services/homelab
1
1
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

standardize http/https ports in nginx config

Browse Source
This commit is contained in:
Reese Wells
2024-05-29 11:46:23 -04:00
parent a853df3cbc
commit 21d7cef56b
7 changed files with 197 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
nextcloud/README.md
View File

@@ -20,3 +20,11 @@ docker run \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \ --volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest nextcloud/all-in-one:latest
``` ```
## Uninstall
```bash
docker stop $(docker ps -a -q)
docker system prune
docker volume prune -a -f
```

11
nginx/certbot.yaml
View File

@@ -12,7 +12,12 @@
name: name:
- certbot - certbot
state: present state: present
- name: Get certs for all domains - name: Get certs for all internal domains
ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.1 }}' -n ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.external.domain }}{{ internal_tld }}' -n
# Loops over every external.domains sub list # Loops over every external.domains sub list
loop: "{{ http | subelements('external.domains') }}" loop: "{{ http }}"
- name: Get certs for all external domains
ansible.builtin.shell: /usr/bin/certbot certonly --dns-route53 -d '{{ item.external.domain }}{{ expose_tld }}' -n
# Loops over every external.domains sub list
loop: "{{ http }}"
when: item.external.expose

95
nginx/https.conf
View File

@@ -1,18 +1,16 @@
map $http_upgrade $connection_upgrade { # Internal Server
default upgrade;
'' close;
}
server { server {
access_log /var/log/nginx/nginx_https_access.log basic; access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn; error_log /var/log/nginx/nginx_https_error.log warn;
{%- for port in item.0.external.ports +%} # Listen for the default http internal ports
listen 127.0.0.1:{{ port }} ssl proxy_protocol; listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
{%- endfor +%} listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;
listen 127.0.0.1:80 proxy_protocol; # Listen for any extra ports specified by the user
listen 127.0.0.1:81 proxy_protocol; {% for port in item.external.extra_ports %}
listen 127.0.0.1:{{ port }} proxy_protocol ssl;
{% endfor %}
if ($scheme = "http") { if ($scheme = "http") {
return 301 https://$host:443$request_uri; return 301 https://$host:443$request_uri;
@@ -20,10 +18,17 @@ server {
set_real_ip_from 127.0.0.1; set_real_ip_from 127.0.0.1;
server_name {{ item.1 }}; server_name {{ item.external.domain }}{{ internal_tld }};
location / { location / {
proxy_pass {{ item.0.internal.protocol }}://{{ item.0.internal.ip }}:{{ item.0.internal.port }}$request_uri; {% for port in item.external.extra_ports %}
if ($server_port = "{{ port }}") {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
}
{% endfor %}
if ($server_port = "{{ defaults.http.internal_https_port }}"){
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
}
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Scheme $scheme;
@@ -44,8 +49,8 @@ server {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
} }
ssl_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem; # managed by certbot on host machine ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.1 }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/privkey.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
@@ -58,8 +63,68 @@ server {
# OCSP stapling # OCSP stapling
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/{{ item.1 }}/fullchain.pem; ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ internal_tld }}/fullchain.pem;
# replace with the IP address of your resolver # replace with the IP address of your resolver
resolver 127.0.0.1; resolver 127.0.0.1;
} }
# External Server
{% if item.external.expose %}
server {
access_log /var/log/nginx/nginx_https_access.log basic;
error_log /var/log/nginx/nginx_https_error.log warn;
listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;
if ($scheme = "http") {
return 301 https://$host:443$request_uri;
}
set_real_ip_from 127.0.0.1;
server_name {{ item.external.domain }}{{ expose_tld }};
location / {
proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
client_body_buffer_size 512k;
proxy_read_timeout 86400s;
client_max_body_size 0;
# Websocket
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem; # managed by certbot on host machine
ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;
# replace with the IP address of your resolver
resolver 127.0.0.1;
}
{%- endif %}

76
nginx/nginx.conf
View File

@@ -1,20 +1,7 @@
{%- set unique_ports = [] %} {%- set unique_ports = [] %}
{%- for port in default_ports %} {%- for item in http %}
{{- unique_ports.append(port) }} {%- for port in item.external.extra_ports %}
{%- endfor %}
# For each domain we want to terminate, forward to internal http server
{%- set http_domains = [] %}
{%- for item in (http | subelements('external.domains')) %}
{#- Collect unique domains #}
{%- if item.1 not in http_domains %}
{{- http_domains.append(item.1) }}
{%- endif %}
{#- Collect unique ports #}
{%- for port in item.0.external.ports %}
{%- if port not in unique_ports %} {%- if port not in unique_ports %}
{{- unique_ports.append(port) }} {{- unique_ports.append(port) }}
{%- endif %} {%- endif %}
@@ -29,27 +16,32 @@ worker_processes 8;
events {} events {}
stream { stream {
log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward IP: $forward_ip:$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |'; log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip:$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
# Map all SSL parsed server names to hosts # Map all SSL parsed server names to hosts
map $ssl_preread_server_name $forward_ip { map $ssl_preread_server_name $map_forward_ip {
# Empty ssl preread gets forwarded to internal # Empty ssl preread gets forwarded to internal
"" 127.0.0.1; "" 127.0.0.1;
{% for item in http_domains %} # These domains will get forwarded to the internal http server
{{ item }} 127.0.0.1; {% for item in http %}
{{ item.external.domain }}{{ internal_tld }} 127.0.0.1;
{% if item.external.expose %}
{{ item.external.domain }}{{ expose_tld }} 127.0.0.1;
{% endif %}
{% endfor %} {% endfor %}
default {{ nginx.defaults.ip }}; # By default forward to our internal nginx server (probably kubernetes)
default {{ defaults.forward_ip }};
} }
# Since external traffic will be coming in on port 444, and we need to get some of that traffic # Since external traffic will be coming in on port 444, and we need to get some of that traffic
# to kubernetes ingress-nginx on port 443, we need to detect if the destination IP is kubernetes. # to kubernetes ingress-nginx on port 443, we need to detect if the destination IP is kubernetes.
