From e3e4caaabe9795c56468e67c3b9105b2a5f53145 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 5 Feb 2023 19:19:27 +0100 Subject: [PATCH] web-proxy: IPv6 listener brackets Add logic to wrap IPv6 listening addresses in brackets, to prevent nginx from failing to start. Signed-off-by: Georg Pfuetzenreuter --- pillar/map.jinja | 4 ++++ pillar/role/web-proxy.sls | 11 ++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/pillar/map.jinja b/pillar/map.jinja index 849eb15..239144a 100644 --- a/pillar/map.jinja +++ b/pillar/map.jinja @@ -9,6 +9,8 @@ {#- START Listener detection logic -#} {%- set listen_ips = [] -%} +{%- set listen_ips4 = [] -%} +{%- set listen_ips6 = [] -%} {%- set minion = grains['id'] -%} {%- set legal6s = ('fd29', '2a01:4f8:11e:2200') -%} {%- set ip4s = salt.saltutil.runner('mine.get', tgt=minion, fun='network.ip_addrs', tgt_type='glob') -%} @@ -16,11 +18,13 @@ {%- if minion in ip4s -%}{%- for ip in ip4s[minion] -%} {%- if salt['network.is_private'](ip) -%} {%- do listen_ips.append(ip) -%} +{%- do listen_ips4.append(ip) -%} {%- endif -%} {%- endfor -%}{%- endif -%} {%- if minion in ip6s -%}{%- for ip in ip6s[minion] -%} {%- if ip.startswith(legal6s) -%} {%- do listen_ips.append(ip) -%} +{%- do listen_ips6.append(ip) -%} {%- endif -%} {%- endfor -%}{%- endif -%} diff --git a/pillar/role/web-proxy.sls b/pillar/role/web-proxy.sls index 2adc81c..398ecf0 100644 --- a/pillar/role/web-proxy.sls +++ b/pillar/role/web-proxy.sls @@ -1,4 +1,4 @@ -{%- from slspath ~ '/../map.jinja' import listen_ips -%} +{%- from slspath ~ '/../map.jinja' import listen_ips, listen_ips4, listen_ips6 -%} nginx: snippets: @@ -23,9 +23,14 @@ nginx: - fastcgi_param: SCRIPT_FILENAME $document_root$fastcgi_script_name {%- if listen_ips | length %} listen: - {%- for ip in listen_ips %} - - listen: {{ ip }}:443 ssl http2 + {%- for ip4 in listen_ips4 %} + - listen: {{ ip4 }}:443 ssl http2 {%- endfor %} + {%- if listen_ips6 | length %} + {%- for ip6 in listen_ips6 %} + - listen: '[{{ ip6 }}]:443 ssl http2' + {%- endfor %} + {%- endif %} {%- endif %} firewalld: