From 94e48cbdaed706b987a0cec19bea5c388127e42d Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Sun, 17 Jul 2022 18:54:55 +0200
Subject: [PATCH] add support for reverse proxy ssl
---
 README.md | 8 +++++++-
 templates/http_server.j2 | 6 ++++--
 templates/nginx.conf | 14 ++++++++++----
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index df3ea84..1e415cb 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,11 @@ http_sites: dictionnary of site, see the Http Sites section bellow
 ```
 in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
+ssl_reverse_proxy_upstream:
+ `upstream_key`: # `upstream_key` is a string value that need to be unique in the same host
+ to: str, the address of destination, either a domain name or ip address
+ sni_server_name: str, the server_name expected in the SNI of the incomming connection
+ to_port: str | int, optionnal, default 443, the port of destination
 ```
 ## Add role to you ansible playbook:
@@ -39,7 +44,8 @@ http_sites:
 - ? TODO
 locations:
 `location`:
- template: `template`
+ templates:
+ - `template`
 ...
 ```
diff --git a/templates/http_server.j2 b/templates/http_server.j2
index a32bd25..11b753f 100644
--- a/templates/http_server.j2
+++ b/templates/http_server.j2
@@ -49,10 +49,12 @@ server {
 access_log /var/log/nginx/{{ item.key }}.log;
 error_log /var/log/nginx/{{ item.key }}_error.log;
- {% for location in (item.value.locations | default([]) | dict2items) -%}
+ {% for location in (item.value.locations | default({}) | dict2items) -%}
 location {{ location.key }} {
 {% filter indent(width=8) -%}
- {% include location.value.template -%}
+ {% for template in (location.value.templates | default([])) -%}
+ {% include template -%}
+ {%- endfor %}
 {%- endfilter %}
 }
 {%- endfor %}
diff --git a/templates/nginx.conf b/templates/nginx.conf
index 8e3cea4..c47de9c 100644
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
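Review bot: The rewritten loop in templates/http_server.j2 reads only `location.value.templates`, so an inventory entry that still uses the old `template:` key now renders an empty `location {{ location.key }} { }` block with no error; the switch from `default([])` to `default({})` on the outer loop does not cover that case. A one-line fallback keeps existing inventories working: `{% for template in (location.value.templates | default([location.value.template] if location.value.template is defined else [])) -%}`. The enclosing `server {` block starts before the hunk and ends after it, so whether the location keys are validated anywhere else cannot be seen from here.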
@@ -36,15 +36,16 @@ http {
 }
 stream {
- include /etc/nginx/stream_rp.conf;
-
 # Map the SNI from the TLS hello packet to an upstream server.
 # This allow to RP request without breaking the TLS encryption
 # like a proxy_pass does
 map $ssl_preread_server_name $upstream_server {
 acme-v02.api.letsencrypt.org acme;
 r3.o.lencr.org r3;
- default self;
+ {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
+ {{ rp.value.sni_server_name }} {{ rp.key }};
+ {%- endfor %}
+ default local;
 }
 # let's encrypt servers, to generate LE cert from isolated network
@@ -54,8 +55,13 @@ stream {
 upstream r3 {
 server r3.o.lencr.org:443;
 }
+ {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
+ upstream {{ rp.key }} {
+ server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
+ }
+ {%- endfor %}
 # default to this server sites
- upstream self {
+ upstream local {
 server 127.0.0.1:8443;
 }
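Review bot: In the `map $ssl_preread_server_name $upstream_server` block the inventory value `rp.value.sni_server_name` is written into the config as-is, and nginx treats a `map` source value that starts with `~` as a regular expression, so a malformed inventory value changes how connections are routed instead of failing `nginx -t`. The role should validate the value as a plain hostname before templating (an assert task with a hostname pattern), or at minimum the README entry added in this commit should state that the value is used verbatim as a `map` source. Routing on `$ssl_preread_server_name` also depends on `ssl_preread on;` in the stream `server` block that proxies to `$upstream_server`, which is outside this hunk and cannot be checked here.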
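Review bot: `upstream {{ rp.key }}` is emitted beside the fixed `upstream r3` and `upstream local` blocks (and presumably an `upstream acme`, which the map references but which is not in the hunk), and nothing stops an inventory key from reusing one of those names; the README hunk only asks the key to be unique within the host, so a key named `local` yields a duplicate `upstream` and the whole config is rejected. A cheap guard is to namespace the generated blocks, `upstream rp_{{ rp.key }} {` here and `{{ rp.value.sni_server_name }} rp_{{ rp.key }};` in the map above, so generated names can never collide with the hand-written ones. `rp.value.to` is likewise used unchecked as the proxy target, so a comment on the `server` line noting that the address is resolved and reached from this host's network would help the next maintainer diagnose a mistyped destination.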