aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity

New reverse proxy role

Browse source
This commit is contained in:
Alexandre Iooss 2020-05-09 12:52:17 +02:00
parent eae3a3ff44
commit 544498c81a
No known key found for this signature in database
GPG key ID: 6C79278F3FCDCC02
16 changed files with 328 additions and 261 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
roles/nginx-reverse-proxy/handlers/main.yml
View file

@ -1,6 +0,0 @@
---
# Reload NGINX when a site changes
- name: Reload NGINX service
service:
name: nginx
state: reloaded

64
roles/nginx-reverse-proxy/tasks/main.yml
View file

@ -1,64 +0,0 @@
---
# nginx is the proxy server
# nginx-light contains less modules
# but also reduces the surface of attack
- name: Install NGINX server
apt:
update_cache: true
name: nginx-light
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
# Install proxy snippets
- name: Configure NGINX proxy snippets
template:
src: nginx/snippets/{{ item }}.j2
dest: /etc/nginx/snippets/{{ item }}
mode: 0644
loop:
- proxy-common.conf
- proxy-common-ssl.conf
notify: Reload NGINX service
# Install sites
- name: Configure NGINX sites
template:
src: nginx/nginx-sites-available.j2
dest: /etc/nginx/sites-available/{{ item.name }}
mode: 0644
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service
# Desactive useless nginx sites
- name: Deactivate the default NGINX site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: Reload NGINX service
# Activate sites
- name: Activate sites
file:
src: /etc/nginx/sites-available/{{ item.name }}
dest: /etc/nginx/sites-enabled/{{ item.name }}
state: link
loop: "{{ reversed_proxy_subdomains }}"
notify: Reload NGINX service
# Install main site
- name: Configure NGINX main site
template:
src: nginx/nginx-sites-available-main.j2
dest: /etc/nginx/sites-available/main
mode: 0644
notify: Reload NGINX service
# Activate main site
- name: Activate main site
file:
src: /etc/nginx/sites-available/main
dest: /etc/nginx/sites-enabled/main
state: link
notify: Reload NGINX service

107
roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available-main.j2
View file

@ -1,107 +0,0 @@
# {{ ansible_managed }}
server {
# Common proxy snippet
include "snippets/proxy-common.conf";
# Set witch server name we define
server_name auro.re;
# Permanentely moved to HTTPS
location / {
return 301 https://$host$request_uri;
}
# For Matrix Synapse Discord Appservice Media
location /_matrix {
proxy_pass http://synapse.adm.auro.re:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name auro.re;
# Separate log files
access_log /var/log/nginx/main.access.log;
error_log /var/log/nginx/main.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
location / {
proxy_redirect off;
proxy_pass http://www.adm.auro.re;
proxy_set_header Host auro.re;
proxy_set_header P-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
}
# For Matrix identity server
location /_matrix/identity {
proxy_pass http://synapse.adm.auro.re:8090/_matrix/identity;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
# For Matrix Synapse
location /_matrix {
proxy_pass http://synapse.adm.auro.re:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
listen 8448 ssl;
listen [::]:8448 ssl;
# Set witch server name we define
server_name auro.re;
# Separate log files
access_log /var/log/nginx/main.access.log;
error_log /var/log/nginx/main.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
# For Matrix Synapse federation
location / {
proxy_pass http://synapse.adm.auro.re:8008;
proxy_set_header X-Forwarded-For $remote_addr;
}
}
server {
listen 9442 ssl;
listen [::]:9442 ssl;
# Set witch server name we define
server_name auro.re;
# Separate log files
access_log /var/log/nginx/main.access.log;
error_log /var/log/nginx/main.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
# For Matrix Appservice Webhooks
location / {
proxy_pass http://synapse.adm.auro.re:9000;
proxy_set_header X-Forwarded-For $remote_addr;
}
}

40
roles/nginx-reverse-proxy/templates/nginx/nginx-sites-available.j2
View file

@ -1,40 +0,0 @@
# {{ ansible_managed }}
server {
# Common proxy snippet
include "snippets/proxy-common.conf";
# Set witch server name we define
server_name {{ item.from }};
# Permanentely moved to HTTPS
return 301 https://$host$request_uri;
}
server {
# Common proxy snippet
include "snippets/proxy-common-ssl.conf";
# Set witch server name we define
server_name {{ item.from }};
# Separate log files
access_log /var/log/nginx/{{ item.name }}.access.log;
error_log /var/log/nginx/{{ item.name }}.error.log;
# Use LetsEncrypt SSL
ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem;
location / {
proxy_redirect off;
proxy_pass http://{{ item.to }};
proxy_set_header Host {{ item.from }};
proxy_set_header P-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# "A man is not dead while his name is still spoken." -- Going Postal
add_header X-Clacks-Overhead "GNU Terry Pratchett";
}
}

32
roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common-ssl.conf.j2
View file

@ -1,32 +0,0 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6 with HTTP2
listen [::]:443 ssl http2;
listen 443 ssl http2;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;
# SSL based on https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling,
ssl_stapling on;
ssl_stapling_verify on;
# Use more secure ECDH curve
ssl_ecdh_curve secp521r1:secp384r1;
# Executer "cd /etc/ssl/certs; openssl dhparam -out dhparam.pem 4096" avant d'activer
ssl_dhparam /etc/ssl/certs/dhparam.pem;

12
roles/nginx-reverse-proxy/templates/nginx/snippets/proxy-common.conf.j2
View file

