From f44e3f28b067224324e6568cf24c5f77fa9d6fb7 Mon Sep 17 00:00:00 2001
From: julian
Date: Sun, 8 Jan 2023 02:50:23 +0100
Subject: [PATCH] Add Public-Reverse-Proxy

---
 .../z9/host_vars/public-reverse-proxy.yaml | 4 ++
 inventories/z9/hosts.yml | 3 ++
 playbooks/deploy_public_reverse_proxy.yaml | 6 +++
 .../nginx/acme_challenge.conf | 48 +++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 inventories/z9/host_vars/public-reverse-proxy.yaml
 create mode 100644 playbooks/deploy_public_reverse_proxy.yaml
 create mode 100644 playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf

diff --git a/inventories/z9/host_vars/public-reverse-proxy.yaml b/inventories/z9/host_vars/public-reverse-proxy.yaml
new file mode 100644
index 0000000..30cbe8e
--- /dev/null
+++ b/inventories/z9/host_vars/public-reverse-proxy.yaml
@@ -0,0 +1,4 @@
+nginx__enable_https_redirect: false
+nginx__configs:
+ - name: acme_challenge
+ content: "{{ lookup('ansible.builtin.file', 'configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
diff --git a/inventories/z9/hosts.yml b/inventories/z9/hosts.yml
index fbe79c2..fad0e75 100644
--- a/inventories/z9/hosts.yml
+++ b/inventories/z9/hosts.yml
@@ -14,3 +14,6 @@ all:
 ansible_host: printserver.z9.ccchh.net
 audio:
 ansible_host: audio.z9.ccchh.net
+ public-reverse-proxy:
+ ansible_host: public-reverse-proxy.z9.ccchh.net
+ ansible_user: chaos
diff --git a/playbooks/deploy_public_reverse_proxy.yaml b/playbooks/deploy_public_reverse_proxy.yaml
new file mode 100644
index 0000000..a56f18d
--- /dev/null
+++ b/playbooks/deploy_public_reverse_proxy.yaml
@@ -0,0 +1,6 @@
+---
+- name: Deploy the Public-Reverse-Proxy
+ hosts: public-reverse-proxy
+ become: true
+ roles:
+ - nginx
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
new file mode 100644
index 0000000..5c9cfb6
--- /dev/null
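Review bot: `nginx__enable_https_redirect: false` in host_vars/public-reverse-proxy.yaml is set without saying why, and a later maintainer hardening the host is likely to flip it back to the redirecting default. Presumably it is off because the only job of this host is to pass `/.well-known/acme-challenge/` through on plain port 80, which a blanket redirect to HTTPS would break for the upstreams listed in acme_challenge.conf; that should be stated next to the variable, e.g. `# Keep plain HTTP: the ACME challenge proxy in acme_challenge.conf must answer on port 80.` The exact semantics of the role variable are not visible in this patch, so confirm against the nginx role before wording the comment.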
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -0,0 +1,48 @@
+map $host $upstream_acme_challenge_host {
+ club-assistant.ccchh.net 10.31.208.10;
+ netbox.ccchh.net 10.31.208.29;
+ thinkcccore0.ccchh.net 10.31.242.3;
+ thinkcccore1.ccchh.net 10.31.242.4;
+ thinkcccore2.ccchh.net 10.31.242.5;
+ thinkcccore3.ccchh.net 10.31.242.6;
+ default "";
+}
+
+server {
+ listen 80 default_server;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://$upstream_acme_challenge_host;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is http in any case.
+ proxy_set_header X-Forwarded-Proto http;
+ }
+}
+
+server {
+ listen 443 ssl http2 default_server;
+
+ # ssl_certificate /path/to/signed_cert_plus_intermediates;
+ # ssl_certificate_key /path/to/private_key;
+ # # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+ ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt;
+ ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # replace with the IP address of your resolver
+ resolver 127.0.0.1;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass http://$upstream_acme_challenge_host;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is http in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
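Review bot: The comment `# This is http in any case.` in the `listen 443` server block sits directly above `proxy_set_header X-Forwarded-Proto https;`, so it was carried over from the port-80 block and now contradicts the directive it annotates; change it to `# TLS is terminated here, so tell the upstream the original scheme.` or drop it. In both `location /.well-known/acme-challenge/` blocks a Host value that is not in the `map` resolves to `default ""`, which leaves `proxy_pass http://$upstream_acme_challenge_host;` with an empty upstream and nginx reports an invalid URL prefix (a 500) rather than a deliberate status; a guard such as `if ($upstream_acme_challenge_host = "") { return 404; }` before `proxy_pass` makes the unknown-host case explicit and keeps it out of the error log. The commented `ssl_certificate /path/to/...` lines and `# replace with the IP address of your resolver` read as leftovers from a generator template; either remove them or replace the resolver comment with a note on why `resolver 127.0.0.1;` is the intended value on this host, and since this file sets no `ssl_protocols`/`ssl_ciphers` it presumably relies on the role's global TLS settings, which is worth stating in a header comment so nobody assumes this block is self-contained.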