
storage-ng/public-address-proxy: proxy different fqdns to different hosts

container/radius
Markus Schmidl 2 years ago
parent
commit
f4b14c94fa

+ 58
- 0
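--- a/hosts/storage-ng/public-access-proxy/configuration.nix
+++ b/hosts/storage-ng/public-access-proxy/configuration.nix
@@ -0,0 +1,58 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/profiles/minimal.nix>
+      ./proxy.nix
+    ];
+  nix.useSandbox = false;
+  nix.maxJobs = lib.mkDefault 2;
+  nix.buildCores = lib.mkDefault 16;
+
+  boot.isContainer = true;
+  # /sbin/init
+  boot.loader.initScript.enable = true;
+  boot.loader.grub.enable = false;
+
+  fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
+
+  networking.hostName = "public-access-proxy";
+  networking.defaultGateway = "172.22.99.4";
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "prohibit-password";
+    ports = [ 1122 ];
+  };
+
+  services.my.proxy = {
+    enable = true;
+    proxyHosts = [
+      {
+        hostNames = [ "mdm.arkom.men" ];
+        proxyTo = { host = "cloud.bombenverleih.de"; httpPort = 80; httpsPort = 443; };
+      }
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 
+    80
+    443
+   ];
+
+  users.extraUsers.k-ot = {
+    inNormalUser = true;
+    uid = 1000;
+    extraGroups = [ "wheel" ];
+  };
+
+  system.stateVersion = "18.09"; # Did you read the comment?
+
+}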
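Review bot: `inNormalUser = true` in the `users.extraUsers.k-ot` block is not a NixOS option — the attribute is `isNormalUser`, so evaluation stops with an undefined-option error and, once that is fixed, the account only gets a home directory and login shell if the correct name is used. `services.my.proxy` is undeclared as well: the module imported from ./proxy.nix declares its options under `my.serices.proxy` and reads `config.my.services.proxy`, so the proxy settings given here cannot take effect until one path is used in all three places. `nix.useSandbox = false` disables build isolation for every build on this host; if it is required because the container cannot create the namespaces the sandbox needs, a comment such as `# sandbox unavailable inside the container` would keep the next reader from copying it to hosts where it is not needed. SSH is moved to port 1122 but only 80 and 443 appear in `allowedTCPPorts`; if `services.openssh.openFirewall` is present in this NixOS release it defaults to true and opens the listed port, otherwise 1122 must be added explicitly. With `permitRootLogin = "prohibit-password"` and no `openssh.authorizedKeys.keys` declared for `k-ot`, this file on its own leaves no key-based login path, which is worth stating in a comment if the keys are provisioned elsewhere.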

+ 112
- 0
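--- a/hosts/storage-ng/public-access-proxy/proxy.nix
+++ b/hosts/storage-ng/public-access-proxy/proxy.nix
@@ -0,0 +1,112 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.my.services.proxy;
+
+in {
+
+  options.my.serices.proxy = {
+
+    enable = mkOption {
+      default = false;
+      description = "whether to enable proxy";
+      type = types.bool;
+    };
+
+    proxyHosts = mkOption {
+      type = types.listOf (types.submodule (
+        {
+          options = {
+            hostNames = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              description = ''
+                Proxy these hostnames.
+              '';
+            };
+            proxyTo = mkOption {
+              type = types.submodule (
+                {
+                  options = {
+                    host = mkOption {
+                      type = types.nullOr types.string;
+                      default = null;
+                      description = ''
+                        Host to forward traffic to.
+                        Any hostname may only be used once
+                      '';
+                    };
+                    httpPort = mkOption {
+                      type = types.int;
+                      default = 80;
+                      description = ''
+                        Port to forward http to.
+                      '';
+                    };
+                    httpsPort = mkOption {
+                      type = types.int;
+                      default = 443;
+                      description = ''
+                        Port to forward http to.
+                      '';
+                    };
+                  };
+                });
+              description = ''
+                { host = /* ip or fqdn */; httpPort = 80; httpsPort = 443; } to proxy to
+              '';
+              default = {};
+            };
+
+        }));
+      default = [];
+      example = [
+        { hostNames = [ "test.hq.c3d2.de" "test.c3d2.de" ];
+          proxyTo = { host = "172.22.99.99"; httpPort = 80; httpsPort = 443; };
+        }
+      ];
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    services.haproxy = {
+      enable = true;
+      config = ''
+        frontend http-in
+          bind *:80
+          default_backend proxy-backend-http
+  
+        backend proxy-backend-http
+          ${concatMapStringSep "\n" (proxyHost:
+            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+              concatMapStringSep "\n" (hostname: ''
+                use-server ${hostname}-http if { req.hdr(host) -i ${hostname} }
+                server ${hostname}-http ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpPort} weight 0
+              ''
+              ) (attrValues proxyHost.hostnames)
+            )
+          ) (attrValues cfg.proxyHosts)
+          }
+
+        frontend https-in
+          bind *:443
+          default_backend proxy-backend-https
+
+        backend proxy-backend-https
+          ${concatMapStringSep "\n" (proxyHost:
+            optionalString (proxyHost.hostNames != [] && proxyHost.proxyTo.host != null) (
+              concatMapStringsSep "\n" (hostname: ''
+                use-server ${hostname}-https if { req.ssl_sni -i ${hostname} }
+                server ${hostname}-https ${proxyHost.proxyTo.host}:${proxyHost.proxyTo.httpsPort} weight 0
+              ''
+              ) (attrValues proxyHost.hostnames)
+            )
+          ) (attrValues cfg.proxyHosts)
+          }
+      '';
+    };
+
+}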
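Review bot: The option path never resolves — the `let` binding reads `config.my.services.proxy` while the options are declared under `options.my.serices.proxy`, and configuration.nix sets a third spelling, `services.my.proxy`, so evaluation fails on an undeclared option before any of the module body runs. Both backend generators also call a non-existent `concatMapStringSep` (the lib function is `concatMapStringsSep`), apply `attrValues` to `cfg.proxyHosts` and `proxyHost.hostnames`, which are lists (and the option is spelled `hostNames`), and interpolate the integer ports into the string without `toString`, which Nix rejects. `req.ssl_sni` can only be read from an undecrypted stream in a `mode tcp` frontend that has `tcp-request inspect-delay` and a `tcp-request content accept if { req.ssl_hello_type 1 }` rule; without those the https-in frontend is handled as HTTP and the SNI `use-server` rules never match, while `req.hdr(host)` in turn needs `mode http` unless a `defaults` section supplies it. The `httpsPort` description is a copy of the http one and should read `Port to forward https to.`, and `types.string` should be `types.str` like the other options. A corrected generator is sketched below; the option-path fix is a one-line change on the `options.my.serices.proxy` line (pick one name, e.g. `my.services.proxy`, and use it in all three places).
```nix
    services.haproxy = {
      enable = true;
      config = let
        # Only entries with at least one name and a target produce rules.
        activeHosts = filter (h: h.hostNames != [] && h.proxyTo.host != null) cfg.proxyHosts;
        # suffix: server-name suffix; portOf: selects the port from proxyTo; match: ACL body for a hostname.
        rulesFor = suffix: portOf: match: concatMapStringsSep "\n" (proxyHost:
          concatMapStringsSep "\n" (hostname: ''
            use-server ${hostname}-${suffix} if { ${match hostname} }
            server ${hostname}-${suffix} ${proxyHost.proxyTo.host}:${toString (portOf proxyHost.proxyTo)} weight 0
          '') proxyHost.hostNames) activeHosts;
      in ''
        frontend http-in
          mode http
          bind *:80
          default_backend proxy-backend-http

        backend proxy-backend-http
          mode http
          ${rulesFor "http" (t: t.httpPort) (h: "req.hdr(host) -i ${h}")}

        frontend https-in
          mode tcp
          bind *:443
          # SNI is only readable once the ClientHello has arrived.
          tcp-request inspect-delay 5s
          tcp-request content accept if { req.ssl_hello_type 1 }
          default_backend proxy-backend-https

        backend proxy-backend-https
          mode tcp
          ${rulesFor "https" (t: t.httpsPort) (h: "req.ssl_sni -i ${h}")}
      '';
    };
```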
