external and internal http/https ports working

2024-05-29 12:48:18 -04:00
parent 21d7cef56b
commit 861617d387
4 changed files with 70 additions and 29 deletions
--- a/nginx/https.conf
+++ b/nginx/https.conf
@@ -3,13 +3,27 @@ server {
    access_log /var/log/nginx/nginx_https_access.log basic;
    error_log /var/log/nginx/nginx_https_error.log warn;

+    http2 on;
+
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+    gzip_disable "MSIE [1-6]\.";
+
    # Listen for the default http internal ports
    listen 127.0.0.1:{{ defaults.http.internal_http_port }} proxy_protocol;
    listen 127.0.0.1:{{ defaults.http.internal_https_port }} ssl proxy_protocol;

-    # Listen for any extra ports specified by the user
-{% for port in item.external.extra_ports %}
-    listen 127.0.0.1:{{ port }} proxy_protocol ssl;
+    # Listen for any extra http ports specified by the user
+{% for port in item.external.extra_http_ports %}
+    listen 127.0.0.1:{{ port }} proxy_protocol;
+{% endfor %}
+
+    # Listen for any extra https ports specified by the user
+{% for port in item.external.extra_https_ports %}
+    listen 127.0.0.1:{{ port }} ssl proxy_protocol;
 {% endfor %}

    if ($scheme = "http") {
@@ -21,7 +35,12 @@ server {
    server_name {{ item.external.domain }}{{ internal_tld }};

    location / {
-{% for port in item.external.extra_ports %}
+{% for port in item.external.extra_http_ports %}
+        if ($server_port = "{{ port }}") {
+            proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
+        }
+{% endfor %}
+{% for port in item.external.extra_https_ports %}
        if ($server_port = "{{ port }}") {
            proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ port }}$request_uri;
        }
@@ -57,7 +76,7 @@ server {
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;

    # OCSP stapling
@@ -75,6 +94,15 @@ server {
    access_log /var/log/nginx/nginx_https_access.log basic;
    error_log /var/log/nginx/nginx_https_error.log warn;

+    http2 on;
+
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+    gzip_disable "MSIE [1-6]\.";
+
    listen 127.0.0.1:{{ defaults.http.external_http_port }} proxy_protocol;
    listen 127.0.0.1:{{ defaults.http.external_https_port }} ssl proxy_protocol;

@@ -116,7 +144,7 @@ server {
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;

    # OCSP stapling
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -1,7 +1,16 @@
 {%- set unique_ports = [] %}

 {%- for item in http %}
-{%- for port in item.external.extra_ports %}
+
+{#- Gather http ports #}
+{%- for port in item.external.extra_http_ports %}
+{%- if port not in unique_ports %}
+{{- unique_ports.append(port) }}
+{%- endif %}
+{%- endfor %}
+
+{#- Gather https ports #}
+{%- for port in item.external.extra_https_ports %}
 {%- if port not in unique_ports %}
 {{- unique_ports.append(port) }}
 {%- endif %}
@@ -11,9 +20,11 @@

 load_module /usr/lib64/nginx/modules/ngx_stream_module.so;

-worker_processes 8;
+worker_processes auto;

-events {}
+events {
+    worker_connections 1024;
+}

 stream {
    log_format basic '| Remote Addr: $remote_addr:$server_port | SSL Preread: $ssl_preread_server_name | Forward: $map_forward_ip:$upstream_port | Upstream Addr: $upstream_addr | $time_local | $protocol | $status | $bytes_sent | $bytes_received | $session_time |';
--- a/nginx/nginx.yaml
+++ b/nginx/nginx.yaml
@@ -46,15 +46,6 @@
      mode: '0644'
    with_fileglob:
    - stream.d/*
-  - name: Copy http configurations
-    template:
-      src: "{{ item }}"
-      dest: /etc/nginx/http.d/{{ item | basename }}
-      owner: root
-      group: root
-      mode: '0644'
-    with_fileglob:
-    - http.d/*
  - name: Template all http configurations
    template:
      src: https.conf
--- a/nginx/vars.yaml
+++ b/nginx/vars.yaml
@@ -18,7 +18,8 @@ http:
  - external:
      domain: homeassistant
      expose: true
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.2.131.2"
      port: 8123
@@ -26,7 +27,8 @@ http:
  - external:
      domain: driveripper
      expose: true
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.1.2.10"
      port: 8443
@@ -34,7 +36,8 @@ http:
  - external:
      domain: e3s1plus
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.2.224.77"
      port: 80
@@ -42,7 +45,8 @@ http:
  - external:
      domain: yellow
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.1.203.197"
      port: 9090
@@ -50,7 +54,8 @@ http:
  - external:
      domain: node1
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.1.2.13"
      port: 9090
@@ -58,7 +63,8 @@ http:
  - external:
      domain: node2
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.1.2.14"
      port: 9090
@@ -66,7 +72,8 @@ http:
  - external:
      domain: node3
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: "10.1.2.15"
      port: 9090
@@ -75,7 +82,8 @@ http:
  - external:
      domain: cr10se
      expose: false
-      extra_ports:
+      extra_http_ports: []
+      extra_https_ports:
      # websocket
      - 9999
      # camera
@@ -87,7 +95,8 @@ http:
  - external:
      domain: pihole
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: 10.1.203.197
      port: 8081
@@ -95,7 +104,8 @@ http:
  - external:
      domain: attmodem
      expose: false
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: 192.168.1.254
      port: 80
@@ -103,7 +113,8 @@ http:
  - external:
      domain: nextcloud-aio
      expose: true
-      extra_ports: []
+      extra_http_ports: []
+      extra_https_ports: []
    internal:
      ip: 10.1.175.237
      port: 11000