diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix
index 304becf..80c0bb3 100644
--- a/hosts/nextcloud/default.nix
+++ b/hosts/nextcloud/default.nix
@@ -87,6 +87,11 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+    commonHttpConfig = ''
+      real_ip_header proxy_protocol;
+      set_real_ip_from 141.56.51.1/32;
+    '';
+
     logError = ''
       /dev/null emerg
     '';
@@ -94,9 +99,21 @@
     virtualHosts.${config.networking.fqdn} = {
       forceSSL = true;
       enableACME = true;
-      extraConfig = ''
-        access_log off;
-      '';
+      listen = [
+        {
+          port = 80;
+          addr = "0.0.0.0";
+        }
+        {
+          port = 443;
+          addr = "0.0.0.0";
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+      # extraConfig = ''
+      #   access_log off;
+      # '';
     };
     # virtualHosts."cloud.htw.stura-dresden.de" = {
     #   forceSSL = true;
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 52c9d82..a806790 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
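Review bot: `set_real_ip_from 141.56.51.1/32` is the only thing that stops an arbitrary peer from rewriting `$remote_addr` through the PROXY header, so the hard-coded address deserves a comment saying exactly that, e.g. `# only the HAProxy front end (141.56.51.1) may set the client address via PROXY protocol v2`. The same two lines are added verbatim to hosts/redmine/default.nix in this commit; keeping the proxy address in one shared module option would stop the two copies from drifting. If HAProxy ever reaches this host over IPv6 or loopback, the /32 will not match and requests silently keep the proxy's address on the backend — hedged, since the proxy host's own addresses are not in this hunk.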
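Review bot: The new `listen` entry turns 0.0.0.0:443 into a PROXY-protocol-only port, so the host is now usable only through HAProxy, yet nothing in the hunk limits who can reach that port; `set_real_ip_from` prevents address spoofing by other peers, it does not stop them from connecting. Binding the 443 entry to the address HAProxy talks to, or restricting it in `networking.firewall`, makes the trust boundary explicit, and a one-line comment such as `# 443 expects PROXY v2 from HAProxy only; 80 stays plain (ACME / redirect)` records why the two listeners differ. Re-enabling the access log (the commented-out `access_log off`) is presumably intentional now that it shows real client addresses; the dead commented block could be dropped rather than kept. The `virtualHosts` entry ends inside the hunk, but the enclosing `services.nginx` block continues outside it.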
@@ -98,108 +98,112 @@
         domain = "docs.adm.htw.stura-dresden.de";
         httpPort = 8080;
         httpsPort = 8443;
+        sendProxy = false;
       };
       plone = {
         dest = "141.56.51.3";
         domain = "stura.htw-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       plone_alt = {
         dest = "141.56.51.3";
         domain = "www.stura.htw-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       plone_neu = {
         dest = "141.56.51.3";
         domain = "www.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       plone_neu2 = {
         dest = "141.56.51.3";
         domain = "htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       tix = {
         dest = "141.56.51.220";
         domain = "tix.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       post = {
         dest = "141.56.51.56";
         domain = "post.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       vot = {
         dest = "141.56.51.57";
         domain = "vot.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       mail = {
         dest = "141.56.51.14";
         domain = "mail.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       lists = {
         dest = "141.56.51.14";
         domain = "lists.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       dat = {
         dest = "141.56.51.17";
         domain = "dat.stu.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
-      };
-      pro = {
-        dest = "141.56.51.15";
-        domain = "pro.htw.stura-dresden.de";
-        httpPort = 80;
-        httpsPort = 443;
-      };
-      cloud = {
-        dest = "141.56.51.16";
-        domain = "cloud.htw.stura-dresden.de";
-        httpPort = 80;
-        httpsPort = 443;
+        sendProxy = false;
       };
       wiki = {
         dest = "141.56.51.13";
         domain = "wiki.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = true;
       };
       beach = {
         dest = "141.56.51.51";
         domain = "beach.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy = false;
       };
       studicloud = {
         dest = "141.56.51.17";
         domain = "dat.stu.htw.stura-dresden.de";
         httpPort = 80;
         httpsPort = 443;
+        sendProxy =
false; }; bbb = { dest = "141.56.51.94"; domain = "bbb.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; bbb-test = { dest = "141.56.51.94"; domain = "bbb.test.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; } # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert @@ -218,6 +222,15 @@ prev // (builtins.foldl' ( val: vhost: + let + proxyProtocol = + if + self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [ ] + then + false + else + true; + in val // { "${vhost}" = { @@ -225,6 +238,7 @@ domain = vhost; httpsPort = 443; httpPort = 80; + sendProxy = proxyProtocol; }; } ) { } vhosts) @@ -525,7 +539,9 @@ option tcpka # Enable server TCP keep-alive (Phase 4) timeout server 60s # Increase from 30s for long-lived HTTPS timeout connect 3s # Reduce from 5s (local network) - server ${name} ${value.dest}:${builtins.toString value.httpsPort} check inter 3000 rise 2 fall 3 maxconn 5000 + server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${ + if value.sendProxy == true then "send-proxy-v2" else "" + } check inter 3000 rise 2 fall 3 maxconn 5000 '' ) "" forwards} diff --git a/hosts/redmine/default.nix b/hosts/redmine/default.nix index 6bc3d5e..3e3e183 100644 --- a/hosts/redmine/default.nix +++ b/hosts/redmine/default.nix 
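Review bot: `proxyProtocol` is derived from whether the target host's vhost has a non-empty `listen` list at all, not from whether one of its entries actually sets `proxyProtocol = true`; a vhost that customises `listen` for another reason (an extra port, an IPv6 address) would receive `send-proxy-v2` from HAProxy and then fail, because its nginx listener expects plain TLS. Checking the flag itself is more precise and reads as documentation of the intent: `proxyProtocol = builtins.any (l: l.proxyProtocol or false) self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen;`. The enclosing `builtins.foldl'` lambda starts and ends outside the hunk.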
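Review bot: With `send-proxy-v2` the backend believes whatever client address HAProxy writes into the header, so the real-IP chain is only as trustworthy as the backend's 443 port being reachable from this proxy alone; that assumption deserves a comment on the server line, e.g. `# send-proxy-v2: backend must accept PROXY only from this host (nginx set_real_ip_from / httpd RemoteIPProxyProtocol)`. The flag is applied to the HTTPS server line only, so a backend that enables PROXY protocol has to keep its port-80 listener plain — recording that in the description of the `sendProxy` option (defined outside this hunk) would prevent a later mismatch. HAProxy reuses the server's PROXY setting for health checks unless the check targets a different address or port; if that is ever the case here, `check-send-proxy` is needed for the `check` to keep passing. Stylistically, `${lib.optionalString value.sendProxy "send-proxy-v2"}` expresses the same as the `if value.sendProxy == true then … else ""` form, if `lib` is in scope.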
@@ -137,10 +137,26 @@ services.nginx.appendHttpConfig = '' access_log off; ''; + services.nginx.commonHttpConfig = '' + real_ip_header proxy_protocol; + set_real_ip_from 141.56.51.1/32; + ''; #### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server. services.nginx.virtualHosts."${config.networking.fqdn}" = { #### https://search.nixos.org/options?show=services.nginx.virtualHosts..default + listen = [ + { + port = 80; + addr = "0.0.0.0"; + } + { + port = 443; + addr = "0.0.0.0"; + ssl = true; + proxyProtocol = true; + } + ]; default = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}"; diff --git a/hosts/wiki/default.nix b/hosts/wiki/default.nix index bd8bbb6..c73a5cb 100644 --- a/hosts/wiki/default.nix +++ b/hosts/wiki/default.nix @@ -99,6 +99,17 @@ services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword"; + services.httpd = { + extraModules = [ "remoteip" ]; + + extraConfig = '' + # Trust HAProxy's address (adjust to your HAProxy IP/subnet) + RemoteIPProxyProtocol On + # RemoteIPProxyProtocolExceptions 127.0.0.1 ::1 + + RemoteIPTrustedProxy 141.56.51.1/32 + ''; + }; #### 2024-02-17 vater: #### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'. # services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de"; 
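Review bot: The proxy-protocol listener on 0.0.0.0:443 is also the `default` server, so every TLS connection that does not carry a PROXY v2 header — anything not arriving via HAProxy — now fails at the protocol level, and the hunk does not say whether 443 is otherwise reachable; a firewall rule or a bound address would pin the trust boundary down. The `commonHttpConfig` block and the `listen` list are byte-for-byte the same as the ones added to hosts/nextcloud/default.nix in this commit, which argues for a small shared module with the HAProxy address as its single option instead of two literal copies of `141.56.51.1/32`. A comment should also note that the port-80 listener stays plain, so `$remote_addr` there is still the proxy's address: `# 80 carries no PROXY protocol: HAProxy only sends it on the https backend`. The `services.nginx.virtualHosts` block continues past the end of the hunk.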
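Review bot: `RemoteIPProxyProtocol On` at server-config level applies to every listener of this httpd, including port 80, while the HAProxy side of this commit adds `send-proxy-v2` only on the HTTPS backend line; plain-HTTP requests to the wiki through the proxy would therefore be rejected for lacking a PROXY header. Scoping the directive to the 443 virtual host (mod_remoteip accepts it in `<VirtualHost>` context) or sending PROXY on the http backend as well resolves the mismatch. Separately, `RemoteIPTrustedProxy` only gates the `RemoteIPHeader` (X-Forwarded-For) path and does not restrict who may send a PROXY header — in PROXY mode every peer on that port is believed unless listed in `RemoteIPProxyProtocolExceptions` — so the comment should state what actually protects the client address: `# PROXY protocol is trusted from any peer on this port; 443 must be reachable from HAProxy (141.56.51.1) only`. The template remark "adjust to your HAProxy IP/subnet" reads as copied boilerplate and can go.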
@@ -150,8 +161,8 @@ Lockdown = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz"; # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_45-a46dbea.tar.gz"; - sha256 = "sha256-zTTpbQiqudLILPSzmKGjKr6wZjh0YUttGmqwjPpAToc="; + url = "https://extdist.wmflabs.org/dist/extensions/CategoryLockdown-REL1_45-a715472.tar.gz"; + sha256 = "sha256-1gl5m9xkmLrdjoR0M13gcQHLtZt4Bt0PUXDiDEqjpvk="; }; #### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen @@ -168,8 +179,8 @@ #### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden #### https://www.mediawiki.org/wiki/Extension:ContributionScores ContributionScores = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_45-cd4c94b.tar.gz"; - sha256 = "sha256-8ClNtEQ66deKM1DsRYaaZ3KlRl4yCt6UhpXcozRQzQ8="; + url = "https://extdist.wmflabs.org/dist/extensions/ContributionCredits-REL1_45-22c28de.tar.gz"; + sha256 = "sha256-9T67jCEYQyU7P9sN7tYbnevU5+FX6Y1nydXGEdzQS9k="; }; #### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise @@ -190,8 +201,8 @@ #### https://www.mediawiki.org/wiki/Extension:UserMerge UserMerge = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-446566b.tar.gz"; - sha256 = "sha256-DTDKlzet3lThh/sRLucyb8b9lhK5FYZ+dMgwrThFFBM="; + url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-437c211.tar.gz"; + sha256 = "sha256-DWdcvubqZkvtywuDEOjui68WYuETt5hGpJJlpZ+pJgE="; }; };
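Review bot: The attribute is still named `Lockdown` and the commented-out REL1_43/REL1_44 URLs above it still point at Lockdown, but the new URL and hash pin the `CategoryLockdown-REL1_45` tarball, which is a different extension with its own configuration variables; if the switch is intended, rename the attribute (it becomes the `extensions/<name>` directory MediaWiki loads) and update the comment lines, otherwise this looks like a mis-paste. The pinned `sha256` does guarantee the build fetches exactly the tarball named in the URL, so the change is at least reproducible. The `extensions` attribute set continues outside the hunk.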
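Review bot: The heading comment and the `https://www.mediawiki.org/wiki/Extension:ContributionScores` link still describe ContributionScores, but the attribute now fetches `ContributionCredits-REL1_45`; these are different extensions, so either the attribute name, comment and link should follow the change (e.g. `ContributionCredits = pkgs.fetchzip {` and `#### https://www.mediawiki.org/wiki/Extension:ContributionCredits`) or the URL edit is unintended. Any LocalSettings that reference the old extension's variables would need the same review, though those lines are not in this hunk.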