add support for reverse proxy ssl

This commit is contained in:
histausse 2022-07-17 18:54:55 +02:00
parent 105c53e82d
commit 94e48cbdae
Signed by: histausse
GPG key ID: 67486F107F62E9E9
3 changed files with 21 additions and 7 deletions


@ -17,6 +17,11 @@ http_sites: dictionnary of site, see the Http Sites section bellow
``` ```
in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead` in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
ssl_reverse_proxy_upstream:
`upstream_key`: # `upstream_key` is a string value that need to be unique in the same host
to: str, the address of destination, either a domain name or ip address
sni_server_name: str, the server_name expected in the SNI of the incomming connection
to_port: str | int, optionnal, default 443, the port of destination
``` ```
## Add role to you ansible playbook: ## Add role to you ansible playbook:
@ -39,7 +44,8 @@ http_sites:
- ? TODO - ? TODO
locations: locations:
`location`: `location`:
template: `template` templates:
- `template`
... ...
``` ```


@ -49,10 +49,12 @@ server {
access_log /var/log/nginx/{{ item.key }}.log; access_log /var/log/nginx/{{ item.key }}.log;
error_log /var/log/nginx/{{ item.key }}_error.log; error_log /var/log/nginx/{{ item.key }}_error.log;
{% for location in (item.value.locations | default([]) | dict2items) -%} {% for location in (item.value.locations | default({}) | dict2items) -%}
location {{ location.key }} { location {{ location.key }} {
{% filter indent(width=8) -%} {% filter indent(width=8) -%}
{% include location.value.template -%} {% for template in (location.value.templates | default([])) -%}
{% include template -%}
{%- endfor %}
{%- endfilter %} {%- endfilter %}
} }
{%- endfor %} {%- endfor %}
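Review bot: A location that still uses the old `template:` key now renders as an empty `location` block, because the new loop reads only `location.value.templates` and falls back to `[]`, so an inventory that has not been migrated silently loses that location's content instead of failing the playbook. If the rename is meant as a breaking change it should be called out as such in this commit's README hunk; otherwise a small fallback keeps old inventories working: `{% set templates = location.value.templates | default([location.value.template] if location.value.template is defined else []) -%}` followed by `{% for template in templates -%}`. The `default({})` change on the `locations` loop is the right fix for `dict2items`, which rejects a list. The enclosing `server {` block starts outside the hunk.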


@ -36,15 +36,16 @@ http {
} }
stream { stream {
include /etc/nginx/stream_rp.conf;
# Map the SNI from the TLS hello packet to an upstream server. # Map the SNI from the TLS hello packet to an upstream server.
# This allow to RP request without breaking the TLS encryption # This allow to RP request without breaking the TLS encryption
# like a proxy_pass does # like a proxy_pass does
map $ssl_preread_server_name $upstream_server { map $ssl_preread_server_name $upstream_server {
acme-v02.api.letsencrypt.org acme; acme-v02.api.letsencrypt.org acme;
r3.o.lencr.org r3; r3.o.lencr.org r3;
default self; {% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
{{ rp.value.sni_server_name }} {{ rp.key }};
{%- endfor %}
default local;
} }
# let's encrypt servers, to generate LE cert from isolated network # let's encrypt servers, to generate LE cert from isolated network
@ -54,8 +55,13 @@ stream {
upstream r3 { upstream r3 {
server r3.o.lencr.org:443; server r3.o.lencr.org:443;
} }
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
upstream {{ rp.key }} {
server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
}
{%- endfor %}
# default to this server sites # default to this server sites
upstream self { upstream local {
server 127.0.0.1:8443; server 127.0.0.1:8443;
} }
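Review bot: The added `include /etc/nginx/stream_rp.conf;` in the `stream` block names a file that, as far as this page shows, none of the three changed files creates, and nginx treats a missing non-wildcard include as a fatal configuration error, so unless a task elsewhere in the role deploys that file every host will fail `nginx -t` after this change. Either add the task that ships the file (an empty one is enough) or make the include tolerant of its absence with a glob such as `include /etc/nginx/stream_rp.d/*.conf;`, which matches nothing without an error. In the `map` just below, the operator-supplied `sni_server_name` values are emitted unquoted next to the hard-coded `acme-v02.api.letsencrypt.org` and `r3.o.lencr.org` entries; an entry repeating one of those names, or two upstreams sharing an SNI name, presumably only triggers nginx's duplicate-value warning and keeps the first match, so the intended upstream is silently ignored — a comment stating that SNI names must be unique across both lists, or an `assert` task in the role, would make that explicit. The `stream {` block continues outside both hunks.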