generate redirect for ever virtualhost
This commit is contained in:
goeranh
parent
86ae8197b5
commit
599f0803a1
1 changed files with 107 additions and 102 deletions
|
|
@ -122,22 +122,26 @@
|
||||||
prev: name:
|
prev: name:
|
||||||
let
|
let
|
||||||
cfg = self.nixosConfigurations.${name}.config;
|
cfg = self.nixosConfigurations.${name}.config;
|
||||||
|
vhosts = builtins.attrNames cfg.services.nginx.virtualHosts;
|
||||||
|
address =
|
||||||
|
(builtins.head
|
||||||
|
# dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel
|
||||||
|
cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses
|
||||||
|
).address;
|
||||||
in
|
in
|
||||||
prev
|
prev
|
||||||
// {
|
// (builtins.foldl' (
|
||||||
"${name}" = {
|
val: vhost:
|
||||||
dest =
|
val
|
||||||
(builtins.head
|
// {
|
||||||
# dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel
|
"${vhost}" = {
|
||||||
cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses
|
dest = address;
|
||||||
).address;
|
domain = vhost;
|
||||||
# bisher wird ein redirect für den ersten virtualHost generiert
|
httpsPort = 443;
|
||||||
# TODO rediret für jeden virtualHost
|
httpPort = 80;
|
||||||
domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts);
|
};
|
||||||
httpsPort = 443;
|
}
|
||||||
httpPort = 80;
|
) { } vhosts)
|
||||||
};
|
|
||||||
}
|
|
||||||
)
|
)
|
||||||
{ }
|
{ }
|
||||||
(
|
(
|
||||||
|
|
@ -187,109 +191,110 @@
|
||||||
haproxy = {
|
haproxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = ''
|
config = ''
|
||||||
global
|
global
|
||||||
# schreibe globalen log ins journal ip -> app
|
# schreibe globalen log ins journal ip -> app
|
||||||
log /dev/log format raw local0
|
log /dev/log format raw local0
|
||||||
maxconn 50000
|
maxconn 50000
|
||||||
# man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
|
# man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
|
||||||
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||||
tune.bufsize 32762
|
tune.bufsize 32762
|
||||||
|
|
||||||
defaults
|
defaults
|
||||||
log global
|
log global
|
||||||
mode tcp
|
mode tcp
|
||||||
option tcplog
|
option tcplog
|
||||||
timeout connect 5s
|
timeout connect 5s
|
||||||
timeout client 30s
|
timeout client 30s
|
||||||
timeout server 30s
|
timeout server 30s
|
||||||
|
|
||||||
# stats seite zeigt backend connection status, wenn check gesetzt ist
|
# stats seite zeigt backend connection status, wenn check gesetzt ist
|
||||||
frontend stats
|
frontend stats
|
||||||
bind 127.0.0.1:8404
|
bind 127.0.0.1:8404
|
||||||
mode http
|
mode http
|
||||||
stats enable
|
stats enable
|
||||||
stats uri /stats
|
stats uri /stats
|
||||||
stats refresh 10s
|
stats refresh 10s
|
||||||
stats show-legends
|
stats show-legends
|
||||||
stats show-node
|
stats show-node
|
||||||
stats show-modules
|
stats show-modules
|
||||||
|
|
||||||
frontend http-in
|
frontend http-in
|
||||||
bind *:80
|
bind *:80
|
||||||
|
|
||||||
# hier wird eine regel pro domain aus der forwarder liste generiert
|
# hier wird eine regel pro domain aus der forwarder liste generiert
|
||||||
${lib.foldlAttrs (
|
${lib.foldlAttrs (
|
||||||
prev: name: value:
|
prev: name: value:
