Add reverse-proxy for Re2o on the portal VM

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-01-24 21:20:53 +01:00 · 2021-01-24 21:20:53 +01:00 · 9bd06520fb
commit 9bd06520fb
parent 6df41d16b5
4 changed files with 51 additions and 5 deletions
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@ -0,0 +1,40 @@
+---
+certbot:
+  domains:
+    - portail.auro.re
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+
+nginx:
+  ssl:
+    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+  redirect_dnames: {}
+
+  redirect_tcp: {}
+
+  redirect_sites:
+    - from: portail.adm.auro.re
+      to: portail.auro.re
+      norequesturi: true
+
+    - from: 10.128.0.247
+      to: portail.auro.re
+      norequesturi: true
+
+    - from: 45.66.111.247
+      to: portail.auro.re
+      norequesturi: true
+
+  reverseproxy_sites:
+    - from: portail.auro.re
+      to: 10.128.0.20
+      custom_args:
+        - "allow 45.66.108.251"
+        - "allow 45.66.108.252"
+        - "allow 45.66.108.253"
+        - "allow 45.66.108.254"
+        - "allow 45.66.108.255"
+        - "deny all"
--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2
@ -9,7 +9,7 @@ server {
    server_name {{ site.from }};

    location / {
-        return 302 http://{{ site.to }}$request_uri;
+        return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }

@ -24,7 +24,7 @@ server {
    include "/etc/nginx/snippets/options-ssl.conf";

    location / {
-        return 302 https://{{ site.to }}$request_uri;
+        return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }

@ -43,7 +43,7 @@ server {
    server_name {{ from }};

    location / {
-        return 302 http://{{ site.to }}$request_uri;
+        return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }

@ -58,7 +58,7 @@ server {
    include "/etc/nginx/snippets/options-ssl.conf";

    location / {
-        return 302 https://{{ site.to }}$request_uri;
+        return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %};
    }
 }

--- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
+++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2
@ -47,6 +47,12 @@ server {
    set_real_ip_from 2a0c:700:0:2::/64;
    real_ip_header P-Real-Ip;

+{% if site.custom_args is defined -%}
+{% for arg in site.custom_args %}
+    {{ arg }};
+{% endfor %}
+{% endif %}
+
    location / {
        proxy_pass http://{{ site.to }};
        include "/etc/nginx/snippets/options-proxypass.conf";
--- a/services_web.yml
+++ b/services_web.yml
@ -11,7 +11,7 @@
    - passbolt

 # Deploy reverse proxy
- hosts: proxy*.adm.auro.re
+- hosts: portail.adm.auro.re,proxy*.adm.auro.re
  roles:
    - certbot
    - nginx_reverseproxy