From 105c53e82d27d67cdd4ae5a7b25413381a00a2aa Mon Sep 17 00:00:00 2001 From: Jean-Marie Mineau Date: Wed, 22 Jun 2022 22:45:05 +0200 Subject: [PATCH] fix basic RP stream config --- tasks/main.yml | 7 +--- templates/nginx.conf | 46 ++++++++++++++----------- templates/{folder.js => static_site.j2} | 0 templates/stream_rp.conf | 13 ------- 4 files changed, 27 insertions(+), 39 deletions(-) rename templates/{folder.js => static_site.j2} (100%) delete mode 100644 templates/stream_rp.conf diff --git a/tasks/main.yml b/tasks/main.yml index 35dc38f..e33aa35 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -63,12 +63,7 @@ dest: /etc/nginx/nginx.conf notify: Reload nginx -# TODO: << Manage reverse proxy >> -- name: Create the SSL reverse proxy conf - template: - src: stream_rp.conf - dest: /etc/nginx/stream_rp.conf - force: no +# TODO: << Manage SSL stream reverse proxy >> # Manage each http site - name: Copy Http Servers diff --git a/templates/nginx.conf b/templates/nginx.conf index 9856f43..8e3cea4 100644 --- a/templates/nginx.conf +++ b/templates/nginx.conf 
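Review bot: Removing the task that templates `/etc/nginx/stream_rp.conf` leaves the `include /etc/nginx/stream_rp.conf;` line in templates/nginx.conf pointing at a file this role no longer writes, so a fresh host fails `nginx -t` on the missing non-glob include, and a host where the old template was already rendered (`force: no`) keeps a stale file whose `upstream self` now duplicates the `upstream self` declared in nginx.conf. Either keep templating the file or remove it on managed hosts and drop the include; the removal needs a task in place of the deleted one, and the reload handler so the change takes effect. If the include is to stay for site-specific overrides, a glob such as `include /etc/nginx/stream_rp.d/*.conf;` tolerates an empty directory where a plain filename does not.
```yaml
# … unchanged: nginx.conf template task …
- name: Remove the obsolete SSL stream reverse proxy conf
  file:
    path: /etc/nginx/stream_rp.conf
    state: absent
  notify: Reload nginx
# … unchanged: Copy Http Servers …
```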
@@ -38,24 +38,30 @@ http { stream { include /etc/nginx/stream_rp.conf; - # Proxy request from the back end address -# map $ssl_preread_server_name $name_from_back { -# acme-v02.api.letsencrypt.org acme; -# r3.o.lencr.org r3; -# default self-back; -# } -# upstream acme { -# server acme-v02.api.letsencrypt.org:443; -# } -# upstream r3 { -# server r3.o.lencr.org:443; -# } -# upstream self-back { -# server 127.0.0.1:9443; -# } -# server { -# listen 192.168.10.1:443; -# proxy_pass $name_from_back; -# ssl_preread on; -# } + # Map the SNI from the TLS hello packet to an upstream server. + # This allow to RP request without breaking the TLS encryption + # like a proxy_pass does + map $ssl_preread_server_name $upstream_server { + acme-v02.api.letsencrypt.org acme; + r3.o.lencr.org r3; + default self; + } + + # let's encrypt servers, to generate LE cert from isolated network + upstream acme { + server acme-v02.api.letsencrypt.org:443; + } + upstream r3 { + server r3.o.lencr.org:443; + } + # default to this server sites + upstream self { + server 127.0.0.1:8443; + } + + server { + listen 0.0.0.0:443; + proxy_pass $upstream_server; + ssl_preread on; + } } diff --git a/templates/folder.js b/templates/static_site.j2 similarity index 100% rename from templates/folder.js rename to templates/static_site.j2 diff --git a/templates/stream_rp.conf b/templates/stream_rp.conf deleted file mode 100644 index d7da21d..0000000 --- a/templates/stream_rp.conf +++ /dev/null @@ -1,13 +0,0 @@ -{{ ansible_managed | comment }} - -map $ssl_preread_server_name $name_from_front { - default self; -} -upstream self { - server 127.0.0.1:8443; -} -server { - listen 172.20.198.2:443; - proxy_pass $name_from_front; - ssl_preread on; - }
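Review bot: `listen 0.0.0.0:443;` binds the SNI forwarder on every interface, although the comment above the upstreams says it exists so an isolated network can reach Let's Encrypt, and both earlier versions of this block bound a single address (192.168.10.1 in the commented-out code, 172.20.198.2 in the deleted stream_rp.conf); on a host with a public interface this makes the box a TLS relay for `acme-v02.api.letsencrypt.org` and `r3.o.lencr.org` that anyone can use. Since nginx.conf is rendered by the `template` task, bind the isolated-network address from a role variable, e.g. `listen {{ stream_rp_listen_address }}:443;`, and document its default. Note also that open-source nginx resolves `server acme-v02.api.letsencrypt.org:443;` once at startup, so a change of the Let's Encrypt addresses needs a reload before the forwarder works again; a comment such as `# resolved at startup only: reload nginx if LE addresses change` next to the upstreams would save the next operator a puzzle. The default upstream now targets `127.0.0.1:8443` where the removed block used 9443; the http server blocks are outside this hunk, so please confirm the sites actually listen on 8443.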