Merge pull request 'proxy-protocol' (#7) from proxy-protocol into master
Reviewed-on: https://codeberg.org/stura-htw-dresden/stura-infra/pulls/7
This commit is contained in:
commit
8c358daf56
4 changed files with 82 additions and 22 deletions
@ -87,6 +87,11 @@
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
commonHttpConfig = ''
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
set_real_ip_from 141.56.51.1/32;
|
||||||
|
'';
|
||||||
|
|
||||||
logError = ''
|
logError = ''
|
||||||
/dev/null emerg
|
/dev/null emerg
|
||||||
'';
|
'';
|
||||||
|
|
@ -94,9 +99,21 @@
|
||||||
virtualHosts.${config.networking.fqdn} = {
|
virtualHosts.${config.networking.fqdn} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
listen = [
|
||||||
access_log off;
|
{
|
||||||
'';
|
port = 80;
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
port = 443;
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
ssl = true;
|
||||||
|
proxyProtocol = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
# extraConfig = ''
|
||||||
|
# access_log off;
|
||||||
|
# '';
|
||||||
};
|
};
|
||||||
# virtualHosts."cloud.htw.stura-dresden.de" = {
|
# virtualHosts."cloud.htw.stura-dresden.de" = {
|
||||||
# forceSSL = true;
|
# forceSSL = true;
|
||||||
|
|
|
||||||
|
|
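Review bot: The explicit `listen` list added in the `@ -94,9 +99,21 @@` hunk binds only `0.0.0.0`, so this vhost silently stops answering on IPv6; unless that is intended, the NixOS default listen addresses also include `[::0]`, and matching entries such as `{ addr = "[::0]"; port = 443; ssl = true; proxyProtocol = true; }` (and the port 80 counterpart) belong in the list. With `proxyProtocol = true` on :443 nginx expects a PROXY header at the start of every connection on that port and fails connections that lack one, so the port must only be reachable through HAProxy; `set_real_ip_from 141.56.51.1/32` correctly limits whose PROXY header is believed for `$remote_addr`, but the listener itself should also be firewalled to that address. The same listen shape, with the same IPv6 omission, appears in the `@ -137,10 +137,26 @@` hunk of the later file. Dropping the `access_log off` extraConfig also turns access logging back on for this vhost at the moment real client addresses become visible through real_ip, which is worth stating as intended in the commit message.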
@ -98,108 +98,112 @@
|
||||||
domain = "docs.adm.htw.stura-dresden.de";
|
domain = "docs.adm.htw.stura-dresden.de";
|
||||||
httpPort = 8080;
|
httpPort = 8080;
|
||||||
httpsPort = 8443;
|
httpsPort = 8443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
plone = {
|
plone = {
|
||||||
dest = "141.56.51.3";
|
dest = "141.56.51.3";
|
||||||
domain = "stura.htw-dresden.de";
|
domain = "stura.htw-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
plone_alt = {
|
plone_alt = {
|
||||||
dest = "141.56.51.3";
|
dest = "141.56.51.3";
|
||||||
domain = "www.stura.htw-dresden.de";
|
domain = "www.stura.htw-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
plone_neu = {
|
plone_neu = {
|
||||||
dest = "141.56.51.3";
|
dest = "141.56.51.3";
|
||||||
domain = "www.htw.stura-dresden.de";
|
domain = "www.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
plone_neu2 = {
|
plone_neu2 = {
|
||||||
dest = "141.56.51.3";
|
dest = "141.56.51.3";
|
||||||
domain = "htw.stura-dresden.de";
|
domain = "htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
tix = {
|
tix = {
|
||||||
dest = "141.56.51.220";
|
dest = "141.56.51.220";
|
||||||
domain = "tix.htw.stura-dresden.de";
|
domain = "tix.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
post = {
|
post = {
|
||||||
dest = "141.56.51.56";
|
dest = "141.56.51.56";
|
||||||
domain = "post.htw.stura-dresden.de";
|
domain = "post.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
vot = {
|
vot = {
|
||||||
dest = "141.56.51.57";
|
dest = "141.56.51.57";
|
||||||
domain = "vot.htw.stura-dresden.de";
|
domain = "vot.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
mail = {
|
mail = {
|
||||||
dest = "141.56.51.14";
|
dest = "141.56.51.14";
|
||||||
domain = "mail.htw.stura-dresden.de";
|
domain = "mail.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
lists = {
|
lists = {
|
||||||
dest = "141.56.51.14";
|
dest = "141.56.51.14";
|
||||||
domain = "lists.htw.stura-dresden.de";
|
domain = "lists.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
dat = {
|
dat = {
|
||||||
dest = "141.56.51.17";
|
dest = "141.56.51.17";
|
||||||
domain = "dat.stu.htw.stura-dresden.de";
|
domain = "dat.stu.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
};
|
sendProxy = false;
|
||||||
pro = {
|
|
||||||
dest = "141.56.51.15";
|
|
||||||
domain = "pro.htw.stura-dresden.de";
|
|
||||||
httpPort = 80;
|
|
||||||
httpsPort = 443;
|
|
||||||
};
|
|
||||||
cloud = {
|
|
||||||
dest = "141.56.51.16";
|
|
||||||
domain = "cloud.htw.stura-dresden.de";
|
|
||||||
httpPort = 80;
|
|
||||||
httpsPort = 443;
|
|
||||||
};
|
};
|
||||||
wiki = {
|
wiki = {
|
||||||
dest = "141.56.51.13";
|
dest = "141.56.51.13";
|
||||||
domain = "wiki.htw.stura-dresden.de";
|
domain = "wiki.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = true;
|
||||||
};
|
};
|
||||||
beach = {
|
beach = {
|
||||||
dest = "141.56.51.51";
|
dest = "141.56.51.51";
|
||||||
domain = "beach.htw.stura-dresden.de";
|
domain = "beach.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
studicloud = {
|
studicloud = {
|
||||||
dest = "141.56.51.17";
|
dest = "141.56.51.17";
|
||||||
domain = "dat.stu.htw.stura-dresden.de";
|
domain = "dat.stu.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
bbb = {
|
bbb = {
|
||||||
dest = "141.56.51.94";
|
dest = "141.56.51.94";
|
||||||
domain = "bbb.htw.stura-dresden.de";
|
domain = "bbb.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
bbb-test = {
|
bbb-test = {
|
||||||
dest = "141.56.51.94";
|
dest = "141.56.51.94";
|
||||||
domain = "bbb.test.htw.stura-dresden.de";
|
domain = "bbb.test.htw.stura-dresden.de";
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
|
sendProxy = false;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
# zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert
|
# zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert
|
||||||
|
|
@ -218,6 +222,15 @@
|
||||||
prev
|
prev
|
||||||
// (builtins.foldl' (
|
// (builtins.foldl' (
|
||||||
val: vhost:
|
val: vhost:
|
||||||
|
let
|
||||||
|
proxyProtocol =
|
||||||
|
if
|
||||||
|
self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [ ]
|
||||||
|
then
|
||||||
|
false
|
||||||
|
else
|
||||||
|
true;
|
||||||
|
in
|
||||||
val
|
val
|
||||||
// {
|
// {
|
||||||
"${vhost}" = {
|
"${vhost}" = {
|
||||||
|
|
@ -225,6 +238,7 @@
|
||||||
domain = vhost;
|
domain = vhost;
|
||||||
httpsPort = 443;
|
httpsPort = 443;
|
||||||
httpPort = 80;
|
httpPort = 80;
|
||||||
|
sendProxy = proxyProtocol;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
) { } vhosts)
|
) { } vhosts)
|
||||||
|
|
@ -525,7 +539,9 @@
|
||||||
option tcpka # Enable server TCP keep-alive (Phase 4)
|
option tcpka # Enable server TCP keep-alive (Phase 4)
|
||||||
timeout server 60s # Increase from 30s for long-lived HTTPS
|
timeout server 60s # Increase from 30s for long-lived HTTPS
|
||||||
timeout connect 3s # Reduce from 5s (local network)
|
timeout connect 3s # Reduce from 5s (local network)
|
||||||
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check inter 3000 rise 2 fall 3 maxconn 5000
|
server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${
|
||||||
|
if value.sendProxy == true then "send-proxy-v2" else ""
|
||||||
|
} check inter 3000 rise 2 fall 3 maxconn 5000
|
||||||
|
|
||||||
''
|
''
|
||||||
) "" forwards}
|
) "" forwards}
|
||||||
|
|
|
||||||
|
|
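Review bot: The `proxyProtocol` value computed in the `@ -218,6 +222,15 @@` hunk only tests whether the vhost's `listen` list is non-empty, not whether any entry actually sets `proxyProtocol = true`, so a vhost with a custom listen for any other reason would be sent `send-proxy-v2` and stop working; use `proxyProtocol = builtins.any (l: l.proxyProtocol or false) self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen;` instead. In the HAProxy template (`@ -525,7 +539,9 @@`) `value.sendProxy == true` can become `value.sendProxy or false`, so a forward that lacks the new key renders a plain server line instead of failing evaluation with a missing-attribute error. Only the `httpsPort` server line gains `send-proxy-v2`; if the matching HTTP backend (outside this hunk) does not, any backend whose server requires PROXY framing on every listener will reject its port 80 traffic. The first hunk also appears to drop the `pro` and `cloud` forwards entirely, which the PR title does not mention; worth confirming that removal is intended rather than a rebase artefact.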
@ -137,10 +137,26 @@
|
||||||
services.nginx.appendHttpConfig = ''
|
services.nginx.appendHttpConfig = ''
|
||||||
access_log off;
|
access_log off;
|
||||||
'';
|
'';
|
||||||
|
services.nginx.commonHttpConfig = ''
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
set_real_ip_from 141.56.51.1/32;
|
||||||
|
'';
|
||||||
|
|
||||||
#### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server.
|
#### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server.
|
||||||
services.nginx.virtualHosts."${config.networking.fqdn}" = {
|
services.nginx.virtualHosts."${config.networking.fqdn}" = {
|
||||||
#### https://search.nixos.org/options?show=services.nginx.virtualHosts.<name>.default
|
#### https://search.nixos.org/options?show=services.nginx.virtualHosts.<name>.default
|
||||||
|
listen = [
|
||||||
|
{
|
||||||
|
port = 80;
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
port = 443;
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
ssl = true;
|
||||||
|
proxyProtocol = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
default = true;
|
default = true;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}";
|
proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}";
|
||||||
|
|
|
||||||
|
|
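Review bot: `set_real_ip_from 141.56.51.1/32` is now hardcoded here in `commonHttpConfig` as well as in the first file, and the same address appears as `RemoteIPTrustedProxy 141.56.51.1/32` in the mediawiki host; defining the HAProxy address once (for example an attribute in the flake that each host references) would keep the trusted-proxy address from drifting between hosts when HAProxy is moved. Because `default = true` is kept on this vhost and its :443 listener now requires a PROXY header, any direct connection to port 443 that does not come through HAProxy (including local checks) will no longer work; a comment on the `listen` block, e.g. `# :443 only accepts PROXY-v2 framed connections from HAProxy (141.56.51.1); direct TLS connections fail`, would save the next reader a debugging session. The listen also omits the `[::0]` addresses of the NixOS default, as in the first file.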
@ -99,6 +99,17 @@
|
||||||
services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword";
|
services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword";
|
||||||
|
|
||||||
|
|
||||||
|
services.httpd = {
|
||||||
|
extraModules = [ "remoteip" ];
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
# Trust HAProxy's address (adjust to your HAProxy IP/subnet)
|
||||||
|
RemoteIPProxyProtocol On
|
||||||
|
# RemoteIPProxyProtocolExceptions 127.0.0.1 ::1
|
||||||
|
|
||||||
|
RemoteIPTrustedProxy 141.56.51.1/32
|
||||||
|
'';
|
||||||
|
};
|
||||||
#### 2024-02-17 vater:
|
#### 2024-02-17 vater:
|
||||||
#### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'.
|
#### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'.
|
||||||
# services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de";
|
# services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de";
|
||||||
|
|
@ -150,8 +161,8 @@
|
||||||
Lockdown = pkgs.fetchzip {
|
Lockdown = pkgs.fetchzip {
|
||||||
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz";
|
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz";
|
||||||
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz";
|
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz";
|
||||||
url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_45-a46dbea.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/CategoryLockdown-REL1_45-a715472.tar.gz";
|
||||||
sha256 = "sha256-zTTpbQiqudLILPSzmKGjKr6wZjh0YUttGmqwjPpAToc=";
|
sha256 = "sha256-1gl5m9xkmLrdjoR0M13gcQHLtZt4Bt0PUXDiDEqjpvk=";
|
||||||
};
|
};
|
||||||
|
|
||||||
#### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen
|
#### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen
|
||||||
|
|
@ -168,8 +179,8 @@
|
||||||
#### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden
|
#### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden
|
||||||
#### https://www.mediawiki.org/wiki/Extension:ContributionScores
|
#### https://www.mediawiki.org/wiki/Extension:ContributionScores
|
||||||
ContributionScores = pkgs.fetchzip {
|
ContributionScores = pkgs.fetchzip {
|
||||||
url = "https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_45-cd4c94b.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/ContributionCredits-REL1_45-22c28de.tar.gz";
|
||||||
sha256 = "sha256-8ClNtEQ66deKM1DsRYaaZ3KlRl4yCt6UhpXcozRQzQ8=";
|
sha256 = "sha256-9T67jCEYQyU7P9sN7tYbnevU5+FX6Y1nydXGEdzQS9k=";
|
||||||
};
|
};
|
||||||
|
|
||||||
#### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise
|
#### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise
|
||||||
|
|
@ -190,8 +201,8 @@
|
||||||
#### https://www.mediawiki.org/wiki/Extension:UserMerge
|
#### https://www.mediawiki.org/wiki/Extension:UserMerge
|
||||||
UserMerge = pkgs.fetchzip {
|
UserMerge = pkgs.fetchzip {
|
||||||
# url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz";
|
# url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz";
|
||||||
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-446566b.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-437c211.tar.gz";
|
||||||
sha256 = "sha256-DTDKlzet3lThh/sRLucyb8b9lhK5FYZ+dMgwrThFFBM=";
|
sha256 = "sha256-DWdcvubqZkvtywuDEOjui68WYuETt5hGpJJlpZ+pJgE=";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
||||||
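Review bot: In the `@ -150,8 +161,8 @@` and `@ -168,8 +179,8 @@` hunks the attribute names no longer match what is fetched: `Lockdown` now points at `CategoryLockdown-REL1_45-a715472.tar.gz` and `ContributionScores` at `ContributionCredits-REL1_45-22c28de.tar.gz`, which are different extensions from the ones the previous lines fetched, so the wiki will load a different extension under the old name (or fail to load it) unless this swap is intentional, and nothing in a PR titled 'proxy-protocol' explains it. If the intent is to keep Lockdown and ContributionScores, the URLs and their `sha256` pins need to point back at those tarballs; if the extensions really are being replaced, the attribute names should be renamed to match and the change split out of this PR. Separately, `RemoteIPProxyProtocol On` in the `@ -99,6 +99,17 @@` hunk is placed in server context, so as far as I know httpd will require a PROXY header on every listener including port 80; that is only safe if HAProxy sends `send-proxy-v2` for the HTTP backend as well, which this PR does not show, otherwise scope the directive to the :443 virtual host. The template comment `# Trust HAProxy's address (adjust to your HAProxy IP/subnet)` should be replaced with the actual statement, e.g. `# 141.56.51.1 is the HAProxy front end; only its PROXY header is trusted for the client address`.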