# If it is, forward that traffic to port 443. Otherwise, preserve the original port the traffic # If it is, forward that traffic to port 443. Otherwise, preserve the original port the traffic
# came in on. # came in on.
map $forward_ip $upstream_port { map $map_forward_ip $upstream_port {
{{ nginx.defaults.ip }} 443; {{ defaults.forward_ip }} 443;
default $server_port; default $server_port;
} }
@@ -59,11 +51,17 @@ stream {
proxy_protocol on; proxy_protocol on;
# The default http ports
{% for port in defaults.listen_ports %}
listen {{ ansible_default_ipv4.address }}:{{ port }};
{% endfor %}
# Any unique ports listed in the extra_ports field
{% for port in unique_ports %} {% for port in unique_ports %}
listen {{ ansible_default_ipv4.address }}:{{ port }}; listen {{ ansible_default_ipv4.address }}:{{ port }};
{% endfor %} {% endfor %}
proxy_pass $forward_ip:$upstream_port; proxy_pass $map_forward_ip:$upstream_port;
ssl_preread on; ssl_preread on;
proxy_socket_keepalive on; proxy_socket_keepalive on;
} }
@@ -72,16 +70,21 @@ stream {
} }
http { http {
log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward IP: $forward_ip | Referer: $http_referer | $request | $time_local | $status |'; log_format basic '| Proxy Proto Addr: $proxy_protocol_addr | Remote Addr: $remote_addr:$server_port | Host: $host | Forward: $map_forward_ip:$server_port | Referer: $http_referer | $request | $time_local | $status |';
map $host $forward_ip { map $host $map_forward_ip {
"" ""; "" "127.0.0.1";
{% for item in http_domains %} # We don't want to forward traffic we're terminating
{{ item }} ""; # Rather we'll catch it here and redirect to 443.
{% for item in http %}
{{ item.external.domain }}{{ internal_tld }} "127.0.0.1";
{% if item.external.expose %}
{{ item.external.domain }}{{ expose_tld }} "127.0.0.1";
{% endif %}
{% endfor %} {% endfor %}
default {{ nginx.defaults.ip }}; default {{ defaults.forward_ip }};
} }
# Internal requests come through 80 # Internal requests come through 80
@@ -92,9 +95,9 @@ http {
listen 127.0.0.1:80 default_server proxy_protocol; listen 127.0.0.1:80 default_server proxy_protocol;
location / { location / {
# If we have a foward IP, forward the traffic # If we have an external forward IP, forward traffic
if ($forward_ip) { if ($map_forward_ip != "127.0.0.1") {
proxy_pass $forward_ip:80; proxy_pass $map_forward_ip:80;
} }
# Else redirect if the scheme is http # Else redirect if the scheme is http
if ($scheme = "http") { if ($scheme = "http") {
@@ -112,8 +115,8 @@ http {
location / { location / {
# If we have a foward IP, forward the traffic # If we have a foward IP, forward the traffic
if ($forward_ip) { if ($map_forward_ip) {
proxy_pass $forward_ip:81; proxy_pass $map_forward_ip:81;
} }
# Else redirect if the scheme is http # Else redirect if the scheme is http
if ($scheme = "http") { if ($scheme = "http") {
@@ -122,5 +125,10 @@ http {
} }
} }
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
include /etc/nginx/http.d/*.conf; include /etc/nginx/http.d/*.conf;
} }

6
nginx/nginx.yaml
View File

@@ -58,13 +58,11 @@
- name: Template all http configurations - name: Template all http configurations
template: template:
src: https.conf src: https.conf
dest: /etc/nginx/http.d/{{ item.1 }}.{{ item.0.internal.port }}.conf dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
# item.0 == full dictionary loop: "{{ http }}"
# item.1 == external domain
loop: "{{ http | subelements('external.domains') }}"
- name: Test nginx configuration - name: Test nginx configuration
ansible.builtin.shell: /usr/sbin/nginx -t ansible.builtin.shell: /usr/sbin/nginx -t
- name: Reload nginx service - name: Reload nginx service

14
