Merge pull request 'proxy-protocol' (#7) from proxy-protocol into master

Reviewed-on: https://codeberg.org/stura-htw-dresden/stura-infra/pulls/7
goeranh 2026-04-20 10:28:37 +02:00
commit 8c358daf56
4 changed files with 82 additions and 22 deletions


@ -87,6 +87,11 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
real_ip_header proxy_protocol;
set_real_ip_from 141.56.51.1/32;
'';
logError = ''
/dev/null emerg
'';
@ -94,9 +99,21 @@
virtualHosts.${config.networking.fqdn} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
access_log off;
'';
listen = [
{
port = 80;
addr = "0.0.0.0";
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
proxyProtocol = true;
}
];
# extraConfig = ''
# access_log off;
# '';
};
# virtualHosts."cloud.htw.stura-dresden.de" = {
# forceSSL = true;
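Review bot: The 443 listener in the second hunk binds `0.0.0.0` with `proxyProtocol = true`, so nginx closes any TLS connection that does not start with a PROXY header, and `set_real_ip_from 141.56.51.1/32` only makes the carried address authoritative when the peer is HAProxy; to keep a direct (non-HAProxy) client from reaching that listener at all, and so that `$proxy_protocol_addr` can only ever be supplied by HAProxy, bind it to the internal address or firewall 443 to 141.56.51.1 and record that on the listen block, e.g. `# 443 speaks PROXY protocol only: reachable solely via HAProxy (141.56.51.1)`. The commented-out `extraConfig` block just above the closing `};` duplicates the active `access_log off;` setting earlier in the hunk and can be dropped. The same listen block is repeated for the redmine host in the third file, where the same point applies.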


@ -98,108 +98,112 @@
domain = "docs.adm.htw.stura-dresden.de";
httpPort = 8080;
httpsPort = 8443;
sendProxy = false;
};
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
plone_neu = {
dest = "141.56.51.3";
domain = "www.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
plone_neu2 = {
dest = "141.56.51.3";
domain = "htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
post = {
dest = "141.56.51.56";
domain = "post.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
vot = {
dest = "141.56.51.57";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
mail = {
dest = "141.56.51.14";
domain = "mail.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
lists = {
dest = "141.56.51.14";
domain = "lists.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
dat = {
dest = "141.56.51.17";
domain = "dat.stu.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = true;
};
beach = {
dest = "141.56.51.51";
domain = "beach.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
studicloud = {
dest = "141.56.51.17";
domain = "dat.stu.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
bbb = {
dest = "141.56.51.94";
domain = "bbb.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
bbb-test = {
dest = "141.56.51.94";
domain = "bbb.test.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
sendProxy = false;
};
}
# zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert
@ -218,6 +222,15 @@
prev
// (builtins.foldl' (
val: vhost:
let
proxyProtocol =
if
self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [ ]
then
false
else
true;
in
val
// {
"${vhost}" = {
@ -225,6 +238,7 @@
domain = vhost;
httpsPort = 443;
httpPort = 80;
sendProxy = proxyProtocol;
};
}
) { } vhosts)
@ -525,7 +539,9 @@
option tcpka # Enable server TCP keep-alive (Phase 4)
timeout server 60s # Increase from 30s for long-lived HTTPS
timeout connect 3s # Reduce from 5s (local network)
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check inter 3000 rise 2 fall 3 maxconn 5000
server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${
if value.sendProxy == true then "send-proxy-v2" else ""
} check inter 3000 rise 2 fall 3 maxconn 5000
''
) "" forwards}
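Review bot: The `proxyProtocol` binding added in the third hunk is true for any vhost whose `listen` list is non-empty, not for one that actually enables proxy protocol, so a vhost with a customised listen list but no `proxyProtocol = true` entry would be sent `send-proxy-v2` by HAProxy and answer every request with a broken-header error; deriving the flag from the entries avoids that: `proxyProtocol = builtins.any (l: l.proxyProtocol or false) self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen;`. In the last hunk `value.sendProxy` is read unconditionally, while `dat` and `pro` in the first hunk carry no `sendProxy` (if those are not the deleted blocks, evaluation fails with a missing attribute), so `${if (value.sendProxy or false) then "send-proxy-v2" else ""}` is safer and defaults to not sending the header; the `== true` comparison on a boolean is redundant either way. Restricting the flag to the https server line matches the nginx hosts, which enable proxy protocol only on 443. The enclosing `builtins.foldl'` and the HAProxy config string both start outside their hunks.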


@ -137,10 +137,26 @@
services.nginx.appendHttpConfig = ''
access_log off;
'';
services.nginx.commonHttpConfig = ''
real_ip_header proxy_protocol;
set_real_ip_from 141.56.51.1/32;
'';
#### Anscheinend kann mit nix nur die Konfiguration fuer eine konkrete (manuelle) Konfiguration fuer den Dienst web server.
services.nginx.virtualHosts."${config.networking.fqdn}" = {
#### https://search.nixos.org/options?show=services.nginx.virtualHosts.<name>.default
listen = [
{
port = 80;
addr = "0.0.0.0";
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
proxyProtocol = true;
}
];
default = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.redmine.port}";
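Review bot: The `real_ip_header proxy_protocol; set_real_ip_from 141.56.51.1/32;` snippet and the two-entry listen list are now repeated verbatim here and in the first file, and the same address appears again as `RemoteIPTrustedProxy` in the fourth, so a change of the HAProxy address has to be made in three places in step. A small shared module (or a single binding such as `haproxyAddr` in the flake) imported by each host would define the trusted proxy once; until then a comment tying the literal to its peers helps, e.g. `# 141.56.51.1 is the HAProxy host; keep in sync with set_real_ip_from on the other nginx hosts and RemoteIPTrustedProxy on the wiki host`. The virtualHosts block continues past the end of this hunk.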


@ -99,6 +99,17 @@
services.mediawiki.database.passwordFile = "/var/lib/mediawiki/mediawiki-dbpassword";
services.httpd = {
extraModules = [ "remoteip" ];
extraConfig = ''
# Trust HAProxy's address (adjust to your HAProxy IP/subnet)
RemoteIPProxyProtocol On
# RemoteIPProxyProtocolExceptions 127.0.0.1 ::1
RemoteIPTrustedProxy 141.56.51.1/32
'';
};
#### 2024-02-17 vater:
#### trace: warning: The option `services.mediawiki.virtualHost' defined in `/etc/nixos/configuration.nix' has been renamed to `services.mediawiki.httpd.virtualHost'.
# services.mediawiki.virtualHost.hostName = "wiki.stura.htw-dresden.de";
@ -150,8 +161,8 @@
Lockdown = pkgs.fetchzip {
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_43-7ac8966.tar.gz";
# url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_44-af1f4df.tar.gz";
url = "https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_45-a46dbea.tar.gz";
sha256 = "sha256-zTTpbQiqudLILPSzmKGjKr6wZjh0YUttGmqwjPpAToc=";
url = "https://extdist.wmflabs.org/dist/extensions/CategoryLockdown-REL1_45-a715472.tar.gz";
sha256 = "sha256-1gl5m9xkmLrdjoR0M13gcQHLtZt4Bt0PUXDiDEqjpvk=";
};
#### Hinzufuegen der Erweiterung ConfirmEdit fuer eine zusaetzliche Bestaetigung bei Bearbeitungen, etwa um Herausforderungen (aka CAPTCHA) zu stellen
@ -168,8 +179,8 @@
#### Hinzufuegen der Erweiterung ContributionScores fuer eine Statistik von Beitraegen nach Beitragenden
#### https://www.mediawiki.org/wiki/Extension:ContributionScores
ContributionScores = pkgs.fetchzip {
url = "https://extdist.wmflabs.org/dist/extensions/ContributionScores-REL1_45-cd4c94b.tar.gz";
sha256 = "sha256-8ClNtEQ66deKM1DsRYaaZ3KlRl4yCt6UhpXcozRQzQ8=";
url = "https://extdist.wmflabs.org/dist/extensions/ContributionCredits-REL1_45-22c28de.tar.gz";
sha256 = "sha256-9T67jCEYQyU7P9sN7tYbnevU5+FX6Y1nydXGEdzQS9k=";
};
#### Hinzufuegen der Erweiterung Interwiki fuer das Verwenden von Verweisen als eine Art Namensraum, wie beispielweise auf Wikipedia oder selbst festgelegte Verweise
@ -190,8 +201,8 @@
#### https://www.mediawiki.org/wiki/Extension:UserMerge
UserMerge = pkgs.fetchzip {
# url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_43-ed4a689.tar.gz";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-446566b.tar.gz";
sha256 = "sha256-DTDKlzet3lThh/sRLucyb8b9lhK5FYZ+dMgwrThFFBM=";
url = "https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_45-437c211.tar.gz";
sha256 = "sha256-DWdcvubqZkvtywuDEOjui68WYuETt5hGpJJlpZ+pJgE=";
};
};
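Review bot: The `Lockdown` and `ContributionScores` attributes in the second and third hunks now fetch different extensions than they are named for (`CategoryLockdown-REL1_45-a715472` and `ContributionCredits-REL1_45-22c28de`) while the `UserMerge` bump stays on the same extension; unless the swap is intended, the URLs should point at the REL1_45 tarballs of the extensions previously referenced (`Lockdown-REL1_45-a46dbea`, `ContributionScores-REL1_45-cd4c94b`) with their matching sha256, since MediaWiki will otherwise load a different extension, or none, under the old name. In the first hunk, `RemoteIPTrustedProxy` as far as I know only governs `RemoteIPHeader` (X-Forwarded-For) processing; with `RemoteIPProxyProtocol On` mod_remoteip accepts the PROXY header from any peer that can reach httpd, so the 141.56.51.1 restriction is only effective if the wiki host's :80/:443 are firewalled to the HAProxy host, which is worth stating in place of the template comment, e.g. `# PROXY protocol is accepted from any peer; reachability of :80/:443 is restricted to the HAProxy host (141.56.51.1) at the firewall`. `RemoteIPProxyProtocol On` also rejects direct connections without the header, which is what the commented `RemoteIPProxyProtocolExceptions 127.0.0.1 ::1` would be needed for if anything local probes httpd.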