4 changed files with 0 additions and 145 deletions
|
@ -1,8 +0,0 @@
|
|||
nginx__version_spec: ""
|
||||
nginx__deploy_redirect_conf: false
|
||||
nginx__configurations:
|
||||
- name: acme_challenge
|
||||
content: "{{ lookup('ansible.builtin.file', 'z9/configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
|
||||
nginx__use_custom_nginx_conf: true
|
||||
nginx__custom_nginx_conf: |
|
||||
{{ lookup('file', 'z9/configs/public-reverse-proxy/nginx/nginx.conf') }}
|
|
@ -31,19 +31,14 @@ all:
|
|||
ansible_user: chaos
|
||||
debian_12:
|
||||
hosts:
|
||||
public-reverse-proxy:
|
||||
ansible_host: public-reverse-proxy.z9.ccchh.net
|
||||
ansible_user: chaos
|
||||
nginx_hosts:
|
||||
hosts:
|
||||
public-reverse-proxy:
|
||||
esphome:
|
||||
zigbee2mqtt:
|
||||
light:
|
||||
uptime-kuma:
|
||||
public_reverse_proxy_hosts:
|
||||
hosts:
|
||||
public-reverse-proxy:
|
||||
cert_hosts:
|
||||
hosts:
|
||||
certbot_hosts:
|
||||
|
@ -53,7 +48,6 @@ all:
|
|||
uptime-kuma:
|
||||
ssh_server_config_hosts:
|
||||
hosts:
|
||||
public-reverse-proxy:
|
||||
mailserver-endpoint:
|
||||
esphome_hosts:
|
||||
hosts:
|
||||
|
|
|
@ -1,69 +0,0 @@
|
|||
map $host $upstream_acme_challenge_host {
|
||||
club-assistant.ccchh.net 10.31.208.10;
|
||||
netbox.ccchh.net 10.31.208.29;
|
||||
light.ccchh.net 10.31.208.23;
|
||||
thinkcccore0.ccchh.net 10.31.242.3;
|
||||
thinkcccore1.ccchh.net 10.31.242.4;
|
||||
thinkcccore2.ccchh.net 10.31.242.5;
|
||||
thinkcccore3.ccchh.net 10.31.242.6;
|
||||
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
|
||||
esphome.ccchh.net 10.31.208.24:31820;
|
||||
proxmox-backup-server.ccchh.net 10.31.208.28;
|
||||
status.ccchh.net 10.31.206.15:31820;
|
||||
default "";
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80 default_server;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
proxy_pass http://$upstream_acme_challenge_host;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# This is http in any case.
|
||||
proxy_set_header X-Forwarded-Proto http;
|
||||
}
|
||||
|
||||
# Better safe than sorry.
|
||||
# Don't do a permanent redirect to avoid acme challenge pain (even tho 443
|
||||
# still should work).
|
||||
location / {
|
||||
return 307 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 127.0.0.1;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
# ssl_certificate /path/to/signed_cert_plus_intermediates;
|
||||
# ssl_certificate_key /path/to/private_key;
|
||||
# # verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
|
||||
ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt;
|
||||
ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
# replace with the IP address of your resolver
|
||||
resolver 127.0.0.1;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
proxy_pass http://$upstream_acme_challenge_host;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# This is http in any case.
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
}
|
|
@ -1,62 +0,0 @@
|
|||
# This config is based on the standard `nginx.conf` shipping with the stable
|
||||
# nginx package from the NGINX mirrors as of 2023-01.
|
||||
|
||||
user nginx;
|
||||
worker_processes auto;
|
||||
|
||||
error_log /var/log/nginx/error.log notice;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
|
||||
# upstreams.
|
||||
stream {
|
||||
map $ssl_preread_server_name $first_jump {
|
||||
aes.ccchh.net 212.12.48.125:443;
|
||||
wiki.ccchh.net 212.12.48.125:443;
|
||||
default 127.0.0.1:9443;
|
||||
}
|
||||
|
||||
map $ssl_preread_server_name $address {
|
||||
status.ccchh.net 10.31.206.15:8443;
|
||||
default 127.0.0.1:8443;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 0.0.0.0:443;
|
||||
proxy_pass $first_jump;
|
||||
ssl_preread on;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 0.0.0.0:9443;
|
||||
proxy_pass $address;
|
||||
ssl_preread on;
|
||||
proxy_protocol on;
|
||||
}
|
||||
}
|
||||
|
||||
# Still have the default http block, so the `acme_challenge.conf` works.
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
Loading…
Reference in a new issue