StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

proxy temp fixes only passthrough

Browse source
This commit is contained in:
goeranh 2026-02-24 21:16:00 +01:00
parent 10b76c4a72
commit d012e134f3
No known key found for this signature in database
1 changed files with 66 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

87
hosts/proxy/default.nix
View file

@ -24,12 +24,16 @@
];
security.acme = {
certs."stura.htw-dresden.de" = {
listenHTTP = "127.0.0.1:8888";
postRun = ''
cat cert.pem key.pem > full.pem
chmod 640 full.pem
systemctl reload haproxy
'';
listenHTTP = ":8888";
extraDomainNames = [
"www.stura.htw-dresden.de"
];
group = "haproxy";
# postRun = ''
# cat cert.pem key.pem > full.pem
# chmod 640 full.pem
# systemctl reload haproxy
# '';
};
};
@ -50,6 +54,7 @@ services = {
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
defaults
@ -60,21 +65,42 @@ services = {
timeout client 30s
timeout server 30s
# ---- HTTP (port 80) for ACME challenges ----
frontend http_in
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats auth admin:yourpassword
stats show-legends
stats show-node
# # ---- HTTP (port 80) for ACME challenges ----
# frontend http_in
# bind *:80
# mode http
# option httplog
# acl is_acme path_beg /.well-known/acme-challenge/
# acl is_my_domain hdr(host) -i stura.htw-dresden.de
# use_backend acme_backend if is_acme is_my_domain
# # redirect everything else to HTTPS
# redirect scheme https code 301 if !is_acme
# backend acme_backend
# mode http
# server acme 127.0.0.1:8888
frontend http-in
bind *:80
mode http
option httplog
acl is_acme path_beg /.well-known/acme-challenge/
acl is_my_domain hdr(host) -i stura.htw-dresden.de
use_backend acme_backend if is_acme is_my_domain
# redirect everything else to HTTPS
redirect scheme https code 301 if !is_acme
backend acme_backend
mode http
server acme 127.0.0.1:8888 check
acl is_plone hdr(host) -i stura.htw-dresden.de
acl is_www_plone hdr(host) -i www.stura.htw-dresden.de
acl is_pro hdr(host) -i pro.stura.htw-dresden.de
use_backend plone_80 if is_plone
use_backend plone_80 if is_www_plone
use_backend pro_80 if is_pro
default_backend plone_80
# ---- SNI routing (TCP, peek at handshake) ----
@ -85,7 +111,9 @@ services = {
tcp-request content accept if { req_ssl_hello_type 1 }
# terminated here
use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
#use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
use_backend plone_passthrough if { req_ssl_sni -i stura.htw-dresden.de }
use_backend plone_passthrough if { req_ssl_sni -i www.stura.htw-dresden.de }
# passed through to nginx on remote host
use_backend tls_passthrough if { req_ssl_sni -i pro.stura.htw-dresden.de }
@ -98,12 +126,24 @@ services = {
mode tcp
server nginx_host 141.56.51.15:443 check
backend plone_passthrough
mode tcp
server nginx_host 141.56.51.3:443 check
frontend https_terminated
bind 127.0.0.1:8443 ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem
mode http
default_backend plone_backend
backend plone_80
mode http
server plone 141.56.51.3:80 check
backend pro_80
mode http
server plone 141.56.51.15:80 check
backend plone_backend
mode http
http-request set-header Host stura.htw-dresden.de
@ -121,6 +161,11 @@ services = {
443
];
environment.systemPackages = with pkgs; [
openvpn
tcpdump
];
system.stateVersion = "25.11";
}