ipv6 working

2024-06-09 18:35:56 -04:00
parent 642c0011ff
commit 1f4769fdbe
33 changed files with 487 additions and 207 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -27,33 +27,32 @@ events {
 }

 stream {
-    log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip:$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
+    log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';

    # Map all SSL parsed server names to hosts
    map $ssl_preread_server_name $map_forward_ip {

-        # Empty ssl preread gets forwarded to internal
-        "" 127.0.0.1;
+        # Empty ssl preread gets forwarded to internal http server
+        "" "unix:/var/lib/nginx/tmp/nginx_http.sock";

-        # These domains will get forwarded to the internal http server
+        # These domains will get forwarded to the internal https server
 {% for item in http %}
-        {{ item.external.domain }}{{ internal_tld }} 127.0.0.1;
-{% if item.external.expose %}
-        {{ item.external.domain }}{{ expose_tld }} 127.0.0.1;
-{% endif %}
+        {{ item.external.domain }}{{ expose_tld }} unix:/var/lib/nginx/tmp/nginx_https.sock;
 {% endfor %}

        # By default forward to our internal nginx server (probably kubernetes)
        default {{ defaults.forward_ip }};
    }

-    # Since external traffic will be coming in on port 444, and we need to get some of that traffic
-    # to kubernetes ingress-nginx on port 443, we need to detect if the destination IP is kubernetes.
-    # If it is, forward that traffic to port 443. Otherwise, preserve the original port the traffic
-    # came in on.
+    # Since traffic being forwarded to the unix socket doesn't need a port we'll create
+    # a map here to enforce that case.
    map $map_forward_ip $upstream_port {
-        {{ defaults.forward_ip }} 443;
-        default $server_port;
+        {{ defaults.forward_ip }} ":443";
+
+        "unix:/var/lib/nginx/tmp/nginx_http.sock" "";
+        "unix:/var/lib/nginx/tmp/nginx_https.sock" "";
+
+        default ":$server_port";
    }

    server {
@@ -64,17 +63,17 @@ stream {

        # The default http ports
 {% for port in defaults.listen_ports %}
-        listen {{ ansible_default_ipv4.address }}:{{ port }};
-        listen [{{ ansible_default_ipv6.address }}]:{{ port }};
+        listen {{ port }};
+        listen [::]:{{ port }};
 {% endfor %}

        # Any unique ports listed in the extra_ports field
 {% for port in unique_ports %}
-        listen {{ ansible_default_ipv4.address }}:{{ port }};
-        listen [{{ ansible_default_ipv6.address }}]:{{ port }};
+        listen {{ port }};
+        listen [::]:{{ port }};
 {% endfor %}

-        proxy_pass $map_forward_ip:$upstream_port;
+        proxy_pass $map_forward_ip$upstream_port;
        ssl_preread on;
        proxy_socket_keepalive on;
    }
@@ -83,33 +82,30 @@ stream {
 }

 http {
-    log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip:$server_port | Referer: $http_referer | $request | $time_local | $status |';
+    log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip$server_port | Referer: $http_referer | $request | $time_local | $status |';

    map $host $map_forward_ip {
-        "" "127.0.0.1";
+        "" "unix:/var/lib/nginx/tmp/nginx_http.sock";

        # We don't want to forward traffic we're terminating
        # Rather we'll catch it here and redirect to 443.
 {% for item in http %}
-        {{ item.external.domain }}{{ internal_tld }} "127.0.0.1";
-{% if item.external.expose %}
-        {{ item.external.domain }}{{ expose_tld }} "127.0.0.1";
-{% endif %}
+        {{ item.external.domain }}{{ expose_tld }} "unix:/var/lib/nginx/tmp/nginx_https.sock";
 {% endfor %}

        default {{ defaults.forward_ip }};
    }

-    # Internal requests come through 80
+    # Handle internal http requests through unix:/var/lib/nginx/tmp/nginx_http.sock
    server {
        access_log /var/log/nginx/nginx_http_access.log basic;
        error_log /var/log/nginx/nginx_http_error.log warn;

-        listen 127.0.0.1:80 default_server proxy_protocol;
+        listen unix:/var/lib/nginx/tmp/nginx_http.sock default_server proxy_protocol;

        location / {
            # If we have an external forward IP, forward traffic
-            if ($map_forward_ip != "127.0.0.1") {
+            if ($map_forward_ip != "unix:/var/lib/nginx/tmp/nginx_http.sock") {
                proxy_pass $map_forward_ip:80;
            }
            # Else redirect if the scheme is http
@@ -119,25 +115,6 @@ http {
        }
    }

-    # External requests come through 81
-    server {
-        access_log /var/log/nginx/nginx_http_access.log basic;
-        error_log /var/log/nginx/nginx_http_error.log warn;
-
-        listen 127.0.0.1:81 default_server proxy_protocol;
-
-        location / {
-            # If we have a foward IP, forward the traffic
-            if ($map_forward_ip) {
-                proxy_pass $map_forward_ip:81;
-            }
-            # Else redirect if the scheme is http
-            if ($scheme = "http") {
-                return 301 https://$host:443$request_uri;
-            }
-        }
-    }
-
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;