Add reverse-proxy for Re2o on the portal VM

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-01-24 21:20:53 +01:00 · 2021-01-24 21:20:53 +01:00 · 9bd06520fb
commit 9bd06520fb
parent 6df41d16b5
4 changed files with 51 additions and 5 deletions
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@ -0,0 +1,40 @@
 ---
 certbot:
  domains:
    - portail.auro.re
  mail: tech.aurore@lists.crans.org
  certname: auro.re
 nginx:
  ssl:
    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
  redirect_dnames: {}
  redirect_tcp: {}
  redirect_sites:
    - from: portail.adm.auro.re
      to: portail.auro.re
      norequesturi: true
    - from: 10.128.0.247
      to: portail.auro.re
      norequesturi: true
    - from: 45.66.111.247
      to: portail.auro.re
      norequesturi: true
  reverseproxy_sites:
    - from: portail.auro.re
      to: 10.128.0.20
      custom_args:
        - "allow 45.66.108.251"
        - "allow 45.66.108.252"
        - "allow 45.66.108.253"
        - "allow 45.66.108.254"
        - "allow 45.66.108.255"
        - "deny all"
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
@ -9,7 +9,7 @@ server {
    server_name {{ site.from }};
    location / {
-        return 302 http://{{ site.to }}$request_uri;
+        return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }
@ -24,7 +24,7 @@ server {
    include "/etc/nginx/snippets/options-ssl.conf";
    location / {
-        return 302 https://{{ site.to }}$request_uri;
+        return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }
@ -43,7 +43,7 @@ server {
    server_name {{ from }};
    location / {
-        return 302 http://{{ site.to }}$request_uri;
+        return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }
@ -58,7 +58,7 @@ server {
    include "/etc/nginx/snippets/options-ssl.conf";
    location / {
-        return 302 https://{{ site.to }}$request_uri;
+        return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@ -47,6 +47,12 @@ server {
    set_real_ip_from 2a0c:700:0:2::/64;
    real_ip_header P-Real-Ip;
 {% if site.custom_args is defined -%}
 {% for arg in site.custom_args %}
    {{ arg }};
 {% endfor %}
 {% endif %}
    location / {
        proxy_pass http://{{ site.to }};
        include "/etc/nginx/snippets/options-proxypass.conf";
--- a/services_web.yml
+++ b/services_web.yml
@ -11,7 +11,7 @@
    - passbolt
 # Deploy reverse proxy
- hosts: proxy*.adm.auro.re
+- hosts: portail.adm.auro.re,proxy*.adm.auro.re
  roles:
    - certbot
    - nginx_reverseproxy