Add Public-Reverse-Proxy

This commit is contained in:
julian 2023-01-08 02:50:23 +01:00
parent 3031cc3ec9
commit f44e3f28b0
4 changed files with 61 additions and 0 deletions

View file

@ -0,0 +1,4 @@
nginx__enable_https_redirect: false
nginx__configs:
- name: acme_challenge
content: "{{ lookup('ansible.builtin.file', 'configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"

View file

@ -14,3 +14,6 @@ all:
ansible_host: printserver.z9.ccchh.net
audio:
ansible_host: audio.z9.ccchh.net
public-reverse-proxy:
ansible_host: public-reverse-proxy.z9.ccchh.net
ansible_user: chaos

View file

@ -0,0 +1,6 @@
---
- name: Deploy the Public-Reverse-Proxy
hosts: public-reverse-proxy
become: true
roles:
- nginx

View file

@ -0,0 +1,48 @@
map $host $upstream_acme_challenge_host {
club-assistant.ccchh.net 10.31.208.10;
netbox.ccchh.net 10.31.208.29;
thinkcccore0.ccchh.net 10.31.242.3;
thinkcccore1.ccchh.net 10.31.242.4;
thinkcccore2.ccchh.net 10.31.242.5;
thinkcccore3.ccchh.net 10.31.242.6;
default "";
}
server {
listen 80 default_server;
location /.well-known/acme-challenge/ {
proxy_pass http://$upstream_acme_challenge_host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is http in any case.
proxy_set_header X-Forwarded-Proto http;
}
}
server {
listen 443 ssl http2 default_server;
# ssl_certificate /path/to/signed_cert_plus_intermediates;
# ssl_certificate_key /path/to/private_key;
# # verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt;
ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# replace with the IP address of your resolver
resolver 127.0.0.1;
location /.well-known/acme-challenge/ {
proxy_pass http://$upstream_acme_challenge_host;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# This is http in any case.
proxy_set_header X-Forwarded-Proto https;
}
}