-rw-r--r--hieradata/nodes/proxyin.yaml6
-rw-r--r--sitemodules/profiles/files/sniproxy/nginx.conf4
-rw-r--r--sitemodules/profiles/manifests/sniproxy.pp42
-rw-r--r--sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp21
-rw-r--r--sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp12
5 files changed, 62 insertions, 23 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml
index 5f8615f..bd1e96c 100644
--- a/hieradata/nodes/proxyin.yaml
+++ b/hieradata/nodes/proxyin.yaml
@@ -3,9 +3,13 @@ classes:
- roles::proxyin
profiles::base::admins:
- jandd
-profiles::sniproxy::https_forwards:
+profiles::sniproxy::https_forwards_sniproxy:
- "motion\\.cacert\\.org$ 10.0.0.117:8443"
- "selfservice\\.cacert\\.org$ 10.0.0.118:8443"
+profiles::sniproxy::https_forwards:
+ motion.cacert.org: "10.0.0.117:8443"
+ selfservice.cacert.org: "10.0.0.118:8443"
+profiles::sniproxy::https_port: 8443
profiles::icinga2_agent::pki_ticket: >
ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEAVh+d4e8x8Tub+RMVEeyllfUZz2VGaqIL0mW7
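Review bot: The same host-to-backend mapping is now kept twice, once as anchored regexes under `https_forwards_sniproxy` and once as literal keys under `https_forwards`, so a future edit to only one of them leaves sniproxy and nginx forwarding the same name to different backends with nothing to flag it. Consider keeping only the hash in hieradata and deriving the sniproxy entries in the manifest, e.g. `$https_forwards.map |$h, $t| { "${regexpescape($h)}\$ ${t}" }` if stdlib's `regexpescape` is available, or a `regsubst` that escapes the dots. Until then, a comment above the two keys saying they must be kept in sync would at least warn the next editor.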
diff --git a/sitemodules/profiles/files/sniproxy/nginx.conf b/sitemodules/profiles/files/sniproxy/nginx.conf
index c27d5a5..b6fb650 100644
--- a/sitemodules/profiles/files/sniproxy/nginx.conf
+++ b/sitemodules/profiles/files/sniproxy/nginx.conf
@@ -23,7 +23,9 @@ http {
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
server {
- listen 127.0.0.1:8080 default_server;
+ listen 80 default_server;
return 301 https://$host$request_uri;
}
+
+ include /etc/nginx/sni-servers.conf;
}
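Review bot: The new `include /etc/nginx/sni-servers.conf;` is placed inside the `http { … }` block (the hunk context is `http {` and the `}` on the last line appears to close it), but the included file opens a `stream { … }` block, which nginx accepts only in the main context; `nginx -t` will refuse the config with "stream directive is not allowed here". Move the include after the closing brace of `http` so it sits at the top level of nginx.conf. Two smaller points: `listen 80 default_server;` binds IPv4 only, so add `listen [::]:80 default_server;` if the host is reachable over IPv6, and the unchanged `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the redirect target; that is low risk for a pure redirect but, if the served names are fixed, restricting `server_name` to the forwarded hosts and returning 444 for anything else is the tighter default.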
diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp
index fb65b55..f63829e 100644
--- a/sitemodules/profiles/manifests/sniproxy.pp
+++ b/sitemodules/profiles/manifests/sniproxy.pp
@@ -6,7 +6,13 @@
# Parameters
# ----------
#
-# @param https_forwards a list of server names to target ips/ports
+# @param https_forwards_sniproxy a list of server names to target ips/ports for
+# the sniproxy configuration
+#
+# @param https_forwards a hash of server names to target ips/ports for
+# nginx
+#
+# @param https_port the https port for nginx
#
# Examples
# --------
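Review bot: The two parameter descriptions read as interchangeable, yet the values have different semantics: `https_forwards_sniproxy` entries are "<regex> <ip:port>" strings matched by sniproxy (the hieradata escapes the dots and anchors with `$`), while `https_forwards` keys are literal TLS server names looked up in an nginx `map`. Say so explicitly, e.g. `# @param https_forwards_sniproxy list of "<regex> <ip:port>" entries for sniproxy's https_hosts table` and `# @param https_forwards hash of exact SNI server names to "ip:port" backends for the nginx stream proxy`. The `https_port` description should also state that it must differ from the 443 that sniproxy binds on the same host.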
@@ -27,7 +33,9 @@
# Copyright 2017-2021 Jan Dittberner
#
class profiles::sniproxy (
- Array[String] $https_forwards,
+ Array[String] $https_forwards_sniproxy,
+ Hash[String,String] $https_forwards,
+ Integer $https_port = 443,
) {
# not required since Buster
file { '/etc/apt/preferences.d/sniproxy':
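Review bot: `Integer $https_port = 443` defaults the nginx stream listener to the port sniproxy already binds on this host (`listen 443` in sniproxy.conf.epp), so any node that does not override it the way proxyin does with 8443 ends up with one of the two services failing to start. Either drop the default so the port has to be chosen deliberately, or keep it and tighten the type to `Integer[1, 65535] $https_port = 443` with a comment naming the conflict. The `Hash[String,String]` keys are interpolated unquoted into the nginx `map`, so a key containing whitespace or `;` silently breaks the generated config; `Hash[Pattern[/\A[A-Za-z0-9.-]+\z/], String] $https_forwards` rejects that at catalog compile time. The class body continues outside this hunk.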
@@ -54,7 +62,7 @@ class profiles::sniproxy (
mode => '0644',
content => epp(
'profiles/sniproxy/sniproxy.conf.epp',
- {'https_forwards' => $https_forwards}
+ {'https_forwards' => $https_forwards_sniproxy}
),
require => Package['sniproxy'],
}
@@ -71,19 +79,35 @@ class profiles::sniproxy (
owner => 'root',
group => 'root',
mode => '0755',
- } ->
- file { '/etc/nginx/nginx.conf':
+ }
+ -> file { '/etc/nginx/nginx.conf':
ensure => file,
owner => 'root',
group => 'root',
mode => '0644',
source => 'puppet:///modules/profiles/sniproxy/nginx.conf',
- } ->
- package { 'nginx-light':
+ }
+ -> package { 'nginx-full':
ensure => present,
- } ->
- service { 'nginx':
+ }
+ -> service { 'nginx':
ensure => running,
enable => true,
}
+
+ file { '/etc/nginx/sni-servers.conf}':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp(
+ 'profiles/sniproxy/nginx.sni-server.epp',
+ {
+ 'https_forwards' => $https_forwards,
+ 'https_port' => $https_port,
+ },
+ ),
+ require => Package['nginx-full'],
+ notify => Service['nginx'],
+ }
}
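Review bot: The title of the new file resource is `'/etc/nginx/sni-servers.conf}'`, with a stray `}`, so Puppet writes `/etc/nginx/sni-servers.conf}` while nginx.conf includes `/etc/nginx/sni-servers.conf`; the include target never exists and nginx fails its config check on every run. Fix the title: `file { '/etc/nginx/sni-servers.conf':`. Separately, the `/etc/nginx/nginx.conf` resource still carries no `notify => Service['nginx']`, so this commit's switch from `127.0.0.1:8080` to `listen 80` lands on disk but is not applied until someone restarts nginx, and port 80 goes unanswered once sniproxy stops listening on it; add `notify => Service['nginx'],` to that resource as well.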
diff --git a/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
new file mode 100644
index 0000000..6246604
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/nginx.sni-server.epp
@@ -0,0 +1,21 @@
+<%- | Hash[String, String] $https_forwards, Integer $https_port | -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+stream {
+ map $ssl_preread_server_name $targetBackend {
+<%- $https_forwards.each |$host_name, $target| { %>
+ <%= $host_name %> <%= $target %>;
+<% } %>
+ }
+
+ server {
+ listen <%= $https_port %>;
+
+ proxy_connect_timeout 1s;
+ proxy_timeout 3s;
+
+ proxy_pass $targetBackend;
+ ssl_preread on;
+ }
+}
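Review bot: `proxy_timeout 3s;` is the idle timeout between successive reads or writes on the proxied connection, not a connect or handshake timeout, so any TLS session with a pause longer than three seconds (HTTP keep-alive between requests, a slow backend response, a large upload stalling) is cut mid-stream; nginx's default is 10m and something in that range matches what the sniproxy setup allowed. The stream block also logs nothing, whereas the sniproxy config kept per-connection access logs; for a proxy fronting these services, add a `log_format`/`access_log` pair so source address, SNI name and chosen backend are available for incident response. The `map` has no `default`, so a ClientHello without SNI or with an unlisted name yields an empty `$targetBackend` and a failed `proxy_pass`; that fail-closed behaviour is presumably intended, so make it explicit. Backends will only ever see the proxy's address as the client; `proxy_protocol on;` would pass the real source through if the backends can be configured to accept it.
```nginx
stream {
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'backend="$targetBackend" status=$status '
                   'sent=$bytes_sent rcvd=$bytes_received time=$session_time';
    access_log /var/log/nginx/stream-access.log sni;

    map $ssl_preread_server_name $targetBackend {
        # … unchanged: one "<server name> <ip:port>;" entry per https_forwards host …
        default "";   # no or unknown SNI: empty upstream, nginx drops the connection
    }

    server {
        # … unchanged: listen, proxy_connect_timeout …
        proxy_timeout 10m;   # idle timeout between reads/writes; 3s cut keep-alive sessions
        # … unchanged: proxy_pass, ssl_preread …
    }
}
```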
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
index 9791139..6632340 100644
--- a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
+++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
@@ -20,18 +20,6 @@ error_log {
priority notice
}
-listen 80 {
- proto http
- table http_hosts
- # Fallback backend server to use if we can not parse the client request
- fallback 127.0.0.1:8080
-
- access_log {
- filename /var/log/sniproxy/http_access.log
- priority notice
- }
-}
-
listen 443 {
proto tls
table https_hosts