|
||||||
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
|
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
|
||||||
) "" forwards}
|
) "" forwards}
|
||||||
|
|
||||||
# ist request eine acme challenge?
|
# ist request eine acme challenge?
|
||||||
acl is_acme path_beg /.well-known/acme-challenge/
|
acl is_acme path_beg /.well-known/acme-challenge/
|
||||||
|
|
||||||
# pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist
|
# pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist
|
||||||
${lib.foldlAttrs (
|
${lib.foldlAttrs (
|
||||||
prev: name: value:
|
prev: name: value:
|
||||||
prev + ''
|
prev
|
||||||
use_backend ${name}_80 if is_${name}
|
+ ''
|
||||||
http-request redirect scheme https code 301 if !is_acme is_${name}
|
use_backend ${name}_80 if is_${name}
|
||||||
''
|
http-request redirect scheme https code 301 if !is_acme is_${name}
|
||||||
) "" forwards}
|
''
|
||||||
|
) "" forwards}
|
||||||
|
|
||||||
# das default backend zeigt die liste aller redirects an
|
# das default backend zeigt die liste aller redirects an
|
||||||
# die liste darf nicht auf 443 redirected werden, da cert fehlt
|
# die liste darf nicht auf 443 redirected werden, da cert fehlt
|
||||||
default_backend default_backend
|
default_backend default_backend
|
||||||
|
|
||||||
# ssh redirect srs2
|
# ssh redirect srs2
|
||||||
frontend ssh_jump_alt
|
frontend ssh_jump_alt
|
||||||
bind *:2142
|
bind *:2142
|
||||||
mode tcp
|
mode tcp
|
||||||
# gönn mal session timeout
|
# gönn mal session timeout
|
||||||
timeout client 30m
|
timeout client 30m
|
||||||
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
||||||
use_backend ssh_srs2
|
use_backend ssh_srs2
|
||||||
|
|
||||||
# ---- SNI routing (TCP, peek at handshake) ----
|
# ---- SNI routing (TCP, peek at handshake) ----
|
||||||
frontend sni_router
|
frontend sni_router
|
||||||
bind *:443
|
bind *:443
|
||||||
mode tcp
|
mode tcp
|
||||||
# mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht
|
# mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht
|
||||||
tcp-request inspect-delay 1s
|
tcp-request inspect-delay 1s
|
||||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||||
|
|
||||||
# tcp redirect der anwendung basierend auf ssl_sni handshake parameter
|
# tcp redirect der anwendung basierend auf ssl_sni handshake parameter
|
||||||
${lib.foldlAttrs (
|
${lib.foldlAttrs (
|
||||||
prev: name: value:
|
prev: name: value:
|
||||||
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
||||||
) "" forwards}
|
) "" forwards}
|
||||||
|
|
||||||
# default backend http static file generated above
|
# default backend http static file generated above
|
||||||
backend default_backend
|
backend default_backend
|
||||||
mode http
|
mode http
|
||||||
http-request return status 200 content-type "text/html" file ${indexPage}
|
http-request return status 200 content-type "text/html" file ${indexPage}
|
||||||
|
|
||||||
# ssh srs2 backend
|
# ssh srs2 backend
|
||||||
backend ssh_srs2
|
backend ssh_srs2
|
||||||
mode tcp
|
mode tcp
|
||||||
timeout server 30m
|
timeout server 30m
|
||||||
timeout connect 10s
|
timeout connect 10s
|
||||||
option tcpka
|
option tcpka
|
||||||
server srs2 141.56.51.2:80 check
|
server srs2 141.56.51.2:80 check
|
||||||
|
|
||||||
# ein backend pro forwards eintrag für port 80 und 443
|
# ein backend pro forwards eintrag für port 80 und 443
|
||||||
${lib.foldlAttrs (
|
${lib.foldlAttrs (
|
||||||
prev: name: value:
|
prev: name: value:
|
||||||
prev
|
prev
|
||||||
+ ''
|
+ ''
|
||||||
|
|
||||||
backend ${name}_80
|
backend ${name}_80
|
||||||
mode http
|
mode http
|
||||||
server ${name} ${value.dest}:${builtins.toString value.httpPort}
|
server ${name} ${value.dest}:${builtins.toString value.httpPort}
|
||||||
backend ${name}_443
|
backend ${name}_443
|
||||||
mode tcp
|
mode tcp
|
||||||
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
|
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
|
||||||
|
|
||||||
''
|
''
|
||||||
) "" forwards}
|
) "" forwards}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue