authorJan Dittberner <jandd@cacert.org>2020-06-06 01:43:44 +0200
committerJan Dittberner <jandd@cacert.org>2020-06-06 01:43:44 +0200
commit4009f3ee723da5914653dfbebe2cb3d21fe3f96f (patch)
treeb15aa5515bda1a94d640a0b1b5859136f279efde
parentcb19b060bccb57b1e7f04b90a9a35536ec9716ca (diff)
Add new profile nginx_revproxy and use it for email
This commit adds a new profile nginx_revproxy to set up an nginx-based reverse proxy. The commit contains configuration for such a proxy to forward traffic for community.cacert.org to the http virtual host on the webstatic system. It also contains custom nginx configuration to enable the redirects from old URLs to the motion and selfservice systems. The profile includes x509cert_common to install the certificate and private key required for the community.cacert.org virtual host. The new profile is assigned to email via the email role.
-rw-r--r--hieradata/nodes/email.yaml18
-rw-r--r--sitemodules/profiles/files/nginx_revproxy/nginx.conf66
-rw-r--r--sitemodules/profiles/manifests/nginx_revproxy.pp87
-rw-r--r--sitemodules/profiles/templates/nginx_revproxy/virtual_host.nginx31
-rw-r--r--sitemodules/roles/manifests/email.pp3
5 files changed, 204 insertions, 1 deletions
diff --git a/hieradata/nodes/email.yaml b/hieradata/nodes/email.yaml
index 4b5f0b9..876c329 100644
--- a/hieradata/nodes/email.yaml
+++ b/hieradata/nodes/email.yaml
@@ -165,6 +165,24 @@ profiles::cacert_selfservice_api::server_private_key: >
huAu6YafNhB8IBwK4oljoITzHVxzpCAP/Pis44IKOkbj4/HWQmJH/IQXmMEl
/02OqZvJJOgkpUGYrsJud+ZAATIhpZwb8JfQMw6mes/6aPdGCZjMJaHPgFjU
h6Q0uA==]
+profiles::nginx_revproxy::virtual_hosts:
+ 'community.cacert.org':
+ target: http://10.0.0.116/
+ custom_config: |
+ location /password.php {
+ return 301 https://selfservice.cacert.org/password-reset;
+ }
+ location /staff.php {
+ return 301 https://selfservice.cacert.org/staff;
+ }
+ location /board {
+ rewrite ^/board/motions.php\?(motion=.*)$ https://motion.cacert.org/motions/$1? last;
+ rewrite ^/board/motions.php https://motion.cacert.org/? last;
+ rewrite ^/board/vote.php https://motion.cacert.org/vote/? last;
+ rewrite ^/board/proxy.php https://motion.cacert.org/proxy/? last;
+ rewrite ^/board https://motion.cacert.org/? last;
+ return 404;
+ }
profiles::x509cert_common::certificates:
'community.cacert.org':
certificate: |
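Review bot: The first rewrite in the `/board` location, `rewrite ^/board/motions.php\?(motion=.*)$ …`, can never match, because nginx matches rewrite regexes against the normalized URI without the query string, so a `motions.php?motion=…` request falls through to the second rule and the motion id is lost. Reading the argument explicitly does what the rule intends: `location = /board/motions.php { if ($arg_motion) { return 301 https://motion.cacert.org/motions/$arg_motion; } return 301 https://motion.cacert.org/; }`. The `target` of `http://10.0.0.116/` means the proxied hop to the backend is in clear text; presumably that is an internal network, which is worth stating in a comment above the key so nobody later points it at a remote host without noticing. The rendered page has lost the YAML indentation of this block, so the nesting of `custom_config` under the vhost entry is inferred, not verified here.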
diff --git a/sitemodules/profiles/files/nginx_revproxy/nginx.conf b/sitemodules/profiles/files/nginx_revproxy/nginx.conf
new file mode 100644
index 0000000..39ca3a0
--- /dev/null
+++ b/sitemodules/profiles/files/nginx_revproxy/nginx.conf
@@ -0,0 +1,66 @@
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+#
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
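Review bot: `ssl_prefer_server_ciphers on` in the SSL Settings section is set without an accompanying `ssl_ciphers` directive, so it only enforces server preference over nginx's built-in default list; if a hardened cipher policy is intended, add an explicit `ssl_ciphers` line here (or in the vhost template) and otherwise record the decision with a comment such as `# cipher list deliberately left at the nginx default; protocol floor is TLSv1.2`. The rest of the file looks like the distribution default `nginx.conf` with `server_tokens off` and `ssl_protocols TLSv1.2 TLSv1.3` as the deliberate edits; a header comment naming those deviations would spare the next maintainer a diff against the package default. No `ssl_session_cache` or `ssl_session_timeout` is configured, which is a capacity rather than a security point, but worth a line if these proxies see real load.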
diff --git a/sitemodules/profiles/manifests/nginx_revproxy.pp b/sitemodules/profiles/manifests/nginx_revproxy.pp
new file mode 100644
index 0000000..df43648
--- /dev/null
+++ b/sitemodules/profiles/manifests/nginx_revproxy.pp
@@ -0,0 +1,87 @@
+# Class: profiles::nginx_revproxy
+# ===============================
+#
+# This class takes care of a simple nginx reverse proxy setup.
+#
+# Parameters
+# ----------
+#
+# @param virtual_hosts a hash of virtual hosts with their proxy target and
+# custom_config fragment
+#
+# Examples
+# --------
+#
+# @example
+# class profiles::myrole {
+# include profiles::nginx_revproxy
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2020 Jan Dittberner
+class profiles::nginx_revproxy (
+ Hash[String, Data] $virtual_hosts,
+) {
+ include profiles::x509cert_common
+
+ file { '/etc/nginx':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ } ->
+ file { '/etc/nginx/nginx.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/nginx_revproxy/nginx.conf',
+ } ->
+ package { 'nginx-light':
+ ensure => present,
+ } ->
+ service { 'nginx':
+ ensure => running,
+ enable => true,
+ }
+
+ file { ['/etc/nginx/sites-enabled/default', '/etc/nginx/sites-enabled/default']:
+ ensure => absent,
+ notify => Service['nginx'],
+ }
+
+ $virtual_hosts.each |$vhost, $virtual_host| {
+ file { "/etc/nginx/sites-available/${vhost}":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => 0644,
+ content => epp('profiles/nginx_revproxy/virtual_host.nginx',
+ {
+ 'virtual_host' => $vhost,
+ 'target' => $virtual_host['target'],
+ 'custom_config' => $virtual_host['custom_config'],
+ }
+ ),
+ require => File[
+ "/etc/ssl/public/${vhost}.chain.pem",
+ "/etc/ssl/private/${vhost}.key.pem",
+ ],
+ notify => Service['nginx'],
+ } ->
+ file { "/etc/nginx/sites-enabled/${vhost}":
+ ensure => link,
+ owner => 'root',
+ group => 'root',
+ target => "/etc/nginx/sites-available/${vhost}",
+ notify => Service['nginx'],
+ }
+ }
+}
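Review bot: The `file` resource that removes the default site lists `'/etc/nginx/sites-enabled/default'` twice in its title array, which Puppet rejects as a duplicate resource declaration; the second entry was presumably meant to be `'/etc/nginx/sites-available/default'`. The per-vhost `mode => 0644` is an unquoted integer while every other file in this class uses `mode => '0644'`; quote it for consistency and to avoid Puppet's integer-mode handling. Ordering also looks fragile: `/etc/nginx/nginx.conf` is written before `package { 'nginx-light' }` is installed, and the default-site removal has no relationship to the package, so on a fresh host the package may land its conffile and the `sites-enabled/default` link after Puppet has already evaluated those resources; `Package['nginx-light'] -> File['/etc/nginx/nginx.conf']` and `require => Package['nginx-light']` on the removal would pin that down. `$virtual_host['target']` and `$virtual_host['custom_config']` are interpolated into the nginx config unvalidated; that is fine for operator-controlled Hiera data, but a `Hash[String, Struct[...]]` parameter type would at least reject a vhost missing `target` at compile time rather than rendering an empty `proxy_pass`.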
diff --git a/sitemodules/profiles/templates/nginx_revproxy/virtual_host.nginx b/sitemodules/profiles/templates/nginx_revproxy/virtual_host.nginx
new file mode 100644
index 0000000..3798706
--- /dev/null
+++ b/sitemodules/profiles/templates/nginx_revproxy/virtual_host.nginx
@@ -0,0 +1,31 @@
+# <%- | String $virtual_host,
+# String $target,
+# String $custom_config,
+#| -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ if ($https != "on") {
+ return 301 https://$host$uri;
+ }
+
+ ssl_certificate /etc/ssl/public/<%= $virtual_host %>.chain.pem;
+ ssl_certificate_key /etc/ssl/private/<%= $virtual_host %>.key.pem;
+
+ access_log /var/log/nginx/<%= $virtual_host %>.access.log;
+ error_log /var/log/nginx/<%= $virtual_host %>.error.log;
+
+ server_name <%= $virtual_hosts %>;
+ <%= $custom_config -%>
+
+ location / {
+ proxy_pass <%= $target %>;
+ }
+}
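Review bot: `server_name <%= $virtual_hosts %>;` references `$virtual_hosts`, but the template's parameter list declares `$virtual_host`; with strict variables this fails to render, and otherwise the server block gets an empty `server_name`. The http-to-https redirect also uses `$host$uri`, which echoes the client-supplied Host header into the Location target and drops the query string; redirecting to the templated host name with `$request_uri` keeps the redirect tied to the configured vhost and preserves the old-URL parameters the custom rewrites depend on. `proxy_pass` is issued with no `proxy_set_header` lines, so the backend presumably receives `Host: 10.0.0.116` and no forwarded client address or scheme, which matters if the backend selects its vhost by name or logs client IPs; the headers below are the usual minimum, and a `Strict-Transport-Security` header on the TLS side would complete the picture.

```nginx
server {
    # … unchanged: listen directives …

    # send plain-http clients to the configured host name, keeping path and query
    if ($https != "on") {
        return 301 https://<%= $virtual_host %>$request_uri;
    }

    # … unchanged: ssl_certificate, ssl_certificate_key, access_log, error_log …

    server_name <%= $virtual_host %>;
    <%= $custom_config -%>

    location / {
        proxy_pass <%= $target %>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```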
diff --git a/sitemodules/roles/manifests/email.pp b/sitemodules/roles/manifests/email.pp
index b86844d..bf86b08 100644
--- a/sitemodules/roles/manifests/email.pp
+++ b/sitemodules/roles/manifests/email.pp
@@ -18,11 +18,12 @@
# Copyright
# ---------
#
-# Copyright 2019 Jan Dittberner
+# Copyright 2019, 2020 Jan Dittberner
#
class roles::email {
include profiles::base
include profiles::rsyslog
include profiles::icinga2_agent
include profiles::cacert_selfservice_api
+ include profiles::nginx_revproxy
}