fix basic RP stream config

2022-06-22 22:45:05 +02:00 · 2022-06-22 22:45:05 +02:00 · 105c53e82d
commit 105c53e82d
parent 898cfa69dc
4 changed files with 27 additions and 39 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -63,12 +63,7 @@
    dest: /etc/nginx/nginx.conf
  notify: Reload nginx
-# TODO: << Manage reverse proxy >>
+# TODO: << Manage SSL stream reverse proxy >>
 - name: Create the SSL reverse proxy conf
  template:
    src: stream_rp.conf
    dest: /etc/nginx/stream_rp.conf
    force: no
 # Manage each http site
 - name: Copy Http Servers
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@ -38,24 +38,30 @@ http {
 stream {
    include /etc/nginx/stream_rp.conf;
-    # Proxy request from the back end address
+    # Map the SNI from the TLS hello packet to an upstream server.
-#    map $ssl_preread_server_name $name_from_back {
+    # This allow to RP request without breaking the TLS encryption
-#        acme-v02.api.letsencrypt.org    acme;
+    # like a proxy_pass does
-#        r3.o.lencr.org                  r3;
+    map $ssl_preread_server_name $upstream_server {
-#        default            self-back;
+        acme-v02.api.letsencrypt.org    acme;
-#    }
+        r3.o.lencr.org                  r3;
-#    upstream acme {
+        default                         self;
-#        server acme-v02.api.letsencrypt.org:443;
+    }
-#    }
+
-#    upstream r3 {
+    # let's encrypt servers, to generate LE cert from isolated network
-#        server r3.o.lencr.org:443;
+    upstream acme {
-#    }
+        server acme-v02.api.letsencrypt.org:443;
-#    upstream self-back {
+    }
-#        server 127.0.0.1:9443;
+    upstream r3 {
-#    }
+        server r3.o.lencr.org:443;
-#    server {
+    }
-#        listen 192.168.10.1:443;
+    # default to this server sites
-#        proxy_pass $name_from_back;
+    upstream self {
-#        ssl_preread on;
+        server 127.0.0.1:8443;
-#    }
+    }
    server {
        listen 0.0.0.0:443;
        proxy_pass $upstream_server;
        ssl_preread on;
    }
 }
--- a/templates/static_site.j2
+++ b/templates/static_site.j2
--- a/templates/stream_rp.conf
+++ b/templates/stream_rp.conf
@ -1,13 +0,0 @@
 {{ ansible_managed | comment }}
 map $ssl_preread_server_name $name_from_front {
    default         self;
 }
 upstream self {
    server 127.0.0.1:8443;
 }
 server {
    listen 172.20.198.2:443;
    proxy_pass $name_from_front;
    ssl_preread on;
 }