From 1b619358a8ffcec0385428275167220be4f8c02b Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 11:56:27 +0100
Subject: [PATCH 1/3] deriweb01: import nginx configuration
Transfer local/manual nginx configuration structure into pillar.
Signed-off-by: Georg Pfuetzenreuter
---
pillar/id/deriweb01_rigel_lysergic_dev.sls | 441 +++++++++++++++++++++
1 file changed, 441 insertions(+)
create mode 100644 pillar/id/deriweb01_rigel_lysergic_dev.sls
diff --git a/pillar/id/deriweb01_rigel_lysergic_dev.sls b/pillar/id/deriweb01_rigel_lysergic_dev.sls
new file mode 100644
index 0000000..5188a25
--- /dev/null
+++ b/pillar/id/deriweb01_rigel_lysergic_dev.sls
@@ -0,0 +1,441 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set resolver = '[2a01:4f8:11e:2200::2]' -%}
+
+{#- to-do: move other service hosts to backend dict #}
+{%- set backend = {'takahe': 'http://takahe.rigel.lysergic.dev:8000'} %}
+
+{#- generic macros #}
+{%- macro proxyheaders(ForRemAdd=False) -%}
+- proxy_set_header:
+ - 'Host $host'
+ - 'X-Real-IP $remote_addr'
+ - 'X-Forwarded-For {{ '$remote_addr' if ForRemAdd else '$proxy_add_x_forwarded_for' }}'
+ - 'X-Forwarded-Proto $scheme'
+{%- endmacro -%}
+{%- macro proxyheaders2(ForRemAdd=False) -%}
+{{ proxyheaders(ForRemAdd) | indent(16) }}
+{%- endmacro -%}
+{%- macro jf_proxyheaders() -%}
+{{ proxyheaders() | indent(16) }}
+ - 'X-Forwarded-Protocol $scheme'
+ - 'X-Forwarded-Host $http_host'
+{%- endmacro -%}
+{%- macro proxyheaders_upgrade() -%}
+- proxy_set_header: Upgrade $http_upgrade
+- proxy_set_header: Connection $connection_upgrade
+{%- endmacro -%}
+{%- macro proxyheaders2_upgrade() -%}
+{{ proxyheaders_upgrade() | indent(16) }}
+{%- endmacro -%}
+
+{#- application specific macros #}
+{%- macro lcwebirc(port, indentinner) -%}
+ - location /webirc:
+ - proxy_pass: http://[2a01:4f8:11e:2200::cafe]:{{ port }}
+ - proxy_http_version: 1.1
+ {{ proxyheaders_upgrade() | indent(16) }}
+ - proxy_set_header: X-Forwarded-For $remote_addr
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_read_timeout: 600s
+{%- endmacro -%}
+{%- macro lcactivitypub(wkpath) -%}
+ - location /.well-known/{{ wkpath }}:
+ - proxy_pass: {{ backend.takahe }}
+ - proxy_set_header: Host $http_host
+ - resolver: '{{ resolver }} ipv4=off valid=24h'
+{%- endmacro -%}
+{%- macro matterbridge_media(name) -%}
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_load
+ - snippets/tls
+ - server_name: {% if name == 'general' %}load.casa{%- else %}{{ name ~ '.load.casa' }}{%- endif %}
+ - location /:
+ - proxy_pass: http://libertacasa-{{ name }}.matterbridge.dericom02.rigel.lysergic.dev
+{%- endmacro -%}
+
+nginx:
+ snippets:
+ tls:
+ - resolver: '{{ resolver }}'
+
+ {#- certificate snippets #}
+ {{ nginx_crtkeypair('exhaustedlife', 'exhausted.life') | indent }}
+ {{ nginx_crtkeypair('georg', 'georg.systems') | indent }}
+ {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+ {{ nginx_crtkeypair('libertacasa2', 'libertacasa.net') | indent }}
+ {{ nginx_crtkeypair('load', 'load.casa') | indent }}
+ {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+ {{ nginx_crtkeypair('lysergic_media', 'lysergic.media') | indent }}
+ {{ nginx_crtkeypair('meet', 'meet.com.de') | indent }}
+ {{ nginx_crtkeypair('takahe', 'social.liberta.casa') | indent }}
+ {{ nginx_crtkeypair('pub_sectigo', 'pub') | indent }}
+
+ {#- locations shared between clearnet and Tor LibertaCasa servers #}
+ libertacasa:
+ - location /:
+ - root: /srv/www/liberta.casa/static/website
+ - index: index.html
+ - location /register:
+ - proxy_pass: http://[2a01:4f8:11e:2200::11]:8965
+ - location /kiwi:
+ - root: /srv/www/liberta.casa
+ - index: index.html
+ - try_files: $uri $uri/ =404
+ - location /gamja:
+ - root: /srv/www/liberta.casa
+ - index: index.html
+
+ servers:
+ managed:
+ general.conf:
+ available_dir: /etc/nginx/conf.d
+ config:
+ - server_names_hash_bucket_size: 128
+ - port_in_redirect: 'off'
+ - server_tokens: 'off'
+ - limit_conn_zone: $binary_remote_addr zone=georg_conn:15m
+ - limit_req_zone: $binary_remote_addr zone=georg_req:15m rate=30r/s
+
+ default-http.conf:
+ config:
+ - server:
+ - server_name: localhost
+ - listen:
+ - '80'
+ - location /:
+ - root: /srv/www/htdocs
+ - index: index.html
+
+ cytube.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - snippets/tls
+ - server_name: party.lysergic.dev
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::11]:8250
+ - proxy_set_header:
+ - X-Forwarded-For $proxy_add_x_forwarded_for
+ - X-Forwarded-Proto $scheme
+ - Host $http_host
+
+ default-https.conf:
+ config:
+ - server:
+ - listen:
+ - '[2a01:4f8:11e:2200::dead]:443 ssl http2 default_server'
+ - 10.0.10.7:443 ssl http2 default_server
+ - include: snippets/tls_lysergic
+ - root: /srv/www/htdocs
+
+ georg.conf:
+ config:
+ {%- macro georg_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_georg
+ - snippets/tls
+ {%- endmacro %}
+ - server:
+ {{ georg_includes() }}
+ - server_name: www.georg-pfuetzenreuter.net www.georg-pfuetzenreuter.de www.georg-pfuetzenreuter.at 240600.xyz
+ - return: 302 https://georg-pfuetzenreuter.net
+ - server:
+ {{ georg_includes() }}
+ - server_name: gippy.at
+ - return: 302 https://georg-pfuetzenreuter.net
+ - server:
+ {{ georg_includes() }}
+ - snippets/robots
+ - server_name: georg.systems georg-pfuetzenreuter.de
+ - location /:
+ - proxy_pass: https://georg-public01.rigel.lysergic.dev:8989
+ {{ proxyheaders_upgrade() | indent(18) }}
+ - limit_conn: georg_conn 10
+ - limit_req: zone=georg_req burst=5 delay=3
+ - client_body_buffer_size: 2M
+ - resolver: '{{ resolver }} ipv6=on valid=60m'
+ - server:
+ {{ georg_includes() }}
+ - server_name: georg-pfuetzenreuter.net pfuetzenreuter.at
+ - location /:
+ - proxy_pass: https://georg-public01.rigel.lysergic.dev:8989
+ {{ proxyheaders_upgrade() | indent(18) }}
+ - limit_conn: georg_conn 10
+ - limit_req: zone=georg_req burst=10 delay=5
+ - client_body_buffer_size: 2M
+ - resolver: '{{ resolver }} ipv6=on valid=60m'
+ - location /plain:
+ - root: /srv/www/georg
+ - autoindex: 'on'
+
+ hedgedoc.conf:
+ config:
+ {%- macro lysergic_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - snippets/tls
+ {%- endmacro %}
+ - map $http_upgrade $connection_upgrade:
+ - default: upgrade
+ - "''": close
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: hd.lysergic.dev hedge.lysergic.dev
+ - return: 302 https://hedgedoc.lysergic.dev
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: hedgedoc.lysergic.dev
+ - location /:
+ - proxy_pass: 'http://[2a01:4f8:11e:2200::11]:3000'
+ {{ proxyheaders2() }}
+ - location /socket.io/:
+ - proxy_pass: 'http://[2a01:4f8:11e:2200::11]:3000'
+ {{ proxyheaders2() }}
+ {{ proxyheaders2_upgrade() }}
+ - location /build:
+ - root: /srv/www/hedgedoc
+
+ hidden.conf:
+ config:
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ {#- source the same LibertaCasa locations used on the clearnet #}
+ - include: snippets/libertacasa
+ {#- this proxies to an ergo tor=true + websocket=true listener #}
+ {{ lcwebirc(6663) }}
+ {#- we rewrite the Kiwi configuration with one using our onion websocket #}
+ - location /kiwi/static/config.json:
+ - root: /srv/www/liberta.casa
+ - rewrite: ^/kiwi/static/config.json$ /kiwi/static/config_onion.json
+ {#- we rewrite Gamja configuration with one using our onion websocket #}
+ - location /gamja/config.json:
+ - root: /srv/www/liberta.casa
+ - rewrite: ^/gamja/config.json$ /gamja/config_onion.json
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: gitea.qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ - location /:
+ - proxy_pass: https://git.com.de
+ - proxy_ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
+ - server:
+ - listen: '[2a01:4f8:11e:2200::dead]:8085'
+ - server_name: cgit.qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion
+ - location /:
+ - proxy_pass: https://git.casa
+ - proxy_ssl_trusted_certificate: /etc/ssl/ca-bundle.pem
+
+ http.conf:
+ config:
+ - server:
+ - listen:
+ - 10.0.10.7:80 default_server
+ - '[2a01:4f8:11e:2200::dead]:80 default_server'
+ - include: snippets/robots
+ - location /:
+ - return: 301 https://$host$request_uri
+
+ jellyfin.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic_media
+ - snippets/tls
+ - server_name: lysergic.media www.lysergic.media
+ - set: '$jellyfin [2a01:4f8:11e:2200::abc]:8096'
+ - client_max_body_size: 20M
+ - add_header: X-Frame-Options "SAMEORIGIN"
+ - add_header: X-XSS-Protection "1; mode=block"
+ - add_header: X-Content-Type-Options "nosniff"
+ - location /:
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - location = /web/:
+ - proxy_pass: http://$jellyfin/web/index.html
+ {{ jf_proxyheaders() }}
+ - location /socket:
+ - proxy_pass: http://$jellyfin
+ - proxy_http_version: 1.1
+ {{ proxyheaders_upgrade() | indent(16) }}
+ {{ jf_proxyheaders() }}
+ - location @force_get:
+ - proxy_method: GET
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - location /Items:
+ - proxy_pass: http://$jellyfin
+ {{ jf_proxyheaders() }}
+ - proxy_buffering: 'off'
+ - error_page: 550 = @force_get
+ - if ($request_method = HEAD):
+ - return: 550
+ - access_log: /var/log/nginx/jellyfin.access.log
+ - error_log: /var/log/nginx/jellyfin.error.log
+
+ libertacasa.conf:
+ config:
+ {%- macro lc_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_libertacasa2
+ - snippets/tls
+ - snippets/robots
+ {%- endmacro %}
+ - server:
+ {{ lc_includes() }}
+ - server_name: libertacasa.net libsh.net libsh.com libsso.net libsso.com
+ - return: 302 https://liberta.casa
+ - server:
+ {{ lc_includes() }}
+ - snippets/error
+ - server_name: liberta.casa lib.casa www.liberta.casa www.lib.casa
+ - add_header: Onion-Location http://qzzf2qcfbhievvs5nzkccuwddroipy62qjocqtmgcgh75vd6w57m7yad.onion$request_uri
+ {#- this proxies to an ergo websocket=true listener #}
+ {{ lcwebirc(6661) }}
+ {#- we still receive a lot of attempted requests to this, let's reject it properly #}
+ - location /.well-known/matrix:
+ - return: 410
+ {#- IRC channel statistics/graphs #}
+ - location /stats:
+ - proxy_pass: https://stats.theia.psyched.dev/
+ {#- ActivityPub for @liberta.casa domain #}
+ {{ lcactivitypub('webfinger') }}
+ {{ lcactivitypub('host-meta') }}
+ {{ lcactivitypub('nodeinfo') }}
+
+ matterbridge.conf:
+ config:
+ {{ matterbridge_media('general') }}
+ {{ matterbridge_media('irc') }}
+
+ meet.conf:
+ config:
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: meet.lysergic.dev meet.liberta.casa
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443/
+ - proxy_http_version: 1.1
+ {{ proxyheaders2(True) }}
+ {{ proxyheaders2_upgrade() }}
+ - tcp_nodelay: 'on'
+ - modsecurity_rules: "'SecRuleRemoveById 949110'"
+
+ openmeetings.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_meet
+ - snippets/tls
+ - server_name: meet.com.de www.meet.com.de
+ - location /:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443
+ - proxy_buffering: 'off'
+ - proxy_pass_header: Server
+ {{ proxyheaders2(True) }}
+ - location /openmeetings/wicket/websocket:
+ - proxy_pass: https://[2a01:4f8:11e:2200::c3]:5443/openmeetings/wicket/websocket
+ - proxy_buffering: 'off'
+ - proxy_pass_header: Server
+ {{ proxyheaders2(True) }}
+ {{ proxyheaders2_upgrade() }}
+
+ plantuml.conf:
+ config:
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: pu.lysergic.dev uml.lysergic.dev
+ - return: 302 https://plantuml.lysergic.dev
+ - server:
+ {{ lysergic_includes() }}
+ - server_name: plantuml.lysergic.dev
+ - location /:
+ - proxy_pass: http://[2a01:4f8:11e:2200::11]:8086
+ {#- PlantUML needs a very specific proxy configuration, hence not using the macros #}
+ - proxy_set_header: HOST $host
+ - proxy_set_header: X-Forwarded-Host $host
+ - proxy_set_header: X-Forwarded-Proto $scheme
+ - proxy_redirect: http://$host/ https://$host/
+
+ pub.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_pub_sectigo
+ - snippets/tls
+ - server_name: pub.syscid.com
+ - root: /srv/www/pub
+ - autoindex: 'on'
+
+ takahe.conf:
+ config:
+ {%- macro takahe_includes() %}
+ - include:
+ - snippets/listen
+ - snippets/tls_takahe
+ - snippets/tls
+ - snippets/robots
+ - snippets/error
+ {%- endmacro %}
+ {%- macro takahe_gohome() %}
+ - location = /:
+ - return: 302 https://social.liberta.casa
+ {%- endmacro %}
+ {%- set takaheresolver = '- resolver: ' ~ '\'' ~ resolver ~ ' ipv4=off ipv6=on valid=24h\'' -%}
+ {#- Main #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: social.liberta.casa
+ - location /:
+ - proxy_pass: {{ backend.takahe }}
+ {#- does not need X-Real-IP, to-do: add conditional to macro #}
+ {{ proxyheaders2() }}
+ {{ takaheresolver }}
+ {#- Media #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: social.load.casa
+ {{ takahe_gohome() }}
+ - location /:
+ - proxy_pass: http://media.takahe.rigel.lysergic.dev:8001
+ {{ takaheresolver }}
+ {#- despair.life is a second entry-point to social.liberta.casa instead of only a secondary domain in Takahe #}
+ - server:
+ {{ takahe_includes() }}
+ - server_name: despair.life
+ {{ takahe_gohome() }}
+ {#- if someone clicks "Log in" on despair.life, the SAML IDP (Keycloak) would redirect back to despair.life, which breaks the session cookie originating from social.liberta.casa (Django only allows a single "cookie domain" - hence we rewrite the login endpoints to handle sessions exclusively via social.liberta.casa #}
+ {%- for talopath in ['auth', 'saml2'] %}
+ - location /{{ talopath }}:
+ - rewrite: ^/(.*) https://social.liberta.casa/$1 redirect
+ {%- endfor %}
+ - location /:
+ - proxy_pass: {{ backend.takahe }}
+ {{ proxyheaders2() }}
+ {{ takaheresolver }}
+ {#- exhausted.life (secondary domain in Takahe) #}
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_exhaustedlife
+ - snippets/tls
+ - snippets/robots
+ - snippets/error
+ - server_name: exhausted.life
+ {{ takahe_gohome() }}
+ - location /.well-known/:
+ - proxy_pass: {{ backend.takahe }}
+ - sub_filter_types: application/xml
+ - sub_filter: takahe.rigel.lysergic.dev:8000 exhausted.life
+
-- 
2.35.3
From 785986d2acc45ddb5451dffc1840b13accdd871c Mon Sep 17 00:00:00 2001
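Review bot: The two onion-side reverse proxies in hidden.conf (the `gitea.` and `cgit.` server blocks) set `proxy_ssl_trusted_certificate` without `proxy_ssl_verify`, and nginx leaves `proxy_ssl_verify` off by default, so the CA bundle is never consulted and the upstream certificate of git.com.de / git.casa is not validated; as written the directive is inert. In each of those two `location /` blocks add `- proxy_ssl_verify: 'on'` and `- proxy_ssl_server_name: 'on'` so the chain is checked and SNI carries the upstream name. The default branch of the `proxyheaders` macro emits `$proxy_add_x_forwarded_for`, which appends to whatever X-Forwarded-For a client already sent, so backends must read the rightmost entry for it to be trustworthy; since the `ForRemAdd` switch exists for the other case, a one-line macro comment stating that expectation, e.g. `{#- default XFF is client-appendable; backends must take the last hop, or pass ForRemAdd=True #}`, would keep callers from picking the wrong form.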
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 12:07:13 +0100
Subject: [PATCH 2/3] Enable syntax highlighting
Initially for .sls and .jinja/.j2 files - we can add others later on if needed.
Signed-off-by: Georg Pfuetzenreuter
---
.gitattributes | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 .gitattributes
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..f086e49
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+*.sls gitlab-language=jinja?parent=yaml
+*.jinja gitlab-language=jinja
+*.j2 gitlab-language=jinja
-- 
2.35.3
From 5e02090bc6037ac2e30190d97c3717c3fee01f96 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 5 Feb 2023 14:29:25 +0100
Subject: [PATCH 3/3] web-proxy: add firewall configuration
Allow internal http and https to pass on web proxies.
To-do: logic for web proxies directly attached to the internet.
Signed-off-by: Georg Pfuetzenreuter
---
pillar/role/web-proxy.sls | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pillar/role/web-proxy.sls b/pillar/role/web-proxy.sls
index 1b7497c..2adc81c 100644
--- a/pillar/role/web-proxy.sls
+++ b/pillar/role/web-proxy.sls
@@ -28,4 +28,9 @@ nginx:
 {%- endfor %}
 {%- endif %}
-
+firewalld:
+ zones:
+ internal:
+ services:
+ - http
+ - https
-- 
2.35.3
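Review bot: The new `firewalld` block in pillar/role/web-proxy.sls opens http and https only in the `internal` zone, and a firewalld zone only applies to the interfaces or sources bound to it, so this has no effect unless the web-proxy role elsewhere assigns the proxy's internal interface to `internal`; nothing in this hunk does, so that binding is worth confirming against the firewalld state. The commit message defers internet-attached proxies, and the first patch in this series already listens on public addresses for 80/443 and on port 8085 for the onion services, none of which this zone covers. A pillar comment next to the data, e.g. `{#- to-do: zone/ports for internet-facing listeners (public 80/443, onion 8085) are not handled here yet #}`, would keep that gap visible where the next editor will look rather than only in git history.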