From 827165f8d27c951daa6d25a7666bb6081ad2733a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 28 Aug 2020 23:18:23 +0200
Subject: ch-http-proxy: prepare reverse proxy for passwd.chaos-at-home.org
---
chaos-at-home/ch-http-proxy.yml | 212 ++++++++++++++++++++++++++++++++++++++++++------------
chaos-at-home/ch-imap-proxy.yml | 2 +-
2 files changed, 153 insertions(+), 61 deletions(-)
(limited to 'chaos-at-home')
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 544c781c..92076588 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -9,72 +9,15 @@ - role: apt-repo/spreadspace - role: acmetool/base - role: nginx/base - - role: nginx/vhost - nginx_vhost: - default: yes - name: web - template: static-files-with-acme - acme: yes - hostnames: - - web.chaos-at-home.org - root: /var/www/default - index: index.html - acmetool_cert_config: - request: - challenge: - http-self-test: false - - role: nginx/vhost - nginx_vhost: - name: webmail - template: generic-proxy-no-buffering-with-acme - acme: yes - hostnames: - - webmail.chaos-at-home.org - client_max_body_size: "200M" - proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/" - acmetool_cert_config: - request: - challenge: - http-self-test: false - - role: nginx/vhost - nginx_vhost: - name: webdav - template: generic-proxy-no-buffering-with-acme - acme: yes - hostnames: - - webdav.chaos-at-home.org - proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/" - acmetool_cert_config: - request: - challenge: - http-self-test: false - - role: nginx/vhost - nginx_vhost: - name: imap - acme: no - content: | - server { - listen 80; - listen [::]:80; - - server_name imap.chaos-at-home.org; - - location /.well-known/acme-challenge/ { - proxy_pass http://{{ network_services.imap.addr }}; - } - - location / { - return 303 https://webmail.chaos-at-home.org; - } - } - post_tasks: - name: lower minimum tls protocol version to 1.0 lineinfile: path: /etc/ssl/openssl.cnf regexp: '^MinProtocol\s*=' - line: 'MinProtocol = TLSv1.0' + line: 'MinProtocol = TLSv1' + + #### web.chaos-at-home.org (default-server) - name: create directory for default server file: path: /var/www/default 
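Review bot: `MinProtocol = TLSv1` written into /etc/ssl/openssl.cnf is a host-wide floor for every OpenSSL consumer, so depending on what the vhost template puts in `ssl_protocols` it can also re-enable TLS 1.0 on nginx's public-facing listeners, not only on the `proxy_pass https://...` connections to the legacy upstreams this task appears to exist for. If the lower floor is only needed toward those backends, nginx's per-vhost `proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` together with an explicit `ssl_protocols TLSv1.2 TLSv1.3;` on the listener side would scope the downgrade to where it is needed; at minimum the task name should say that the change is host-wide. The `post_tasks` list this task belongs to continues past the end of the hunk.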
@@ -100,6 +43,155 @@ + + + - name: configure default vhost web.chaos-at-home.org + vars: + nginx_vhost: + default: yes + name: web + template: static-files-with-acme + acme: yes + hostnames: + - web.chaos-at-home.org + root: /var/www/default + index: index.html + acmetool_cert_config: + request: + challenge: + http-self-test: false + include_role: + name: nginx/vhost + + + #### passwd.chaos-at-home.org + - name: create directory for whawty auth ca cert + file: + path: /etc/ssl/whawty-auth-ca + state: directory + + - name: install whawty auth ca cert + copy: + dest: /etc/ssl/whawty-auth-ca/ca.pem + content: | + -----BEGIN CERTIFICATE----- + MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN + BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy + YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo + MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y + MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G + A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o + b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t + ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK + AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk + 1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO + mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY + dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA + VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ + REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I + RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj + KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI + GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH + mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE + cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO + BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0 + 
E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh + yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv + MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am + VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy + Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N + DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb + CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7 + JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC + c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP + /04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs + EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c + y8wejeuvOelX6YEzJpnebARk + -----END CERTIFICATE----- + + - name: configure vhost for passwd.chaos-at-home.org + vars: + nginx_vhost: + name: passwd + template: generic-proxy-no-buffering-with-acme + acme: yes + hostnames: + - passwd.chaos-at-home.org + # proxy_pass: "https://{{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ipaddr('address') }}/" + proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-auth-legacy']) | ipaddr('address') }}:843/" + proxy_ssl: + verify: "on" + trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem + acmetool_cert_config: + request: + challenge: + http-self-test: false + include_role: + name: nginx/vhost + + + #### webmail.chaos-at-home.org + - name: configure vhost for webmail.chaos-at-home.org + vars: + nginx_vhost: + name: webmail + template: generic-proxy-no-buffering-with-acme + acme: yes + hostnames: + - webmail.chaos-at-home.org + client_max_body_size: "200M" + proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/" + acmetool_cert_config: + request: + challenge: + http-self-test: false + include_role: + name: nginx/vhost + + + #### webdav.chaos-at-home.org + - name: 
configure vhost for webdav.chaos-at-home.org + vars: + nginx_vhost: + name: webdav + template: generic-proxy-no-buffering-with-acme + acme: yes + hostnames: + - webdav.chaos-at-home.org + proxy_pass: "https://{{ network_zones.lan.prefix | ipaddr(network_zones.lan.offsets['ch-prometheus-old']) | ipaddr('address') }}/" + acmetool_cert_config: + request: + challenge: + http-self-test: false + include_role: + name: nginx/vhost + + + #### imap.chaos-at-home.or + - name: configure vhost for imap.chaos-at-home.org + vars: + nginx_vhost: + name: imap + acme: no + content: | + server { + listen 80; + listen [::]:80; + server_name imap.chaos-at-home.org; + + location /.well-known/acme-challenge/ { + proxy_pass http://{{ network_services.imap.addr }}; + } + + location / { + return 303 https://webmail.chaos-at-home.org; + } + } + include_role: + name: nginx/vhost + + + ### Service IP # - name: install systemd service unit for service-ip # copy: # dest: /etc/systemd/system/http-service-ip.service diff --git a/chaos-at-home/ch-imap-proxy.yml b/chaos-at-home/ch-imap-proxy.yml index 1a05a39f..aff3a689 100644 --- a/chaos-at-home/ch-imap-proxy.yml +++ b/chaos-at-home/ch-imap-proxy.yml @@ -19,7 +19,7 @@ lineinfile: path: /etc/ssl/openssl.cnf regexp: '^MinProtocol\s*=' - line: 'MinProtocol = TLSv1.0' + line: 'MinProtocol = TLSv1' - name: install stunnel package apt: -- cgit v1.2.3
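Review bot: `proxy_ssl.verify: "on"` with `trusted_certificate` makes nginx validate the whawty-auth chain for passwd.chaos-at-home.org, but with verification on nginx also matches the certificate against `proxy_ssl_name`, which defaults to the host part of `proxy_pass` — here a LAN IP address — and as far as I recall that check only compares dNSName entries, so unless the backend certificate literally carries that address the handshake will fail with "upstream SSL certificate does not match"; setting `proxy_ssl_name` to the backend's DNS name (with `proxy_ssl_server_name on`) alongside `verify` would be needed, assuming the nginx/vhost role passes those keys through its `proxy_ssl` mapping. Decoding the embedded CA certificate gives a validity of 2020-08-28 to 2025-08-27, so a comment such as `# whawty-auth CA, notAfter 2025-08-27 — replace before expiry` above the `copy:` task would keep the rotation date visible in the playbook. The webmail and webdav vhosts still proxy to https://ch-prometheus-old with nginx's default `proxy_ssl_verify off`, so only the new passwd path actually authenticates its upstream; if that is deliberate a one-line comment saying so would help. Minor: the section heading `#### imap.chaos-at-home.or` is missing its final `g`.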
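Review bot: The lineinfile task that this one-line value fix belongs to silently appends `MinProtocol = TLSv1` at the end of /etc/ssl/openssl.cnf when no line matches `^MinProtocol\s*=`, which lands in whatever section is last rather than in `[system_default_sect]` and leaves the real floor unchanged; adding `insertafter: '^\[system_default_sect\]'` (or asserting beforehand that the key exists) would make a silent no-op impossible. If the lower floor is needed only by stunnel, as the task that follows suggests, stunnel's per-service `sslVersionMin` option — provided the installed version supports it — would avoid relaxing every OpenSSL consumer on the host.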