nginx/stream.d/unifi-external.conf
View File

@@ -1,8 +1,8 @@
server { # server {
access_log /var/log/nginx/nginx_stream_access.log basic; # access_log /var/log/nginx/nginx_stream_access.log basic;
error_log /var/log/nginx/nginx_stream_error.log warn; # error_log /var/log/nginx/nginx_stream_error.log warn;
resolver 1.1.1.1; # resolver 1.1.1.1;
listen {{ ansible_default_ipv4.address }}:8082; # listen {{ ansible_default_ipv4.address }}:8082;
proxy_pass {{ unifi_external.domain }}:8080; # proxy_pass {{ ansible_default_ipv4.address }}:8080;
} # }

131
nginx/vars.yaml
View File

@@ -1,140 +1,109 @@
nginx: defaults:
defaults: forward_ip: "10.1.2.101"
ip: "10.1.2.101" listen_ports:
iperf:
domain: 10.1.2.100
unifi_external:
domain: unifi-server1.reeselink.com
internal_ip: 10.1.0.0/16
default_ports:
- 80
- 81
- 443 - 443
- 80
- 444 - 444
- 81
http:
internal_http_port: 80
internal_https_port: 443
external_http_port: 81
external_https_port: 444
internal_ip: 10.1.0.0/16
expose_tld: .reeseapps.com
internal_tld: .reeselink.com
http: http:
- external: - external:
domains: domain: homeassistant
- homeassistant.reeseapps.com expose: true
- homeassistant.reeselink.com extra_ports: []
ports:
- 443
- 444
internal: internal:
ip: "10.2.131.2" ip: "10.2.131.2"
port: 8123 port: 8123
protocol: https protocol: https
- external: - external:
domains: domain: driveripper
- driveripper.reeseapps.com expose: true
- driveripper.reeselink.com extra_ports: []
ports:
- 443
- 444
internal: internal:
ip: "10.1.2.10" ip: "10.1.2.10"
port: 8443 port: 8443
protocol: https protocol: https
- external: - external:
domains: domain: e3s1plus
- replicator.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: "10.2.224.77" ip: "10.2.224.77"
port: 80 port: 80
protocol: http protocol: http
- external: - external:
domains: domain: yellow
- yellow.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: "10.1.203.197" ip: "10.1.203.197"
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domains: domain: node1
- node1.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: "10.1.2.13" ip: "10.1.2.13"
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domains: domain: node2
- node2.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: "10.1.2.14" ip: "10.1.2.14"
port: 9090 port: 9090
protocol: https protocol: https
- external: - external:
domains: domain: node3
- node3.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: "10.1.2.15" ip: "10.1.2.15"
port: 9090 port: 9090
protocol: https protocol: https
# Printer # Printer
- external: - external:
domains: domain: cr10se
- cr10se.reeselink.com expose: false
ports: extra_ports:
- 443 # websocket
- 9999
# camera
- 8080
internal: internal:
ip: "10.3.165.70" ip: "10.3.165.70"
port: 80 port: 80
protocol: http protocol: http
# Websocket
- external: - external:
domains: domain: pihole
- cr10se.reeselink.com expose: false
ports: extra_ports: []
- 9999
internal:
ip: "10.3.165.70"
port: 9999
protocol: http
# Camera
- external:
domains:
- cr10se.reeselink.com
ports:
- 8080
internal:
ip: "10.3.165.70"
port: 8080
protocol: http
- external:
domains:
- pihole.reeselink.com
ports:
- 443
internal: internal:
ip: 10.1.203.197 ip: 10.1.203.197
port: 8081 port: 8081
protocol: http protocol: http
- external: - external:
domains: domain: attmodem
- attmodem.reeselink.com expose: false
ports: extra_ports: []
- 443
internal: internal:
ip: 192.168.1.254 ip: 192.168.1.254
port: 80 port: 80
protocol: http protocol: http
- external: - external:
domains: domain: nextcloud-aio
- nextcloud-aio.reeseapps.com expose: true
- nextcloud-aio.reeselink.com extra_ports: []
ports:
- 443
- 444
internal: internal:
ip: 10.1.175.237 ip: 10.1.175.237
port: 11000 port: 11000