diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index a422d97..cfe1886 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -24,12 +24,16 @@ ];
 security.acme = {
 certs."stura.htw-dresden.de" = {
- listenHTTP = "127.0.0.1:8888";
- postRun = ''
- cat cert.pem key.pem > full.pem
- chmod 640 full.pem
- systemctl reload haproxy
- '';
+ listenHTTP = ":8888";
+ extraDomainNames = [
+ "www.stura.htw-dresden.de"
+ ];
+ group = "haproxy";
+ # postRun = ''
+ # cat cert.pem key.pem > full.pem
+ # chmod 640 full.pem
+ # systemctl reload haproxy
+ # '';
 };
 };
@@ -50,6 +54,7 @@ services = {
 log /dev/log local0
 maxconn 4096
 # for ACME/Let's Encrypt cert + key in one file:
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
 crt-base /var/lib/acme
 defaults
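Review bot: `listenHTTP = ":8888";` moves lego's HTTP-01 responder from loopback to all interfaces, yet nothing on the HAProxy side forwards `/.well-known/acme-challenge/` to it any more (the `acme_backend` route is commented out in the frontend hunk below), so the wider bind gains nothing and only widens what the host exposes; `listenHTTP = "127.0.0.1:8888";` should stay. Commenting out `postRun` also drops `systemctl reload haproxy` with no replacement, so HAProxy keeps serving the old certificate after a renewal until it is restarted; the module's option for this is `reloadServices = [ "haproxy.service" ];`. As far as I know the NixOS ACME module already writes `full.pem` (chain plus key) itself, which is why `group = "haproxy";` is the right way to grant read access, so the commented-out `cat`/`chmod` block is dead config and can be deleted outright.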
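Review bot: The new `stats socket` line is inserted between the comment `# for ACME/Let's Encrypt cert + key in one file:` and the `crt-base /var/lib/acme` line that comment describes, so the comment now appears to label the socket; move the line above the comment. With `level admin` and `expose-fd listeners` that socket hands full control of the running proxy to whoever can open it, so its ownership matters as much as `mode 660`, and the line does not say who that is — ownership falls to whatever user the haproxy unit runs as. Spelling it out, e.g. `stats socket /run/haproxy/admin.sock user haproxy group haproxy mode 660 level admin expose-fd listeners`, documents the intended audience of the socket and makes a later change to the unit's user harder to get wrong.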
@@ -60,21 +65,42 @@ services = {
 timeout client 30s
 timeout server 30s
- # ---- HTTP (port 80) for ACME challenges ----
- frontend http_in
+ frontend stats
+ bind 127.0.0.1:8404
+ mode http
+ stats enable
+ stats uri /stats
+ stats refresh 10s
+ stats auth admin:yourpassword
+ stats show-legends
+ stats show-node
+
+ # # ---- HTTP (port 80) for ACME challenges ----
+ # frontend http_in
+ # bind *:80
+ # mode http
+ # option httplog
+
+ # acl is_acme path_beg /.well-known/acme-challenge/
+ # acl is_my_domain hdr(host) -i stura.htw-dresden.de
+ # use_backend acme_backend if is_acme is_my_domain
+ # # redirect everything else to HTTPS
+ # redirect scheme https code 301 if !is_acme
+
+ # backend acme_backend
+ # mode http
+ # server acme 127.0.0.1:8888
+
+ frontend http-in
 bind *:80
- mode http
- option httplog
-
- acl is_acme path_beg /.well-known/acme-challenge/
- acl is_my_domain hdr(host) -i stura.htw-dresden.de
- use_backend acme_backend if is_acme is_my_domain
- # redirect everything else to HTTPS
- redirect scheme https code 301 if !is_acme
-
- backend acme_backend
- mode http
- server acme 127.0.0.1:8888 check
+ acl is_plone hdr(host) -i stura.htw-dresden.de
+ acl is_www_plone hdr(host) -i www.stura.htw-dresden.de
+ acl is_pro hdr(host) -i pro.stura.htw-dresden.de
+
+ use_backend plone_80 if is_plone
+ use_backend plone_80 if is_www_plone
+ use_backend pro_80 if is_pro
+ default_backend plone_80
 # ---- SNI routing (TCP, peek at handshake) ----
@@ -85,7 +111,9 @@ services = {
 tcp-request content accept if { req_ssl_hello_type 1 }
 # terminated here
- use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
+ #use_backend terminate_plone if { req_ssl_sni -i stura.htw-dresden.de }
+ use_backend plone_passthrough if { req_ssl_sni -i stura.htw-dresden.de }
+ use_backend plone_passthrough if { req_ssl_sni -i www.stura.htw-dresden.de }
 # passed through to nginx on remote host
 use_backend tls_passthrough if { req_ssl_sni -i pro.stura.htw-dresden.de }
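Review bot: `frontend http-in` now sends every port-80 request to `plone_80`/`pro_80` while `acme_backend` survives only as a comment, so HTTP-01 challenges for `stura.htw-dresden.de` no longer reach the lego listener on 8888 and the certificate that `https_terminated` still loads in the hunk below will stop renewing. Keep `acl is_acme path_beg /.well-known/acme-challenge/` and `use_backend acme_backend if is_acme` ahead of the host rules, and restore the `acme_backend` definition that points at `127.0.0.1:8888`. Separately, `stats auth admin:yourpassword` is a placeholder credential that ends up in the generated haproxy.cfg in the Nix store, readable by every local user; since the stats frontend is bound to `127.0.0.1:8404`, either rely on that binding and drop `stats auth`, or use a real credential that is not committed to the repository. The old frontend's `option httplog` and its `redirect scheme https code 301` are gone as well, so port-80 traffic is neither logged with HTTP detail nor pushed to HTTPS by this host unless the upstream does that itself.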
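Review bot: Both `stura.htw-dresden.de` and `www.stura.htw-dresden.de` are now handed to `plone_passthrough`, so this host no longer terminates TLS for them and the certificate that just gained the `www` name in the ACME block is not what clients of those names are shown; the nginx at 141.56.51.3 must present a certificate covering both names, which this diff cannot confirm. If passthrough is the intended end state, the `#use_backend terminate_plone …` line is dead config sitting between live rules and should be removed rather than commented, and the `# terminated here` comment above it no longer describes what follows. If termination is meant to return, a short comment saying why it is off for now would save the next reader the guesswork.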
@@ -98,12 +126,24 @@ services = {
 mode tcp
 server nginx_host 141.56.51.15:443 check
+ backend plone_passthrough
+ mode tcp
+ server nginx_host 141.56.51.3:443 check
+
 frontend https_terminated
 bind 127.0.0.1:8443 ssl crt /var/lib/acme/stura.htw-dresden.de/full.pem
 mode http
 default_backend plone_backend
+ backend plone_80
+ mode http
+ server plone 141.56.51.3:80 check
+
+ backend pro_80
+ mode http
+ server plone 141.56.51.15:80 check
+
 backend plone_backend
 mode http
 http-request set-header Host stura.htw-dresden.de
@@ -121,6 +161,11 @@ services = {
 443
 ];
+ environment.systemPackages = with pkgs; [
+ openvpn
+ tcpdump
+ ];
+
 system.stateVersion = "25.11";
 }
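Review bot: `backend pro_80` names its server `plone` although it points at 141.56.51.15, the host that `tls_passthrough` calls `nginx_host` and that the frontend serves as `pro.stura.htw-dresden.de`; the server name is what appears in logs and on the stats page, so `server pro 141.56.51.15:80 check` avoids mixing the two backends up. Neither `plone_80` nor `pro_80` sets `option forwardfor`, so the upstream servers see only the proxy's address in their access logs, which is exactly the information needed the day a request has to be traced back to a client; one line per backend fixes that. Note also that `check` on the `mode tcp` server in `plone_passthrough` is a bare TCP connect check, so a backend that accepts connections but fails its TLS handshake still counts as healthy — fine as long as that is understood.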
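Review bot: `openvpn` and `tcpdump` are added to the proxy's system closure with no comment and, at least within this diff, no `services.openvpn` definition, so a reader cannot tell whether a VPN client belongs on this host or is left over from hands-on testing. A one-line comment above the list, e.g. `# operator tooling for the edge host: packet capture and VPN client`, would record the intent, and if openvpn is not needed it should be dropped to keep the package set on the proxy minimal.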