Update to 2022-03-07 14:00

2025-10-31 02:41:36 +01:00 · 2022-03-07 14:00:06 +01:00
parent c55f851cbd
commit 8b7e505180
58 changed files with 1119 additions and 89 deletions
--- a/roles/unmaintained/wh_proxy/handlers/main.yml
+++ b/roles/unmaintained/wh_proxy/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+- include: ../nginx/handlers/main.yml
--- a/roles/unmaintained/wh_proxy/meta/main.yml
+++ b/roles/unmaintained/wh_proxy/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: wh_common
+  - role: nginx
--- a/roles/unmaintained/wh_proxy/tasks/main.yml
+++ b/roles/unmaintained/wh_proxy/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+
+- set_fact: role_wh_proxy={{ True }}
+  tags: web
+
+- name: Deploy web hosting vhosts
+  template: src=nginx_vhosts.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vhosts_wh.conf
+  notify: reload nginx
+  tags: web
+
+- name: Build a list of client vhosts
+  set_fact:
+    wh_vhosts: "{{ wh_vhosts | default([]) + [ item.1.vhost | default(item.0.name + '-' + item.1.name + '.wh.fws.fr') ] }}"
+  loop: "{{ wh_clients | default([]) | subelements('apps') }}"
+  tags: web
+
+- name: Check if Let's Encrypt's cert exist (web hosting)
+  stat: path=/var/lib/dehydrated/certificates/certs/{{ item }}/fullchain.pem
+  register: wh_letsencrypt_certs
+  with_items: "{{ wh_vhosts }}"
+  tags: web
+
+- name: Create directories for missing Let's Encrypt cert (web hosting)
+  file: path=/var/lib/dehydrated/certificates/certs/{{ item.item }} state=directory
+  with_items: "{{ wh_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt cert to the default one (web hosting)
+  file: src={{ nginx_cert_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item }}/fullchain.pem state=link
+  with_items: "{{ wh_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
+- name: Link missing Let's Encrypt key to the default one (web hosting)
+  file: src={{ nginx_key_path }} dest=/var/lib/dehydrated/certificates/certs/{{ item.item }}/privkey.pem state=link
+  with_items: "{{ wh_letsencrypt_certs.results }}"
+  when:
+    - item.stat is defined
+    - not item.stat.exists
+  tags: web
+
--- a/roles/unmaintained/wh_proxy/templates/nginx_vhosts.conf.j2
+++ b/roles/unmaintained/wh_proxy/templates/nginx_vhosts.conf.j2
@@ -0,0 +1,93 @@
+# {{ ansible_managed }}
+
+{% for client in wh_clients | default([]) %}
+{% for app in client.apps | default([]) %}
+{% set app = wh_default_app | combine(app, recursive=True) %}
+
+server {
+  listen 80;
+  listen 443 ssl http2;
+
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ app.vhost | default(client.name + '-' + app.name + '.wh.fws.fr') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ app.vhost | default(client.name + '-' + app.name + '.wh.fws.fr') }}/privkey.pem;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+
+  server_name {{ app.vhost | default(client.name + '-' + app.name + '.wh.fws.fr') }} {{ app.aliases | join(' ') }};
+
+  root /usr/share/nginx/html;
+
+{% if app.maintenance %}
+  include /etc/nginx/ansible_conf.d/maintenance.inc;
+{% endif %}
+
+  # All client's vhost will use http-01 ACME challenges
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+  # Ensure SSL is used
+  include /etc/nginx/ansible_conf.d/force_ssl.inc;
+
+  location / {
+    limit_req zone=limit_req_std burst=200 nodelay;
+    limit_conn limit_conn_std 100;
+
+    include /etc/nginx/ansible_conf.d/perf.inc;
+
+    include /etc/nginx/ansible_conf.d/cache.inc;
+
+{% if app.proxy_custom_rewrites is defined %}
+{{ app.proxy_custom_rewrites | indent(4,true) }}
+{% endif %}
+
+    # Send the original Host header to the backend
+    proxy_set_header Host "$host";
+
+    # Send info about the original request to the backend
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-Proto "$scheme";
+
+    # Handle websocket proxying
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+    proxy_http_version 1.1;
+
+    # Hide some headers sent by the backend
+    proxy_hide_header X-Powered-By;
+    proxy_hide_header Cache-Control;
+    proxy_hide_header Pragma;
+    proxy_hide_header Expires;
+
+    # Set the timeout to read responses from the backend
+    proxy_read_timeout {{ app.php.max_execution_time }}s;
+
+    # Disable buffering large files
+    proxy_max_temp_file_size 5m;
+
+    # Proxy requests to the backend
+    proxy_pass http://{{ app.backend | default(client.backend) | default(wh_defaults.backend) }};
+
+    # per vhost IP blacklist
+{% for ip in app.deny_ip %}
+    deny {{ ip }};
+{% endfor %}
+
+{% if app.allow_ip | length > 0 %}
+    # per vhost IP restriction
+{% for ip in app.allow_ip %}
+    allow {{ ip }};
+{% endfor %}
+    deny all;
+
+{% endif %}
+  }
+
+  location = /RequestDenied {
+    return 403;
+  }
+}
+
+{% endfor %}
+{% endfor %}