add support for reverse proxy ssl

This commit is contained in:
histausse 2022-07-17 18:54:55 +02:00
parent 105c53e82d
commit 94e48cbdae
Signed by: histausse
GPG key ID: 67486F107F62E9E9
3 changed files with 21 additions and 7 deletions


@ -17,6 +17,11 @@ http_sites: dictionnary of site, see the Http Sites section bellow
```
in_memoriam: str[], list of name to remember that will be advertised by `X-Clacks-Overhead`
ssl_reverse_proxy_upstream:
`upstream_key`: # `upstream_key` is a string value that need to be unique in the same host
to: str, the address of destination, either a domain name or ip address
sni_server_name: str, the server_name expected in the SNI of the incomming connection
to_port: str | int, optionnal, default 443, the port of destination
```
## Add role to you ansible playbook:
@ -39,7 +44,8 @@ http_sites:
- ? TODO
locations:
`location`:
template: `template`
templates:
- `template`
...
```


@ -49,10 +49,12 @@ server {
access_log /var/log/nginx/{{ item.key }}.log;
error_log /var/log/nginx/{{ item.key }}_error.log;
{% for location in (item.value.locations | default([]) | dict2items) -%}
{% for location in (item.value.locations | default({}) | dict2items) -%}
location {{ location.key }} {
{% filter indent(width=8) -%}
{% include location.value.template -%}
{% for template in (location.value.templates | default([])) -%}
{% include template -%}
{%- endfor %}
{%- endfilter %}
}
{%- endfor %}
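Review bot: The new per-location loop reads only `location.value.templates`, while the README hunk in this same commit still documents a singular `template:` key next to `templates:`; the rendered page has lost the +/- markers, so if `{% include location.value.template -%}` is the removed line, the README now describes a key this template no longer reads, and if it is kept, the two keys should be documented as both applying. Either way a short comment above the loop such as `{# each entry of `templates` is a template path included verbatim, indented into this location block #}` would make the contract visible where it is consumed. The enclosing `server {` block starts outside this hunk.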


@ -36,15 +36,16 @@ http {
}
stream {
include /etc/nginx/stream_rp.conf;
# Map the SNI from the TLS hello packet to an upstream server.
# This allow to RP request without breaking the TLS encryption
# like a proxy_pass does
map $ssl_preread_server_name $upstream_server {
acme-v02.api.letsencrypt.org acme;
r3.o.lencr.org r3;
default self;
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
{{ rp.value.sni_server_name }} {{ rp.key }};
{%- endfor %}
default local;
}
# let's encrypt servers, to generate LE cert from isolated network
@ -54,8 +55,13 @@ stream {
upstream r3 {
server r3.o.lencr.org:443;
}
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
upstream {{ rp.key }} {
server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
}
{%- endfor %}
# default to this server sites
upstream self {
upstream local {
server 127.0.0.1:8443;
}
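Review bot: The two loop bodies interpolate `rp.value.sni_server_name` and `rp.value.to` without a `mandatory` filter, so an entry missing either key renders to a one-token `map` line or to `server :443;` and the error only surfaces at `nginx -t` on the host rather than at template time; `{{ rp.value.sni_server_name | mandatory }} {{ rp.key }};` and `server {{ rp.value.to | mandatory }}:{{ rp.value.to_port | default('443') }};` fail the play with the offending key named instead. The same values land unquoted inside nginx directives, so `rp.key` has to be a valid upstream name and `sni_server_name`/`to` must carry no whitespace or `;`, which is worth stating in the README entry the commit adds. Both `default self;` and `default local;` are visible in the `map` block and the rendered page does not mark which side each is on; if both survive on the new side nginx rejects the duplicate `default`, so the rename to `local` should be confirmed to have replaced, not joined, the old line. The `stream {` block that encloses these hunks starts before the first hunk.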