diff --git a/inventories/z9/host_vars/public-reverse-proxy.yaml b/inventories/z9/host_vars/public-reverse-proxy.yaml
deleted file mode 100644
index 6d6920a..0000000
--- a/inventories/z9/host_vars/public-reverse-proxy.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-nginx__version_spec: ""
-nginx__deploy_redirect_conf: false
-nginx__configurations:
- - name: acme_challenge
- content: "{{ lookup('ansible.builtin.file', 'z9/configs/public-reverse-proxy/nginx/acme_challenge.conf') }}"
-nginx__use_custom_nginx_conf: true
-nginx__custom_nginx_conf: |
- {{ lookup('file', 'z9/configs/public-reverse-proxy/nginx/nginx.conf') }}
diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml
index 934c7d7..12f1a44 100644
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@@ -31,19 +31,14 @@ all:
 ansible_user: chaos
 debian_12:
 hosts:
- public-reverse-proxy:
- ansible_host: public-reverse-proxy.z9.ccchh.net
- ansible_user: chaos
 nginx_hosts:
 hosts:
- public-reverse-proxy:
 esphome:
 zigbee2mqtt:
 light:
 uptime-kuma:
 public_reverse_proxy_hosts:
 hosts:
- public-reverse-proxy:
 cert_hosts:
 hosts:
 certbot_hosts:
@@ -53,7 +48,6 @@ all:
 uptime-kuma:
 ssh_server_config_hosts:
 hosts:
- public-reverse-proxy:
 mailserver-endpoint:
 esphome_hosts:
 hosts:
diff --git a/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf
deleted file mode 100644
index d20f132..0000000
--- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ /dev/null
@@ -1,69 +0,0 @@
-map $host $upstream_acme_challenge_host {
- club-assistant.ccchh.net 10.31.208.10;
- netbox.ccchh.net 10.31.208.29;
- light.ccchh.net 10.31.208.23;
- thinkcccore0.ccchh.net 10.31.242.3;
- thinkcccore1.ccchh.net 10.31.242.4;
- thinkcccore2.ccchh.net 10.31.242.5;
- thinkcccore3.ccchh.net 10.31.242.6;
- zigbee2mqtt.ccchh.net 10.31.208.25:31820;
- esphome.ccchh.net 10.31.208.24:31820;
- proxmox-backup-server.ccchh.net 10.31.208.28;
- status.ccchh.net 10.31.206.15:31820;
- default "";
-}
-
-server {
- listen 80 default_server;
-
- location /.well-known/acme-challenge/ {
- proxy_pass http://$upstream_acme_challenge_host;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # This is http in any case.
- proxy_set_header X-Forwarded-Proto http;
- }
-
- # Better safe than sorry.
- # Don't do a permanent redirect to avoid acme challenge pain (even tho 443
- # still should work).
- location / {
- return 307 https://$host$request_uri;
- }
-}
-
-server {
- # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 127.0.0.1;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
-
- # ssl_certificate /path/to/signed_cert_plus_intermediates;
- # ssl_certificate_key /path/to/private_key;
- # # verify chain of trust of OCSP response using Root CA and Intermediate certs
- # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
- ssl_certificate /etc/ssl/certs/public-reverse-proxy.crt;
- ssl_certificate_key /etc/ssl/private/public-reverse-proxy.key;
-
- # HSTS (ngx_http_headers_module is required) (63072000 seconds)
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- # replace with the IP address of your resolver
- resolver 127.0.0.1;
-
- location /.well-known/acme-challenge/ {
- proxy_pass http://$upstream_acme_challenge_host;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- # This is http in any case.
- proxy_set_header X-Forwarded-Proto https;
- }
-}
diff --git a/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf b/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf
deleted file mode 100644
index 0a9b881..0000000
--- a/playbooks/files/z9/configs/public-reverse-proxy/nginx/nginx.conf
+++ /dev/null
@@ -1,62 +0,0 @@
-# This config is based on the standard `nginx.conf` shipping with the stable
-# nginx package from the NGINX mirrors as of 2023-01.
-
-user nginx;
-worker_processes auto;
-
-error_log /var/log/nginx/error.log notice;
-pid /var/run/nginx.pid;
-
-
-events {
- worker_connections 1024;
-}
-
-# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
-# upstreams.
-stream {
- map $ssl_preread_server_name $first_jump {
- aes.ccchh.net 212.12.48.125:443;
- wiki.ccchh.net 212.12.48.125:443;
- default 127.0.0.1:9443;
- }
-
- map $ssl_preread_server_name $address {
- status.ccchh.net 10.31.206.15:8443;
- default 127.0.0.1:8443;
- }
-
- server {
- listen 0.0.0.0:443;
- proxy_pass $first_jump;
- ssl_preread on;
- }
-
- server {
- listen 0.0.0.0:9443;
- proxy_pass $address;
- ssl_preread on;
- proxy_protocol on;
- }
-}
-
-# Still have the default http block, so the `acme_challenge.conf` works.
-http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- include /etc/nginx/conf.d/*.conf;
-}