forked from c3d2/nix-config
Test proxy protocol
This commit is contained in:
parent
91ad218241
commit
b3475da2da
GPG Key ID:
3AF5A43A3EECC2E5
|
|
@ -120,6 +120,27 @@
|
|||
gnome-initial-setup.enable = false;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
appendHttpConfig = ''
|
||||
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $body_bytes_sent '
|
||||
'"$http_referer" "$http_user_agent"';
|
||||
|
||||
access_log /var/log/nginx/access.log proxyCombined;
|
||||
'';
|
||||
commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
|
||||
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||
set_real_ip_from ${hosts4.public-access-proxy};
|
||||
set_real_ip_from ${hosts6.up4.public-access-proxy};
|
||||
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
proxy_set_header X-Real-IP $proxy_protocol_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
||||
'';
|
||||
defaultExtraParameters = [ "proxy_protocol" ];
|
||||
};
|
||||
|
||||
openssh = {
|
||||
# Required for deployment and sops
|
||||
enable = true;
|
||||
|
|
|
|||
|
|
@ -76,6 +76,7 @@
|
|||
} {
|
||||
hostNames = [ "gitea.c3d2.de" ];
|
||||
proxyTo.host = hostRegistry.gitea.ip4;
|
||||
proxyProtocol = true;
|
||||
} {
|
||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
||||
proxyTo.host = hostRegistry.grafana.ip4;
|
||||
|
|
|
|||
|
|
@ -23,6 +23,7 @@ in
|
|||
Proxy these hostNames.
|
||||
'';
|
||||
};
|
||||
|
||||
proxyTo = lib.mkOption {
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
|
|
@ -55,14 +56,19 @@ in
|
|||
'';
|
||||
default = { };
|
||||
};
|
||||
|
||||
proxyProtocol = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Whether to use proxy protocol to connect to the server.";
|
||||
};
|
||||
|
||||
matchArg = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
});
|
||||
default = [ ];
|
||||
example = [{
|
||||
|
|
@ -97,13 +103,11 @@ in
|
|||
option forwardfor
|
||||
http-request set-header X-Forwarded-Proto http
|
||||
http-request set-header X-Forwarded-Port 80
|
||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
|
||||
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||
lib.concatMapStrings (hostname: ''
|
||||
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
||||
toString proxyTo.httpPort
|
||||
} weight 1
|
||||
server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
||||
'') hostNames
|
||||
)
|
||||
) cfg.proxyHosts
|
||||
|
|
@ -113,17 +117,15 @@ in
|
|||
bind :::443 v4v6
|
||||
tcp-request inspect-delay 5s
|
||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:
|
||||
lib.concatMapStrings (hostname: ''
|
||||
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
||||
'') hostNames
|
||||
) cfg.proxyHosts}
|
||||
|
||||
${lib.concatMapStrings ({ proxyTo, ... }: ''
|
||||
${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
|
||||
backend ${canonicalize proxyTo.host}-https
|
||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
||||
toString proxyTo.httpsPort
|
||||
} weight 1
|
||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
||||
'') cfg.proxyHosts}
|
||||
'';
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in New Issue