restrict domains based on port

2024-02-01 01:17:06 -05:00
parent 044f3439ed
commit 7251627477
5 changed files with 144 additions and 80 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -5,38 +5,47 @@ worker_processes 8;
 events {}

 stream {
-    log_format basic '$remote_addr $name [$time_local] '
+    log_format basic '$remote_addr $restricted_domain [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time';

    include /etc/nginx/stream.d/*.conf;

    # Map all SSL parsed server names to hosts
-    map $ssl_preread_server_name $name {
+    map $ssl_preread_server_name $unrestricted_domain {

        "" 127.0.0.1:443;

        # For each domain we need to stream to a remote server, forward to internal domain
        {% for domain in stream_ssl %}
-        {{ domain.external_domain }} {{ domain.internal_domain }}:{{ domain.internal_port }};
+        {{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
        {% endfor %}

        # For each domain we want to terminate, forward to internal http server
        {% for domain in terminate_ssl %}
-        {{ domain.external_domain }} 127.0.0.1:443;
+        {% if not domain.restricted %}
+        {{ domain.external.domain }} 127.0.0.1:443;
+        {% endif %}
        {% endfor %}

        default {{ nginx.defaults.domain }}:443;
    }

-    # Forward 80 traffic
-    server {
-        access_log /var/log/nginx/stream-access-80.log basic;
-        listen {{ ansible_default_ipv4.address }}:80;
-        resolver 1.1.1.1;
-        proxy_pass $name;
-        ssl_preread on;
-        proxy_socket_keepalive on;
+    map $ssl_preread_server_name $restricted_domain {
+
+        "" 127.0.0.1:443;
+
+        # For each domain we need to stream to a remote server, forward to internal domain
+        {% for domain in stream_ssl %}
+        {{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
+        {% endfor %}
+
+        # For each domain we want to terminate, forward to internal http server
+        {% for domain in terminate_ssl %}
+        {{ domain.external.domain }} 127.0.0.1:443;
+        {% endfor %}
+
+        default {{ nginx.defaults.domain }}:443;
    }

    # Forward 443 traffic
@@ -44,11 +53,20 @@ stream {
        access_log /var/log/nginx/stream-access-443.log basic;
        listen {{ ansible_default_ipv4.address }}:443;
        resolver 1.1.1.1;
-        proxy_pass $name;
+        proxy_pass $restricted_domain;
        ssl_preread on;
        proxy_socket_keepalive on;
    }

+    # Forward 444 (restricted) traffic
+    server {
+        access_log /var/log/nginx/stream-access-444.log basic;
+        listen {{ ansible_default_ipv4.address }}:444;
+        resolver 1.1.1.1;
+        proxy_pass $unrestricted_domain;
+        ssl_preread on;
+        proxy_socket_keepalive on;
+    }
 }

 http {
@@ -56,11 +74,15 @@ http {
                       '"$request" $status $bytes_sent '
                       '"$http_referer" "$http_user_agent" "$gzip_ratio"';

-    include /etc/nginx/http.d/*.conf;
-
    server {
        access_log /var/log/nginx/http-access.log compression;
-        listen 127.0.0.1:80 default_server;
-        return 301 https://$host$request_uri;
+
+        listen 80 default_server;
+
+        if ($scheme = "http") {
+            return 301 https://$host:443$request_uri;
+        }
    }
+
+    include /etc/nginx/http.d/*.conf;
 }