nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
This commit is contained in:
		
							parent
							
								
									f678de8560
								
							
						
					
					
						commit
						4137ffb3e5
					
				
							
								
								
									
										147
									
								
								pillar/cluster/denc/web-proxy.sls
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
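--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -0,0 +1,147 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+
+nginx:
+  snippets:
+    listen_ha:
+      - listen:
+        - 81.16.19.62:443 ssl http2
+        - '[2a03:4000:20:21f::]:443 ssl http2'
+    proxy:
+      - proxy_set_header:
+        - Host                $host
+        - X-Real-IP           $remote_addr
+        - X-Forwarded-For     $proxy_add_x_forwarded_for
+        - X-Forwarded-Host    $host
+        - X-Forwarded-Server  $host
+        - X-Forwarded-Port    $server_port
+        - X-Forwarded-Proto   $scheme
+      - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+    tls:
+      - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    tls_baseline: {#- compat, to-do: merge into role.web-proxy #}
+      - include: snippets/tls
+
+    {#- certificate snippets #}
+    {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+      - include: snippets/tls_baseline
+    {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+      - include: snippets/tls_baseline
+    {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+      - include: snippets/tls_baseline
+    {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+      - include: snippets/tls_baseline
+    tls_syscidsso:
+      - ssl_trusted_certificate: /etc/pki/trust/anchors/syscid-ca.crt
+      - ssl_client_certificate:  /etc/pki/trust/anchors/syscid-ca.crt
+      - ssl_certificate:         /etc/ssl/syscid/sso.syscid.com.crt
+      - ssl_certificate_key:     /etc/ssl/syscid/sso.syscid.com.key
+      - ssl_ocsp:                on
+      - ssl_ocsp_responder:      http://gaia.syscid.com:8900/
+      - ssl_stapling:            on
+      - ssl_stapling_responder:  http://gaia.syscid.com:8900/
+      - ssl_stapling_verify:     on
+      - ssl_verify_client:       on
+      - resolver:                192.168.0.115 ipv6=off
+      - include:                 snippets.d/tls_baseline
+
+  servers:
+    managed:
+      jboss-cluster.conf:
+        available_dir: /etc/nginx/conf.d
+        config:
+        - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+        - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+        - upstream jboss:
+          - ip: hash
+          - server:
+            - theia.backend.syscid.com:8443
+            - orpheus.backend.syscid.com:8443
+            - selene.backend.syscid.com:8443
+
+      bookstack.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_libertacasa
+            - server_name: libertacasa.info libcasa.info
+            - location /:
+              - proxy_pass: https://bookstack.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 20M
+
+      http.conf:
+        config:
+          - server:
+            - listen:
+              - 81.16.19.62:80 default_server
+              - '[2a03:4000:20:21f::]:80 default_server'
+              - include: snippets/robots
+              - location /:
+                - return: 301 https://$host$request_uri
+
+      privatebin.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_lysergic
+            - server_name: pasta.lysergic.dev
+            - location /:
+              - proxy_pass: https://privatebin.themis.backend.syscid.com
+              - proxy_http_version: 1.1
+            - client_max_body_size: 50M
+
+      sso_private.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_syscidsso
+            - server_name: sso.syscid.com
+            - root: /srv/www/sso.syscid.com
+            - location = /: {}
+            - location /index.html: {}
+            - location /:
+              - proxy_pass: https://jboss
+              - proxy_cache: cache_sso_private
+              - include: snippets/proxy
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/sso_private.error.log
+            - access_log: /var/log/nginx/sso_private.access.log combined
+      sso_public.conf:
+        config:
+          - server:
+            - include:
+              - snippets/listen
+              - snippets/tls_libsso
+            - server_name: sso.casa www.sso.casa
+            - location /:
+              - root: /srv/www/sso.casa
+          - server:
+            - include:
+             - snippets/listen
+             - snippets/tls_libsso
+            - server_name: libsso.net www.libsso.net
+            - location /:
+              - root: /srv/www/libsso.net
+            - location /auth: {#- compat, consider removing #}
+              - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+            {%- for path in ['realms', 'resources', 'js'] %}
+            - location /{{ path }}:
+              - proxy_pass: https://jboss/{{ path }}
+              - proxy_cache: cache_sso_public
+              {#- - proxy_ssl_verify: on #to-do: enable this #}
+              - include: snippets/proxy
+            {%- endfor %}
+            {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+            - location /{{ path }}:
+              - return: https://liberta.casa/
+            {%- endfor %}
+            - proxy_buffer_size: 256k
+            - proxy_buffers: 4 512k
+            - proxy_busy_buffers_size: 512k
+            - error_log: /var/log/nginx/libsso_public.error.log
+            - access_log: /var/log/nginx/libsso_public.access.log combined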
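Review bot: In http.conf the `- include: snippets/robots` and `- location /:` entries sit at the same column as the two listen addresses, so they are children of the `listen:` list rather than server-level directives and will be rendered as extra listen arguments (or dropped) instead of the intended redirect; dedent them to the `- listen:` column, i.e. `            - include: snippets/robots` / `            - location /:` / `              - return: 301 https://$host$request_uri`. The tls_syscidsso snippet includes `snippets.d/tls_baseline` while every other snippet in this file includes `snippets/tls_baseline`; unless the formula treats both paths alike, that include will not resolve and the sso.syscid.com vhost silently loses the baseline TLS settings. The proxy snippet sets `proxy_ssl_trusted_certificate` but `proxy_ssl_verify on` remains commented out as a to-do, so the backend CA anchor has no effect and upstream certificates on the `https://jboss` and `https://*.themis.backend.syscid.com` proxy_pass targets are not checked; a comment on the `proxy:` snippet such as `{#- NOTE: proxy_ssl_verify is not enabled yet, backend certificates are unverified #}` would make that visible to anyone reusing it. Indentation of the `config:` lists is also mixed (flush in jboss-cluster.conf, indented elsewhere, and one-space-short under the second sso_public server) — valid YAML, but worth normalising to one style.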