nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
parent
f678de8560
commit
280cb2c596
149
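--- /dev/null
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -0,0 +1,149 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
+
+nginx:
+snippets:
+listen_ha:
+- listen:
+- 81.16.19.62:443 ssl http2
+- '[2a03:4000:20:21f::]:443 ssl http2'
+proxy:
+- proxy_set_header:
+- Host $host
+- X-Real-IP $remote_addr
+- X-Forwarded-For $proxy_add_x_forwarded_for
+- X-Forwarded-Host $host
+- X-Forwarded-Server $host
+- X-Forwarded-Port $server_port
+- X-Forwarded-Proto $scheme
+- proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+tls:
+- ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+{#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
+{{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+- include: snippets/tls
+{{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+- include: snippets/tls
+{{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+- include: snippets/tls
+{{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+- include: snippets/tls
+tls_syscidsso:
+- ssl_trusted_certificate: {{ trustcrt }}
+- ssl_client_certificate: {{ trustcrt }}
+- ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
+- ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
+- ssl_ocsp: 'on'
+- ssl_ocsp_responder: {{ stapler }}
+- ssl_stapling: 'on'
+- ssl_stapling_responder: {{ stapler }}
+- ssl_stapling_verify: 'on'
+- ssl_verify_client: 'on'
+- resolver: {{ resolver }} ipv6=off
+- include: snippets.d/tls
+
+servers:
+managed:
+jboss-cluster.conf:
+available_dir: /etc/nginx/conf.d
+config:
+- proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+- proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+- upstream jboss:
+- ip: hash
+- server:
+- theia.backend.syscid.com:8443
+- orpheus.backend.syscid.com:8443
+- selene.backend.syscid.com:8443
+
+bookstack.conf:
+config:
+- server:
+- include:
+- snippets/listen
+- snippets/tls_libertacasa
+- server_name: libertacasa.info libcasa.info
+- location /:
+- proxy_pass: https://bookstack.themis.backend.syscid.com
+- proxy_http_version: 1.1
+- client_max_body_size: 20M
+
+http.conf:
+config:
+- server:
+- listen:
+- 81.16.19.62:80 default_server
+- '[2a03:4000:20:21f::]:80 default_server'
+- include: snippets/robots
+- location /:
+- return: 301 https://$host$request_uri
+
+privatebin.conf:
+config:
+- server:
+- include:
+- snippets/listen
+- snippets/tls_lysergic
+- server_name: pasta.lysergic.dev
+- location /:
+- proxy_pass: https://privatebin.themis.backend.syscid.com
+- proxy_http_version: 1.1
+- client_max_body_size: 50M
+
+sso_private.conf:
+config:
+- server:
+- include:
+- snippets/listen
+- snippets/tls_syscidsso
+- server_name: sso.syscid.com
+- root: /srv/www/sso.syscid.com
+- location = /: []
+- location /index.html: []
+- location /:
+- proxy_pass: https://jboss
+- proxy_cache: cache_sso_private
+- include: snippets/proxy
+- proxy_buffer_size: 256k
+- proxy_buffers: 4 512k
+- proxy_busy_buffers_size: 512k
+- error_log: /var/log/nginx/sso_private.error.log
+- access_log: /var/log/nginx/sso_private.access.log combined
+
+sso_public.conf:
+config:
+- server:
+- include:
+- snippets/listen
+- snippets/tls_libsso
+- server_name: sso.casa www.sso.casa
+- location /:
+- root: /srv/www/sso.casa
+- server:
+- include:
+- snippets/listen
+- snippets/tls_libsso
+- server_name: libsso.net www.libsso.net
+- location /:
+- root: /srv/www/libsso.net
+- location /auth: {#- compat, consider removing #}
+- rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+{%- for path in ['realms', 'resources', 'js'] %}
+- location /{{ path }}:
+- proxy_pass: https://jboss/{{ path }}
+- proxy_cache: cache_sso_public
+{#- - proxy_ssl_verify: on #to-do: enable this #}
+- include: snippets/proxy
+{%- endfor %}
+{%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+- location /{{ path }}:
+- return: https://liberta.casa/
+{%- endfor %}
+- proxy_buffer_size: 256k
+- proxy_buffers: 4 512k
+- proxy_busy_buffers_size: 512k
+- error_log: /var/log/nginx/libsso_public.error.log
+- access_log: /var/log/nginx/libsso_public.access.log combined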
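Review bot: The shared `proxy` snippet sets `proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt` but never enables `proxy_ssl_verify`, so nginx loads the backend CA and still accepts any certificate from the `jboss` upstream in `sso_private.conf`'s `location /` and in the `realms`/`resources`/`js` loop of `sso_public.conf`; the commented-out `{#- - proxy_ssl_verify: on #to-do: enable this #}` shows this is a known gap, and the `bookstack.conf` and `privatebin.conf` `proxy_pass https://...` locations do not include the snippet at all, so they verify nothing either. Adding `- proxy_ssl_verify: 'on'` and `- proxy_ssl_server_name: 'on'` to the `proxy` snippet (and including it in those two servers) would close this everywhere; for the `jboss` upstream the name nginx checks defaults to the upstream name, so a `proxy_ssl_name` matching the backend certificates' SAN will presumably also be needed — confirm against the certs, which are not visible here. Separately, `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client already sent, so the backends should only trust the rightmost entry (or `X-Real-IP`) for client-IP decisions; a one-line comment on that `proxy_set_header` entry recording this would help the next maintainer.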
|