authorJan Dittberner <jandd@cacert.org>2021-02-06 11:33:38 +0100
committerJan Dittberner <jandd@cacert.org>2021-02-06 11:33:38 +0100
commit6de282d26244ddbd5b3880536e5bdcc83cfc012e (patch)
tree300b17e7e9c85123f03f8c001b9b6dba8fa46a15
parentfb5427166d19a4e46cafdd8b11cdb9539c2a7024 (diff)
Setup nginx to server SNI tls on port 8443
This commit is the first step to migrate away from sniproxy and use nginx only. Nginx now handles port 80 directly and should provide the same forwarding that sniproxy is doing on port 8443 (will be switched to 443 in a later commit if it turns out to work).
-rw-r--r--hieradata/nodes/proxyin.yaml6
-rw-r--r--sitemodules/profiles/files/sniproxy/nginx.conf4
-rw-r--r--sitemodules/profiles/manifests/sniproxy.pp42
-rw-r--r--sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp21
-rw-r--r--sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp12
5 files changed, 62 insertions, 23 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml
index 5f8615f..bd1e96c 100644
--- a/hieradata/nodes/proxyin.yaml
+++ b/hieradata/nodes/proxyin.yaml
@@ -3,9 +3,13 @@ classes:
- roles::proxyin
profiles::base::admins:
- jandd
-profiles::sniproxy::https_forwards:
+profiles::sniproxy::https_forwards_sniproxy:
- "motion\\.cacert\\.org$ 10.0.0.117:8443"
- "selfservice\\.cacert\\.org$ 10.0.0.118:8443"
+profiles::sniproxy::https_forwards:
+ motion.cacert.org: "10.0.0.117:8443"
+ selfservice.cacert.org: "10.0.0.118:8443"
+profiles::sniproxy::https_port: 8443
profiles::icinga2_agent::pki_ticket: >
ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAVh+d4e8x8Tub+RMVEeyllfUZz2VGaqIL0mW7
diff --git a/sitemodules/profiles/files/sniproxy/nginx.conf b/sitemodules/profiles/files/sniproxy/nginx.conf
index c27d5a5..b6fb650 100644
--- a/sitemodules/profiles/files/sniproxy/nginx.conf
+++ b/sitemodules/profiles/files/sniproxy/nginx.conf
@@ -23,7 +23,9 @@ http {
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
server {
- listen 127.0.0.1:8080 default_server;
+ listen 80 default_server;
return 301 https://$host$request_uri;
}
+
+ include /etc/nginx/sni-servers.conf;
}
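Review bot: The new `include /etc/nginx/sni-servers.conf;` is placed inside the `http { … }` block (the hunk header names `http {` as the enclosing context and the final `}` appears to close it), but the included template opens a `stream { … }` block, and nginx only accepts `stream` in the main context, so `nginx -t` rejects the resulting configuration. Move the include after the brace that closes `http`, i.e. `}` followed by `include /etc/nginx/sni-servers.conf;` at top level. The `http` block begins outside this hunk. The include path also has to match what the manifest creates; the file resource added in sitemodules/profiles/manifests/sniproxy.pp currently spells it `/etc/nginx/sni-servers.conf}`, so with that typo nginx would fail to start because the included file does not exist.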
diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp
index fb65b55..f63829e 100644
--- a/sitemodules/profiles/manifests/sniproxy.pp
+++ b/sitemodules/profiles/manifests/sniproxy.pp
@@ -6,7 +6,13 @@
# Parameters
# ----------
#
-# @param https_forwards a list of server names to target ips/ports
+# @param https_forwards_sniproxy a list of server names to target ips/ports for
+# the sniproxy configuration
+#
+# @param https_forwards a hash of server names to target ips/ports for
+# nginx
+#
+# @param https_port the https port for nginx
#
# Examples
# --------
@@ -27,7 +33,9 @@
# Copyright 2017-2021 Jan Dittberner
#
class profiles::sniproxy (
- Array[String] $https_forwards,
+ Array[String] $https_forwards_sniproxy,
+ Hash[String,String] $https_forwards,
+ Integer $https_port = 443,
) {
# not required since Buster
file { '/etc/apt/preferences.d/sniproxy':
@@ -54,7 +62,7 @@ class profiles::sniproxy (
mode => '0644',
content => epp(
'profiles/sniproxy/sniproxy.conf.epp',
- {'https_forwards' => $https_forwards}
+ {'https_forwards' => $https_forwards_sniproxy}
),
require => Package['sniproxy'],
}
@@ -71,19 +79,35 @@ class profiles::sniproxy (
owner => 'root',
group => 'root',
mode => '0755',
- } ->
- file { '/etc/nginx/nginx.conf':
+ }
+ -> file { '/etc/nginx/nginx.conf':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profiles/sniproxy/nginx.conf',
- } ->
- package { 'nginx-light':
+ }
+ -> package { 'nginx-full':
ensure => present,
- } ->
- service { 'nginx':
+ }
+ -> service { 'nginx':
ensure => running,
enable => true,
}
+
+ file { '/etc/nginx/sni-servers.conf}':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp(
+ 'profiles/sniproxy/nginx.sni-server.epp',
+ {
+ 'https_forwards' => $https_forwards,
+ 'https_port' => $https_port,
+ },
+ ),
+ require => Package['nginx-full'],
+ notify => Service['nginx'],
+ }
}
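Review bot: The title of the new file resource, `'/etc/nginx/sni-servers.conf}'`, carries a stray closing brace, so Puppet manages a file literally named `sni-servers.conf}` while the shipped nginx.conf includes `/etc/nginx/sni-servers.conf`; nginx will then fail to start because the included file does not exist. Change it to `file { '/etc/nginx/sni-servers.conf':`. Separately, the re-chained `/etc/nginx/nginx.conf` resource is only ordered with `->` and has no `notify => Service['nginx']`, so a change to the shipped nginx.conf (such as the new include) does not reload nginx on hosts that already run it; adding `notify => Service['nginx'],` there, as the new resource already does, closes that gap. The class body begins outside this hunk.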
diff --git a/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
new file mode 100644
index 0000000..6246604
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
@@ -0,0 +1,21 @@
+<%- | Hash[String, String] $https_forwards, Integer $https_port | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+stream {
+ map $ssl_preread_server_name $targetBackend {
+<%- $https_forwards.each |$host_name, $target| { %>
+ <%= $host_name %> <%= $target %>;
+<% } %>
+ }
+
+ server {
+ listen <%= $https_port %>;
+
+ proxy_connect_timeout 1s;
+ proxy_timeout 3s;
+
+ proxy_pass $targetBackend;
+ ssl_preread on;
+ }
+}
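Review bot: `proxy_timeout 3s;` is the idle timeout between two successive read or write operations on the client or upstream side, not a connect timeout, so any forwarded TLS session that pauses for more than three seconds (an HTTP keep-alive connection waiting for its next request, a slow response) is closed by the proxy; nothing in this diff shows sniproxy imposing such a limit. Use a value in the order of minutes, e.g. `proxy_timeout 10m;`, or document why 3s is intended. The `map` has no `default` entry, so a ClientHello without SNI or with an unlisted name leaves `$targetBackend` empty and nginx cannot connect and drops the connection; that is the desired fail-closed behaviour, but it deserves a comment above the map such as `# no default: connections with unknown or missing SNI names are rejected`. The `stream` block also requires the nginx stream module (with ssl_preread) to be loaded by the main configuration; the switch to nginx-full presumably provides it, but confirm the shipped nginx.conf loads it.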
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
index 9791139..6632340 100644
--- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
+++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
@@ -20,18 +20,6 @@ error_log {
priority notice
}
-listen 80 {
- proto http
- table http_hosts
- # Fallback backend server to use if we can not parse the client request
- fallback 127.0.0.1:8080
-
- access_log {
- filename /var/log/sniproxy/http_access.log
- priority notice
- }
-}
-
listen 443 {
proto tls
table https_hosts