authorGeorg Pfuetzenreuter2023-02-08 00:10:17 +0100
committerGeorg Pfuetzenreuter2023-02-12 05:21:39 +0100
commiteed4945a9f6981041260a593fde7bc54150c0740 (patch)
tree27a16fbc685318511406ce80591a6289df46698c
parent1b0965943f6223354e2de6c647a2024f4c835a83 (diff)
nemesis/hubris: import nginx configuration
Add shared configuration to cluster.denc.web-proxy. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
-rw-r--r--pillar/cluster/denc/web-proxy.sls149
1 files changed, 149 insertions, 0 deletions
diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
new file mode 100644
index 0000000..4cf84ab
--- /dev/null
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -0,0 +1,149 @@
+{%- from 'map.jinja' import nginx_crtkeypair -%}
+{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
+{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
+{%- set resolver = '192.168.0.115' -%}
+
+nginx:
+ snippets:
+ listen_ha:
+ - listen:
+ - 81.16.19.62:443 ssl http2
+ - '[2a03:4000:20:21f::]:443 ssl http2'
+ proxy:
+ - proxy_set_header:
+ - Host $host
+ - X-Real-IP $remote_addr
+ - X-Forwarded-For $proxy_add_x_forwarded_for
+ - X-Forwarded-Host $host
+ - X-Forwarded-Server $host
+ - X-Forwarded-Port $server_port
+ - X-Forwarded-Proto $scheme
+ - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
+ tls:
+ - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+
+ {#- certificate snippets, to-do: merge snippets/tls include into crtkeypair #}
+ {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
+ - include: snippets/tls
+ {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
+ - include: snippets/tls
+ tls_syscidsso:
+ - ssl_trusted_certificate: {{ trustcrt }}
+ - ssl_client_certificate: {{ trustcrt }}
+ - ssl_certificate: /etc/ssl/syscid/sso.syscid.com.crt
+ - ssl_certificate_key: /etc/ssl/syscid/sso.syscid.com.key
+ - ssl_ocsp: 'on'
+ - ssl_ocsp_responder: {{ stapler }}
+ - ssl_stapling: 'on'
+ - ssl_stapling_responder: {{ stapler }}
+ - ssl_stapling_verify: 'on'
+ - ssl_verify_client: 'on'
+ - resolver: {{ resolver }} ipv6=off
+ - include: snippets.d/tls
+
+ servers:
+ managed:
+ jboss-cluster.conf:
+ available_dir: /etc/nginx/conf.d
+ config:
+ - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
+ - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
+ - upstream jboss:
+ - ip: hash
+ - server:
+ - theia.backend.syscid.com:8443
+ - orpheus.backend.syscid.com:8443
+ - selene.backend.syscid.com:8443
+
+ bookstack.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libertacasa
+ - server_name: libertacasa.info libcasa.info
+ - location /:
+ - proxy_pass: https://bookstack.themis.backend.syscid.com
+ - proxy_http_version: 1.1
+ - client_max_body_size: 20M
+
+ http.conf:
+ config:
+ - server:
+ - listen:
+ - 81.16.19.62:80 default_server
+ - '[2a03:4000:20:21f::]:80 default_server'
+ - include: snippets/robots
+ - location /:
+ - return: 301 https://$host$request_uri
+
+ privatebin.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_lysergic
+ - server_name: pasta.lysergic.dev
+ - location /:
+ - proxy_pass: https://privatebin.themis.backend.syscid.com
+ - proxy_http_version: 1.1
+ - client_max_body_size: 50M
+
+ sso_private.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_syscidsso
+ - server_name: sso.syscid.com
+ - root: /srv/www/sso.syscid.com
+ - location = /: []
+ - location /index.html: []
+ - location /:
+ - proxy_pass: https://jboss
+ - proxy_cache: cache_sso_private
+ - include: snippets/proxy
+ - proxy_buffer_size: 256k
+ - proxy_buffers: 4 512k
+ - proxy_busy_buffers_size: 512k
+ - error_log: /var/log/nginx/sso_private.error.log
+ - access_log: /var/log/nginx/sso_private.access.log combined
+
+ sso_public.conf:
+ config:
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libsso
+ - server_name: sso.casa www.sso.casa
+ - location /:
+ - root: /srv/www/sso.casa
+ - server:
+ - include:
+ - snippets/listen
+ - snippets/tls_libsso
+ - server_name: libsso.net www.libsso.net
+ - location /:
+ - root: /srv/www/libsso.net
+ - location /auth: {#- compat, consider removing #}
+ - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
+ {%- for path in ['realms', 'resources', 'js'] %}
+ - location /{{ path }}:
+ - proxy_pass: https://jboss/{{ path }}
+ - proxy_cache: cache_sso_public
+ {#- - proxy_ssl_verify: on #to-do: enable this #}
+ - include: snippets/proxy
+ {%- endfor %}
+ {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
+ - location /{{ path }}:
+ - return: https://liberta.casa/
+ {%- endfor %}
+ - proxy_buffer_size: 256k
+ - proxy_buffers: 4 512k
+ - proxy_busy_buffers_size: 512k
+ - error_log: /var/log/nginx/libsso_public.error.log
+ - access_log: /var/log/nginx/libsso_public.access.log combined
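Review bot: No server in this pillar enables `proxy_ssl_verify`, and L161 keeps it as a commented-out to-do, so the `proxy_ssl_trusted_certificate` set in the `proxy` snippet at L44 is never enforced and every `proxy_pass https://...` backend (the `jboss` upstream and the `themis.backend.syscid.com` hosts) is reached without certificate validation. Adding `- proxy_ssl_verify: 'on'` to the `proxy` snippet (quoted like the other `'on'` values at L62-L67 so YAML does not read it as a boolean) would make the trusted-CA directive effective, but note that the name nginx checks defaults to the `proxy_pass` host, which for the `jboss` upstream is the literal string `jboss`, so the `/realms`, `/resources`, `/js` and `sso_private` locations will also need a matching `- proxy_ssl_name:` value before verification can pass. Separately, `- return: https://liberta.casa/` at L166 carries no status code and therefore renders as a temporary 302, unlike the explicit 301 at L105; if a permanent redirect is intended, write `- return: 301 https://liberta.casa/`. The `- ip: hash` entry at L79 presumably renders as `ip hash;` rather than the `ip_hash;` directive, which nginx would reject at config test time — worth confirming against the formula's rendering of the `config` list.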