From 9041fe3d699cbbbf9d0a822a87ec76a821399809 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Mon, 20 Apr 2026 08:56:40 +0200
Subject: [PATCH 1/8] conditionally send proxy protocol
---
hosts/proxy/default.nix | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 52c9d82..8c1b49c 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -98,108 +98,126 @@ domain = "docs.adm.htw.stura-dresden.de"; httpPort = 8080; httpsPort = 8443; + sendProxy = false; }; plone = { dest = "141.56.51.3"; domain = "stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_alt = { dest = "141.56.51.3"; domain = "www.stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_neu = { dest = "141.56.51.3"; domain = "www.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_neu2 = { dest = "141.56.51.3"; domain = "htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; post = { dest = "141.56.51.56"; domain = "post.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; vot = { dest = "141.56.51.57"; domain = "vot.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; mail = { dest = "141.56.51.14"; domain = "mail.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; lists = { dest = "141.56.51.14"; domain = "lists.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; dat = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; pro = { dest = "141.56.51.15"; domain = "pro.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; cloud = { dest = "141.56.51.16"; domain = "cloud.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; beach = { dest = "141.56.51.51"; domain = "beach.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; studicloud = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 
443; + sendProxy = false; }; bbb = { dest = "141.56.51.94"; domain = "bbb.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; bbb-test = { dest = "141.56.51.94"; domain = "bbb.test.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; } # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert @@ -218,6 +236,10 @@ prev // (builtins.foldl' ( val: vhost: + let + proxyProtocol = if self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [] then false else + true; + in val // { "${vhost}" = { @@ -225,6 +247,7 @@ domain = vhost; httpsPort = 443; httpPort = 80; + sendProxy = proxyProtocol; }; } ) { } vhosts) @@ -519,13 +542,13 @@ backend ${name}_80 mode http - server ${name} ${value.dest}:${builtins.toString value.httpPort} + server ${name} ${value.dest}:${builtins.toString value.httpPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} backend ${name}_443 mode tcp option tcpka # Enable server TCP keep-alive (Phase 4) timeout server 60s # Increase from 30s for long-lived HTTPS timeout connect 3s # Reduce from 5s (local network) - server ${name} ${value.dest}:${builtins.toString value.httpsPort} check inter 3000 rise 2 fall 3 maxconn 5000 + server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} check inter 3000 rise 2 fall 3 maxconn 5000 '' ) "" forwards} From a96f976be1ba4fb059aba8290656b1bb91b7ac0e Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 09:02:20 +0200 Subject: [PATCH 2/8] does not work on port 80 with acme --- hosts/proxy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 8c1b49c..200ede2 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix 
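Review bot: Eighteen identical `sendProxy = false;` lines are added to the static forwards while the generated vhosts further down derive the flag from the backend's nginx `listen` list, so a static entry can silently disagree with what its backend expects (patch 7 later flips `wiki` by hand). A mismatch in either direction takes that host down: a PROXY header in front of the TLS ClientHello will not complete the handshake, and a backend listener with `proxyProtocol = true` rejects a connection without one. Reading the flag with a default at the consumer (`value.sendProxy or false`) would let only the forwards that need it declare it, and the first entry deserves a comment like `# must match the backend's proxy-protocol listener; a mismatch breaks TLS to that host`. Unchanged context, but worth a look: `dat` and `studicloud` carry the same `domain` and `dest`. The enclosing forwards attribute set opens before this hunk.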
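Review bot: `proxyProtocol` is true whenever the backend vhost's `listen` list is non-empty, not when a listener actually sets `proxyProtocol = true`, so a host that declares `listen` for any other reason (another address or port) would receive `send-proxy-v2` on its TLS backend and fail the handshake. It also ignores that only the 443 listener is meant to speak PROXY protocol, which is the flag the backends in this series set. Test the listener attributes instead: `proxyProtocol = builtins.any (l: (l.proxyProtocol or false) && (l.ssl or false)) self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen;`. The foldl' lambda this `let` belongs to continues past the hunk.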
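Review bot: `if value.sendProxy == true then "send-proxy-v2" else ""` compares a boolean to `true` and leaves a double space in the generated server line when the flag is false; `${if value.sendProxy then "send-proxy-v2" else ""}` (or `lib.optionalString value.sendProxy "send-proxy-v2"` if `lib` is in scope in this file) reads cleaner. The same interpolation is put on the `mode http` backend `_80`, whose port-80 listeners in this series never enable PROXY protocol; patch 2 takes it off again, so the two changes could be squashed. A short comment above the `_443` server line saying the keyword must track the backend's listener — `# send-proxy-v2 only for backends whose 443 listener has proxyProtocol = true` — would help the next editor. The HAProxy template string this hunk edits starts and ends outside the hunk.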
@@ -542,7 +542,7 @@ backend ${name}_80 mode http - server ${name} ${value.dest}:${builtins.toString value.httpPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} + server ${name} ${value.dest}:${builtins.toString value.httpPort} backend ${name}_443 mode tcp option tcpka # Enable server TCP keep-alive (Phase 4) From 279e1064270102934fb8607be70b7c2af7769fcb Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 09:17:36 +0200 Subject: [PATCH 3/8] fix cloud duplicate --- hosts/proxy/default.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 200ede2..2400a9a 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -177,13 +177,6 @@ httpsPort = 443; sendProxy = false; }; - cloud = { - dest = "141.56.51.16"; - domain = "cloud.htw.stura-dresden.de"; - httpPort = 80; - httpsPort = 443; - sendProxy = false; - }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; From 582822cd5b9a5a11c227d7438670a08da8d1d012 Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 09:45:47 +0200 Subject: [PATCH 4/8] remove explicit proxy, its in this flake --- hosts/proxy/default.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 2400a9a..1d79967 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -170,13 +170,6 @@ httpsPort = 443; sendProxy = false; }; - pro = { - dest = "141.56.51.15"; - domain = "pro.htw.stura-dresden.de"; - httpPort = 80; - httpsPort = 443; - sendProxy = false; - }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; From 5b2eb482dfc9165b3af084ee7817146603374ce3 Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 10:24:30 +0200 Subject: [PATCH 5/8] formatting in proxy --- hosts/proxy/default.nix | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) 
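Review bot: The revert records nothing in the code about why `backend ${name}_80` stays without `send-proxy-v2` while `_443` keeps it, and the consequence is not stated anywhere: plain-HTTP requests reach the backends with the proxy's address as peer, and the backends' `real_ip_header proxy_protocol` (patches 6 and 8) recovers nothing on a port-80 listener that does not set `proxy_protocol`. So any IP-based logging, rate limiting or deny rule evaluated on port 80 sees 141.56.51.1, which is easy to miss later. Suggest a comment on the server line: `# no send-proxy on :80 — backend port-80 listeners do not speak PROXY protocol (broke ACME HTTP-01); client address is not recovered on plain HTTP`. If the client address matters on port 80, `option forwardfor` in this http-mode backend plus a matching trusted `X-Forwarded-For` real_ip setting on the backends is the usual route; that is outside this hunk, as is the rest of the template string.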
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index 1d79967..b92bea6 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -222,10 +222,15 @@ prev // (builtins.foldl' ( val: vhost: - let - proxyProtocol = if self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [] then false else + let + proxyProtocol = + if + self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [ ] + then + false + else true; - in + in val // { "${vhost}" = { @@ -534,7 +539,9 @@ option tcpka # Enable server TCP keep-alive (Phase 4) timeout server 60s # Increase from 30s for long-lived HTTPS timeout connect 3s # Reduce from 5s (local network) - server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} check inter 3000 rise 2 fall 3 maxconn 5000 + server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${ + if value.sendProxy == true then "send-proxy-v2" else "" + } check inter 3000 rise 2 fall 3 maxconn 5000 '' ) "" forwards} From f91ac73b72b4cfe19e10731e1bf491585bf32c8d Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 10:26:33 +0200 Subject: [PATCH 6/8] enable proxy protocol in nextcloud --- hosts/nextcloud/default.nix | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/hosts/nextcloud/default.nix b/hosts/nextcloud/default.nix index 304becf..80c0bb3 100644 --- a/hosts/nextcloud/default.nix +++ b/hosts/nextcloud/default.nix @@ -87,6 +87,11 @@ recommendedProxySettings = true; recommendedTlsSettings = true; + commonHttpConfig = '' + real_ip_header proxy_protocol; + set_real_ip_from 141.56.51.1/32; + ''; + logError = '' /dev/null emerg ''; 
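Review bot: `set_real_ip_from 141.56.51.1/32` with `real_ip_header proxy_protocol` is the trust anchor that keeps a PROXY header from any other peer from rewriting `$remote_addr`, and the identical two-line block reappears in hosts/redmine/default.nix (patch 8) with the proxy address hard-coded in both; when the proxy address changes, one host will keep trusting the old one. A shared module or a single option for the proxy's address would keep them in step. Also add a comment above the block: `# only the HAProxy host may assert the client address via PROXY protocol; keep in sync with hosts/proxy`. The enclosing `services.nginx` attribute set opens before this hunk.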
@@ -94,9 +99,21 @@ virtualHosts.${config.networking.fqdn} = { forceSSL = true; enableACME = true; - extraConfig = '' - access_log off; - ''; + listen = [ + { + port = 80; + addr = "0.0.0.0"; + } + { + port = 443; + addr = "0.0.0.0"; + ssl = true; + proxyProtocol = true; + } + ]; + # extraConfig = '' + # access_log off; + # ''; }; # virtualHosts."cloud.htw.stura-dresden.de" = { # forceSSL = true; From 29cff6eee846a586360439a72c84c0d04904b934 Mon Sep 17 00:00:00 2001 From: goeranh Date: Mon, 20 Apr 2026 10:26:46 +0200 Subject: [PATCH 7/8] enable proxy protocol for wiki --- hosts/proxy/default.nix | 2 +- hosts/wiki/default.nix | 23 +++++++++++++++++------ 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix index b92bea6..a806790 100644 --- a/hosts/proxy/default.nix +++ b/hosts/proxy/default.nix @@ -175,7 +175,7 @@ domain = "wiki.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; - sendProxy = false; + sendProxy = true; }; beach = { dest = "141.56.51.51"; diff --git a/hosts/wiki/default.nix b/hosts/wiki/default.nix index bd8bbb6..c73a5cb 100644 --- a/hosts/wiki/default.nix +++ b/hosts/wiki/default.nix @@ -99,6 +99,17 @@ services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword"; + services.httpd = { + extraModules = [ "remoteip" ]; + + extraConfig = '' + # Trust HAProxy's address (adjust to your HAProxy IP/subnet) + RemoteIPProxyProtocol On + # RemoteIPProxyProtocolExceptions 127.0.0.1 ::1 + + RemoteIPTrustedProxy 141.56.51.1/32 + ''; + }; #### 2024-02-17 vater: #### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'. # services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de"; 
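Review bot: Commenting out `access_log off` re-enables access logging on this vhost, a behaviour change the commit message ('enable proxy protocol in nextcloud') does not mention; either delete the dead lines or state in a comment why logging is wanted now. An explicit `listen` replaces the module's default addresses, so with `addr = "0.0.0.0"` only there is no IPv6 listener left — presumably intended, but a comment such as `# explicit listen: 443 requires PROXY protocol from HAProxy; IPv4 only` would say so. With `proxyProtocol = true` the 443 listener, as far as I know, closes any connection that does not begin with a PROXY header, so direct access that bypasses HAProxy stops working; a useful property, provided the real_ip trust list stays limited to the proxy. The vhost attribute set closes inside the hunk; the surrounding `services.nginx` block does not.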
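Review bot: `sendProxy = true` for `wiki` lands on the proxy host while the matching `RemoteIPProxyProtocol On` lands on the wiki host, and whichever is rebuilt first breaks wiki TLS until the other follows: HAProxy prefixing a PROXY header to an Apache that does not parse it, or Apache demanding one that HAProxy does not send. Say so in the commit message and plan the two rebuilds back to back; if the httpd in use accepts `Optional` for `RemoteIPProxyProtocol`, switching the wiki to that first removes the window. The forwards set this entry lives in opens and closes outside the hunk.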
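Review bot: `RemoteIPProxyProtocol On` sits in the server-wide `extraConfig`, where it governs every listener including port 80, yet the proxy (patch 2) no longer sends a PROXY header on port-80 connections; with the directive On, mod_remoteip treats the header as mandatory and drops connections that lack it, so ACME HTTP-01 and the http→https redirect need checking, and scoping the directive to the TLS virtual host is the safer shape. Separately, as far as I recall mod_remoteip's PROXY handling is not gated by `RemoteIPTrustedProxy` (that list only governs the header mode), so any peer that can reach the wiki's listener directly could supply its own PROXY header and pick the client address Apache records; restricting 80/443 on the wiki host to the proxy address is the usual mitigation and should be noted here. The template comment `# Trust HAProxy's address (adjust to your HAProxy IP/subnet)` belongs above `RemoteIPTrustedProxy`, not above `RemoteIPProxyProtocol On`, and the dead `# RemoteIPProxyProtocolExceptions` line can go. The `services.httpd` set is complete within the hunk.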
@@ -150,8 +161,8 @@ Lockdown = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz"; # url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_45-a46dbea.tar.gz"; - sha256 = "sha256-zTTpbQiqudLILPSzmKGjKr6wZjh0YUttGmqwjPpAToc="; + url = "https://extdist.wmflabs.org/dist/extensions/CategoryLockdown-REL1_45-a715472.tar.gz"; + sha256 = "sha256-1gl5m9xkmLrdjoR0M13gcQHLtZt4Bt0PUXDiDEqjpvk="; }; #### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen @@ -168,8 +179,8 @@ #### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden #### https://www.mediawiki.org/wiki/Extension:ContributionScores ContributionScores = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_45-cd4c94b.tar.gz"; - sha256 = "sha256-8ClNtEQ66deKM1DsRYaaZ3KlRl4yCt6UhpXcozRQzQ8="; + url = "https://extdist.wmflabs.org/dist/extensions/ContributionCredits-REL1_45-22c28de.tar.gz"; + sha256 = "sha256-9T67jCEYQyU7P9sN7tYbnevU5+FX6Y1nydXGEdzQS9k="; }; #### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise @@ -190,8 +201,8 @@ #### https://www.mediawiki.org/wiki/Extension:UserMerge UserMerge = pkgs.fetchzip { # url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz"; - url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-446566b.tar.gz"; - sha256 = "sha256-DTDKlzet3lThh/sRLucyb8b9lhK5FYZ+dMgwrThFFBM="; + url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-437c211.tar.gz"; + sha256 = "sha256-DWdcvubqZkvtywuDEOjui68WYuETt5hGpJJlpZ+pJgE="; }; }; From 334c977988b70d573ae581b4d49c2895d7428135 Mon Sep 17 00:00:00 2001 
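Review bot: The `Lockdown` attribute now fetches the CategoryLockdown tarball, and in hunk @@ -168 `ContributionScores` fetches ContributionCredits — two different extensions kept under the old attribute names, in a commit titled 'enable proxy protocol for wiki'. If the module loads each extension by attribute name and LocalSettings still carries Lockdown-specific permission settings, those access restrictions silently stop applying while the configuration still reads as if they were in force. If the swap is deliberate, rename the attributes, remove the stale commented URLs, re-check the permission settings that depended on Lockdown, and put the change in its own commit with the reason, since the new `sha256` pins are the only integrity check on these downloads. The UserMerge bump in hunk @@ -190 is an ordinary revision update; the `extensions` set these entries live in opens before the first of these hunks and appears to close inside the last.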
From: goeranh Date: Mon, 20 Apr 2026 10:26:54 +0200 Subject: [PATCH 8/8] enable proxy protocol for redmine --- hosts/redmine/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/hosts/redmine/default.nix b/hosts/redmine/default.nix index 6bc3d5e..3e3e183 100644 --- a/hosts/redmine/default.nix +++ b/hosts/redmine/default.nix @@ -137,10 +137,26 @@ services.nginx.appendHttpConfig = '' access_log off; ''; + services.nginx.commonHttpConfig = '' + real_ip_header proxy_protocol; + set_real_ip_from 141.56.51.1/32; + ''; #### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server. services.nginx.virtualHosts."${config.networking.fqdn}" = { #### https://search.nixos.org/options?show=services.nginx.virtualHosts..default + listen = [ + { + port = 80; + addr = "0.0.0.0"; + } + { + port = 443; + addr = "0.0.0.0"; + ssl = true; + proxyProtocol = true; + } + ]; default = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}";