Test proxy protocol
parent
91ad218241
commit
b3475da2da
|
@ -120,6 +120,27 @@
|
||||||
gnome-initial-setup.enable = false;
|
gnome-initial-setup.enable = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nginx = {
|
||||||
|
appendHttpConfig = ''
|
||||||
|
log_format proxyCombined '$proxy_protocol_addr - $remote_user [$time_local] '
|
||||||
|
'"$request" $status $body_bytes_sent '
|
||||||
|
'"$http_referer" "$http_user_agent"';
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access.log proxyCombined;
|
||||||
|
'';
|
||||||
|
commonServerConfig = with zentralwerk.lib.config.site.net.serv; ''
|
||||||
|
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||||
|
set_real_ip_from ${hosts4.public-access-proxy};
|
||||||
|
set_real_ip_from ${hosts6.up4.public-access-proxy};
|
||||||
|
|
||||||
|
real_ip_header proxy_protocol;
|
||||||
|
|
||||||
|
proxy_set_header X-Real-IP $proxy_protocol_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
||||||
|
'';
|
||||||
|
defaultExtraParameters = [ "proxy_protocol" ];
|
||||||
|
};
|
||||||
|
|
||||||
openssh = {
|
openssh = {
|
||||||
# Required for deployment and sops
|
# Required for deployment and sops
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
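Review bot: The two `proxy_set_header` lines and the `log_format` use `$proxy_protocol_addr` directly, which is the address claimed in the PROXY header whatever peer sent it, so the `set_real_ip_from` allow-list added just above does not gate those values. The realip module already rewrites `$remote_addr` to the PROXY-supplied address only when the peer matches `set_real_ip_from`, so using `$remote_addr` keeps the trust check in the path: `proxy_set_header X-Real-IP $remote_addr;`, `proxy_set_header X-Forwarded-For $remote_addr;`, and `$remote_addr` in place of `$proxy_protocol_addr` in `log_format proxyCombined` (at which point it matches the stock `combined` format). This matters because `defaultExtraParameters = [ "proxy_protocol" ]` applies to every listen socket, so any peer that can reach the port can present a PROXY line with an arbitrary source address. The enclosing attribute set starts before this hunk.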
@ -76,6 +76,7 @@
|
||||||
} {
|
} {
|
||||||
hostNames = [ "gitea.c3d2.de" ];
|
hostNames = [ "gitea.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.gitea.ip4;
|
proxyTo.host = hostRegistry.gitea.ip4;
|
||||||
|
proxyProtocol = true;
|
||||||
} {
|
} {
|
||||||
hostNames = [ "grafana.hq.c3d2.de" ];
|
hostNames = [ "grafana.hq.c3d2.de" ];
|
||||||
proxyTo.host = hostRegistry.grafana.ip4;
|
proxyTo.host = hostRegistry.grafana.ip4;
|
||||||
|
|
|
@ -23,6 +23,7 @@ in
|
||||||
Proxy these hostNames.
|
Proxy these hostNames.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
proxyTo = lib.mkOption {
|
proxyTo = lib.mkOption {
|
||||||
type = lib.types.submodule {
|
type = lib.types.submodule {
|
||||||
options = {
|
options = {
|
||||||
|
@ -55,14 +56,19 @@ in
|
||||||
'';
|
'';
|
||||||
default = { };
|
default = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
|
proxyProtocol = lib.mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Whether to use proxy protocol to connect to the server.";
|
||||||
|
};
|
||||||
|
|
||||||
matchArg = lib.mkOption {
|
matchArg = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
default = "";
|
default = "";
|
||||||
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
description = "Optional argument to HAProxy `req.ssl_sni -i`";
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
});
|
});
|
||||||
default = [ ];
|
default = [ ];
|
||||||
example = [{
|
example = [{
|
||||||
|
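Review bot: The `proxyProtocol` option's description should say which side it changes and what the backend must do, since the module only alters the HAProxy server line and nothing checks the backend. Suggested wording: `description = "Whether HAProxy speaks the PROXY protocol to this backend (send-proxy on its server line). The backend's listeners on httpPort and httpsPort must be configured to accept PROXY protocol; a plain listener will see the PROXY line as a malformed request.";`. It may also be worth stating that the protocol is what carries the client address across the TCP-mode HTTPS path, which is the reason to enable it. The submodule this option belongs to starts and ends outside the hunk.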
@ -97,13 +103,11 @@ in
|
||||||
option forwardfor
|
option forwardfor
|
||||||
http-request set-header X-Forwarded-Proto http
|
http-request set-header X-Forwarded-Proto http
|
||||||
http-request set-header X-Forwarded-Port 80
|
http-request set-header X-Forwarded-Port 80
|
||||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
${lib.concatMapStrings ({ proxyTo, proxyProtocol, hostNames, matchArg }:
|
||||||
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
lib.optionalString (hostNames != [ ] && proxyTo.host != null) (
|
||||||
lib.concatMapStrings (hostname: ''
|
lib.concatMapStrings (hostname: ''
|
||||||
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
use-server ${canonicalize hostname}-http if { req.hdr(host) -i ${matchArg} ${hostname} }
|
||||||
server ${canonicalize hostname}-http ${proxyTo.host}:${
|
server ${canonicalize hostname}-http ${proxyTo.host}:${toString proxyTo.httpPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
||||||
toString proxyTo.httpPort
|
|
||||||
} weight 1
|
|
||||||
'') hostNames
|
'') hostNames
|
||||||
)
|
)
|
||||||
) cfg.proxyHosts
|
) cfg.proxyHosts
|
||||||
|
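Review bot: The rewritten `server` line collapses the previously multi-line `${toString proxyTo.httpPort}` interpolation into one long line and, when `proxyProtocol` is false, emits `check ` with a trailing space; moving the space into the optional string keeps the output clean: `weight 1 check${lib.optionalString proxyProtocol " send-proxy"}`. The same pattern appears on the HTTPS backend server line in the following hunk and would take the same change. A short comment next to the line would also help operators during rollout, e.g. `# send-proxy also applies to the health check by HAProxy's default, so a backend not yet accepting PROXY protocol shows up as DOWN rather than as broken requests` — this is my reading of the HAProxy manual (check-send-proxy), so confirm against the deployed version. The surrounding `lib.concatMapStrings` expression starts outside the hunk.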
@ -113,17 +117,15 @@ in
|
||||||
bind :::443 v4v6
|
bind :::443 v4v6
|
||||||
tcp-request inspect-delay 5s
|
tcp-request inspect-delay 5s
|
||||||
tcp-request content accept if { req.ssl_hello_type 1 }
|
tcp-request content accept if { req.ssl_hello_type 1 }
|
||||||
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg }:
|
${lib.concatMapStrings ({ proxyTo, hostNames, matchArg, ... }:
|
||||||
lib.concatMapStrings (hostname: ''
|
lib.concatMapStrings (hostname: ''
|
||||||
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
use_backend ${canonicalize proxyTo.host}-https if { req.ssl_sni -i ${matchArg} ${hostname} }
|
||||||
'') hostNames
|
'') hostNames
|
||||||
) cfg.proxyHosts}
|
) cfg.proxyHosts}
|
||||||
|
|
||||||
${lib.concatMapStrings ({ proxyTo, ... }: ''
|
${lib.concatMapStrings ({ proxyTo, proxyProtocol, ... }: ''
|
||||||
backend ${canonicalize proxyTo.host}-https
|
backend ${canonicalize proxyTo.host}-https
|
||||||
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${
|
server ${canonicalize proxyTo.host}-https ${proxyTo.host}:${toString proxyTo.httpsPort} weight 1 check ${lib.optionalString proxyProtocol "send-proxy"}
|
||||||
toString proxyTo.httpsPort
|
|
||||||
} weight 1
|
|
||||||
'') cfg.proxyHosts}
|
'') cfg.proxyHosts}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|