New reverse proxy role

roles/nginx-reverse-proxy/handlers/main.yml

@@ -1,6 +0,0 @@
----
-# Reload NGINX when a site changes
-- name: Reload NGINX service
-  service:
-    name: nginx
-    state: reloaded

roles/nginx-reverse-proxy/tasks/main.yml

@@ -1,64 +0,0 @@
----
-# nginx is the proxy server
-# nginx-light contains less modules
-# but also reduces the surface of attack
-- name: Install NGINX server
-  apt:
-    update_cache: true
-    name: nginx-light
-    state: present
-  register: apt_result
-  retries: 3
-  until: apt_result is succeeded
-
-# Install proxy snippets
-- name: Configure NGINX proxy snippets
-  template:
-    src: nginx/snippets/{{ item }}.j2
-    dest: /etc/nginx/snippets/{{ item }}
-    mode: 0644
-  loop:
-    - proxy-common.conf
-    - proxy-common-ssl.conf
-  notify: Reload NGINX service
-
-# Install sites
-- name: Configure NGINX sites
-  template:
-    src: nginx/nginx-sites-available.j2
-    dest: /etc/nginx/sites-available/{{ item.name }}
-    mode: 0644
-  loop: "{{ reversed_proxy_subdomains }}"
-  notify: Reload NGINX service
-
-# Desactive useless nginx sites
-- name: Deactivate the default NGINX site
-  file:
-    path: /etc/nginx/sites-enabled/default
-    state: absent
-  notify: Reload NGINX service
-
-# Activate sites
-- name: Activate sites
-  file:
-    src: /etc/nginx/sites-available/{{ item.name }}
-    dest: /etc/nginx/sites-enabled/{{ item.name }}
-    state: link
-  loop: "{{ reversed_proxy_subdomains }}"
-  notify: Reload NGINX service
-
-# Install main site
-- name: Configure NGINX main site
-  template:
-    src: nginx/nginx-sites-available-main.j2
-    dest: /etc/nginx/sites-available/main
-    mode: 0644
-  notify: Reload NGINX service
-
-# Activate main site
-- name: Activate main site
-  file:
-    src: /etc/nginx/sites-available/main
-    dest: /etc/nginx/sites-enabled/main
-    state: link
-  notify: Reload NGINX service

roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2

@@ -1,107 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    # Common proxy snippet
-    include "snippets/proxy-common.conf";
-
-    # Set witch server name we define
-    server_name auro.re;
-
-    # Permanentely moved to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-
-    # For Matrix Synapse Discord Appservice Media
-    location /_matrix {
-        proxy_pass http://synapse.adm.auro.re:8008;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-}
-
-server {
-    # Common proxy snippet
-    include "snippets/proxy-common-ssl.conf";
-
-    # Set witch server name we define
-    server_name auro.re;
-
-    # Separate log files
-    access_log  /var/log/nginx/main.access.log;
-    error_log  /var/log/nginx/main.error.log;
-
-    # Use LetsEncrypt SSL
-    ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
-
-    location / {
-        proxy_redirect off;
-        proxy_pass http://www.adm.auro.re;
-        proxy_set_header Host auro.re;
-        proxy_set_header P-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-
-        # "A man is not dead while his name is still spoken." -- Going Postal
-        add_header X-Clacks-Overhead "GNU Terry Pratchett";
-    }
-
-    # For Matrix identity server
-    location /_matrix/identity {
-        proxy_pass http://synapse.adm.auro.re:8090/_matrix/identity;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-
-    # For Matrix Synapse
-    location /_matrix {
-        proxy_pass http://synapse.adm.auro.re:8008;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-}
-
-server {
-    listen 8448 ssl;
-    listen [::]:8448 ssl;
-
-    # Set witch server name we define
-    server_name auro.re;
-
-    # Separate log files
-    access_log  /var/log/nginx/main.access.log;
-    error_log  /var/log/nginx/main.error.log;
-
-    # Use LetsEncrypt SSL
-    ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
-
-    # For Matrix Synapse federation
-    location / {
-        proxy_pass http://synapse.adm.auro.re:8008;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-}
-
-server {
-    listen 9442 ssl;
-    listen [::]:9442 ssl;
-
-    # Set witch server name we define
-    server_name auro.re;
-
-    # Separate log files
-    access_log  /var/log/nginx/main.access.log;
-    error_log  /var/log/nginx/main.error.log;
-
-    # Use LetsEncrypt SSL
-    ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
-
-    # For Matrix Appservice Webhooks
-    location / {
-        proxy_pass http://synapse.adm.auro.re:9000;
-        proxy_set_header X-Forwarded-For $remote_addr;
-    }
-}

roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2

@@ -1,40 +0,0 @@
-# {{ ansible_managed }}
-
-server {
-    # Common proxy snippet
-    include "snippets/proxy-common.conf";
-
-    # Set witch server name we define
-    server_name {{ item.from }};
-
-    # Permanentely moved to HTTPS
-    return 301 https://$host$request_uri;
-}
-
-server {
-    # Common proxy snippet
-    include "snippets/proxy-common-ssl.conf";
-
-    # Set witch server name we define
-    server_name {{ item.from }};
-
-    # Separate log files
-    access_log  /var/log/nginx/{{ item.name }}.access.log;
-    error_log  /var/log/nginx/{{ item.name }}.error.log;
-
-    # Use LetsEncrypt SSL
-    ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
-
-    location / {
-        proxy_redirect off;
-        proxy_pass http://{{ item.to }};
-        proxy_set_header Host {{ item.from }};
-        proxy_set_header P-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-
-        # "A man is not dead while his name is still spoken." -- Going Postal
-        add_header X-Clacks-Overhead "GNU Terry Pratchett";
-    }
-}

roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2

@@ -1,32 +0,0 @@
-# {{ ansible_managed }}
-
-# Listen for IPv4 and IPv6 with HTTP2
-listen [::]:443 ssl http2;
-listen 443 ssl http2;
-
-# Hide NGINX version
-server_tokens off;
-
-# Reverse Proxy Adm
-set_real_ip_from 10.128.0.0/16;
-real_ip_header P-Real-Ip;
-
-# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
-ssl on;
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
-ssl_session_tickets off;
-ssl_protocols TLSv1.2;
-ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
-ssl_prefer_server_ciphers on;
-add_header Strict-Transport-Security max-age=15768000;
-
-# OCSP Stapling,
-ssl_stapling on;
-ssl_stapling_verify on;
-
-# Use more secure ECDH curve
-ssl_ecdh_curve secp521r1:secp384r1;
-
-# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
-ssl_dhparam /etc/ssl/certs/dhparam.pem;

roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2

@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-# Listen for IPv4 and IPv6
-listen 80;
-listen [::]:80;
-
-# Hide NGINX version
-server_tokens off;
-
-# Reverse Proxy Adm
-set_real_ip_from 10.128.0.0/16;
-real_ip_header P-Real-Ip;

roles/nginx-reverseproxy/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded

roles/nginx-reverseproxy/tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: Install NGINX
+  apt:
+    update_cache: true
+    name: nginx
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy snippets
+  template:
+    src: "nginx/snippets/{{ item }}.j2"
+    dest: "/etc/nginx/snippets/{{ item }}"
+  loop:
+    - options-ssl.conf
+    - options-proxypass.conf
+
+- name: Copy dhparam
+  template:
+    src: letsencrypt/dhparam.j2
+    dest: /etc/letsencrypt/dhparam
+
+- name: Copy reverse proxy sites
+  template:
+    src: "nginx/sites-available/{{ item }}.j2"
+    dest: "/etc/nginx/sites-available/{{ item }}"
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Activate sites
+  file:
+    src: "/etc/nginx/sites-available/{{ item }}"
+    dest: "/etc/nginx/sites-enabled/{{ item }}"
+    state: link
+  loop:
+    - reverseproxy
+    - reverseproxy_redirect_dname
+    - redirect
+  notify: Reload nginx
+
+- name: Copy 50x error page
+  template:
+    src: www/html/50x.html.j2
+    dest: /var/www/html/50x.html
+
+- name: Indicate role in motd
+  template:
+    src: update-motd.d/05-service.j2
+    dest: /etc/update-motd.d/05-nginx
+    mode: 0755

roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2

@@ -0,0 +1,67 @@
+{{ ansible_header | comment }}
+
+{% for site in nginx.redirect_sites %}
+# Redirect http://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ site.from }} to https://{{ site.to }}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ site.from }};
+
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endfor %}
+
+{# Also redirect for DNAMEs #}
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.redirect_sites %}
+{% set from = site.from | regex_replace('crans.org', dname) %}
+{% if from != site.from %}
+# Redirect http://{{ from }} to http://{{ site.to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ site.to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ site.to }}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ from }};
+
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
+
+    location / {
+        return 302 https://{{ site.to }}$request_uri;
+    }
+}
+
+{% endif %}
+{% endfor %}
+{% endfor %}

roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2

@@ -0,0 +1,56 @@
+{{ ansible_header | comment }}
+
+# Automatic Connection header for WebSocket support
+# See http://nginx.org/en/docs/http/websocket.html
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+{% for site in nginx.reverseproxy_sites %}
+# Redirect http://{{ site.from }} to https://{{ site.from }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ site.from }};
+
+    location / {
+        return 302 https://$host$request_uri;
+    }
+}
+
+# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ site.from }};
+
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
+
+    # Log into separate log files
+    access_log      /var/log/nginx/{{ site.from }}.log;
+    error_log       /var/log/nginx/{{ site.from }}_error.log;
+
+    # Keep the TCP connection open a bit for faster browsing
+    keepalive_timeout 70;
+
+    # Custom error page
+    error_page  500 502 503 504  /50x.html;
+    location = /50x.html {
+        root /var/www/html;
+    }
+
+    set_real_ip_from 10.231.136.0/24;
+    set_real_ip_from 2a0c:700:0:2::/64;
+    real_ip_header P-Real-Ip;
+
+    location / {
+        proxy_pass http://{{ site.to }};
+        include "/etc/nginx/snippets/options-proxypass.conf";
+    }
+}
+
+{% endfor %}

roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2

@@ -0,0 +1,37 @@
+{{ ansible_header | comment }}
+
+{% for dname in nginx.redirect_dnames %}
+{% for site in nginx.reverseproxy_sites %}
+{% set from = site.from | regex_replace('auro.re', dname) %}
+{% set to = site.from %}
+{% if from != site.from %}
+# Redirect http://{{ from }} to http://{{ to }}
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ from }};
+
+    location / {
+        return 302 http://{{ to }}$request_uri;
+    }
+}
+
+# Redirect https://{{ from }} to https://{{ to }}
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ from }};
+
+    # SSL common conf
+    include "/etc/nginx/snippets/options-ssl.conf";
+
+    location / {
+        return 302 https://{{ to }}$request_uri;
+    }
+}
+
+{% endif %}
+{% endfor %}
+{% endfor %}

roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2

@@ -0,0 +1,19 @@
+{{ ansible_header | comment }}
+
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# Pass the real client IP
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+# Tell proxified server that we are HTTPS, fix Wordpress
+proxy_set_header X-Forwarded-Proto https;
+
+# WebSocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+# For Owncloud WebDav
+client_max_body_size 10G;

roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2

@@ -0,0 +1,17 @@
+{{ ansible_header | comment }}
+
+ssl_certificate {{ nginx.ssl.cert }};
+ssl_certificate_key {{ nginx.ssl.cert_key }};
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_dhparam /etc/letsencrypt/dhparam;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# Enable OCSP Stapling, point to certificate chain
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
+

roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2

@@ -0,0 +1,3 @@
+#!/usr/bin/tail +14
+{{ ansible_header | comment }}
+> NGINX a été déployé sur cette machine. Voir /etc/nginx/.

roles/nginx-reverseproxy/templates/www/html/50x.html.j2

@@ -0,0 +1,63 @@
+<!doctype html>
+<html lang="fr">
+<head>
+    <meta charset="utf-8">
+    <title>502</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <style>
+        * {
+            line-height: 1.2;
+            margin: 0;
+        }
+
+        html {
+            color: #888;
+            display: table;
+            font-family: sans-serif;
+            height: 100%;
+            text-align: center;
+            width: 100%;
+        }
+
+        body {
+            display: table-cell;
+            vertical-align: middle;
+            margin: 2em auto;
+        }
+
+	a {
+	    color: #888;
+            text-decoration: underline dotted;
+	}
+
+        h1 {
+            color: #555;
+            font-size: 2em;
+            font-weight: 400;
+        }
+
+        p {
+            margin: 1em auto;
+            max-width: 480px;
+        }
+
+        @media only screen and (max-width: 280px) {
+            body, p {
+                width: 95%;
+            }
+
+            h1 {
+                font-size: 1.5em;
+                margin: 0 0 0.3em;
+            }
+        }
+    </style>
+</head>
+<body>
+    <h1>502</h1>
+    <p>Whoops, le service prend trop de temps à répondre…</p>
+    <p>Essayez de rafraîchir la page. Si le problème persiste, pensez
+    à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
+</body>
+</html>
+