fix basic RP stream config

2 years ago · 105c53e82d
parent 898cfa69dc
commit 105c53e82d
4 changed files with 27 additions and 39 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -63,12 +63,7 @@
    dest: /etc/nginx/nginx.conf
  notify: Reload nginx

-# TODO: << Manage reverse proxy >>
- name: Create the SSL reverse proxy conf
-  template:
-    src: stream_rp.conf
-    dest: /etc/nginx/stream_rp.conf
-    force: no
+# TODO: << Manage SSL stream reverse proxy >>

 # Manage each http site
 - name: Copy Http Servers
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@ -38,24 +38,30 @@ http {
 stream {
    include /etc/nginx/stream_rp.conf;

-    # Proxy request from the back end address
-#    map $ssl_preread_server_name $name_from_back {
-#        acme-v02.api.letsencrypt.org    acme;
-#        r3.o.lencr.org                  r3;
-#        default            self-back;
-#    }
-#    upstream acme {
-#        server acme-v02.api.letsencrypt.org:443;
-#    }
-#    upstream r3 {
-#        server r3.o.lencr.org:443;
-#    }
-#    upstream self-back {
-#        server 127.0.0.1:9443;
-#    }
-#    server {
-#        listen 192.168.10.1:443;
-#        proxy_pass $name_from_back;
-#        ssl_preread on;
-#    }
+    # Map the SNI from the TLS hello packet to an upstream server.
+    # This allow to RP request without breaking the TLS encryption
+    # like a proxy_pass does
+    map $ssl_preread_server_name $upstream_server {
+        acme-v02.api.letsencrypt.org    acme;
+        r3.o.lencr.org                  r3;
+        default                         self;
+    }
+
+    # let's encrypt servers, to generate LE cert from isolated network
+    upstream acme {
+        server acme-v02.api.letsencrypt.org:443;
+    }
+    upstream r3 {
+        server r3.o.lencr.org:443;
+    }
+    # default to this server sites
+    upstream self {
+        server 127.0.0.1:8443;
+    }
+
+    server {
+        listen 0.0.0.0:443;
+        proxy_pass $upstream_server;
+        ssl_preread on;
+    }
 }
--- a/templates/static_site.j2
+++ b/templates/static_site.j2
--- a/templates/stream_rp.conf
+++ b/templates/stream_rp.conf
@ -1,13 +0,0 @@
-{{ ansible_managed | comment }}
-
-map $ssl_preread_server_name $name_from_front {
-    default         self;
-}
-upstream self {
-    server 127.0.0.1:8443;
-}
-server {
-    listen 172.20.198.2:443;
-    proxy_pass $name_from_front;
-    ssl_preread on;
- }