Enable proxyProtocol not together with old proxy method

2024-03-14 18:41:02 +01:00 · 2024-03-14 18:41:02 +01:00 · 5560deef4c
parent 3a6c6384ee
commit 5560deef4c
3 changed files with 35 additions and 15 deletions
--- a/hosts/public-access-proxy/default.nix
+++ b/hosts/public-access-proxy/default.nix
@ -15,6 +15,7 @@
    proxyHosts = [ {
      hostNames = [ "auth.c3d2.de" ];
      proxyTo.host = hostRegistry.auth.ip4;
+      proxyProtocol = true;
    } {
      hostNames = [ "jabber.c3d2.de" ];
      proxyTo = {
@ -78,6 +79,8 @@
        "nix-cache.hq.c3d2.de"
      ];
      proxyTo.host = hostRegistry.hydra.ip4;
+      # TODO: enable in hydra
+      # proxyProtocol = true;
    } {
      hostNames = [
        "zentralwerk.org"
@ -87,18 +90,23 @@
    } {
      hostNames = [ "mate.c3d2.de" "matemat.c3d2.de" "matemat.hq.c3d2.de" ];
      proxyTo.host = hostRegistry.matemat.ip4;
+      proxyProtocol = true;
    } {
      hostNames = [
        "element.c3d2.de"
        "matrix.c3d2.de"
      ];
      proxyTo.host = hostRegistry.matrix.ip4;
+      # TODO: enable in matrix
+      # proxyProtocol = true;
    } {
      hostNames = [ "mobilizon.c3d2.de" ];
      proxyTo.host = hostRegistry.mobilizon.ip4;
    } {
      hostNames = [ "drkkr.hq.c3d2.de" ];
      proxyTo.host = hostRegistry.pulsebert.ip4;
+      # TODO: enable in pipebert
+      # proxyProtocol = true;
    } {
      hostNames = [ "scrape.hq.c3d2.de" ];
      proxyTo.host = hostRegistry.scrape.ip4;
@ -119,12 +127,15 @@
    } {
      hostNames = [ "wiki.c3d2.de" ];
      proxyTo.host = hostRegistry.mediawiki.ip4;
+      proxyProtocol = true;
    } {
      hostNames = [ "owncast.c3d2.de" ];
      proxyTo.host = hostRegistry.owncast.ip4;
    } {
      hostNames = [ "c3d2.social" ];
      proxyTo.host = hostRegistry.mastodon.ip4;
+      # TODO: enable in mastodon
+      # proxyProtocol = true;
    } {
      hostNames = [ "relay.fedi.buzz" ];
      proxyTo.host = zentralwerk.lib.config.site.net.serv.hosts4.buzzrelay;
@ -135,12 +146,18 @@
    } {
      hostNames = [ "home-assistant.hq.c3d2.de" ];
      proxyTo.host = hostRegistry.home-assistant.ip4;
+      # TODO: enable in home-assistant
+      # proxyProtocol = true;
    } {
      hostNames = [ "pretalx.c3d2.de" "talks.datenspuren.de" ];
      proxyTo.host = hostRegistry.pretalx.ip4;
+      # TODO: enable in pretalx
+      # proxyProtocol = true;
    } {
      hostNames = [ "vaultwarden.c3d2.de" ];
      proxyTo.host = hostRegistry.vaultwarden.ip4;
+      # TODO: enable in vaultwarden
+      # proxyProtocol = true;
    } ];
  };

--- a/hosts/public-access-proxy/proxy.nix
+++ b/hosts/public-access-proxy/proxy.nix
@ -73,7 +73,7 @@ in

          proxyProtocol = lib.mkOption {
            type = lib.types.bool;
-            default = true;
+            default = false;
            description = "Whether to use proxy protocol to connect to the server.";
          };

@ -137,8 +137,10 @@ in
                lib.concatMapStrings (hostname: ''

                  use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
-                    server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"}
-                   ${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"}
+                    server ${canonicalize hostname}-http ${proxyTo.host}:${
+                      if proxyProtocol then "${toString proxyTo.proxyHttpPort} check send-proxy-v2"
+                      else "${toString proxyTo.httpPort} check"
+                    }
                '') hostNames
              )
            ) cfg.proxyHosts
@ -159,8 +161,10 @@ in
        ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ...  }: ''

          backend ${canonicalize proxyTo.host}-https
-            server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"}
-            ${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"}
+            server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
+              if proxyProtocol then "${toString proxyTo.proxyHttpsPort} check send-proxy-v2"
+              else "${toString proxyTo.httpsPort} check"
+            }
        '') cfg.proxyHosts}
      '';
    };
--- a/lib/nginx.nix
+++ b/lib/nginx.nix
@ -3,16 +3,15 @@ _:
 {
  defaultListen = let
    listen = [
-      # breaks satisfy any
-      # {
-      #   addr = "[::]";
-      #   port = 80;
-      # }
-      # {
-      #   addr = "[::]";
-      #   port = 443;
-      #   ssl = true;
-      # }
+      {
+        addr = "[::]";
+        port = 80;
+      }
+      {
+        addr = "[::]";
+        port = 443;
+        ssl = true;
+      }
      {
        addr = "[::]";
        port = 8080;