restrict domains based on port

nginx/README.md

@@ -8,3 +8,8 @@ Check vars.yaml to edit your servers.
 ansible-playbook -i ansible/inventory.yaml nginx/nginx.yaml
 ansible-playbook -i ansible/inventory.yaml nginx/certbot.yaml
 ```
+
+## Restricted Addresses
+
+We can detect whether traffic is originating internally or externally by checking if
+it came in on port 443 or 444.

nginx/https.conf

@@ -4,15 +4,12 @@ map $http_upgrade $connection_upgrade {
 }
 
 server {
-    listen 127.0.0.1:80;
+
     listen 127.0.0.1:443 ssl http2;
-    server_name {{ item.external_domain }};
 
-    access_log /var/log/nginx/{{ item.external_domain }}-access.log compression;
+    server_name {{ item.external.domain }};
 
-    if ($scheme = "http") {
+    access_log /var/log/nginx/{{ item.external.domain }}-access.log compression;
-        return 301 https://$host:443$request_uri;
-    }
 
     # listen 443 ssl http2;      # for nginx versions below v1.25.1
     # listen [::]:443 ssl http2; # for nginx versions below v1.25.1 - comment to disable IPv6
@@ -26,7 +23,7 @@ server {
 
     location / {
         resolver 1.1.1.1;
-        proxy_pass {{ item.internal_protocol }}://{{ item.internal_domain }}:{{ item.internal_port }}$request_uri;
+        proxy_pass {{ item.internal.protocol }}://{{ item.internal.domain }}:{{ item.internal.port }}$request_uri;
 
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Port $server_port;
@@ -46,8 +43,8 @@ server {
         proxy_set_header Connection $connection_upgrade;
     }
 
-    ssl_certificate /etc/letsencrypt/live/{{ item.external_domain }}/fullchain.pem;   # managed by certbot on host machine
+    ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}/fullchain.pem;   # managed by certbot on host machine
-    ssl_certificate_key /etc/letsencrypt/live/{{ item.external_domain }}/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}/privkey.pem;
 
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

nginx/nginx.conf

@@ -5,38 +5,47 @@ worker_processes 8;
 events {}
 
 stream {
-    log_format basic '$remote_addr $name [$time_local] '
+    log_format basic '$remote_addr $restricted_domain [$time_local] '
                  '$protocol $status $bytes_sent $bytes_received '
                  '$session_time';
 
     include /etc/nginx/stream.d/*.conf;
 
     # Map all SSL parsed server names to hosts
-    map $ssl_preread_server_name $name {
+    map $ssl_preread_server_name $unrestricted_domain {
 
         "" 127.0.0.1:443;
 
         # For each domain we need to stream to a remote server, forward to internal domain
         {% for domain in stream_ssl %}
-        {{ domain.external_domain }} {{ domain.internal_domain }}:{{ domain.internal_port }};
+        {{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
         {% endfor %}
 
         # For each domain we want to terminate, forward to internal http server
         {% for domain in terminate_ssl %}
-        {{ domain.external_domain }} 127.0.0.1:443;
+        {% if not domain.restricted %}
+        {{ domain.external.domain }} 127.0.0.1:443;
+        {% endif %}
         {% endfor %}
 
         default {{ nginx.defaults.domain }}:443;
     }
 
-    # Forward 80 traffic
+    map $ssl_preread_server_name $restricted_domain {
-    server {
+
-        access_log /var/log/nginx/stream-access-80.log basic;
+        "" 127.0.0.1:443;
-        listen {{ ansible_default_ipv4.address }}:80;
+
-        resolver 1.1.1.1;
+        # For each domain we need to stream to a remote server, forward to internal domain
-        proxy_pass $name;
+        {% for domain in stream_ssl %}
-        ssl_preread on;
+        {{ domain.external.domain }} {{ domain.internal.domain }}:{{ domain.internal.port }};
-        proxy_socket_keepalive on;
+        {% endfor %}
+
+        # For each domain we want to terminate, forward to internal http server
+        {% for domain in terminate_ssl %}
+        {{ domain.external.domain }} 127.0.0.1:443;
+        {% endfor %}
+
+        default {{ nginx.defaults.domain }}:443;
     }
 
     # Forward 443 traffic
@@ -44,11 +53,20 @@ stream {
         access_log /var/log/nginx/stream-access-443.log basic;
         listen {{ ansible_default_ipv4.address }}:443;
         resolver 1.1.1.1;
-        proxy_pass $name;
+        proxy_pass $restricted_domain;
         ssl_preread on;
         proxy_socket_keepalive on;
     }
 
+    # Forward 444 (restricted) traffic
+    server {
+        access_log /var/log/nginx/stream-access-444.log basic;
+        listen {{ ansible_default_ipv4.address }}:444;
+        resolver 1.1.1.1;
+        proxy_pass $unrestricted_domain;
+        ssl_preread on;
+        proxy_socket_keepalive on;
+    }
 }
 
 http {
@@ -56,11 +74,15 @@ http {
                        '"$request" $status $bytes_sent '
                        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
 
-    include /etc/nginx/http.d/*.conf;
-
     server {
         access_log /var/log/nginx/http-access.log compression;