@ -1,12 +0,0 @@
# {{ ansible_managed }}
# Listen for IPv4 and IPv6
listen 80;
listen [::]:80;
# Hide NGINX version
server_tokens off;
# Reverse Proxy Adm
set_real_ip_from 10.128.0.0/16;
real_ip_header P-Real-Ip;

5
roles/nginx-reverseproxy/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: nginx
state: reloaded

53
roles/nginx-reverseproxy/tasks/main.yml Normal file
View file

@ -0,0 +1,53 @@
---
- name: Install NGINX
apt:
update_cache: true
name: nginx
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Copy snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
loop:
- options-ssl.conf
- options-proxypass.conf
- name: Copy dhparam
template:
src: letsencrypt/dhparam.j2
dest: /etc/letsencrypt/dhparam
- name: Copy reverse proxy sites
template:
src: "nginx/sites-available/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Activate sites
file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop:
- reverseproxy
- reverseproxy_redirect_dname
- redirect
notify: Reload nginx
- name: Copy 50x error page
template:
src: www/html/50x.html.j2
dest: /var/www/html/50x.html
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755

8
roles/nginx-reverseproxy/templates/letsencrypt/dhparam.j2 Normal file
View file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

67
roles/nginx-reverseproxy/templates/nginx/sites-available/redirect.j2 Normal file
View file

@ -0,0 +1,67 @@
{{ ansible_header | comment }}
{% for site in nginx.redirect_sites %}
# Redirect http://{{ site.from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ site.from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ site.from }} to https://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endfor %}
{# Also redirect for DNAMEs #}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.redirect_sites %}
{% set from = site.from | regex_replace('crans.org', dname) %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ site.to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ site.to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ site.to }}$request_uri;
}
}
{% endif %}
{% endfor %}
{% endfor %}

56
roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy.j2 Normal file
View file

@ -0,0 +1,56 @@
{{ ansible_header | comment }}
# Automatic Connection header for WebSocket support
# See http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
{% for site in nginx.reverseproxy_sites %}
# Redirect http://{{ site.from }} to https://{{ site.from }}
server {
listen 80;
listen [::]:80;
server_name {{ site.from }};
location / {
return 302 https://$host$request_uri;
}
}
# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ site.from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
# Log into separate log files
access_log /var/log/nginx/{{ site.from }}.log;
error_log /var/log/nginx/{{ site.from }}_error.log;
# Keep the TCP connection open a bit for faster browsing
keepalive_timeout 70;
# Custom error page
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/www/html;
}
set_real_ip_from 10.231.136.0/24;
set_real_ip_from 2a0c:700:0:2::/64;
real_ip_header P-Real-Ip;
location / {
proxy_pass http://{{ site.to }};
include "/etc/nginx/snippets/options-proxypass.conf";
}
}
{% endfor %}

37
roles/nginx-reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 Normal file
View file

@ -0,0 +1,37 @@
{{ ansible_header | comment }}
{% for dname in nginx.redirect_dnames %}
{% for site in nginx.reverseproxy_sites %}
{% set from = site.from | regex_replace('auro.re', dname) %}
{% set to = site.from %}
{% if from != site.from %}
# Redirect http://{{ from }} to http://{{ to }}
server {
listen 80;
listen [::]:80;
server_name {{ from }};
location / {
return 302 http://{{ to }}$request_uri;
}
}
# Redirect https://{{ from }} to https://{{ to }}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ from }};
# SSL common conf
include "/etc/nginx/snippets/options-ssl.conf";
location / {
return 302 https://{{ to }}$request_uri;
}
}
{% endif %}
{% endfor %}
{% endfor %}

19
roles/nginx-reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 Normal file
View file

@ -0,0 +1,19 @@
{{ ansible_header | comment }}
proxy_redirect off;
proxy_set_header Host $host;
# Pass the real client IP
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell proxified server that we are HTTPS, fix Wordpress
proxy_set_header X-Forwarded-Proto https;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# For Owncloud WebDav
client_max_body_size 10G;

17
roles/nginx-reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 Normal file
View file

@ -0,0 +1,17 @@
{{ ansible_header | comment }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/letsencrypt/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};

3
roles/nginx-reverseproxy/templates/update-motd.d/05-service.j2 Executable file
View file

@ -0,0 +1,3 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.

63
roles/nginx-reverseproxy/templates/www/html/50x.html.j2 Normal file
View file

@ -0,0 +1,63 @@
<!doctype html>
<html lang="fr">
<head>
<meta charset="utf-8">
<title>502</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
* {
line-height: 1.2;
margin: 0;
}
html {
color: #888;
display: table;
font-family: sans-serif;
height: 100%;
text-align: center;
width: 100%;
}
body {
display: table-cell;
vertical-align: middle;
margin: 2em auto;
}
a {
color: #888;
text-decoration: underline dotted;
}
h1 {
color: #555;
font-size: 2em;
font-weight: 400;
}
p {
margin: 1em auto;
max-width: 480px;
}
@media only screen and (max-width: 280px) {
body, p {
width: 95%;
}
h1 {
font-size: 1.5em;
margin: 0 0 0.3em;
}
}
</style>
</head>
<body>
<h1>502</h1>
<p>Whoops, le service prend trop de temps à répondre…</p>
<p>Essayez de rafraîchir la page. Si le problème persiste, pensez
à contacter <a href="mailto:tech.aurore@lists.crans.org">l'équipe technique d'Aurore</a>.</p>
</body>
</html>