generate redirect for ever virtualhost
This commit is contained in:
goeranh
parent
86ae8197b5
commit
599f0803a1
1 changed files with 107 additions and 102 deletions
|
|
@ -122,22 +122,26 @@
|
|||
prev: name:
|
||||
let
|
||||
cfg = self.nixosConfigurations.${name}.config;
|
||||
vhosts = builtins.attrNames cfg.services.nginx.virtualHosts;
|
||||
address =
|
||||
(builtins.head
|
||||
# dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel
|
||||
cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses
|
||||
).address;
|
||||
in
|
||||
prev
|
||||
// {
|
||||
"${name}" = {
|
||||
dest =
|
||||
(builtins.head
|
||||
# dieser ausdruck ermittelt den interface namen und die ipv4 addresse als redirect ziel
|
||||
cfg.networking.interfaces.${builtins.head (builtins.attrNames cfg.networking.interfaces)}.ipv4.addresses
|
||||
).address;
|
||||
# bisher wird ein redirect für den ersten virtualHost generiert
|
||||
# TODO rediret für jeden virtualHost
|
||||
domain = builtins.head (builtins.attrNames cfg.services.nginx.virtualHosts);
|
||||
httpsPort = 443;
|
||||
httpPort = 80;
|
||||
};
|
||||
}
|
||||
// (builtins.foldl' (
|
||||
val: vhost:
|
||||
val
|
||||
// {
|
||||
"${vhost}" = {
|
||||
dest = address;
|
||||
domain = vhost;
|
||||
httpsPort = 443;
|
||||
httpPort = 80;
|
||||
};
|
||||
}
|
||||
) { } vhosts)
|
||||
)
|
||||
{ }
|
||||
(
|
||||
|
|
@ -187,109 +191,110 @@
|
|||
haproxy = {
|
||||
enable = true;
|
||||
config = ''
