Update captive portal nginx configuration

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-02-01 17:08:06 +01:00 · 2021-02-01 17:08:06 +01:00 · a808e3c793
commit a808e3c793
parent 7e4a2d20c0
3 changed files with 115 additions and 39 deletions
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@ -1,53 +1,116 @@
 ---
-certbot:
+loc_certbot:
  domains:
-    - portail.auro.re
+    - portail-fleming.auro.re
+    - portail-pacaterie.auro.re
+    - portail-rives.auro.re
+    - portail-edc.auro.re
+    - portail-gs.auro.re
  mail: tech.aurore@lists.crans.org
  certname: auro.re

-nginx:
-  ssl:
-    cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-    cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-    trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+loc_nginx:
+  service_name: captive_portal
+  default_server: '$server_addr'
+  default_ssl_server: '$server_addr'

-  redirect_dnames: {}
+  servers:
+    - ssl: false
+      server_name:
+        - "10.13.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"

-  redirect_tcp: {}
+    - ssl: true
+      server_name:
+        - portail-fleming.auro.re
+      locations:
+        - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.80"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-fleming.auro.re/portail/"

-  redirect_sites:
-    - from: 10.13.0.247
-      to: portail-fleming.auro.re
-      norequesturi: true
+    - ssl: false
+      server_name:
+        - 10.23.0.247
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"

-    - from: 10.23.0.247
-      to: portail-.auro.re
-      norequesturi: true
+    - ssl: true
+      server_name:
+        - portail-pacaterie.auro.re
+      locations:
+        - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.80"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-pacaterie.auro.re/portail/"

-    - from: 10.33.0.247
-      to: portail-rives.auro.re
-      norequesturi: true
+    - ssl: false
+      server_name:
+        - "10.33.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"

-    - from: 10.43.0.247
-      to: portail-edc.auro.re
-      norequesturi: true
+    - ssl: true
+      server_name:
+        - portail-rives.auro.re
+      locations:
+        - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.80"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-rives.auro.re/portail/"

-    - from: 10.53.0.247
-      to: portail-gs.auro.re
-      norequesturi: true
+    - ssl: false
+      server_name:
+        - "10.43.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"

-  reverseproxy_sites:
-    - from: portail-fleming.auro.re
-      to: 10.128.0.20
+    - ssl: true
+      server_name:
+        - portail-edc.auro.re
+      locations:
+        - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.80"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-edc.auro.re/portail/"

-    - from: portail-pacaterie.auro.re
-      to: 10.128.0.20
+    - ssl: false
+      server_name:
+        - "10.53.0.247"
+      locations:
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"

-    - from: portail-rives.auro.re
-      to: 10.128.0.20
-
-    - from: portail-edc.auro.re
-      to: 10.128.0.20
-
-    - from: portail-gs.auro.re
-      to: 10.128.0.20
+    - ssl: true
+      server_name:
+        - portail-gs.auro.re
+      locations:
+        - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+          params:
+            - "proxy_pass http://10.128.0.80"
+            - "include /etc/nginx/snippets/options-proxypass.conf"
+        - filter: "/"
+          params:
+            - "return 302 https://portail-gs.auro.re/portail/"
--- a/5
+++ b/5
@ -489,3 +489,8 @@ ldap-replica-ovh.adm.auro.re
 [ldap_replica_rives]
 ldap-replica-rives.adm.auro.re

+[certbot]
+portail.adm.auro.re
+
+[nginx]
+portail.adm.auro.re
--- a/services_web.yml
+++ b/services_web.yml
@ -11,7 +11,15 @@
    - passbolt

 # Deploy reverse proxy
- hosts: portail.adm.auro.re,proxy*.adm.auro.re
+- hosts: proxy*.adm.auro.re
  roles:
    - certbot
    - nginx_reverseproxy
+
+- hosts: portail.adm.auro.re
+  vars:
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
+  roles:
+    - certbot
+    - nginx