From b3475da2daae5f371fe220c3d04fa5e9056dc1ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Wed, 18 Jan 2023 01:52:47 +0100
Subject: [PATCH] Test proxy protocol

---
 config/default.nix | 21 +++++++++++++++++++++
 hosts/public-access-proxy/default.nix | 1 +
 hosts/public-access-proxy/proxy.nix | 24 +++++++++++++-----------
 3 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/config/default.nix b/config/default.nix
index e3e2c57b..288297f1 100644
--- a/config/default.nix
+++ b/config/default.nix
@@ -120,6 +120,27 @@
 gnome-initial-setup.enable = false;
 };
 
+ nginx = {
+ appendHttpConfig = ''
+ log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ access_log /var/log/nginx/access.log proxyCombined;
+ '';
+ commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
+ # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+ set_real_ip_from ${hosts4.public-access-proxy};
+ set_real_ip_from ${hosts6.up4.public-access-proxy};
+
+ real_ip_header proxy_protocol;
+
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+ '';
+ defaultExtraParameters = [ "proxy_protocol" ];
+ };
+
 openssh = {
 # Required for deployment and sops
 enable = true;
diff --git a/hosts/public-access-proxy/default.nix b/hosts/public-access-proxy/default.nix
index 48c4e7ed..279058d2 100644
--- a/hosts/public-access-proxy/default.nix
+++ b/hosts/public-access-proxy/default.nix
@@ -76,6 +76,7 @@
 } { hostNames = [ "gitea.c3d2.de" ]; proxyTo.host = hostRegistry.gitea.ip4;
+ proxyProtocol = true;
 } { hostNames = [ "grafana.hq.c3d2.de" ]; proxyTo.host = hostRegistry.grafana.ip4;
diff --git a/hosts/public-access-proxy/proxy.nix b/hosts/public-access-proxy/proxy.nix
index 21f5070e..76cc58e5 100644
--- a/hosts/public-access-proxy/proxy.nix
+++ b/hosts/public-access-proxy/proxy.nix
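Review bot: The `log_format proxyCombined` line and both `proxy_set_header` lines in `commonServerConfig` read `$proxy_protocol_addr` directly, which is whatever address the peer wrote into its PROXY line, while the `set_real_ip_from` / `real_ip_header proxy_protocol` block only gates the rewrite of `$remote_addr`; if any of these nginx listeners is reachable other than through public-access-proxy (not visible here), the logged address and the X-Real-IP/X-Forwarded-For values handed to the application are chosen by the connecting peer rather than verified. Using `$remote_addr` in those three places, `log_format proxyCombined '$remote_addr - $remote_user [$time_local] '`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $remote_addr;`, keeps the PROXY-supplied address only for connections from the two trusted proxy addresses and falls back to the socket peer otherwise. Separately, `defaultExtraParameters = [ "proxy_protocol" ]` makes every listener of every host importing this file require a PROXY header, whereas the hosts/public-access-proxy/default.nix hunk sets `proxyProtocol = true` only for gitea.c3d2.de, so the other hosts' listeners will be sent plain connections they no longer accept; either enable it per host or add a comment stating the rollout plan.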
@@ -23,6 +23,7 @@ in
 Proxy these hostNames.
 '';
 };
+
 proxyTo = lib.mkOption {
 type = lib.types.submodule {
 options = {
@@ -55,14 +56,19 @@ in
 '';
 default = { };
 };
+
+ proxyProtocol = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = "Whether to use proxy protocol to connect to the server.";
+ };
+
 matchArg = lib.mkOption {
 type = lib.types.str;
 default = "";
 description = "Optional argument to HAProxy `req.ssl_sni -i`";
 };
-
 };
-
 });
 default = [ ];
 example = [{
@@ -97,13 +103,11 @@ in
 option forwardfor
 http-request set-header X-Forwarded-Proto http
 http-request set-header X-Forwarded-Port 80
- ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
+ ${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
 lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
 lib.concatMapStrings (hostname: ''
 use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
- server ${canonicalize hostname}-http ${proxyTo.host}:${
- toString proxyTo.httpPort
- } weight 1
+ server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
 '') hostNames
 )
 ) cfg.proxyHosts
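Review bot: The description of the new `proxyProtocol` option does not say what the target has to support: when it is set, the generated `server` lines for both the HTTP side (hunk @@ -97) and the HTTPS backend (hunk @@ -113) get `send-proxy`, so the target must accept a PROXY protocol header on both ports or it will reject every connection. Suggested wording: `description = "Whether to prefix connections to the server with a PROXY protocol header (HAProxy send-proxy). The server must accept the PROXY protocol on both its HTTP and HTTPS port.";`.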
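Review bot: The rewritten `server` line adds `check` next to the conditional `send-proxy`, which turns on HAProxy health checks for every HTTP server, a behaviour change that neither the commit title nor a comment mentions; the same line is introduced for the HTTPS backend in hunk @@ -113. If it is intended, a comment such as `# check: let HAProxy mark the server down when it stops answering` above the `server` line would keep it from being reverted as accidental, and whether the health check itself carries the PROXY header when `send-proxy` is set should be confirmed against the HAProxy version in use (`check-send-proxy` exists to force that). The lambda `({ proxyTo, proxyProtocol, hostNames, matchArg }:` also destructures without `...`, while both HTTPS lambdas in hunk @@ -113 use `...`; using one form in all three places would be more consistent.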
@@ -113,17 +117,15 @@ in
 bind :::443 v4v6
 tcp-request inspect-delay 5s
 tcp-request content accept if { req.ssl_hello_type 1 }
- ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
+ ${lib.concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:
 lib.concatMapStrings (hostname: ''
 use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
 '') hostNames
 ) cfg.proxyHosts}
- ${lib.concatMapStrings ({ proxyTo, ... }: ''
+ ${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
 backend ${canonicalize proxyTo.host}-https
- server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
- toString proxyTo.httpsPort
- } weight 1
+ server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
 '') cfg.proxyHosts}
 '';
 };