|
||||
global
|
||||
# schreibe globalen log ins journal ip -> app
|
||||
log /dev/log format raw local0
|
||||
maxconn 50000
|
||||
# man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
|
||||
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
tune.bufsize 32762
|
||||
global
|
||||
# schreibe globalen log ins journal ip -> app
|
||||
log /dev/log format raw local0
|
||||
maxconn 50000
|
||||
# man könnte metriken über einen socket file statt einen lokalen port machen für user permission control
|
||||
# stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
|
||||
tune.bufsize 32762
|
||||
|
||||
defaults
|
||||
log global
|
||||
mode tcp
|
||||
option tcplog
|
||||
timeout connect 5s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
defaults
|
||||
log global
|
||||
mode tcp
|
||||
option tcplog
|
||||
timeout connect 5s
|
||||
timeout client 30s
|
||||
timeout server 30s
|
||||
|
||||
# stats seite zeigt backend connection status, wenn check gesetzt ist
|
||||
frontend stats
|
||||
bind 127.0.0.1:8404
|
||||
mode http
|
||||
stats enable
|
||||
stats uri /stats
|
||||
stats refresh 10s
|
||||
stats show-legends
|
||||
stats show-node
|
||||
stats show-modules
|
||||
# stats seite zeigt backend connection status, wenn check gesetzt ist
|
||||
frontend stats
|
||||
bind 127.0.0.1:8404
|
||||
mode http
|
||||
stats enable
|
||||
stats uri /stats
|
||||
stats refresh 10s
|
||||
stats show-legends
|
||||
stats show-node
|
||||
stats show-modules
|
||||
|
||||
frontend http-in
|
||||
bind *:80
|
||||
frontend http-in
|
||||
bind *:80
|
||||
|
||||
# hier wird eine regel pro domain aus der forwarder liste generiert
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
|
||||
) "" forwards}
|
||||
# hier wird eine regel pro domain aus der forwarder liste generiert
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
|
||||
) "" forwards}
|
||||
|
||||
# ist request eine acme challenge?
|
||||
acl is_acme path_beg /.well-known/acme-challenge/
|
||||
# ist request eine acme challenge?
|
||||
acl is_acme path_beg /.well-known/acme-challenge/
|
||||
|
||||
# pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + ''
|
||||
use_backend ${name}_80 if is_${name}
|
||||
http-request redirect scheme https code 301 if !is_acme is_${name}
|
||||
''
|
||||
) "" forwards}
|
||||
# pro domain wird ein backend festgelegt und auf https redirected wenn es keine acme request ist
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev
|
||||
+ ''
|
||||
use_backend ${name}_80 if is_${name}
|
||||
http-request redirect scheme https code 301 if !is_acme is_${name}
|
||||
''
|
||||
) "" forwards}
|
||||
|
||||
# das default backend zeigt die liste aller redirects an
|
||||
# die liste darf nicht auf 443 redirected werden, da cert fehlt
|
||||
default_backend default_backend
|
||||
# das default backend zeigt die liste aller redirects an
|
||||
# die liste darf nicht auf 443 redirected werden, da cert fehlt
|
||||
default_backend default_backend
|
||||
|
||||
# ssh redirect srs2
|
||||
frontend ssh_jump_alt
|
||||
bind *:2142
|
||||
mode tcp
|
||||
# gönn mal session timeout
|
||||
timeout client 30m
|
||||
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
||||
use_backend ssh_srs2
|
||||
# ssh redirect srs2
|
||||
frontend ssh_jump_alt
|
||||
bind *:2142
|
||||
mode tcp
|
||||
# gönn mal session timeout
|
||||
timeout client 30m
|
||||
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
|
||||
use_backend ssh_srs2
|
||||
|
||||
# ---- SNI routing (TCP, peek at handshake) ----
|
||||
frontend sni_router
|
||||
bind *:443
|
||||
mode tcp
|
||||
# mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht
|
||||
tcp-request inspect-delay 1s
|
||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||
# ---- SNI routing (TCP, peek at handshake) ----
|
||||
frontend sni_router
|
||||
bind *:443
|
||||
mode tcp
|
||||
# mehrere pakete puffern und connection beenden wenn es kein ssl handshake sieht
|
||||
tcp-request inspect-delay 1s
|
||||
tcp-request content accept if { req_ssl_hello_type 1 }
|
||||
|
||||
# tcp redirect der anwendung basierend auf ssl_sni handshake parameter
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
||||
) "" forwards}
|
||||
# tcp redirect der anwendung basierend auf ssl_sni handshake parameter
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
|
||||
) "" forwards}
|
||||
|
||||
# default backend http static file generated above
|
||||
backend default_backend
|
||||
mode http
|
||||
http-request return status 200 content-type "text/html" file ${indexPage}
|
||||
# default backend http static file generated above
|
||||
backend default_backend
|
||||
mode http
|
||||
http-request return status 200 content-type "text/html" file ${indexPage}
|
||||
|
||||
# ssh srs2 backend
|
||||
backend ssh_srs2
|
||||
mode tcp
|
||||
timeout server 30m
|
||||
timeout connect 10s
|
||||
option tcpka
|
||||
server srs2 141.56.51.2:80 check
|
||||
# ssh srs2 backend
|
||||
backend ssh_srs2
|
||||
mode tcp
|
||||
timeout server 30m
|
||||
timeout connect 10s
|
||||
option tcpka
|
||||
server srs2 141.56.51.2:80 check
|
||||
|
||||
# ein backend pro forwards eintrag für port 80 und 443
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev
|
||||
+ ''
|
||||
# ein backend pro forwards eintrag für port 80 und 443
|
||||
${lib.foldlAttrs (
|
||||
prev: name: value:
|
||||
prev
|
||||
+ ''
|
||||
|
||||
backend ${name}_80
|
||||
mode http
|
||||
server ${name} ${value.dest}:${builtins.toString value.httpPort}
|
||||
backend ${name}_443
|
||||
mode tcp
|
||||
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
|
||||
backend ${name}_80
|
||||
mode http
|
||||
server ${name} ${value.dest}:${builtins.toString value.httpPort}
|
||||
backend ${name}_443
|
||||
mode tcp
|
||||
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
|
||||
|
||||
''
|
||||
) "" forwards}
|
||||
''
|
||||
) "" forwards}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue