From 9041fe3d699cbbbf9d0a822a87ec76a821399809 Mon Sep 17 00:00:00 2001
From: goeranh
Date: Mon, 20 Apr 2026 08:56:40 +0200
Subject: [PATCH] conditionally send proxy protocol
---
 hosts/proxy/default.nix | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 52c9d82..8c1b49c 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -98,108 +98,126 @@ domain = "docs.adm.htw.stura-dresden.de"; httpPort = 8080; httpsPort = 8443; + sendProxy = false; }; plone = { dest = "141.56.51.3"; domain = "stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_alt = { dest = "141.56.51.3"; domain = "www.stura.htw-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_neu = { dest = "141.56.51.3"; domain = "www.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; plone_neu2 = { dest = "141.56.51.3"; domain = "htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; tix = { dest = "141.56.51.220"; domain = "tix.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; post = { dest = "141.56.51.56"; domain = "post.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; vot = { dest = "141.56.51.57"; domain = "vot.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; mail = { dest = "141.56.51.14"; domain = "mail.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; lists = { dest = "141.56.51.14"; domain = "lists.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; dat = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; pro = { dest = "141.56.51.15"; domain = "pro.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; cloud = { dest = "141.56.51.16"; domain = "cloud.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; wiki = { dest = "141.56.51.13"; domain = "wiki.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; beach = { dest = "141.56.51.51"; domain = "beach.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; studicloud = { dest = "141.56.51.17"; domain = "dat.stu.htw.stura-dresden.de"; httpPort = 80; httpsPort = 
443; + sendProxy = false; }; bbb = { dest = "141.56.51.94"; domain = "bbb.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; bbb-test = { dest = "141.56.51.94"; domain = "bbb.test.htw.stura-dresden.de"; httpPort = 80; httpsPort = 443; + sendProxy = false; }; } # zusätzlich zu den oben definierten wird hier noch ein redirect für jeden nginx virtualhost in diese flake generiert @@ -218,6 +236,10 @@ prev // (builtins.foldl' ( val: vhost: + let + proxyProtocol = if self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen == [] then false else + true; + in val // { "${vhost}" = { @@ -225,6 +247,7 @@ domain = vhost; httpsPort = 443; httpPort = 80; + sendProxy = proxyProtocol; }; } ) { } vhosts) @@ -519,13 +542,13 @@ backend ${name}_80 mode http - server ${name} ${value.dest}:${builtins.toString value.httpPort} + server ${name} ${value.dest}:${builtins.toString value.httpPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} backend ${name}_443 mode tcp option tcpka # Enable server TCP keep-alive (Phase 4) timeout server 60s # Increase from 30s for long-lived HTTPS timeout connect 3s # Reduce from 5s (local network) - server ${name} ${value.dest}:${builtins.toString value.httpsPort} check inter 3000 rise 2 fall 3 maxconn 5000 + server ${name} ${value.dest}:${builtins.toString value.httpsPort} ${if value.sendProxy == true then "send-proxy-v2" else ""} check inter 3000 rise 2 fall 3 maxconn 5000 '' ) "" forwards}
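Review bot: The same `sendProxy = false;` line is now repeated for all eighteen forwards entries in this hunk, while the haproxy backend template in the `@@ -519,13 +542,13 @@` hunk reads `value.sendProxy` unconditionally, so any future entry that omits the attribute fails evaluation with a missing-attribute error instead of defaulting to off. Defaulting on the consumer side, `value.sendProxy or false` in that template's `if`, makes the flag opt-in and lets these eighteen lines go. The `forwards` set starts before this hunk (the first visible entry has no name line), so I cannot tell from here whether an earlier entry was missed.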
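Review bot: `proxyProtocol` is derived from `listen == []`, but a non-empty `listen` only shows the vhost has explicit listen entries, not that those entries accept the PROXY protocol; for a vhost that listens without it, haproxy will now prepend a PROXY v2 header to the TLS stream and every connection to it fails. If the listen submodule's `proxyProtocol` flag is what this is meant to mirror, checking it directly, `proxyProtocol = builtins.any (l: l.proxyProtocol or false) self.nixosConfigurations.${name}.config.services.nginx.virtualHosts.${vhost}.listen;`, ties the two ends together. Either way the `if … then false else true` wrapper is just `… != []`. The fold this `let` sits in, and the binding of `name`, start outside the hunk.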
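Review bot: `${if value.sendProxy == true then "send-proxy-v2" else ""}` compares a boolean against `true` and leaves a double space in the `server` line when the flag is off; `${lib.optionalString value.sendProxy "send-proxy-v2"}` (assuming `lib` is in scope in this file) expresses the same thing, and the same applies to the `_443` server line below it. Since the `_443` backend is `mode tcp`, with the flag on the PROXY v2 header goes out ahead of the raw TLS bytes and the destination's nginx listener must be configured to accept it, which is worth a comment on the template: `# send-proxy-v2: the backend listener must accept PROXY protocol, see sendProxy per forward`. The `''…''` string this sits in starts before the hunk.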