-        listen 127.0.0.1:80 default_server;
+
-        return 301 https://$host$request_uri;
+        listen 80 default_server;
+
+        if ($scheme = "http") {
+            return 301 https://$host:443$request_uri;
         }
     }
+
+    include /etc/nginx/http.d/*.conf;
+}

nginx/nginx.yaml

@@ -12,6 +12,14 @@
         - nginx
         - nginx-mod-stream
       state: present
+  - name: Remove http.d dir before repopulating
+    file:
+      path: /etc/nginx/http.d/
+      state: absent
+  - name: Remove stream.d dir before repopulating
+    file:
+      path: /etc/nginx/stream.d/
+      state: absent
   - name: Create stream.d dir
     ansible.builtin.file:
       path: /etc/nginx/stream.d
@@ -50,7 +58,7 @@
   - name: Template all http configurations
     template:
       src: https.conf
-      dest: /etc/nginx/http.d/{{ item.external_domain }}.conf
+      dest: /etc/nginx/http.d/{{ item.external.domain }}.conf
       owner: root
       group: root
       mode: '0644'

nginx/vars.yaml

@@ -1,58 +1,89 @@
 terminate_ssl:
-  - external_domain: octoprint.reeseapps.com
+  - external:
-    external_port: 443
+      domain: octoprint.reeseapps.com
-    internal_domain: replicator.reeselink.com
+      port: 443
-    internal_port: 443
+    internal:
-    internal_protocol: https
+      domain: replicator.reeselink.com
-  - external_domain: truenas.reeseapps.com
+      port: 443
-    external_port: 443
+      protocol: https
-    internal_domain: driveripper.reeselink.com
+    restricted: true
-    internal_port: 8443
+  - external:
-    internal_protocol: https
+      domain: truenas.reeseapps.com
-  - external_domain: pihole-yellow.reeseapps.com
+      port: 443
-    external_port: 443
+    internal:
-    internal_domain: yellow.reeselink.com
+      domain: driveripper.reeselink.com
-    internal_port: 8081
+      port: 8443
-    internal_protocol: http
+      protocol: https
-  - external_domain: pihole-orange.reeseapps.com
+    restricted: false
-    external_port: 443
+  - external:
-    internal_domain: orange.reeselink.com
+      domain: pihole-yellow.reeseapps.com
-    internal_port: 8081
+      port: 443
-    internal_protocol: http
+    internal:
-  - external_domain: yellow.reeseapps.com
+      domain: yellow.reeselink.com
-    external_port: 443
+      port: 8081
-    internal_domain: yellow.reeselink.com
+      protocol: http
-    internal_port: 9090
+    restricted: true
-    internal_protocol: https
+  - external:
-  - external_domain: orange.reeseapps.com
+      domain: pihole-orange.reeseapps.com
-    external_port: 443
+      port: 443
-    internal_domain: orange.reeselink.com
+    internal:
-    internal_port: 9090
+      domain: orange.reeselink.com
-    internal_protocol: https
+      port: 8081
-  - external_domain: node1.reeseapps.com
+      protocol: http
-    external_port: 443
+    restricted: true
-    internal_domain: node1.reeselink.com
+  - external:
-    internal_port: 9090
+      domain: yellow.reeseapps.com
-    internal_protocol: https
+      port: 443
-  - external_domain: node2.reeseapps.com
+    internal:
-    external_port: 443
+      domain: yellow.reeselink.com
-    internal_domain: node2.reeselink.com
+      port: 9090
-    internal_port: 9090
+      protocol: https
-    internal_protocol: https
+    restricted: true
-  - external_domain: node3.reeseapps.com
+  - external:
-    external_port: 443
+      domain: orange.reeseapps.com
-    internal_domain: node3.reeselink.com
+      port: 443
-    internal_port: 9090
+    internal:
-    internal_protocol: https
+      domain: orange.reeselink.com
+      port: 9090
+      protocol: https
+    restricted: true
+  - external:
+      domain: node1.reeseapps.com
+      port: 443
+    internal:
+      domain: node1.reeselink.com
+      port: 9090
+      protocol: https
+    restricted: true
+  - external:
+      domain: node2.reeseapps.com
+      port: 443
+    internal:
+      domain: node2.reeselink.com
+      port: 9090
+      protocol: https
+    restricted: true
+  - external:
+      domain: node3.reeseapps.com
+      port: 443
+    internal:
+      domain: node3.reeselink.com
+      port: 9090
+      protocol: https
+    restricted: true
 stream_ssl:
-  - external_domain: nextcloud-aio.reeseapps.com
+  - external:
-    external_port: 443
+      domain: nextcloud-aio.reeseapps.com
-    internal_domain: nextcloud-aio.reeselink.com
+      port: 443
-    internal_port: 443
+    internal:
-  - external_domain: containers.reeseapps.com
+      domain: nextcloud-aio.reeselink.com
-    external_port: 443
+      port: 443
-    internal_domain: node1.reeselink.com
+  - external:
-    internal_port: 6443
+      domain: containers.reeseapps.com
+      port: 443
+    internal:
+      domain: node1.reeselink.com
+      port: 6443
 nextcloud:
   domain: nextcloud-aio.reeseapps.com
 nginx:
@@ -62,3 +93,4 @@ iperf:
   domain: lb.reeselink.com
 unifi_external:
   domain: unifi-server1.reeselink.com
+internal_ip: 10.1.0.0/16