path: root/pillar/cluster/denc/web-proxy.sls
blob: 4cf84ab558857690fadbc6f6032bc2cade37318a (plain)
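{%- from 'map.jinja' import nginx_crtkeypair -%}
{#- Values shared by the tls_syscidsso snippet: the CA bundle used both for
    OCSP trust and client-certificate verification, the internal OCSP responder,
    and the resolver nginx needs to look up the responder's hostname. -#}
{%- set trustcrt = '/usr/share/pki/trust/anchors/syscid-ca.crt' -%}
{%- set stapler = 'http://gaia.syscid.com:8900/' -%}
{%- set resolver = '192.168.0.115' -%}

# nginx pillar for the denc web-proxy cluster: reusable snippets first, then the
# vhost files the formula manages. The snippets / servers.managed layout is the
# nginx formula's (presumably saltstack's nginx-formula); each list item is
# expected to render as one directive or one nested block.
nginx:
  snippets:
    # The proxy's v4/v6 addresses, TLS-only with HTTP/2.
    # NOTE(review): the vhosts below include snippets/listen, which this file
    # does not define - confirm it comes from another pillar and is not meant
    # to be listen_ha.
    listen_ha:
      - listen:
        - 81.16.19.62:443 ssl http2
        - '[2a03:4000:20:21f::]:443 ssl http2'
    # Forwarding headers for the proxied locations (included per location).
    proxy:
      - proxy_set_header:
        - Host                $host
        - X-Real-IP           $remote_addr
        - X-Forwarded-For     $proxy_add_x_forwarded_for
        - X-Forwarded-Host    $host
        - X-Forwarded-Server  $host
        - X-Forwarded-Port    $server_port
        - X-Forwarded-Proto   $scheme
      # Only consulted once proxy_ssl_verify is on; until the to-do in
      # sso_public.conf is done the backend certificate is not checked against
      # this CA.
      - proxy_ssl_trusted_certificate: /etc/pki/trust/anchors/backend-ca.crt
    # AEAD-only ECDHE/DHE suites. ssl_protocols is not set in this file;
    # presumably it comes from snippets.d/tls or the formula defaults - confirm.
    tls:
      - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    # Per-domain certificate/key snippets generated by nginx_crtkeypair
    # (presumably the tls_<name> snippets the vhosts include); each one also
    # pulls in the shared cipher snippet.
    {#- to-do: merge the snippets/tls include into crtkeypair #}
    {{ nginx_crtkeypair('libertacasa', 'liberta.casa') | indent }}
      - include: snippets/tls
    {{ nginx_crtkeypair('libertacasanet', 'libertacasa.net') | indent }}
      - include: snippets/tls
    {{ nginx_crtkeypair('libsso', 'libsso.net') | indent }}
      - include: snippets/tls
    {{ nginx_crtkeypair('lysergic', 'lysergic.dev') | indent }}
      - include: snippets/tls
    # Mutual TLS for sso.syscid.com: clients must present a certificate issued
    # by the CA in trustcrt (ssl_verify_client on + ssl_client_certificate), and
    # the server staples/validates OCSP through the internal responder.
    # 'on' is quoted so YAML does not read it as a boolean.
    tls_syscidsso:
      - ssl_trusted_certificate: {{ trustcrt }}
      - ssl_client_certificate:  {{ trustcrt }}
      - ssl_certificate:         /etc/ssl/syscid/sso.syscid.com.crt
      - ssl_certificate_key:     /etc/ssl/syscid/sso.syscid.com.key
      - ssl_ocsp:                'on'
      - ssl_ocsp_responder:      {{ stapler }}
      - ssl_stapling:            'on'
      - ssl_stapling_responder:  {{ stapler }}
      - ssl_stapling_verify:     'on'
      - ssl_verify_client:       'on'
      # Needed to resolve the responder hostname; ipv6=off skips AAAA lookups.
      - resolver:                {{ resolver }} ipv6=off
      # NOTE(review): this includes snippets.d/tls while the crtkeypair snippets
      # above include snippets/tls - confirm the different path is intentional.
      - include:                 snippets.d/tls

  servers:
    managed:
      # Upstream pool of the three backend hosts plus the two caches used by the
      # sso vhosts; written to /etc/nginx/conf.d via available_dir.
      jboss-cluster.conf:
        available_dir: /etc/nginx/conf.d
        config:
          - proxy_cache_path: /var/cache/nginx/sso_public keys_zone=cache_sso_public:10m
          - proxy_cache_path: /var/cache/nginx/sso_private keys_zone=cache_sso_private:10m
          - upstream jboss:
            # NOTE(review): renders as "ip hash", whereas the nginx upstream
            # directive is ip_hash - confirm the formula emits what is intended.
            - ip: hash
            - server:
              - theia.backend.syscid.com:8443
              - orpheus.backend.syscid.com:8443
              - selene.backend.syscid.com:8443

      # Proxied to the bookstack backend over TLS; uploads capped at 20M.
      bookstack.conf:
        config:
          - server:
            - include:
              - snippets/listen
              - snippets/tls_libertacasa
            - server_name: libertacasa.info libcasa.info
            - location /:
              - proxy_pass: https://bookstack.themis.backend.syscid.com
              - proxy_http_version: 1.1
            - client_max_body_size: 20M

      # Plain-HTTP listener: serves the robots snippet and redirects everything
      # else to https. include and location are server-level directives
      # (siblings of listen), as in the other vhosts.
      http.conf:
        config:
          - server:
            - listen:
              - 81.16.19.62:80 default_server
              - '[2a03:4000:20:21f::]:80 default_server'
            - include: snippets/robots
            - location /:
              - return: 301 https://$host$request_uri

      # Proxied to the privatebin backend over TLS; pastes capped at 50M.
      privatebin.conf:
        config:
          - server:
            - include:
              - snippets/listen
              - snippets/tls_lysergic
            - server_name: pasta.lysergic.dev
            - location /:
              - proxy_pass: https://privatebin.themis.backend.syscid.com
              - proxy_http_version: 1.1
            - client_max_body_size: 50M

      # Client-certificate protected SSO vhost (see tls_syscidsso). / and
      # /index.html are empty locations so they are served from root rather
      # than proxied; everything else goes to the jboss pool through the
      # private cache.
      sso_private.conf:
        config:
          - server:
            - include:
              - snippets/listen
              - snippets/tls_syscidsso
            - server_name: sso.syscid.com
            - root: /srv/www/sso.syscid.com
            - location = /: []
            - location /index.html: []
            - location /:
              - proxy_pass: https://jboss
              - proxy_cache: cache_sso_private
              - include: snippets/proxy
            - proxy_buffer_size: 256k
            - proxy_buffers: 4 512k
            - proxy_busy_buffers_size: 512k
            - error_log: /var/log/nginx/sso_private.error.log
            - access_log: /var/log/nginx/sso_private.access.log combined

      # Public SSO vhosts: sso.casa is static only; libsso.net serves its static
      # root, proxies a whitelist of paths to the jboss pool through the public
      # cache, and redirects the administrative paths away to liberta.casa.
      sso_public.conf:
        config:
          - server:
            - include:
              - snippets/listen
              - snippets/tls_libsso
            - server_name: sso.casa www.sso.casa
            - location /:
              - root: /srv/www/sso.casa
          - server:
            - include:
              - snippets/listen
              - snippets/tls_libsso
            - server_name: libsso.net www.libsso.net
            - location /:
              - root: /srv/www/libsso.net
            # Legacy /auth prefix: strip it and send the client to the bare host.
            - location /auth: {#- compat, consider removing #}
              - rewrite: '^/auth(.*)$ https://libsso.net$1 break'
            # Paths proxied to the backend pool.
            {%- for path in ['realms', 'resources', 'js'] %}
            - location /{{ path }}:
              - proxy_pass: https://jboss/{{ path }}
              - proxy_cache: cache_sso_public
              # Backend certificate is not verified until this is enabled; the
              # CA to verify against is already set in snippets/proxy.
              {#- - proxy_ssl_verify: on #to-do: enable this #}
              - include: snippets/proxy
            {%- endfor %}
            # Not served publicly: redirected to the landing site instead.
            {%- for path in ['admin', 'welcome', 'metrics', 'health' ] %}
            - location /{{ path }}:
              - return: https://liberta.casa/
            {%- endfor %}
            - proxy_buffer_size: 256k
            - proxy_buffers: 4 512k
            - proxy_busy_buffers_size: 512k
            - error_log: /var/log/nginx/libsso_public.error.log
            - access_log: /var/log/nginx/libsso_public.access.log combined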