From e450e6cdf110e91ebc8408b9d59ed6f6e6d0b685 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Tue, 11 Apr 2023 01:11:43 +0200
Subject: [PATCH] Enable proxyProtocol for drone and gitea

---
 config/default.nix | 33 +++++++++++++--------------
 flake.nix | 5 +++-
 hosts/drone/default.nix | 3 ++-
 hosts/gitea/default.nix | 3 ++-
 hosts/public-access-proxy/default.nix | 2 ++
 hosts/public-access-proxy/proxy.nix | 21 +++++++++++++++--
 6 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/config/default.nix b/config/default.nix
index fd4fc605..05ab0e41 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -159,26 +159,25 @@
       gnome-initial-setup.enable = false;
     };
-    # nginx = {
-    #   appendHttpConfig = ''
-    #     log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
-    #       '"$request" $status $body_bytes_sent '
-    #       '"$http_referer" "$http_user_agent"';
+    nginx = {
+      appendHttpConfig = ''
+        log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
+          '"$request" $status $body_bytes_sent '
+          '"$http_referer" "$http_user_agent"';
 
-    #     access_log /var/log/nginx/access.log proxyCombined;
-    #   '';
-    #   commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
-    #     # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
-    #     set_real_ip_from ${hosts4.public-access-proxy};
-    #     set_real_ip_from ${hosts6.up4.public-access-proxy};
+        access_log /var/log/nginx/access.log proxyCombined;
+      '';
+      commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
+        # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+        set_real_ip_from ${hosts4.public-access-proxy};
+        set_real_ip_from ${hosts6.up4.public-access-proxy};
 
-    #     real_ip_header proxy_protocol;
+        real_ip_header proxy_protocol;
 
-    #     proxy_set_header X-Real-IP $proxy_protocol_addr;
-    #     proxy_set_header X-Forwarded-For $proxy_protocol_addr;
-    #   '';
-    #   defaultExtraParameters = [ "proxy_protocol" ];
-    # };
+        proxy_set_header X-Real-IP $proxy_protocol_addr;
+        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+      '';
+    };
     openssh = {
       # Required for deployment and sops
diff --git a/flake.nix b/flake.nix
index 7ee9ac5d..a9adcf55 100644
--- a/flake.nix
+++ b/flake.nix
@@ -225,6 +225,9 @@
       inherit (import ./lib/network.nix { inherit lib zentralwerk; }) hostRegistry;
+      libC = {
+        inherit (import ./lib/nginx.nix {}) defaultListen;
+      };
       overlayList = [
         self.overlays
@@ -243,7 +246,7 @@
         modules = [
           (_: {
             _module.args = {
-              inherit hostRegistry nixos zentralwerk;
+              inherit hostRegistry libC nixos zentralwerk;
             };
             nixpkgs.overlays = overlayList;
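Review bot: The two proxy_set_header lines and the proxyCombined log_format read `$proxy_protocol_addr` directly, which is the address exactly as it arrived in the PROXY header, whereas `set_real_ip_from` together with `real_ip_header proxy_protocol` only controls whether `$remote_addr` is rewritten. Any peer that can reach the proxy_protocol listener without passing through public-access-proxy can therefore place an arbitrary address into X-Real-IP, X-Forwarded-For and the access log of the backend. Using `proxy_set_header X-Real-IP $remote_addr;`, the same for X-Forwarded-For, and `$remote_addr` in the log_format keeps the trusted-source filter in effect while still yielding the PROXY address for connections from the two listed proxy hosts. Note also that `commonServerConfig` is presumably shared by every vhost, so a vhost that keeps a listen without proxy_protocol would send these headers with an empty value; what `commonServerConfig` expands to is defined outside this hunk. The enclosing attribute set starts and ends outside the hunk.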
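Review bot: `libC` imports `./lib/nginx.nix`, but that file is not among the six files in this patch's diffstat, so the flake only evaluates if lib/nginx.nix already exists in the tree; if it is new it needs to be added to this commit, and either way the `defaultListen` it exports (ports, proxy_protocol flag) cannot be reviewed here. The `let` binding these hunks sit in begins outside the hunk.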
diff --git a/hosts/drone/default.nix b/hosts/drone/default.nix
index 50dc54f5..c6d4c5bd 100644
--- a/hosts/drone/default.nix
+++ b/hosts/drone/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, libC, pkgs, ... }:
 
 let
   hostname = "drone.hq.c3d2.de";
@@ -16,6 +16,7 @@ in
       virtualHosts.${hostname} = {
         forceSSL = true;
         enableACME = true;
+        listen = libC.defaultListen;
         locations."/".proxyPass = "http://localhost:8080";
       };
     };
diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix
index bfc95dfb..0ee5aa71 100644
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, libS, ... }:
+{ config, pkgs, lib, libC, libS, ... }:
 
 {
   c3d2.deployment.server = "server10";
@@ -112,6 +112,7 @@
       virtualHosts."gitea.c3d2.de" = {
         forceSSL = true;
         enableACME = true;
+        listen = libC.defaultListen;
         locations."/".proxyPass = "http://localhost:3000";
       };
     };
diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix
index a09d619c..b0b5f47c 100644
--- a/hosts/public-access-proxy/default.nix
+++ b/hosts/public-access-proxy/default.nix
@@ -70,6 +70,7 @@
       }
       { hostNames = [ "gitea.c3d2.de" ];
         proxyTo.host = hostRegistry.gitea.ip4;
+        proxyProtocol = true;
       }
       { hostNames = [ "grafana.hq.c3d2.de" ];
         proxyTo.host = hostRegistry.grafana.ip4;
@@ -140,6 +141,7 @@
       }
       { hostNames = [ "drone.hq.c3d2.de" ];
         proxyTo.host = hostRegistry.drone.ip4;
+        proxyProtocol = true;
       }
       { hostNames = [ "home-assistant.hq.c3d2.de" ];
         proxyTo.host = hostRegistry.home-assistant.ip4;
diff --git a/hosts/public-access-proxy/proxy.nix b/hosts/public-access-proxy/proxy.nix
index 10010c4c..9d2138ae 100644
--- a/hosts/public-access-proxy/proxy.nix
+++ b/hosts/public-access-proxy/proxy.nix
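Review bot: `listen = libC.defaultListen;` is added right above `proxyPass = "http://localhost:8080"`, and the haproxy side of this patch defaults `proxyHttpPort` to 8080, so if `defaultListen` (defined in lib/nginx.nix, not in this patch) binds nginx's proxy_protocol listener on port 8080, it either fails to bind next to the drone service on the same host or, if drone binds all interfaces, haproxy's PROXY-prefixed connection lands on drone instead of nginx. The port used by `defaultListen` should be checked against the drone upstream, or this host's proxy entry should set `proxyTo.proxyHttpPort` to a free port explicitly. The same `listen` line is added in hosts/gitea/default.nix, where the upstream is on port 3000 and no such clash exists. The enclosing `virtualHosts` attribute set starts outside the hunk.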
@@ -49,6 +49,20 @@ in
           Port to forward http to.
         '';
       };
+      proxyHttpPort = lib.mkOption {
+        type = lib.types.port;
+        default = 8080;
+        description = ''
+          Port to forward http to when using the proxy protocol.
+        '';
+      };
+      proxyHttpsPort = lib.mkOption {
+        type = lib.types.port;
+        default = 8443;
+        description = ''
+          Port to forward http to when using the proxy protocol.
+        '';
+      };
     };
   };
   description = ''
@@ -106,8 +120,10 @@ in
     ${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
       lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
         lib.concatMapStrings (hostname: ''
+          use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
-          server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
+          server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} check ${lib.optionalString proxyProtocol "backup"}
+          ${lib.optionalString proxyProtocol "server ${canonicalize hostname}-proxy-http ${proxyTo.host}:${toString proxyTo.proxyHttpPort} check send-proxy-v2"}
         '') hostNames
       )
     ) cfg.proxyHosts
@@ -127,7 +143,8 @@ in
     ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
       backend ${canonicalize proxyTo.host}-https
-        server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
+        server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} check ${lib.optionalString proxyProtocol "backup"}
+        ${lib.optionalString proxyProtocol "server ${canonicalize proxyTo.host}-proxy-https ${proxyTo.host}:${toString proxyTo.proxyHttpsPort} check send-proxy-v2"}
     '') cfg.proxyHosts}
   '';
 };
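Review bot: The description of `proxyHttpsPort` is a copy of the `proxyHttpPort` one and still says "Port to forward http to when using the proxy protocol." although the option carries the https port (default 8443); it should read `Port to forward https to when using the proxy protocol.`. Both descriptions could also name the counterpart the port pairs with, e.g. `Used instead of httpPort when proxyProtocol is set.`, so readers of the generated option docs see which of the two ports applies. The enclosing options set continues outside the hunk.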
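Review bot: Marking the plain `-http` server `backup` when proxyProtocol is set makes loss of the proxy_protocol listener fail silently: haproxy falls back to the plain port without a PROXY header, the backend then sees haproxy's address as the client, and the X-Real-IP/X-Forwarded-For headers and proxyCombined log configured in config/default.nix are filled from an empty `$proxy_protocol_addr`, so per-client logging and any address-based controls on the backend quietly stop working. If that fallback is intended it should be monitored (haproxy marks the switch to backup servers in its logs); otherwise omitting the plain server when proxyProtocol is true keeps the failure visible, e.g. by wrapping that line in `${lib.optionalString (!proxyProtocol) "server ..."}`. The same `backup` pattern is used in the https backend hunk at -127,+143 below. Both enclosing `concatMapStrings` expressions begin before their hunks.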