From 7cdef7ee9651e2838b802d718e5f1d376f53be67 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 23 Jan 2021 17:19:50 +0100 Subject: [PATCH 01/20] Fix: keep the logs for 90 days --- roles/logrotate/templates/logrotate.d/rsyslog.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2 index beab470..f47e725 100644 --- a/roles/logrotate/templates/logrotate.d/rsyslog.j2 +++ b/roles/logrotate/templates/logrotate.d/rsyslog.j2 @@ -26,7 +26,7 @@ /var/log/debug /var/log/messages { - rotate 1 + rotate 90 daily missingok notifempty -- 2.45.2 From 5fc2d0a3f9f30aae5a6699a0e62584e6e2f75c46 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 24 Jan 2021 00:09:48 +0100 Subject: [PATCH 02/20] Ajout d'accueil dans keepalived --- roles/router/templates/keepalived.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf index cd217f3..45f5661 100644 --- a/roles/router/templates/keepalived.conf +++ b/roles/router/templates/keepalived.conf @@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + + # Accueil + 10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global } -- 2.45.2 From 5a09b77070d26d70d6d43afbe547892939b2e1d2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 01:30:31 +0100 Subject: [PATCH 03/20] Resolve DNS for the accueil vlan Signed-off-by: Yohann D'ANELLO --- roles/unbound/templates/recursive.conf.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index efdebe1..74d77d9 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 
@@ -23,12 +23,14 @@ server: interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }} # IPv6 interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }} # By default, anything other than localhost is refused. @@ -36,6 +38,7 @@ server: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} -- 2.45.2 From 9af9a7bab8f9c1b7b5fde963c8b8a4a9827f5a51 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 11:38:52 +0100 Subject: [PATCH 04/20] Redirect the proxy IP address to intranet.auro.re by default Signed-off-by: Yohann D'ANELLO --- host_vars/proxy.adm.auro.re.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml index b8fb2c3..04184fc 100644 --- a/host_vars/proxy.adm.auro.re.yml +++ b/host_vars/proxy.adm.auro.re.yml @@ -33,7 +33,7 @@ nginx: redirect_sites: - from: 45.66.111.61 - to: auro.re + to: intranet.auro.re reverseproxy_sites: - from: re2o.auro.re -- 2.45.2 From 89ebbd423e3d3f128766616776962af8f8a024e6 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 11:44:30 +0100 Subject: [PATCH 05/20] Use the local firewall repository 
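Review bot: The new `access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow` in the second hunk gives the accueil VLAN the same unrestricted recursion as the authenticated user VLANs, and the later patches in this series treat that VLAN as hosts that have not yet passed the captive portal. A portal cannot redirect without working DNS, so the allow is needed, but a comment saying that these clients are unauthenticated, plus a per-source limit such as `ip-ratelimit` if this unbound build supports it, would keep the resolver from being monopolised by a pre-authentication host. The `server:` section continues outside both hunks.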
Signed-off-by: Yohann D'ANELLO --- roles/router/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 2014572..a0b8805 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -34,7 +34,7 @@ import_role: name: re2o-service vars: - service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git + service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git service_name: aurore-firewall service_version: aurore service_config: -- 2.45.2 From a7b073e1cc8cf92a1bb2741853a14b4c53e30c35 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 12:04:21 +0100 Subject: [PATCH 06/20] Add captive portal firewall configuration Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 31 ++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 4f6b755..68f66b2 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -25,13 +25,14 @@ ### Give me a role # previously: routeur4 = routeur IPv4 -role = ['routeur'] +role = ['routeur', 'portail'] ### Specify each interface role interfaces_type = { - 'routable' : ['ens20', 'ens21'], + 'routable' : ['ens20', 'ens21', 'ens23'], + 'routable-portail' : ['ens23'], 'sortie' : ['ens19'], 'admin' : ['ens18'] } 
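Review bot: `service_version: aurore` on the context line just below the changed `service_repo` looks like a branch name rather than a tag or commit, so every run now deploys whatever is at the head of that branch on gitea.auro.re. Moving hosts is the moment to pin it, e.g. `service_version: <tag-or-commit placeholder>`, so a change in the repository cannot silently change the firewall rules applied to the routers. If the re2o-service role verifies nothing beyond the clone, that pin is the only integrity check the router gets; the `import_role` task starts above the hunk.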
@@ -61,5 +62,29 @@ nat = [ apartment_block_id }}', '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' } - } + }, + { + 'name': 'Accueil', + 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', + 'extra_nat': { + '10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}' + }, + }, ] + +portail = { + "authorized_hosts": { + "tcp": { + "45.66.111.61": ["80", "443"], + "92.222.211.195": ["80", "443"] + }, + "udp": {} + }, + "ip_redirect": { + "0.0.0.0/0": { + "tcp": { + "45.66.111.61": ["80", "443"] + } + } + } +} -- 2.45.2 From e02670afb0e3919a3135f9595e4f4960402a1755 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 24 Jan 2021 14:28:31 +0100 Subject: [PATCH 07/20] Les caches unbound renvoie les addresses en 10/8 --- roles/unbound/templates/recursive.conf.j2 | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index 74d77d9..6956ae5 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -43,8 +43,6 @@ server: num-threads: {{ ansible_processor_vcpus }} - private-address: 10.0.0.0/8 - # The host cache TTL affects blacklisting of supposedly bogus hosts. # The default was 900 (15 minutes). infra-host-ttl: 60 -- 2.45.2 From 6df41d16b52e5c9c4539074cb55f4a7d0228680b Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 15:50:40 +0100 Subject: [PATCH 08/20] Add portail VM Signed-off-by: Yohann D'ANELLO --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index eec54a0..3f03ed2 100644 --- a/hosts +++ b/hosts @@ -35,6 +35,7 @@ services-web.adm.auro.re mail.adm.auro.re wikijs.adm.auro.re prometheus-aurore.adm.auro.re +portail.adm.auro.re [aurore_testing_vm] pendragon.adm.auro.re -- 2.45.2 From 9bd06520fb8671bbcded98a24f345b5988dfe0b3 Mon Sep 17 00:00:00 2001 
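Review bot: `"92.222.211.195": ["80", "443"]` in `authorized_hosts` carries no comment saying what that host is, whereas `45.66.111.61` is recognisable as the portal target used in `ip_redirect`; a one-line `# <service name>` next to it keeps the allow list auditable. The `"0.0.0.0/0"` entry redirects all other tcp/80 and tcp/443 traffic to the portal, which is presumably the intent, but the `nat` entry added just above maps the whole accueil `/16` to a public address, so pre-authentication hosts are NATed on every other port unless the `portail` role blocks them in the firewall code that is not part of this repository — worth confirming and stating in a comment.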
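Review bot: Dropping `private-address: 10.0.0.0/8` removes unbound's DNS-rebinding protection for the entire private range in order to let internal names resolve to 10/8, which is the wrong lever. Keep the `private-address` line and declare the zones that may legitimately return such addresses with `private-domain`, e.g. `private-domain: "auro.re"` if the internal names live under that zone (confirm against the zone files); answers from any other domain pointing into 10/8 are then still scrubbed. The surrounding `server:` block continues outside the hunk.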
From: Yohann D'ANELLO Date: Sun, 24 Jan 2021 21:20:53 +0100 Subject: [PATCH 09/20] Add reverse-proxy for Re2o on the portal VM Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 40 +++++++++++++++++++ .../nginx/sites-available/redirect.j2 | 8 ++-- .../nginx/sites-available/reverseproxy.j2 | 6 +++ services_web.yml | 2 +- 4 files changed, 51 insertions(+), 5 deletions(-) create mode 100644 host_vars/portail.adm.auro.re.yml diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml new file mode 100644 index 0000000..65aea34 --- /dev/null +++ b/host_vars/portail.adm.auro.re.yml @@ -0,0 +1,40 @@ +--- +certbot: + domains: + - portail.auro.re + mail: tech.aurore@lists.crans.org + certname: auro.re + +nginx: + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + + redirect_dnames: {} + + redirect_tcp: {} + + redirect_sites: + - from: portail.adm.auro.re + to: portail.auro.re + norequesturi: true + + - from: 10.128.0.247 + to: portail.auro.re + norequesturi: true + + - from: 45.66.111.247 + to: portail.auro.re + norequesturi: true + + reverseproxy_sites: + - from: portail.auro.re + to: 10.128.0.20 + custom_args: + - "allow 45.66.108.251" + - "allow 45.66.108.252" + - "allow 45.66.108.253" + - "allow 45.66.108.254" + - "allow 45.66.108.255" + - "deny all" diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 index 28e9b7d..9b0e8ca 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 +++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 @@ -9,7 +9,7 @@ server { server_name {{ site.from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } 
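Review bot: `{% if site.norequesturi is not defined %}` tests for presence rather than truth, so an entry with `norequesturi: false` still drops `$request_uri`; `{% if not site.norequesturi | default(false) %}` gives the expected behaviour and reads as the boolean it is. The same test is repeated in the three later hunks of this file and should change with it. The `server` block continues above and below the hunk.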
@@ -24,7 +24,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } @@ -43,7 +43,7 @@ server { server_name {{ from }}; location / { - return 302 http://{{ site.to }}$request_uri; + return 302 http://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } @@ -58,7 +58,7 @@ server { include "/etc/nginx/snippets/options-ssl.conf"; location / { - return 302 https://{{ site.to }}$request_uri; + return 302 https://{{ site.to }}{% if site.norequesturi is not defined %}$request_uri{% endif %}; } } diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 index d29d13c..9c8c152 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 @@ -47,6 +47,12 @@ server { set_real_ip_from 2a0c:700:0:2::/64; real_ip_header P-Real-Ip; +{% if site.custom_args is defined -%} +{% for arg in site.custom_args %} + {{ arg }}; +{% endfor %} +{% endif %} + location / { proxy_pass http://{{ site.to }}; include "/etc/nginx/snippets/options-proxypass.conf"; diff --git a/services_web.yml b/services_web.yml index 6bc6a6d..73b900b 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,7 +11,7 @@ - passbolt # Deploy reverse proxy -- hosts: proxy*.adm.auro.re +- hosts: portail.adm.auro.re,proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy -- 2.45.2 From ba9e60dba88918f70af5759bc02be26fffb59d99 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Thu, 28 Jan 2021 22:08:48 +0100 Subject: [PATCH 10/20] Update the nginx configuration of the captive portal 
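Review bot: The `{{ arg }};` lines splice each `custom_args` string into the server block verbatim, and the portail host_vars in this patch use them for `allow`/`deny` rules. Those rules are evaluated on `$remote_addr`, which the `real_ip_header P-Real-Ip` directive two lines above rewrites from a request header for connections arriving from the `set_real_ip_from` ranges, so the allow list is only as strong as the trust in those ranges. A comment stating that dependency next to the `custom_args` loop, or a dedicated `allowed_sources` list (placeholder name) that the template renders into `allow`/`deny` itself, would make it visible. The `server` block starts outside the hunk.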
Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 41 ++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index 65aea34..8af0987 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml @@ -16,25 +16,38 @@ nginx: redirect_tcp: {} redirect_sites: - - from: portail.adm.auro.re - to: portail.auro.re + - from: 10.13.0.247 + to: portail-fleming.auro.re norequesturi: true - - from: 10.128.0.247 - to: portail.auro.re + - from: 10.23.0.247 + to: portail-.auro.re norequesturi: true - - from: 45.66.111.247 - to: portail.auro.re + - from: 10.33.0.247 + to: portail-rives.auro.re + norequesturi: true + + - from: 10.43.0.247 + to: portail-edc.auro.re + norequesturi: true + + - from: 10.53.0.247 + to: portail-gs.auro.re norequesturi: true reverseproxy_sites: - - from: portail.auro.re + - from: portail-fleming.auro.re + to: 10.128.0.20 + + - from: portail-pacaterie.auro.re + to: 10.128.0.20 + + - from: portail-rives.auro.re + to: 10.128.0.20 + + - from: portail-edc.auro.re + to: 10.128.0.20 + + - from: portail-gs.auro.re to: 10.128.0.20 - custom_args: - - "allow 45.66.108.251" - - "allow 45.66.108.252" - - "allow 45.66.108.253" - - "allow 45.66.108.254" - - "allow 45.66.108.255" - - "deny all" -- 2.45.2 From 154cbedec214b61e012a94e7114f57f01e6cf284 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 15:50:32 +0100 Subject: [PATCH 11/20] Deploy firewall config for the captive portal Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 42 ++++++++++++++--------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 68f66b2..6909b85 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
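Review bot: `to: portail-.auro.re` for `10.23.0.247` is missing the site name; the matching `reverseproxy_sites` entry below is `portail-pacaterie.auro.re`, so this redirect lands on a name nginx does not serve. The hunk also drops the `custom_args` `allow`/`deny` list, leaving the five reverse proxies to `10.128.0.20` reachable from any source that can reach the portal VM; if that is intended now that the portal is per site, the commit message should say so.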
@@ -25,14 +25,13 @@ ### Give me a role # previously: routeur4 = routeur IPv4 -role = ['routeur', 'portail'] +role = ['routeur'] ### Specify each interface role interfaces_type = { 'routable' : ['ens20', 'ens21', 'ens23'], - 'routable-portail' : ['ens23'], 'sortie' : ['ens19'], 'admin' : ['ens18'] } @@ -67,24 +66,35 @@ nat = [ 'name': 'Accueil', 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', 'extra_nat': { - '10.{{ subnet_ids.users_accueil }}.0.0/16': '45.66.108.25{{ apartment_block_id }}' + '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ + apartment_block_id }}', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' }, + 'extra_nat_group': 'accueil_ens23_allowed', }, ] -portail = { - "authorized_hosts": { - "tcp": { - "45.66.111.61": ["80", "443"], - "92.222.211.195": ["80", "443"] - }, - "udp": {} - }, - "ip_redirect": { - "0.0.0.0/0": { +# ATTENTION: on doit avoir retry ≥ grace +# ATTENTION: il faut que ip_redirect gère tous les ports +# autorisés dans le profile re2o, sinon on laisse sortir +# du trafic +accueils = [ + { + 'iface': 'ens23', + 'grace_period': 1800, + 'retry_period': 86400, + 'ip_sources': [ + '10.{{ subnet_ids.users_accueil }}.1.0/24', + '10.{{ subnet_ids.users_accueil }}.2.0/24', + ], + 'ip_redirect': { "tcp": { - "45.66.111.61": ["80", "443"] + "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"], } - } + }, + 'triggers': [ + ('4', 'tcp', '46.255.53.35', 443), # ComNPay + ('4', 'tcp', '46.255.53.35', 80), + ] } -} +] -- 2.45.2 From 889cb764c138887bbeb5d5e564f3c45eabc947b2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:07:10 +0100 Subject: [PATCH 12/20] Clone certbot role from Crans 
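Review bot: In the `extra_nat` mapping, `'45.66.108.25{{` is broken across a line with `apartment_block_id }}'` on the next; Jinja accepts a newline inside `{{ }}` so the rendered value is still one address, but it reads like an accidental wrap and will trip anyone checking the generated file. Put the expression on one line, as the sibling `.2.0/24` entry does. In `triggers`, the IP version is the string `'4'` while the port is the int `443`; one representation for both avoids surprises in the consumer. `ip_redirect` covers only tcp/80 and tcp/443, which the `# ATTENTION` comment above it says must match every port open in the re2o profile — a pointer to where that profile is defined would let a reviewer verify it.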
Signed-off-by: Yohann D'ANELLO --- group_vars/certbot.yml | 8 ++++++++ roles/certbot/tasks/main.yml | 17 +++++++++++++++-- .../letsencrypt/conf.d/certname.ini.j2 | 9 +++++++-- .../templates/letsencrypt/rfc2136.ini.j2 | 7 +++++++ 4 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 group_vars/certbot.yml create mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml new file mode 100644 index 0000000..011aa68 --- /dev/null +++ b/group_vars/certbot.yml @@ -0,0 +1,8 @@ +--- +glob_certbot: + dns_rfc2136_server: '10.128.0.30' + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: tech.aurore@lists.crans.org + certname: auro.re + domains: "auro.re" diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index cbce286..549e7a2 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -1,10 +1,10 @@ --- -- name: Install certbot and nginx plugin +- name: Install certbot and RFC2136 plugin apt: update_cache: true name: - certbot - - python3-certbot-nginx + - python3-certbot-dns-rfc2136 register: pkg_result retries: 3 until: pkg_result is succeeded @@ -15,6 +15,19 @@ state: directory mode: 0755 +- name: Lookup DNS masters IPv4 + set_fact: + dns_masters_ipv4: + - "10.128.0.30" + cacheable: true + +- name: Add DNS credentials + template: + src: letsencrypt/rfc2136.ini.j2 + dest: /etc/letsencrypt/rfc2136.ini + mode: 0600 + owner: root + - name: Add Certbot configuration template: src: "letsencrypt/conf.d/certname.ini.j2" diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 index c23d930..88512d2 100644 --- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 +++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 
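Review bot: The `Lookup DNS masters IPv4` task sets `dns_masters_ipv4` to a hardcoded `10.128.0.30`, but nothing in this patch reads it; the rfc2136 template uses `certbot.dns_rfc2136_server`, which `group_vars/certbot.yml` sets to the same address. Either drop the task or have the template consume the fact so the address lives in one place. `group_vars/certbot.yml` also sets `domains: "auro.re"` as a scalar while the existing portail host_vars use a list under `domains:`; whichever form the certname template expects, the two should agree.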
@@ -15,8 +15,13 @@ email = {{ certbot.mail }} # Uncomment to use a text interface instead of ncurses text = True -# Use nginx challenge -authenticator = nginx +# Yes I want to sell my soul and my guinea pig. +agree-tos = True + +# Use DNS-01 challenge +authenticator = dns-rfc2136 +dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini +dns-rfc2136-propagation-seconds = 30 # Wildcard the domain cert-name = {{ certbot.certname }} diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 new file mode 100644 index 0000000..948f6a1 --- /dev/null +++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 @@ -0,0 +1,7 @@ +{{ ansible_managed | comment(decoration='# ') }} + +dns_rfc2136_server = {{ certbot.dns_rfc2136_server }} +dns_rfc2136_port = 53 +dns_rfc2136_name = {{ certbot.dns_rfc2136_name }} +dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }} +dns_rfc2136_algorithm = HMAC-SHA512 -- 2.45.2 From 7e4a2d20c01157247d3abf124dd2203785580c7d Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:07:23 +0100 Subject: [PATCH 13/20] Clone nginx role from Crans 
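Review bot: The `rfc2136.ini` template writes a TSIG secret that can update the zone, while certbot only ever needs to create and delete `_acme-challenge` TXT records, and nothing says the key named by `dns_rfc2136_name` is restricted accordingly on the master. A comment such as `# this key must be limited to _acme-challenge TXT updates on the DNS master` documents the expectation; the task deploying the file 0600/root is right. `dns-rfc2136-propagation-seconds = 30` is a fixed wait, which is fine if the master and the resolver certbot uses are local, otherwise first renewals may fail — worth confirming.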
Signed-off-by: Yohann D'ANELLO --- group_vars/nginx.yml | 24 ++++ roles/nginx/handlers/main.yml | 5 + roles/nginx/tasks/main.yml | 121 ++++++++++++++++++ roles/nginx/templates/letsencrypt/dhparam.j2 | 8 ++ roles/nginx/templates/nginx/passwd.j2 | 4 + .../nginx/sites-available/redirect.j2 | 67 ++++++++++ .../nginx/sites-available/reverseproxy.j2 | 56 ++++++++ .../reverseproxy_redirect_dname.j2 | 37 ++++++ .../nginx/sites-available/service.j2 | 114 +++++++++++++++++ .../templates/nginx/snippets/fastcgi.conf.j2 | 18 +++ .../nginx/snippets/options-proxypass.conf.j2 | 19 +++ .../nginx/snippets/options-ssl.conf.j2 | 17 +++ .../templates/update-motd.d/05-service.j2 | 3 + roles/nginx/templates/www/html/401.html.j2 | 18 +++ roles/nginx/templates/www/html/50x.html.j2 | 63 +++++++++ roles/nginx/templates/www/html/robots.txt.j2 | 4 + 16 files changed, 578 insertions(+) create mode 100644 group_vars/nginx.yml create mode 100644 roles/nginx/handlers/main.yml create mode 100644 roles/nginx/tasks/main.yml create mode 100644 roles/nginx/templates/letsencrypt/dhparam.j2 create mode 100644 roles/nginx/templates/nginx/passwd.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/redirect.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/reverseproxy.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 create mode 100644 roles/nginx/templates/nginx/sites-available/service.j2 create mode 100644 roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 create mode 100644 roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 create mode 100644 roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 create mode 100755 roles/nginx/templates/update-motd.d/05-service.j2 create mode 100644 roles/nginx/templates/www/html/401.html.j2 create mode 100644 roles/nginx/templates/www/html/50x.html.j2 create mode 100644 roles/nginx/templates/www/html/robots.txt.j2 
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml new file mode 100644 index 0000000..eef80da --- /dev/null +++ b/group_vars/nginx.yml @@ -0,0 +1,24 @@ +--- +glob_nginx: + contact: tech.aurore@lists.crans.org + who: "L'équipe technique d'Aurore" + service_name: service + ssl: + cert: /etc/letsencrypt/live/auro.re/fullchain.pem + cert_key: /etc/letsencrypt/live/auro.re/privkey.pem + trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem + servers: + - ssl: false + server_name: + - "default" + - "_" + root: "/var/www/html" + locations: + - filter: "/" + params: [] + upstreams: [] + + auth_passwd: [] + default_server: + default_ssl_server: + deploy_robots_file: false diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml new file mode 100644 index 0000000..6dfcdd7 --- /dev/null +++ b/roles/nginx/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nginx + systemd: + name: nginx + state: reloaded diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml new file mode 100644 index 0000000..4d4179c --- /dev/null +++ b/roles/nginx/tasks/main.yml 
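Review bot: `auth_passwd: []` defaults the variable to a list, but `roles/nginx/templates/nginx/passwd.j2` in this same patch iterates it with `.items()`, which needs a mapping; the empty default only works because the `Install passwords` task is skipped at length 0, and the first host that overrides it with a list fails at render time. Use `auth_passwd: {}` so the default matches the template. `default_server:` and `default_ssl_server:` are left null, which the `{% if nginx.default_server -%}` tests in `service.j2` handle; a comment noting that empty means no catch-all server would help.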
@@ -0,0 +1,121 @@ +--- +- name: Install NGINX + apt: + update_cache: true + name: nginx + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Copy snippets + template: + src: "nginx/snippets/{{ item }}.j2" + dest: "/etc/nginx/snippets/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - options-ssl.conf + - options-proxypass.conf + +- name: Copy dhparam + template: + src: letsencrypt/dhparam.j2 + dest: /etc/letsencrypt/dhparam + owner: root + group: root + mode: 0644 + +- name: Disable default site + file: + dest: "/etc/nginx/sites-enabled/default" + state: absent + +- name: Copy reverse proxy sites + when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined + template: + src: "nginx/sites-available/{{ item }}.j2" + dest: "/etc/nginx/sites-available/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + +- name: Activate reverse proxy sites + when: nginx.reverseproxy_sites is defined or nginx.redirect_sites is defined + file: + src: "/etc/nginx/sites-available/{{ item }}" + dest: "/etc/nginx/sites-enabled/{{ item }}" + owner: root + group: root + state: link + loop: + - reverseproxy + - reverseproxy_redirect_dname + - redirect + notify: Reload nginx + ignore_errors: "{{ ansible_check_mode }}" + +- name: Copy service nginx configuration + when: nginx.servers is defined and nginx.servers|length > 0 + template: + src: "nginx/sites-available/service.j2" + dest: "/etc/nginx/sites-available/{{ nginx.service_name }}" + owner: root + group: root + mode: 0644 + notify: Reload nginx + +- name: Activate local nginx service site + when: nginx.servers is defined and nginx.servers|length > 0 + file: + src: "/etc/nginx/sites-available/{{ nginx.service_name }}" + dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}" + owner: root + group: root + state: link + notify: Reload nginx + ignore_errors: "{{ ansible_check_mode }}" + +- 
name: Copy 50x error page + template: + src: www/html/50x.html.j2 + dest: /var/www/html/50x.html + owner: www-data + group: www-data + mode: 0644 + +- name: Copy robots.txt file + when: nginx.deploy_robots_file + template: + src: www/html/robots.txt.j2 + dest: /var/www/html/robots.txt + owner: www-data + group: www-data + mode: 0644 + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-nginx + mode: 0755 + +- name: Install passwords + when: nginx.auth_passwd|length > 0 + template: + src: nginx/passwd.j2 + dest: /etc/nginx/passwd + mode: 0644 + +- name: Copy 401 error page + when: nginx.auth_passwd|length > 0 + template: + src: www/html/401.html.j2 + dest: /var/www/html/401.html + owner: www-data + group: www-data + mode: 0644 diff --git a/roles/nginx/templates/letsencrypt/dhparam.j2 b/roles/nginx/templates/letsencrypt/dhparam.j2 new file mode 100644 index 0000000..9b182b7 --- /dev/null +++ b/roles/nginx/templates/letsencrypt/dhparam.j2 @@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2 new file mode 100644 index 0000000..6e61ce2 --- /dev/null +++ b/roles/nginx/templates/nginx/passwd.j2 @@ -0,0 +1,4 @@ +# {{ ansible_managed }} +{% for user, hash in nginx.auth_passwd.items() -%} +{{ user }}: {{ hash }} +{% endfor -%} diff --git a/roles/nginx/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2 new file mode 100644 index 0000000..28e9b7d --- /dev/null 
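Review bot: `Install passwords` writes `/etc/nginx/passwd` with `mode: 0644` and no owner or group, so the basic-auth hashes are readable by every local account, while nginx's workers only need group read. `mode: 0640`, `owner: root`, `group: www-data` keeps the file to nginx (assuming the Debian default worker user; verify). The rest of the play, including the `Copy snippets` loop, is in the same hunk above.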
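Review bot: `{{ user }}: {{ hash }}` emits a space after the colon, and the password-file format nginx reads is `name:hash` with no whitespace after the separator; as far as I can tell the leading space becomes part of the stored hash and no login verifies. Change the line to `{{ user }}:{{ hash }}`.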
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2 @@ -0,0 +1,67 @@ +# {{ ansible_managed }} + +{% for site in nginx.redirect_sites %} +# Redirect http://{{ site.from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ site.from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endfor %} + +{# Also redirect for DNAMEs #} +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.redirect_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ site.to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ site.to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ site.to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 new file mode 100644 index 0000000..d29d13c --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 
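Review bot: `regex_replace('crans.org', dname)` in the DNAME loop hard-codes the upstream project's apex; in this repository the `site.from` values end in `auro.re`, so the substitution never matches, `from != site.from` is never true, and no DNAME server is generated. The same literal is in `reverseproxy_redirect_dname.j2` in this patch. Replace it with the local apex, anchored and with the dot escaped, along the lines of `regex_replace('auro\.re$', dname)` (check the escaping this Jinja expects), or better a variable such as `nginx.base_domain` (placeholder name) so the role is not tied to one site.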
@@ -0,0 +1,56 @@ +# {{ ansible_managed }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for site in nginx.reverseproxy_sites %} +# Redirect http://{{ site.from }} to https://{{ site.from }} +server { + listen 80; + listen [::]:80; + + server_name {{ site.from }}; + + location / { + return 302 https://$host$request_uri; + } +} + +# Reverse proxify https://{{ site.from }} to http://{{ site.to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ site.from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + # Log into separate log files + access_log /var/log/nginx/{{ site.from }}.log; + error_log /var/log/nginx/{{ site.from }}_error.log; + + # Keep the TCP connection open a bit for faster browsing + keepalive_timeout 70; + + # Custom error page + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /var/www/html; + } + + set_real_ip_from 10.231.136.0/24; + set_real_ip_from 2a0c:700:0:2::/64; + real_ip_header P-Real-Ip; + + location / { + proxy_pass http://{{ site.to }}; + include "/etc/nginx/snippets/options-proxypass.conf"; + } +} + +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 new file mode 100644 index 0000000..4edda25 --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 
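Review bot: `set_real_ip_from 10.231.136.0/24`, `set_real_ip_from 2a0c:700:0:2::/64` and `real_ip_header P-Real-Ip` appear to be inherited from the cloned role; neither range matches the `10.{{ subnet_ids… }}` or `{{ ipv6_base_prefix }}` addressing used elsewhere in this series, so they presumably do not describe any front proxy here. Trusting a client-supplied header from a range that is not your proxy lets whatever sits in it replace `$remote_addr` in the logs and in any `allow`/`deny` rule added to these servers. Either populate the ranges from a variable holding the real upstream proxies or delete the three lines until there is one.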
@@ -0,0 +1,37 @@ +# {{ ansible_managed }} + +{% for dname in nginx.redirect_dnames %} +{% for site in nginx.reverseproxy_sites %} +{% set from = site.from | regex_replace('crans.org', dname) %} +{% set to = site.from %} +{% if from != site.from %} +# Redirect http://{{ from }} to http://{{ to }} +server { + listen 80; + listen [::]:80; + + server_name {{ from }}; + + location / { + return 302 http://{{ to }}$request_uri; + } +} + +# Redirect https://{{ from }} to https://{{ to }} +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ from }}; + + # SSL common conf + include "/etc/nginx/snippets/options-ssl.conf"; + + location / { + return 302 https://{{ to }}$request_uri; + } +} + +{% endif %} +{% endfor %} +{% endfor %} diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 new file mode 100644 index 0000000..3d9db5d --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/service.j2 
@@ -0,0 +1,114 @@ +# {{ ansible_managed }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for upstream in nginx.upstreams -%} +upstream {{ upstream.name }} { + # Path of the server + server {{ upstream.server }}; +} +{% endfor -%} + +{% if nginx.default_ssl_server -%} +# Redirect all services to the main site +server { + listen 443 default_server ssl; + listen [::]:443 default_server ssl; + include "/etc/nginx/snippets/options-ssl.conf"; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 https://{{ nginx.default_ssl_server }}$request_uri; + } +} +{% endif -%} + +{% if nginx.default_server -%} +# Redirect all services to the main site +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 http://{{ nginx.default_server }}$request_uri; + } +} +{% endif -%} + +{% for server in nginx.servers %} +{% if server.ssl is defined and server.ssl -%} +# Redirect HTTP to HTTPS +server { + listen 80; + listen [::]:80; + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + location / { + return 302 https://$host$request_uri; + } +} +{% endif -%} + +server { + {% if server.ssl is defined and server.ssl -%} + listen 443 ssl; + listen [::]:443 ssl; + include "/etc/nginx/snippets/options-ssl.conf"; + {% else -%} + listen 80; + listen [::]:80; + {% endif -%} + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + + {% if server.root is defined -%} + root {{ server.root }}; + {% endif -%} + {% if server.index is defined -%} + index {{ server.index|join(" ") }}; + {% endif -%} + + {% if server.access_log is defined -%} + access_log {{ 
server.access_log }}; + {% endif -%} + {% if server.error_log is defined -%} + error_log {{ server.error_log }}; + {% endif -%} + + {% if server.locations is defined -%} + + {% for location in server.locations -%} + location {{ location.filter }} { + {% for param in location.params -%} + {{ param }}; + {% endfor -%} + } + {% endfor -%} +{% endif -%} +} +{% endfor %} diff --git a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 new file mode 100644 index 0000000..0b21030 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info (^/[^/]*)(.*)$; + +# check that the PHP script exists before passing it +try_files $fastcgi_script_name =404; + +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; + +# Let NGINX handle errors +fastcgi_intercept_errors on; + +include /etc/nginx/fastcgi.conf; +fastcgi_pass unix:/var/run/fcgiwrap.socket; diff --git a/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 new file mode 100644 index 0000000..9515d81 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 @@ -0,0 +1,19 @@ +# {{ ansible_managed }} + +proxy_redirect off; +proxy_set_header Host $host; + +# Pass the real client IP +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + +# Tell proxified server that we are HTTPS, fix Wordpress +proxy_set_header X-Forwarded-Proto https; + +# WebSocket support +proxy_http_version 1.1; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header Connection $connection_upgrade; + +# For Owncloud WebDav +client_max_body_size 10G; 
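Review bot: The location loop near the end of the template emits `{{ param }};` verbatim, so a `params` entry that already ends with `;` or contains `}` alters the structure of the generated file instead of failing loudly; a comment above the loop such as `# each param is a raw nginx directive without its trailing ';' — it is inserted unescaped` makes that contract explicit for people editing host_vars. In the same region `{% endif -%}` sits at column 0 while its `{% if server.locations is defined -%}` is indented with the directives, which is easy to misread as closing the server block. The start of this file is on the previous line of the page and the template is complete within the hunk.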
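Review bot: The comment above `fastcgi_split_path_info` names `$fastcgi_path`, but the directive populates `$fastcgi_script_name` and `$fastcgi_path_info`, the latter being what `set $path_info $fastcgi_path_info;` reads two lines below; `# regex to split $uri into $fastcgi_script_name and $fastcgi_path_info` matches the code. Checking `try_files $fastcgi_script_name =404;` before handing off to fcgiwrap is the right order. `fastcgi_intercept_errors on;` means a script's own error body is replaced by the nginx error page, which is worth one sentence in the comment so nobody expects backend diagnostics to reach the client.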
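Review bot: `proxy_set_header X-Forwarded-Proto https;` is hard-coded, so a plain-HTTP server block that includes this snippet (service.j2 accepts `ssl: false` servers with arbitrary `include` params) would tell the backend the request arrived over TLS; `proxy_set_header X-Forwarded-Proto $scheme;` is correct in both cases and keeps the Wordpress fix. Next to `X-Forwarded-For`, a comment is worth adding: `$proxy_add_x_forwarded_for` appends to whatever header the client sent, so a backend that authorises by address should read `X-Real-IP`, which is set from `$remote_addr`, rather than the first entry of the list.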
diff --git a/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 new file mode 100644 index 0000000..fee51c6 --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +ssl_certificate {{ nginx.ssl.cert }}; +ssl_certificate_key {{ nginx.ssl.cert_key }}; +ssl_session_timeout 1d; +ssl_session_cache shared:MozSSL:10m; +ssl_session_tickets off; +ssl_dhparam /etc/letsencrypt/dhparam; +ssl_protocols TLSv1.2 TLSv1.3; +ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +ssl_prefer_server_ciphers off; + +# Enable OCSP Stapling, point to certificate chain +ssl_stapling on; +ssl_stapling_verify on; +ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; + diff --git a/roles/nginx/templates/update-motd.d/05-service.j2 b/roles/nginx/templates/update-motd.d/05-service.j2 new file mode 100755 index 0000000..fdff0b8 --- /dev/null +++ b/roles/nginx/templates/update-motd.d/05-service.j2 @@ -0,0 +1,3 @@ +#!/usr/bin/tail +14 +# {{ ansible_managed }} +> NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/roles/nginx/templates/www/html/401.html.j2 b/roles/nginx/templates/www/html/401.html.j2 new file mode 100644 index 0000000..93fc38a --- /dev/null +++ b/roles/nginx/templates/www/html/401.html.j2 @@ -0,0 +1,18 @@ +{{ ansible_header | comment('xml') }} + + + + Accès refusé + + + +
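Review bot: `ssl_stapling on;` together with `ssl_stapling_verify on;` needs a `resolver` directive so nginx can look up the OCSP responder named in the certificate; unless nginx.conf outside this series already sets one, the staple is never fetched, nginx only logs a warning, and clients silently get no OCSP response. Adding `resolver` in the http context, or a comment in this snippet stating where it is configured, closes that gap. The protocol and cipher settings follow the Mozilla intermediate profile; a comment citing the profile and the date it was copied would make future refreshes easier.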

Accès refusé

+

+ Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe. +

+
    +
  • Identifiant : Stop
  • +
  • Mot de passe : Spam
  • +
+ + diff --git a/roles/nginx/templates/www/html/50x.html.j2 b/roles/nginx/templates/www/html/50x.html.j2 new file mode 100644 index 0000000..078e2de --- /dev/null +++ b/roles/nginx/templates/www/html/50x.html.j2 @@ -0,0 +1,63 @@ + + + + + 502 + + + + +
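Review bot: The page prints the basic-auth credentials in clear (`Identifiant : Stop`, `Mot de passe : Spam`), which is consistent with its stated purpose of deterring crawlers, but nothing in the template tells a maintainer that this realm is not an access control. A comment at the top, e.g. `{# credentials below are intentionally public: this prompt only deters robots and must never protect anything sensitive #}`, prevents the realm from being reused for real protection later. The markup itself is not legible in this view, so only the text content was reviewed.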

502

+

Whoops, le service prend trop de temps à répondre…

+

Essayez de rafraîchir la page. Si le problème persiste, pensez + à contacter {{ nginx.who }}.

+ + + diff --git a/roles/nginx/templates/www/html/robots.txt.j2 b/roles/nginx/templates/www/html/robots.txt.j2 new file mode 100644 index 0000000..3fbaed7 --- /dev/null +++ b/roles/nginx/templates/www/html/robots.txt.j2 @@ -0,0 +1,4 @@ +{{ ansible_header | comment }} + +User-agent: * +Disallow: / -- 2.45.2 From a808e3c7938c6a729ac78eef775ead423f09bdf1 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:08:06 +0100 Subject: [PATCH 14/20] Update captive portal nginx configuration Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 139 ++++++++++++++++++++++-------- hosts | 5 ++ services_web.yml | 10 ++- 3 files changed, 115 insertions(+), 39 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index 8af0987..cb3c466 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml 
@@ -1,53 +1,116 @@ --- -certbot: +loc_certbot: domains: - - portail.auro.re + - portail-fleming.auro.re + - portail-pacaterie.auro.re + - portail-rives.auro.re + - portail-edc.auro.re + - portail-gs.auro.re mail: tech.aurore@lists.crans.org certname: auro.re -nginx: - ssl: - cert: /etc/letsencrypt/live/auro.re/fullchain.pem - cert_key: /etc/letsencrypt/live/auro.re/privkey.pem - trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem +loc_nginx: + service_name: captive_portal + default_server: '$server_addr' + default_ssl_server: '$server_addr' - redirect_dnames: {} + servers: + - ssl: false + server_name: + - "10.13.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_tcp: {} + - ssl: true + server_name: + - portail-fleming.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-fleming.auro.re/portail/" - redirect_sites: - - from: 10.13.0.247 - to: portail-fleming.auro.re - norequesturi: true + - ssl: false + server_name: + - 10.23.0.247 + locations: + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.23.0.247 - to: portail-.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-pacaterie.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-pacaterie.auro.re/portail/" - - from: 10.33.0.247 - to: portail-rives.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.33.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.43.0.247 - to: 
portail-edc.auro.re - norequesturi: true + - ssl: true + server_name: + - portail-rives.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-rives.auro.re/portail/" - - from: 10.53.0.247 - to: portail-gs.auro.re - norequesturi: true + - ssl: false + server_name: + - "10.43.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - reverseproxy_sites: - - from: portail-fleming.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-edc.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-edc.auro.re/portail/" - - from: portail-pacaterie.auro.re - to: 10.128.0.20 + - ssl: false + server_name: + - "10.53.0.247" + locations: + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" - - from: portail-rives.auro.re - to: 10.128.0.20 - - - from: portail-edc.auro.re - to: 10.128.0.20 - - - from: portail-gs.auro.re - to: 10.128.0.20 + - ssl: true + server_name: + - portail-gs.auro.re + locations: + - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" + params: + - "proxy_pass http://10.128.0.80" + - "include /etc/nginx/snippets/options-proxypass.conf" + - filter: "/" + params: + - "return 302 https://portail-gs.auro.re/portail/" diff --git a/hosts b/hosts index 3f03ed2..55cf3fc 100644 --- a/hosts +++ b/hosts @@ -489,3 +489,8 @@ ldap-replica-ovh.adm.auro.re [ldap_replica_rives] ldap-replica-rives.adm.auro.re +[certbot] +portail.adm.auro.re + +[nginx] +portail.adm.auro.re 
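Review bot: The proxied allow-list `~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)` is an unanchored regex, so it matches anywhere in the URI: `/x/static/...` or any path containing `-autocomplete` is sent to `proxy_pass http://10.128.0.80` instead of the `/` redirect. Anchoring it with `^`, i.e. `~ ^/(portail|static|javascript|media|about|contact|logout|.*-autocomplete)`, limits the proxied surface to the intended prefixes; the same filter is repeated five times, so a YAML anchor or one variable would keep the copies in sync. The `.*-autocomplete` alternative is broad enough to deserve a comment naming the endpoint it exists for.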
diff --git a/services_web.yml b/services_web.yml index 73b900b..62b7044 100755 --- a/services_web.yml +++ b/services_web.yml @@ -11,7 +11,15 @@ - passbolt # Deploy reverse proxy -- hosts: portail.adm.auro.re,proxy*.adm.auro.re +- hosts: proxy*.adm.auro.re roles: - certbot - nginx_reverseproxy + +- hosts: portail.adm.auro.re + vars: + certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' + roles: + - certbot + - nginx -- 2.45.2 From bbac76023c85307a089cf56be72c9b274edcf5c2 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 17:08:24 +0100 Subject: [PATCH 15/20] Update masquerade configuration for the captive portal Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 6909b85..5ccd388 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py @@ -71,6 +71,10 @@ nat = [ '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' }, 'extra_nat_group': 'accueil_ens23_allowed', + 'masquerade': [ + '10.{{ subnet_ids.users_accueil }}.1.0/24', + '10.{{ subnet_ids.users_accueil }}.2.0/24', + ] }, ] -- 2.45.2 From a82edc3e24a3a0f24d5fd0ea95e253e2efaa8f07 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 18:30:37 +0100 Subject: [PATCH 16/20] Firewall configuration without MASQUERADE Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config.py | 25 +++++++++++-------- .../templates/firewall_config_aurore.py | 12 ++++++--- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 5ccd388..9971765 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
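Review bot: `combine()` without `recursive=True` merges only the top level, so any key `loc_nginx` defines replaces the whole corresponding `glob_nginx` key, and keys it omits must exist globally: the host_vars in this commit drop the `nginx.ssl` block while options-ssl.conf.j2 reads `nginx.ssl.cert`, `nginx.ssl.cert_key` and `nginx.ssl.trusted_cert`, so the play only renders if `glob_nginx` (not in this series) carries them. Either `combine(loc_nginx | default({}), recursive=True)` or a comment on the `vars:` block stating which keys are expected from `glob_nginx` and `glob_certbot` makes that dependency visible.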
@@ -57,24 +57,29 @@ nat = [ }, 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16', 'extra_nat' : { - '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ + 'ens19': { + '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}', - '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' + '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}', + }, } }, { 'name': 'Accueil', 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', 'extra_nat': { - '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ - apartment_block_id }}', - '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}' + 'ens19': { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}', + }, + 'ens23' : { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + }, + }, + 'extra_nat_group': { + 'ens19': 'accueil_ens23_allowed', }, - 'extra_nat_group': 'accueil_ens23_allowed', - 'masquerade': [ - '10.{{ subnet_ids.users_accueil }}.1.0/24', - '10.{{ subnet_ids.users_accueil }}.2.0/24', - ] }, ] diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py index c41fd92..af757a0 100644 --- a/roles/router/templates/firewall_config_aurore.py +++ b/roles/router/templates/firewall_config_aurore.py 
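Review bot: `extra_nat` and `extra_nat_group` change shape here, from flat `source: nat_ip` mappings to dicts keyed by egress interface, and the consumer (aurore-firewall, installed by the re2o-service role) is outside this series, so the two must move in lock-step or the template renders a structure the firewall does not understand; a header comment describing the expected schema, `# extra_nat: {'<iface>': {'<source cidr>': '<nat address>'}}`, would document it where the data lives. In the Accueil entry the group `accueil_ens23_allowed` now sits under `'ens19'` while the `'ens23'` mapping rewrites the same subnets to `10.{{ subnet_ids.users_accueil }}.0.240`; if this means "members of the group reach the public address via ens19, everyone else is redirected to the portal via ens23", a comment saying so saves the next reader a trip to the firewall code. The `nat` list starts before the hunk.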
@@ -41,9 +41,15 @@ nat = [
 {
 'name' : 'AdminVlans',
 'extra_nat' : {
- '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
- '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
- '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}'
+ 'ens18': {
+ '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
+ 'ens19': {
+ '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
+ 'ens20': {
+ '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}',
+ },
 }
 }
 ]
-- 2.45.2 From 3f626449272bb313cf55d19666cef7d0fc9c01ab Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:02:14 +0100 Subject: [PATCH 17/20] Use production server Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml
index cb3c466..e9d005d 100644
--- a/host_vars/portail.adm.auro.re.yml
+++ b/host_vars/portail.adm.auro.re.yml
@@ -29,7 +29,7 @@ loc_nginx:
 locations:
 - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
- - "proxy_pass http://10.128.0.80"
+ - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
 - filter: "/"
 params:
@@ -49,7 +49,7 @@ loc_nginx:
 locations:
 - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
- - "proxy_pass http://10.128.0.80"
+ - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
 - filter: "/"
 params:
@@ -69,7 +69,7 @@ loc_nginx:
 locations:
 - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
- - "proxy_pass http://10.128.0.80"
+ - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
 - filter: "/"
 params:
@@ -89,7 +89,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: @@ -109,7 +109,7 @@ loc_nginx: locations: - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)" params: - - "proxy_pass http://10.128.0.80" + - "proxy_pass http://10.128.0.20" - "include /etc/nginx/snippets/options-proxypass.conf" - filter: "/" params: -- 2.45.2 From c527ce16b09ed4246fcc66ed776ddf24785cc61c Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:03:08 +0100 Subject: [PATCH 18/20] Use good output interface for the main router Signed-off-by: Yohann D'ANELLO --- roles/router/templates/firewall_config_aurore.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py index af757a0..9565e3b 100644 --- a/roles/router/templates/firewall_config_aurore.py +++ b/roles/router/templates/firewall_config_aurore.py @@ -43,11 +43,7 @@ nat = [ 'extra_nat' : { 'ens18': { '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', - }, - 'ens19': { '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', - }, - 'ens20': { '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', }, } -- 2.45.2 From ce00d5e50fc9a4034ac2b00300d7bba7a266f93a Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 19:57:33 +0100 Subject: [PATCH 19/20] Authorize comnpay urls in the captive portal Signed-off-by: Yohann D'ANELLO --- host_vars/portail.adm.auro.re.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml index e9d005d..e13a06d 100644 --- a/host_vars/portail.adm.auro.re.yml +++ b/host_vars/portail.adm.auro.re.yml 
@@ -27,7 +27,7 @@ loc_nginx:
 server_name:
 - portail-fleming.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -47,7 +47,7 @@ loc_nginx:
 server_name:
 - portail-pacaterie.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -67,7 +67,7 @@ loc_nginx:
 server_name:
 - portail-rives.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -87,7 +87,7 @@ loc_nginx:
 server_name:
 - portail-edc.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
@@ -107,7 +107,7 @@ loc_nginx:
 server_name:
 - portail-gs.auro.re
 locations:
- - filter: "~ /(portail|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
 params:
 - "proxy_pass http://10.128.0.20"
 - "include /etc/nginx/snippets/options-proxypass.conf"
-- 2.45.2 From 0e224df41f3a8156f11fd9cca838d39889d88d2a Mon Sep 17 00:00:00 2001
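Review bot: All five hunks of this commit replace `portail` with `potail` in the location filter, which looks like a typo rather than an intended rename: the `/` fallback in each server still redirects to `https://portail-*.auro.re/portail/`, and with the new filter `/portail/` matches none of the proxied alternatives, so the browser is presumably sent into a redirect loop on every site. The intended change appears to be only the added `cotisations/comnpay` alternative, i.e. `~ /(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)` in all five places.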
From: Yohann D'ANELLO Date: Mon, 1 Feb 2021 20:28:27 +0100 Subject: [PATCH 20/20] Install ipset on each router Signed-off-by: Yohann D'ANELLO --- roles/router/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index a0b8805..cfbf28e 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -30,6 +30,14 @@ mode: 0644 when: "'routeur-aurore' in ansible_hostname" +- name: Install ipset + apt: + name: ipset + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Install aurore-firewall (re2o-service) import_role: name: re2o-service -- 2.45.2