add support for reverse proxy ssl

2 years ago · 94e48cbdae
parent 105c53e82d
commit 94e48cbdae
3 changed files with 21 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -17,6 +17,11 @@ http_sites: dictionnary of site, see the Http Sites section bellow

 ```
 in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
+ssl_reverse_proxy_upstream:
+  `upstream_key`: # `upstream_key` is a string value that need to be unique in the same host
+    to: str, the address of destination, either a domain name or ip address
+    sni_server_name: str, the server_name expected in the SNI of the incomming connection
+    to_port: str | int, optionnal, default 443, the port of destination
 ```

 ## Add role to you ansible playbook:
@ -39,7 +44,8 @@ http_sites:
      - ? TODO
    locations:
      `location`:
-        template: `template`
+        templates: 
+          - `template`
        ...
 ```

--- a/templates/http_server.j2
+++ b/templates/http_server.j2
@ -49,10 +49,12 @@ server {
    access_log /var/log/nginx/{{ item.key }}.log;
    error_log /var/log/nginx/{{ item.key }}_error.log;

-    {% for location in (item.value.locations | default([]) | dict2items) -%}
+    {% for location in (item.value.locations | default({}) | dict2items) -%}
    location {{ location.key }} {
        {% filter indent(width=8) -%}
-        {% include location.value.template -%}
+        {% for template in (location.value.templates | default([])) -%}
+        {% include template -%}
+        {%- endfor %}
        {%- endfilter %}
    }
    {%- endfor %}
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@ -36,15 +36,16 @@ http {
 }

 stream {
-    include /etc/nginx/stream_rp.conf;
-
    # Map the SNI from the TLS hello packet to an upstream server.
    # This allow to RP request without breaking the TLS encryption
    # like a proxy_pass does
    map $ssl_preread_server_name $upstream_server {
        acme-v02.api.letsencrypt.org    acme;
        r3.o.lencr.org                  r3;
-        default                         self;
+        {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
+        {{ rp.value.sni_server_name }}   {{ rp.key }};
+        {%- endfor %}
+        default                         local;
    }

    # let's encrypt servers, to generate LE cert from isolated network
@ -54,8 +55,13 @@ stream {
    upstream r3 {
        server r3.o.lencr.org:443;
    }
+    {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
+    upstream {{ rp.key }} {
+        server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
+    }
+    {%- endfor %}
    # default to this server sites
-    upstream self {
+    upstream local {
        server 127.0.0.1:8443;
    }